Spring Security 3.x 完整入门教程
2016-03-16 14:53
573 查看
1,建一个web project,并导入所有需要的lib,这步就不多讲了。
2,配置web.xml,使用Spring的机制装载:
<? xml version="1.0" encoding="UTF-8" ?>
< web-app version ="2.4" xmlns ="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi ="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation ="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" >
< context-param >
< param-name > contextConfigLocation </ param-name >
< param-value > classpath:applicationContext*.xml </ param-value >
</ context-param >
< listener >
< listener-class >
org.springframework.web.context.ContextLoaderListener
</ listener-class >
</ listener >
< filter >
< filter-name > springSecurityFilterChain </ filter-name >
< filter-class >
org.springframework.web.filter.DelegatingFilterProxy
</ filter-class >
</ filter >
< filter-mapping >
< filter-name > springSecurityFilterChain </ filter-name >
< url-pattern > /* </ url-pattern >
</ filter-mapping >
< welcome-file-list >
< welcome-file > login.jsp </ welcome-file >
</ welcome-file-list >
</ web-app >
这个文件中的内容我相信大家都很熟悉了,不再多说了。
2,来看看applicationContext-security.xml这个配置文件,关于Spring Security的配置均在其中:
<? xml version="1.0" encoding="UTF-8" ?>
< beans:beans xmlns ="http://www.springframework.org/schema/security"
xmlns:beans ="http://www.springframework.org/schema/beans"
xmlns:xsi ="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation ="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd" >
< http access-denied-page ="/403.jsp" > <!-- 当访问被拒绝时,会转到403.jsp -->
< intercept-url pattern ="/login.jsp" filters ="none" />
< form-login login-page ="/login.jsp"
authentication-failure-url ="/login.jsp?error=true"
default-target-url ="/index.jsp" />
< logout logout-success-url ="/login.jsp" />
< http-basic />
<!-- 增加一个filter,这点与Acegi是不一样的,不能修改默认的filter了,这个filter位于FILTER_SECURITY_INTERCEPTOR之前 -->
< custom-filter before ="FILTER_SECURITY_INTERCEPTOR"
ref ="myFilter" />
</ http >
<!-- 一个自定义的filter,必须包含authenticationManager,accessDecisionManager,securityMetadataSource三个属性,
我们的所有控制将在这三个类中实现,解释详见具体配置 -->
< beans:bean id ="myFilter" class ="com. user.erp.fwk.security.MyFilterSecurityInterceptor" >
< beans:property name ="authenticationManager"
ref ="authenticationManager" />
< beans:property name ="accessDecisionManager"
ref ="myAccessDecisionManagerBean" />
< beans:property name ="securityMetadataSource"
ref ="securityMetadataSource" />
</ beans:bean >
<!-- 认证管理器,实现用户认证的入口,主要实现UserDetailsService接口即可 -->
< authentication-manager alias ="authenticationManager" >
< authentication-provider
user-service-ref ="myUserDetailService" >
<!-- 如果用户的密码采用加密的话,可以加点“盐”
<password-encoder hash="md5" />
-->
</ authentication-provider >
</ authentication-manager >
< beans:bean id ="myUserDetailService"
class ="com. user.erp.fwk.security.MyUserDetailService" />
<!-- 访问决策器,决定某个用户具有的角色,是否有足够的权限去访问某个资源 -->
< beans:bean id ="myAccessDecisionManagerBean"
class ="com. user.erp.fwk.security.MyAccessDecisionManager" >
</ beans:bean >
<!-- 资源源数据定义,即定义某一资源可以被哪些角色访问 -->
< beans:bean id ="securityMetadataSource"
class ="com. user.erp.fwk.security.MyInvocationSecurityMetadataSource" />
</ beans:beans >
3,来看看自定义filter的实现:
package com. user.erp.fwk.security;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor
implements Filter {
private FilterInvocationSecurityMetadataSource securityMetadataSource;
// ~ Methods
// ========================================================================================================
/**
* Method that is actually called by the filter chain. Simply delegates to
* the { @link #invoke(FilterInvocation)} method.
