spring-security学习

介绍：

Spring Security，这是一种基于Spring AOP和Servlet过滤器的安全框架。它提供全面的安全性解决方案，同时在Web请求级和方法调用级处理身份确认和授权。在Spring Framework基础上，Spring Security充分利用了依赖注入（DI，Dependency Injection）和面向切面技术。

web.xml配置：

添加spring-security到项目中。

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"> 
<!-- SpringSecurity必须的filter -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-security.xml
/WEB-INF/applicationContext.xml
</param-value>
</context-param>

<servlet>
<servlet-name>spring</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
<servlet-name>spring</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>

<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

</web-app>

spring-security.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> 
<!--  Spring-Security 的配置 -->
<!-- 注意开启use-expressions.表示开启表达式.
see:http://www.family168.com/tutorial/springsecurity3/html/el-access.html
-->
<!--  auto-config设置true，使用默认设置，默认生成登录页面和错误页面等，也可以自定义 -->
<security:http auto-config="true" use-expressions="true" access-denied-page="/auth/denied" >

<security:intercept-url pattern="/auth/login" access="permitAll"/>
<security:intercept-url pattern="/main/admin" access="hasRole('ROLE_ADMIN')
4000
"/>
<security:intercept-url pattern="/main/common" access="hasRole('ROLE_USER')"/>

<security:form-login
login-page="/auth/login"
authentication-failure-url="/auth/login?error=true"
default-target-url="/main/common"/>

<security:logout
invalidate-session="true"
logout-success-url="/auth/login"
logout-url="/auth/logout"/>

</security:http>

<!-- 指定一个自定义的authentication-manager :customUserDetailsService -->
<security:authentication-manager>
<security:authentication-provider user-service-ref="customUserDetailsService">
<security:password-encoder ref="passwordEncoder"/>
</security:authentication-provider>
</security:authentication-manager>

<!-- 对密码进行MD5编码 -->
<bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>

<!--
通过 customUserDetailsService,Spring会自动的用户的访问级别.
也可以理解成:以后我们和数据库操作就是通过customUserDetailsService来进行关联.
-->
<bean id="customUserDetailsService" class="org.liukai.tutorial.service.CustomUserDetailsService"/>

</beans>

用户验证：只有符合条件的用户才能访问响应的路径（或者方法）

内存：用户信息存在内存中，

数据库：用户信息存在数据库中，

CAS：通过CAS验证（百度）

LDAP:轻量级目录访问协议

介绍：