Concept:
Spring Security is Spring's security framework. Its web layer is built on servlet filters (a filter chain registered in web.xml), and its method-level authorization is applied through AOP-style interception. It provides a complete authentication mechanism and method-level authorization, and is a mature access-control framework.
Add the Maven dependencies. spring-security-config supplies the XML namespace used below; spring-security-taglibs supplies the JSP tags and pulls in spring-security-web (the filter chain itself) transitively.
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>5.4.0</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>5.4.0</version>
</dependency>
Configure web.xml
<!-- Spring Security filter chain. The filter name MUST be springSecurityFilterChain:
     DelegatingFilterProxy delegates to the bean of that name in the root WebApplicationContext,
     so spring-security.xml has to be loaded by ContextLoaderListener (contextConfigLocation). -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- Apply the chain to every request -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Configure spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!-- Spring Security configuration -->
<!--
auto-config="true" registers the default form-login, http-basic and logout support
(it does not load a configuration file); when no custom login page is configured,
Spring Security generates one at /login.
use-expressions="true" makes the access attribute a SpEL expression (the default since Spring Security 4).
-->
<security:http auto-config="true" use-expressions="true">
<!-- Access rules, evaluated in order: the first matching pattern wins -->
<!--
pattern="/**" matches every resource
access="hasAnyRole('ROLE_USER')" allows only users holding ROLE_USER.
hasRole/hasAnyRole add the ROLE_ prefix when it is missing, so 'USER' works as well.
With this single rule the admin user below authenticates successfully but is then
denied (403) on every URL, because it holds only ROLE_ADMIN.
-->
<security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')"/>
</security:http>
<!-- Source of user details for authentication -->
<!-- Spring Security 5 uses DelegatingPasswordEncoder by default, so a stored password must carry
     an encoder id prefix such as {bcrypt}. {noop} means the password is kept as plain text with no
     hashing: acceptable for a demo, never for real users. -->
<security:authentication-manager>
<security:authentication-provider>
<security:user-service>
<security:user name="user" password="{noop}user" authorities="ROLE_USER"/>
<security:user name="admin" password="{noop}admin" authorities="ROLE_ADMIN"/>
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans>
How the Spring Security filter chain is loaded
The servlet container invokes DelegatingFilterProxy for every request. The proxy looks up the bean named springSecurityFilterChain (a FilterChainProxy built from <security:http>) in the root WebApplicationContext and hands the request to it. FilterChainProxy then runs its ordered security filters; for the configuration above these include SecurityContextPersistenceFilter, CsrfFilter, LogoutFilter, UsernamePasswordAuthenticationFilter, ExceptionTranslationFilter and, last, FilterSecurityInterceptor, which evaluates the intercept-url rules.
<!-- Disable the CSRF filter (demo only: this removes the token check on every state-changing request) -->
<security:csrf disabled="true"/>
Login page (JSP)
<%@ taglib uri="http://www.springframework.org/security/tags" prefix="security" %>
<form action="${pageContext.request.contextPath}/login" method="post">
    <security:csrfInput/> <%-- hidden _csrf field so the POST passes CsrfFilter --%>
    <input type="text" name="username"/> <input type="password" name="password"/>
    <input type="submit" value="Login"/>
</form>
With the CSRF filter disabled nothing checks the token, so a POST to ${pageContext.request.contextPath}/login is accepted without one; with it enabled, a form POST lacking a valid _csrf token is rejected with 403, whereas if
The steps above covered: how the Spring Security filter chain is loaded, using a custom login page, disabling CSRF interception,
Spring Security's CSRF protection, Spring Security logout, and an analysis of the Spring Security authentication flow.
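For the CSRF section and the custom login page, logout and authentication-flow steps summarised above, here is a <security:http> block with those pieces in place, added as an example (not the original page's configuration). CSRF protection stays on instead of being disabled; the page names login.jsp, index.jsp, 403.jsp, the /css/** path and the field names username/password are assumptions (failer.jsp is the failure page the notes refer to):

```xml
<security:http auto-config="true" use-expressions="true">
    <!-- Pages that must be reachable before authentication. Without permitAll() the
         /** rule below would redirect the login page to itself in a loop. -->
    <security:intercept-url pattern="/login.jsp" access="permitAll()"/>
    <security:intercept-url pattern="/failer.jsp" access="permitAll()"/>
    <security:intercept-url pattern="/css/**" access="permitAll()"/>
    <security:intercept-url pattern="/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>

    <!-- Custom login page. login-processing-url is the POST handled by
         UsernamePasswordAuthenticationFilter; the form field names must match
         username-parameter / password-parameter. -->
    <security:form-login login-page="/login.jsp"
                         login-processing-url="/login"
                         username-parameter="username"
                         password-parameter="password"
                         default-target-url="/index.jsp"
                         always-use-default-target="false"
                         authentication-failure-url="/failer.jsp"/>

    <!-- CSRF protection left enabled (it is on by default). Every POST, including the
         login and logout forms, must carry the token, e.g. via <security:csrfInput/>.
         The weak variant seen earlier, <security:csrf disabled="true"/>, is not used. -->
    <security:csrf/>

    <!-- Logout. With CSRF enabled, LogoutFilter accepts only POST /logout, so the
         logout control must be a form (with csrfInput), not a plain link. -->
    <security:logout logout-url="/logout"
                     logout-success-url="/login.jsp"
                     invalidate-session="true"
                     delete-cookies="JSESSIONID"/>

    <!-- Authenticated user without the required role: show this page instead of a bare 403 -->
    <security:access-denied-handler error-page="/403.jsp"/>
</security:http>
```

The rules are evaluated top-down and the first match wins, so the permitAll() entries must precede the catch-all /** rule. A failed login lands on failer.jsp, which is why that page is reachable without a session while every other page still redirects to login.jsp.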
Spring Security authentication against user records in the database: done
**Although failer.jsp can be accessed directly, the other pages still cannot.**
Spring Security authentication with hashed passwords is done!!!
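The database-backed authentication and the hashed-password authentication described in the last two sections, as one <security:authentication-manager> block. This is an added example, not the page's own configuration: it replaces the in-memory <security:user-service> with the namespace's <security:jdbc-user-service> and swaps the {noop} plain-text passwords for BCrypt. The dataSource bean, the table and column names (sys_user, sys_role, sys_user_role) and the bean id passwordEncoder are assumptions:

```xml
<!-- Users and authorities loaded from the database. The data source bean and the
     table/column names are assumptions for this example.
     users-by-username-query must return (username, password, enabled);
     authorities-by-username-query must return (username, authority) and the authority
     values must carry the ROLE_ prefix to satisfy hasRole / hasAnyRole. -->
<security:jdbc-user-service id="jdbcUserService"
    data-source-ref="dataSource"
    users-by-username-query="SELECT username, password, enabled FROM sys_user WHERE username = ?"
    authorities-by-username-query="SELECT u.username, r.role_name FROM sys_user u
        JOIN sys_user_role ur ON u.id = ur.uid
        JOIN sys_role r ON ur.rid = r.id
        WHERE u.username = ?"/>

<!-- BCrypt with the library default work factor 10 (raise it as hardware allows). -->
<bean id="passwordEncoder"
      class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
    <constructor-arg value="10"/>
</bean>

<security:authentication-manager>
    <security:authentication-provider user-service-ref="jdbcUserService">
        <!-- With an explicit encoder, sys_user.password must hold raw BCrypt hashes
             ($2a$10$...), produced once with new BCryptPasswordEncoder().encode(rawPassword).
             Plain-text values such as the earlier {noop}user will never match. -->
        <security:password-encoder ref="passwordEncoder"/>
    </security:authentication-provider>
</security:authentication-manager>
```

If the <security:password-encoder> element is omitted, Spring Security 5 falls back to DelegatingPasswordEncoder and the stored values must then be prefixed with their encoder id, e.g. {bcrypt}$2a$10$..., which is the form to prefer when several hash algorithms may coexist during a migration.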