*
* @param request
* the servlet request
* @param response
* the servlet response
* @param chain
* the filter chain
*
* @throws IOException
* if the filter chain fails
* @throws ServletException
* if the filter chain fails
*/
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
FilterInvocation fi = new FilterInvocation(request, response, chain);
invoke(fi);
}
public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
return this .securityMetadataSource;
}
public Class <? extends Object > getSecureObjectClass() {
return FilterInvocation. class ;
}
public void invoke(FilterInvocation fi) throws IOException,
ServletException {
InterceptorStatusToken token = super .beforeInvocation(fi);
try {
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
} finally {
super .afterInvocation(token, null );
}
}
public SecurityMetadataSource obtainSecurityMetadataSource() {
return this .securityMetadataSource;
}
public void setSecurityMetadataSource(
FilterInvocationSecurityMetadataSource newSource) {
this .securityMetadataSource = newSource;
}
@Override
public void destroy() {
}
@Override
public void init(FilterConfig arg0) throws ServletException {
}
}
最核心的代码就是invoke方法中的InterceptorStatusToken token = super.beforeInvocation(fi);这一句,即在执行doFilter之前,进行权限的检查,而具体的实现已经交给 accessDecisionManager了,下文中会讲述。
4,来看看authentication-provider的实现:
package com. user.erp.fwk.security;
import java.util.ArrayList;
import java.util.Collection;
import org.springframework.dao.DataAccessException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
public class MyUserDetailService implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException, DataAccessException {
Collection < GrantedAuthority > auths = new ArrayList < GrantedAuthority > ();
GrantedAuthorityImpl auth2 = new GrantedAuthorityImpl( " ROLE_ADMIN " );
auths.add(auth2);
if (username.equals( " user1 " )) {
auths = new ArrayList < GrantedAuthority > ();
GrantedAuthorityImpl auth1 = new GrantedAuthorityImpl( " ROLE_ user" );
auths.add(auth1);
}
// User(String username, String password, boolean enabled, boolean accountNonExpired,
// boolean credentialsNonExpired, boolean accountNonLocked, Collection<GrantedAuthority> authorities) {
User user = new User(username,
" user" , true , true , true , true , auths);
return user;
}
}
在这个类中,你就可以从数据库中读入用户的密码,角色信息,是否锁定,账号是否过期等,我想这么简单的代码就不再多解释了。
5,对于资源的访问权限的定义,我们通过实现FilterInvocationSecurityMetadataSource这个接口来初始化数据。
package com. user.erp.fwk.security;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.AntUrlPathMatcher;
import org.springframework.security.web.util.UrlMatcher;
/**
*
* 此类在初始化时,应该取到所有资源及其对应角色的定义
*
* @author user
*
*/
public class MyInvocationSecurityMetadataSource
implements FilterInvocationSecurityMetadataSource {
private UrlMatcher urlMatcher = new AntUrlPathMatcher();;
private static Map < String, Collection < ConfigAttribute >> resourceMap = null ;
public MyInvocationSecurityMetadataSource() {
loadResourceDefine();
}
private void loadResourceDefine() {
resourceMap = new HashMap < String, Collection < ConfigAttribute >> ();
Collection < ConfigAttribute > atts = new ArrayList < ConfigAttribute > ();
ConfigAttribute ca = new SecurityConfig( " ROLE_ADMIN " );
atts.add(ca);
resourceMap.put( " /index.jsp " , atts);
resourceMap.put( " /i.jsp " , atts);
}
// According to a URL, Find out permission configuration of this URL.
public Collection < ConfigAttribute > getAttributes(Object object)
throws IllegalArgumentException {
// guess object is a URL.
String url = ((FilterInvocation)object).getRequestUrl();
Iterator < String > ite = resourceMap.keySet().iterator();
while (ite.hasNext()) {
String resURL = ite.next();
if (urlMatcher.pathMatchesUrl(url, resURL)) {
return resourceMap.get(resURL);
}
}
return null ;
}
public boolean supports(Class <?> clazz) {
return true ;
}
public Collection < ConfigAttribute > getAllConfigAttributes() {
return null ;
}
}
看看loadResourceDefine方法,我在这里,假定index.jsp和i.jsp这两个资源,需要ROLE_ADMIN角色的用户才能访问。
这个类中,还有一个最核心的地方,就是提供某个资源对应的权限定义,即getAttributes方法返回的结果。注意,我例子中使用的是 AntUrlPathMatcher这个path matcher来检查URL是否与资源定义匹配,事实上你还要用正则的方式来匹配,或者自己实现一个matcher。
6,剩下的就是最终的决策了,make a decision,其实也很容易,呵呵。
package com. user.erp.fwk.security;
import java.util.Collection;
import java.util.Iterator;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
public class MyAccessDecisionManager implements AccessDecisionManager {
// In this method, need to compare authentication with configAttributes.
