
Integrating Spring Security with SSH

2017-01-16 21:25

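Project description: Spring Security + SSH (Struts, Spring, Hibernate); users are authenticated and authorized against the database.


Spring Security configuration file

spring-security.xml is configured as follows: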

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.2.xsd">
    <!-- The login page requires no permissions -->
    <http security="none" pattern="/login.jsp" />
    <!-- JS files require no permissions; without this, jQuery (JS) files cannot be loaded -->
    <http security="none" pattern="/js/*.js" />
    <!-- The login-handling action requires no permissions -->
    <http security="none" pattern="/login.action" />
    <http auto-config="true">
        <!-- login-page sets the custom login page -->
        <!-- Handling of successful authentication:
             (1) if the user opened the login page directly, the default redirect is to the
                 project root; this can be changed with default-target-url;
             (2) if the user requested another page such as a.jsp and was sent to the login
                 page, they are returned to a.jsp after authenticating;
             (3) setting the always-use-default-target attribute always redirects to the
                 default target page after a successful authentication -->
        <form-login login-page="/login.jsp" username-parameter="username"
            password-parameter="password" />
        <!-- Every page requires ROLE_ADMIN (login.jsp was exempted above) -->
        <intercept-url pattern="/**" access="ROLE_ADMIN" />
    </http>
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userDetaisServiceImpl" />
    </authentication-manager>
    <beans:bean id="userDetaisServiceImpl" class="com.service.UserDetaisServiceImpl">
        <beans:property name="userDetailsDaoImpl" ref="userDetailsDaoImpl"></beans:property>
    </beans:bean>
    <beans:bean id="userDetailsDaoImpl" class="com.dao.UserDetailsDaoImpl">
        <beans:property name="sessionFactory" ref="sessionFactory"></beans:property>
    </beans:bean>
</beans:beans>


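Notes:
The authentication-manager relies on an authentication-provider to perform the actual verification. If this is unclear, see: http://wiki.jikexueyuan.com/project/spring-security/authenticationProvider.html

Our own UserDetaisServiceImpl class implements the UserDetailsService interface and its loadUserByUsername method to handle user authentication.

The code of the UserDetaisServiceImpl class is as follows: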


package com.service;

import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

import com.dao.UserDetailsDaoImpl;
import com.pojo.Role;
import com.pojo.User;

public class UserDetaisServiceImpl implements UserDetailsService {
    private UserDetailsDaoImpl userDetailsDaoImpl;

    public UserDetailsDaoImpl getUserDetailsDaoImpl() {
        return userDetailsDaoImpl;
    }

    public void setUserDetailsDaoImpl(UserDetailsDaoImpl userDetailsDaoImpl) {
        this.userDetailsDaoImpl = userDetailsDaoImpl;
    }

    @Override
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException {
        User user = userDetailsDaoImpl.findUser(username);
        if (user == null) {
            // The UserDetailsService contract forbids returning null:
            // an unknown user must be reported with this exception.
            throw new UsernameNotFoundException("User not found: " + username);
        }
        List<GrantedAuthority> authorities = buildUserAuthority(user.getRoles());
        return new org.springframework.security.core.userdetails.User(
                user.getUsername(), user.getPassword(), authorities);
    }

    // Convert the user's roles into authority objects that Spring Security understands
    private List<GrantedAuthority> buildUserAuthority(Set<Role> roles) {
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (Role role : roles) {
            authorities.add(new SimpleGrantedAuthority(role.getRoleName()));
        }
        return authorities;
    }

}



Action handler class

The main business method is as follows:

// username, password and authenticationManager are fields of the action class;
// getSession() and getOut() are helpers of the action (not shown on this page).
public void login() {
    try {
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
                username, password);
        // Authenticate; internally this calls UserDetaisServiceImpl.loadUserByUsername()
        Authentication authentication = authenticationManager
                .authenticate(token);
        SecurityContextHolder.getContext()
                .setAuthentication(authentication);
        // Store the context under the session key that Spring Security reads on later requests
        this.getSession().setAttribute("SPRING_SECURITY_CONTEXT",
                SecurityContextHolder.getContext());
        this.getOut().print("success");
    } catch (Exception e) {
        e.printStackTrace();
        this.getOut().print("error");
    }
}
To understand this code, we first need to know the authentication process; see: http://wiki.jikexueyuan.com/project/spring-security/certification.html

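UsernamePasswordAuthenticationToken wraps the username and password. authenticationManager then authenticates the token and returns a new Authentication object, which is stored in the SecurityContext; saving the SecurityContext into the session completes the authentication. The context has to be put into the session by hand because /login.action is configured with security="none", so no Spring Security filter runs for that request. For the same reason the filter chain's session-fixation protection is not applied to this login, and the action has to renew the session itself if that is required.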
Tags: ssh, Spring Security, maven