spring security 3中的10个典型用法小结

spring security 3比较庞大，但功能很强，下面小结下spring security 3中值得

注意的10个典型用法

1）多个authentication-provide可以同时使用

Java代码


<authentication-manager alias='authenticationManager'>

<authentication-provider>

<user-service>

<user authorities='ROLE_GUEST' name='guest' password=''/>

</user-service>

</authentication-provider>

<authentication-provider>

<jdbc-user-service data-source-ref='dataSource'/>

</authentication-provider>

</authentication-manager>

2 传统的<security:http>

Java代码


<security:http>

<security:intercept-url pattern='/admin/**' access='hasRole('ROLE_ADMIN')'/>

<security:intercept-url pattern='/account/**' access='hasRole('ROLE_USER')' />

<security:intercept-url pattern='/**' access='hasRole('ROLE_ANONYMOUS')' />

<!-- other elements removed for clarity -->

</security:http>

3 可以使用一大堆密码加密器：
aseDigestPasswordEncoder
BasePasswordEncoder
LdapShaPasswordEncoder
Md4PasswordEncoder,
Md5PasswordEncoder
MessageDigestPasswordEncoder
MessageDigestPasswordEncoder
PlaintextPasswordEncoder
ShaPasswordEncoder

4 SPRING security的标签

Java代码


<sec:authorize access='hasRole('supervisor')'>

This content will only be visible to users who have

the 'supervisor' authority in their list of <tt>GrantedAuthority</tt>s.

</sec:authorize>

这是根据角色判断是否显示

还可以根据URL判断是否显示

Java代码


<sec:authorize url='/admin'>

This content will only be visible to users who are authorized to send requests to the '/admin' URL.

</sec:authorize>

5 方法级的鉴别
@PreAuthorize @PostAuthorize @Secure

要启用上面三者，要
<global-method-security pre-post-annotations='enabled' />

这三个是在方法调用前，先鉴别是否有权限使用，比如

Java代码


public interface IUserService

｛

@PreAuthorize("hasRole('ROLE_USER')")

public void changePassword(String username, password);

｝

感觉这个其实不是很常用
6 同5，可以使用JSR-250 注解去做
<global-method-security jsr250-annotations=”enabled”/>

@RolesAllowed({“ROLE_USER”,”ROLE_ADMIN”})
@PermitAll
@DenyAll

这样使用：
@RolesAllowed({"ROLE_ADMIN","ROLE_USER"})
public void deleteUser(String username);
这个东西反正没用到，具体见手册

7 配置open-id,步骤

Java代码


<form action='j_spring-openid-security-check' method='post'>

<label for='openid_idenifier'>Login</label>:

<input id='openid_identifier' name='openid_identifier' type='text'/>

<input type='submit' value='Login' />

</form>

<http auto-config='true'>
<openid-login/>

</http>
当然要加上：spring-security-openid.jar

8 spring secruity能使用ldap
<ldap-server ldif='classpath:my-ldif-file.ldif' id='localserver' />

当然要加上：spring-security-openid.jar

9 使用远程 ldap-server
<ldap-server url='ldap://myServer/dc=captaindebug,dc=com:389' id='ldapExternal'
manager-dn='uid=admin,ou=users,ou=systems' manager-password='s3cret'/>

8和9还没用过，估计配置起来还有更多东西

10 使用https
<http auto-config='true' use-expressions='true'>
<intercept-url pattern='/login' requires-channel='https'/>

</https>

这个比较简单，用requires-channel＝'https'