// 1, A object is a URL, a filter was find permission configuration by this URL, and pass to here.
// 2, Check authentication has attribute in permission configuration (configAttributes)
// 3, If not match corresponding authentication, throw a AccessDeniedException.
public void decide(Authentication authentication, Object object,
Collection < ConfigAttribute > configAttributes)
throws AccessDeniedException, InsufficientAuthenticationException {
if (configAttributes == null ) {
return ;
}
System.out.println(object.toString()); // object is a URL.
Iterator < ConfigAttribute > ite = configAttributes.iterator();
while (ite.hasNext()) {
ConfigAttribute ca = ite.next();
String needRole = ((SecurityConfig)ca).getAttribute();
for (GrantedAuthority ga:authentication.getAuthorities()) {
if (needRole.equals(ga.getAuthority())) { // ga is user's role.
return ;
}
}
}
throw new AccessDeniedException( " no right " );
}
@Override
public boolean supports(ConfigAttribute attribute) {
// TODO Auto-generated method stub
return true ;
}
@Override
public boolean supports(Class <?> clazz) {
return true ;
}
}
在这个类中,最重要的是decide方法,如果不存在对该资源的定义,直接放行;否则,如果找到正确的角色,即认为拥有权限,并放行,否则throw new AccessDeniedException("no right");这样,就会进入上面提到的403.jsp页面。
2,配置web.xml,使用Spring的机制装载:
<? xml version="1.0" encoding="UTF-8" ?>
< web-app version ="2.4" xmlns ="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi ="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation ="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" >
< context-param >
< param-name > contextConfigLocation </ param-name >
< param-value > classpath:applicationContext*.xml </ param-value >
</ context-param >
< listener >
< listener-class >
org.springframework.web.context.ContextLoaderListener
</ listener-class >
</ listener >
< filter >
< filter-name > springSecurityFilterChain </ filter-name >
< filter-class >
org.springframework.web.filter.DelegatingFilterProxy
</ filter-class >
</ filter >
< filter-mapping >
< filter-name > springSecurityFilterChain </ filter-name >
< url-pattern > /* </ url-pattern >
</ filter-mapping >
< welcome-file-list >
< welcome-file > login.jsp </ welcome-file >
</ welcome-file-list >
</ web-app >
这个文件中的内容我相信大家都很熟悉了,不再多说了。
2,来看看applicationContext-security.xml这个配置文件,关于Spring Security的配置均在其中:
<? xml version="1.0" encoding="UTF-8" ?>
< beans:beans xmlns ="http://www.springframework.org/schema/security"
xmlns:beans ="http://www.springframework.org/schema/beans"
xmlns:xsi ="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation ="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd" >
< http access-denied-page ="/403.jsp" > <!-- 当访问被拒绝时,会转到403.jsp -->
< intercept-url pattern ="/login.jsp" filters ="none" />
< form-login login-page ="/login.jsp"
authentication-failure-url ="/login.jsp?error=true"
default-target-url ="/index.jsp" />
< logout logout-success-url ="/login.jsp" />
< http-basic />
<!-- 增加一个filter,这点与Acegi是不一样的,不能修改默认的filter了,这个filter位于FILTER_SECURITY_INTERCEPTOR之前 -->
< custom-filter before ="FILTER_SECURITY_INTERCEPTOR"
ref ="myFilter" />
</ http >
<!-- 一个自定义的filter,必须包含authenticationManager,accessDecisionManager,securityMetadataSource三个属性,
我们的所有控制将在这三个类中实现,解释详见具体配置 -->
< beans:bean id ="myFilter" class ="com. user.erp.fwk.security.MyFilterSecurityInterceptor" >
< beans:property name ="authenticationManager"
ref ="authenticationManager" />
< beans:property name ="accessDecisionManager"
ref ="myAccessDecisionManagerBean" />
< beans:property name ="securityMetadataSource"
ref ="securityMetadataSource" />
</ beans:bean >
<!-- 认证管理器,实现用户认证的入口,主要实现UserDetailsService接口即可 -->
< authentication-manager alias ="authenticationManager" >
< authentication-provider
user-service-ref ="myUserDetailService" >
<!-- 如果用户的密码采用加密的话,可以加点“盐”
<password-encoder hash="md5" />
-->
</ authentication-provider >
</ authentication-manager >
< beans:bean id ="myUserDetailService"
class ="com. user.erp.fwk.security.MyUserDetailService" />
<!-- 访问决策器,决定某个用户具有的角色,是否有足够的权限去访问某个资源 -->
< beans:bean id ="myAccessDecisionManagerBean"
