
A simple spring-security 4.x setup (continuously updated)

2016-03-30 12:35
(Prerequisite: the project already includes Spring and Spring MVC, and the web application is reachable.)

1. Add the spring-security dependencies to the pom file:

<!-- spring security -->
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>4.0.2.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-web</artifactId>
    <version>4.0.2.RELEASE</version>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-config</artifactId>
    <version>4.0.2.RELEASE</version>
</dependency>


2. Configure the spring-security filter in web.xml:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>


3. In web.xml, list all the Spring configuration files that need to be loaded:

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        classpath*:spring/applicationContext*.xml
    </param-value>
</context-param>


4. Create the spring-security configuration file applicationContext-security.xml with the following content:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
    <!-- Resources that do not go through security checks -->
    <http pattern="/static/**" security="none" />
    <http pattern="/login" security="none" />
    <http>
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
        <form-login login-page="/login" password-parameter="password" username-parameter="userName"
            login-processing-url="/j_spring_security_check"
            default-target-url="/login/index" always-use-default-target="true"/>
        <logout invalidate-session="true" logout-success-url="/login" logout-url="/j_spring_security_logout"/>
        <session-management invalid-session-url="/login" session-authentication-error-url="/login"/>
        <csrf disabled="true" />
    </http>
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="admin" password="123456" authorities="ROLE_USER, ROLE_ADMIN" />
                <user name="bob" password="bobspassword" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>


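5. The action (uses Spring MVC):

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
@RequestMapping("/login")
public class LoginController {

    // Renders the login page (login-page="/login")
    @RequestMapping("")
    public String login() {
        return "login";
    }

    // Page shown after a successful login (default-target-url="/login/index")
    @RequestMapping("/index")
    public String index() {
        return "index";
    }
}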


6. JSP page login.jsp:

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>首页</title>
</head>
<body>
<div class="layout-middle login-box">
    <div class="login-main">
        <div class="login-logo"></div>
        <div class="login-form">
            <form action="${ctx}/j_spring_security_check" method="POST">
                <ul>
                    <li class="inp-li">
                        <span class="title-sp"><i class="iconBL user"></i><em>用户名:</em></span>
                        <span class="cont-sp"><input name="userName" type="text" class="text-inp" autocorrect="off" autocapitalize="off" /></span>
                    </li>
                    <li class="inp-li">
                        <span class="title-sp"><i class="iconBL password"></i><em>密码:</em></span>
                        <span class="cont-sp"><input name="password" type="password" class="text-inp" autocorrect="off" autocapitalize="off" /></span>
                    </li>
                    <li class="btn-li">
                        <span class="cont-sp"><input type="submit" value="登录" class="login-btn" onclick="window.location.href='login_password.html'; "></span>
                    </li>
                </ul>
            </form>
        </div>
    </div>
</div>
</body>
</html>


The above is the minimal configuration.
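The minimal configuration in step 4 disables CSRF protection and stores passwords in plain text; the fragment below is an added example (not from the original post) showing the same setup with CSRF protection left on and BCrypt-hashed passwords. Assumptions: the password values are placeholders to be replaced with real BCrypt hashes, and /login is moved from security="none" to permitAll so that the CSRF filter runs for the login page and can expose the token to login.jsp.

```xml
<!-- Added example: contents of applicationContext-security.xml inside <beans:beans> -->
<http pattern="/static/**" security="none" />
<http>
    <!-- /login now passes through the filter chain (permitAll) instead of
         security="none"; otherwise the _csrf request attribute is never set -->
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <form-login login-page="/login" password-parameter="password" username-parameter="userName"
        login-processing-url="/j_spring_security_check"
        default-target-url="/login/index" always-use-default-target="true" />
    <!-- With CSRF protection on, the logout URL only responds to a POST that carries the token -->
    <logout invalidate-session="true" logout-success-url="/login" logout-url="/j_spring_security_logout" />
    <session-management invalid-session-url="/login" session-authentication-error-url="/login" />
    <!-- No <csrf disabled="true" />: CSRF protection is enabled by default in 4.x -->
</http>
<authentication-manager>
    <authentication-provider>
        <!-- Stored passwords are treated as BCrypt hashes -->
        <password-encoder hash="bcrypt" />
        <user-service>
            <!-- Placeholders: replace with the output of BCryptPasswordEncoder.encode(...) -->
            <user name="admin" password="BCRYPT_HASH_PLACEHOLDER_ADMIN" authorities="ROLE_USER, ROLE_ADMIN" />
            <user name="bob" password="BCRYPT_HASH_PLACEHOLDER_BOB" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>

<!-- Added to login.jsp, inside the <form> that posts to /j_spring_security_check -->
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
```

Any other form in the application that issues a POST, including the one that triggers logout, needs the same hidden field.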

Adding a handler that runs after a successful login:

After a successful login, store the username in the session.

<http>
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <!-- One attribute is added to form-login here, pointing at the aleiyeAuthenticationSuccessHandler bean -->
    <form-login login-page="/login" password-parameter="password" username-parameter="userName"
        login-processing-url="/j_spring_security_check"
        default-target-url="/login/index" always-use-default-target="true"
        authentication-success-handler-ref="aleiyeAuthenticationSuccessHandler"/>
    <logout invalidate-session="true" logout-success-url="/login" logout-url="/j_spring_security_logout"/>
    <session-management invalid-session-url="/login" session-authentication-error-url="/login"/>
    <csrf disabled="true" />
</http>
<!-- The bean referenced above is defined here -->
<!-- Handler class for successful logins; it can populate the session, etc. -->
<beans:bean id="aleiyeAuthenticationSuccessHandler"
    class="com.chartdemo.system.AleiyeAuthenticationSuccessHandler">
    <beans:constructor-arg name="defaultTargetUrl" value="/login/index"/>
</beans:bean>


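The implementation of this bean:

package com.chartdemo.system;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AbstractAuthenticationTargetUrlRequestHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

public class AleiyeAuthenticationSuccessHandler extends
        AbstractAuthenticationTargetUrlRequestHandler implements
        AuthenticationSuccessHandler {

    public AleiyeAuthenticationSuccessHandler(String defaultTargetUrl) {
        setDefaultTargetUrl(defaultTargetUrl);
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws IOException, ServletException {

        // After a successful login, store the username in the session
        HttpSession session = request.getSession();
        session.setAttribute("userName", authentication.getName());
        // Redirect to the target URL (defaultTargetUrl)
        handle(request, response, authentication);
    }
}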