class ="com. user.erp.fwk.security.MyAccessDecisionManager" >
</ beans:bean >
<!-- 资源源数据定义,即定义某一资源可以被哪些角色访问 -->
< beans:bean id ="securityMetadataSource"
class ="com. user.erp.fwk.security.MyInvocationSecurityMetadataSource" />
</ beans:beans >
3,来看看自定义filter的实现:
package com. user.erp.fwk.security;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor
implements Filter {
private FilterInvocationSecurityMetadataSource securityMetadataSource;
// ~ Methods
// ========================================================================================================
/**
* Method that is actually called by the filter chain. Simply delegates to
* the { @link #invoke(FilterInvocation)} method.
*
* @param request
* the servlet request
* @param response
* the servlet response
* @param chain
* the filter chain
*
* @throws IOException
* if the filter chain fails
* @throws ServletException
* if the filter chain fails
*/
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
FilterInvocation fi = new FilterInvocation(request, response, chain);
invoke(fi);
}
public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
return this .securityMetadataSource;
}
public Class <? extends Object > getSecureObjectClass() {
return FilterInvocation. class ;
}
public void invoke(FilterInvocation fi) throws IOException,
ServletException {
InterceptorStatusToken token = super .beforeInvocation(fi);
try {
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
} finally {
super .afterInvocation(token, null );
}
}
public SecurityMetadataSource obtainSecurityMetadataSource() {
return this .securityMetadataSource;
}
public void setSecurityMetadataSource(
FilterInvocationSecurityMetadataSource newSource) {
this .securityMetadataSource = newSource;
}
@Override
public void destroy() {
}
@Override
public void init(FilterConfig arg0) throws ServletException {
}
}
最核心的代码就是invoke方法中的InterceptorStatusToken token = super.beforeInvocation(fi);这一句,即在执行doFilter之前,进行权限的检查,而具体的实现已经交给 accessDecisionManager了,下文中会讲述。
4,来看看authentication-provider的实现:
package com. user.erp.fwk.security;
import java.util.ArrayList;
import java.util.Collection;
import org.springframework.dao.DataAccessException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
public class MyUserDetailService implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException, DataAccessException {
Collection < GrantedAuthority > auths = new ArrayList < GrantedAuthority > ();
GrantedAuthorityImpl auth2 = new GrantedAuthorityImpl( " ROLE_ADMIN " );
auths.add(auth2);
if (username.equals( " user1 " )) {
auths = new ArrayList < GrantedAuthority > ();
GrantedAuthorityImpl auth1 = new GrantedAuthorityImpl( " ROLE_ user" );
auths.add(auth1);
}
// User(String username, String password, boolean enabled, boolean accountNonExpired,
// boolean credentialsNonExpired, boolean accountNonLocked, Collection<GrantedAuthority> authorities) {
User user = new User(username,
" user" , true , true , true , true , auths);
return user;
}
}
在这个类中,你就可以从数据库中读入用户的密码,角色信息,是否锁定,账号是否过期等,我想这么简单的代码就不再多解释了。
5,对于资源的访问权限的定义,我们通过实现FilterInvocationSecurityMetadataSource这个接口来初始化数据。
package com. user.erp.fwk.security;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.AntUrlPathMatcher;
import org.springframework.security.web.util.UrlMatcher;
/**
*
* 此类在初始化时,应该取到所有资源及其对应角色的定义
*
* @author user
*
*/
public class MyInvocationSecurityMetadataSource
implements FilterInvocationSecurityMetadataSource {
private UrlMatcher urlMatcher = new AntUrlPathMatcher();;
private static Map < String, Collection < ConfigAttribute >> resourceMap = null ;
public MyInvocationSecurityMetadataSource() {
loadResourceDefine();
}
private void loadResourceDefine() {
resourceMap = new HashMap < String, Collection < ConfigAttribute >> ();
Collection < ConfigAttribute > atts = new ArrayList < ConfigAttribute > ();
ConfigAttribute ca = new SecurityConfig( " ROLE_ADMIN " );
atts.add(ca);
resourceMap.put( " /index.jsp " , atts);
resourceMap.put( " /i.jsp " , atts);
}
// According to a URL, Find out permission configuration of this URL.
public Collection < ConfigAttribute > getAttributes(Object object)
throws IllegalArgumentException {
// guess object is a URL.
String url = ((FilterInvocation)object).getRequestUrl();
Iterator < String > ite = resourceMap.keySet().iterator();
while (ite.hasNext()) {
String resURL = ite.next();
if (urlMatcher.pathMatchesUrl(url, resURL)) {
return resourceMap.get(resURL);
}
}
return null ;
}
public boolean supports(Class <?> clazz) {
return true ;
}
public Collection < ConfigAttribute > getAllConfigAttributes() {
return null ;
}
}
看看loadResourceDefine方法,我在这里,假定index.jsp和i.jsp这两个资源,需要ROLE_ADMIN角色的用户才能访问。
这个类中,还有一个最核心的地方,就是提供某个资源对应的权限定义,即getAttributes方法返回的结果。注意,我例子中使用的是 AntUrlPathMatcher这个path matcher来检查URL是否与资源定义匹配,事实上你还要用正则的方式来匹配,或者自己实现一个matcher。
6,剩下的就是最终的决策了,make a decision,其实也很容易,呵呵。
package com. user.erp.fwk.security;
import java.util.Collection;
import java.util.Iterator;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
public class MyAccessDecisionManager implements AccessDecisionManager {
// In this method, need to compare authentication with configAttributes.
// 1, A object is a URL, a filter was find permission configuration by this URL, and pass to here.
// 2, Check authentication has attribute in permission configuration (configAttributes)
// 3, If not match corresponding authentication, throw a AccessDeniedException.
public void decide(Authentication authentication, Object object,
Collection < ConfigAttribute > configAttributes)
throws AccessDeniedException, InsufficientAuthenticationException {
if (configAttributes == null ) {
return ;
}
System.out.println(object.toString()); // object is a URL.
Iterator < ConfigAttribute > ite = configAttributes.iterator();
while (ite.hasNext()) {
ConfigAttribute ca = ite.next();
String needRole = ((SecurityConfig)ca).getAttribute();
for (GrantedAuthority ga:authentication.getAuthorities()) {
if (needRole.equals(ga.getAuthority())) { // ga is user's role.
return ;
}
}
}
throw new AccessDeniedException( " no right " );
}
@Override
public boolean supports(ConfigAttribute attribute) {
// TODO Auto-generated method stub
return true ;
}
@Override
public boolean supports(Class <?> clazz) {
return true ;
}
}
在这个类中,最重要的是decide方法,如果不存在对该资源的定义,直接放行;否则,如果找到正确的角色,即认为拥有权限,并放行,否则throw new AccessDeniedException("no right");这样,就会进入上面提到的403.jsp页面。
相关文章推荐
- sublime中配置Java 环境
- Java NIO系列教程(十一) Pipe
- struts2和mybatis的多例和单例
- Spring安全权限管理(Spring Security)
- struts2 s:if标签以及 #,%{},%{#}的使用方法等在资料整理
- Java中英文混排字符串字节个数计算
- java 字符串截取
- SSH中 整合spring和proxool 连接池
- Java NIO系列教程(十) Java NIO DatagramChannel
- Java二分插入排序
- Java NIO系列教程(九) ServerSocketChannel
- 如何在SpringMVC中获取request对象
- java错误
- java 编译.java文件
- Java学习笔记--HashMap
- Java过滤器与SpringMVC拦截器之间的关系与区别
- java nio
- 用JAVA生成老电影海报
- 工具类——java在图片指定位置写字
- java给图片添加小图片和文本信息