一:单独启用配置思路: spring-security.xml: 1.配置路径对应的权限 2.配置用户权限授权
web.xml: 1.配置spring-security过滤器 2.配置spring-security监听器,防止session固话攻击和session并发控制
二:spring-security集成cas配置思路: spring-security-cas.xml: 1.配置路径对应的权限 2.把cas的认证配置集成到这里来(即登录认证路径、认证成功回调地址、ticket校验路径、登出session监听、登出路径,登出成功回调路径等,不在web.xml配置了) 3.角色授权,即用户授权
web.xml不变
一:单独启用配置
<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.2.xsd "> <!--不需要权限的资源--> <http pattern="/images/**" security="none"/> <!--权限过滤--> <http auto-config="true" use-expressions="true"> <!-- 开启防止CSRF攻击 请求页面要携带指定参数:<input name="${_csrf.parameterName}" type="hidden" value="${_csrf.token}" /> --> <csrf /> <!-- 所有带有admin的请求都需要Admin权限 hasRole:拥有什么角色才可以访问 --> <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/> <intercept-url pattern="/" access="hasRole('ROLE_ADMIN')"/> <intercept-url pattern="/index.jsp" access="hasRole('ROLE_ADMIN')"/> <!-- login-page:自定义登录页面 login-processing-url:登录校验请求URL default-target-url:默认登录成功后跳转的地址 authentication-failure-url:登录失败跳转的地址 username-parameter:自定义登录页面,请求的用户名参数(用于后面查数据库校验作用) password-parameter:自定义登录页面,请求的密码参数(用于后面查数据库校验作用) --> <form-login login-page="/login" login-processing-url="/j_spring_security_check" default-target-url="/admin/welcome" authentication-failure-url="/login?error" username-parameter="username" password-parameter="password"/> <!-- 退出 logout-success-url:退出成功跳转URL logout-url:退出请求URL --> <logout logout-success-url="/login?logout" logout-url="/j_spring_security_logout" /> </http> <!--授权管理--> <authentication-manager> <!--<!–提供账号密码–> <authentication-provider> <!– 硬编码方式提供账号密码 authorities:赋予什么角色 –> <!–<user-service> <user name="admin" authorities="ROLE_ADMIN" password="123456" disabled="false"/> </user-service>–> <!–查数据库方式–> <jdbc-user-service data-source-ref="dataSource" users-by-username-query="select username, password, enabled from users where username=?"/> </authentication-provider>--> <!--自定义登录校验器--> <authentication-provider user-service-ref="loginValidation"/> </authentication-manager> <beans:bean class="cn.test.security.LoginValidation" id="loginValidation" /> </beans:beans>
根据需要,放开注释部分。
/** * spring-security自定义登录校验器,必须实现UserDetailsService */ public class LoginValidation implements UserDetailsService { @Autowired private UserService userService; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { cn.test.model.User user = userService.getUserByUsername(username); List<SimpleGrantedAuthority> authorities = new ArrayList<SimpleGrantedAuthority>(); authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN")); User user1 = new User(user.getUsername(), user.getPassword(),authorities); return user1; //集成cas后 /*List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(); authorities.add(new SimpleGrantedAuthority("ROLE_USER")); return new User(username,"",authorities);*/ } }web.xml添加:
<!--springsecurity过滤器,做资源权限的拦截和验证--> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- springsecurity监听 防止session固话攻击和session并发控制 --> <listener> <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class> </listener>二:spring-security集成cas配置
上面的spring-security.xml全删除,改为spring-security-cas.xml
<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> <!--过滤不需要的权限的URL--> <http pattern="/images/**" security="none"></http> <!-- entry-point-ref 入口点引用 --> <http use-expressions="false" entry-point-ref="casProcessingFilterEntryPoint"> <intercept-url pattern="/**" access="ROLE_USER"/> <csrf disabled="true"/> <!-- custom-filter为过滤器, position 表示将过滤器放在指定的位置上,before表示放在指定位置之前 ,after表示放在指定的位置之后 --> <custom-filter ref="casAuthenticationFilter" position="CAS_FILTER" /> <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/> <custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/> </http> <!-- CAS入口点 开始 --> <beans:bean id="casProcessingFilterEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"> <!-- 单点登录服务器登录URL --> <beans:property name="loginUrl" value="https://www.sso.com:8443/cas/login"/> <beans:property name="serviceProperties" ref="serviceProperties"/> </beans:bean> <beans:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties"> <!-- service 配置自身工程的根地址+/login/cas /login/cas:是spring-security自身定义的,用于cas回调的URL --> <beans:property name="service" value="/login/cas"/> </beans:bean> <!-- CAS入口点 结束 --> <!-- 认证过滤器 开始 --> <beans:bean id="casAuthenticationFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter"> <beans:property name="authenticationManager" ref="authenticationManager"/> </beans:bean> <!-- 认证管理器 --> <authentication-manager alias="authenticationManager"> <authentication-provider ref="casAuthenticationProvider"> </authentication-provider> </authentication-manager> <!-- 认证提供者 --> <beans:bean id="casAuthenticationProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider"> <beans:property name="authenticationUserDetailsService"> <beans:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper"> <beans:constructor-arg ref="userDetailsService" /> </beans:bean> </beans:property> <beans:property name="serviceProperties" ref="serviceProperties"/> <!-- ticketValidator 为票据验证器 --> <beans:property name="ticketValidator"> <beans:bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"> <beans:constructor-arg index="0" value="https://www.sso.com:8443/cas"/> </beans:bean> </beans:property> <beans:property name="key" value="an_id_for_this_auth_provider_only"/> </beans:bean> <!-- 认证类 --> <beans:bean id="userDetailsService" class="cn.test.security.LoginValidation"/> <!-- 认证过滤器 结束 --> <!-- 单点登出 开始 --> <!--检测登出 session做相应处理 过滤器--> <beans:bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/> <!-- 经过此配置,当用户在地址栏输入本地工程 /logout/cas --> <beans:bean id="requestSingleLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter"> <beans:constructor-arg value="https://www.sso.com:8443/cas/logout?service=http://localhost:8080/images/2.jpeg"/> <beans:constructor-arg> <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/> </beans:constructor-arg> <!--本地登出URL spring-security自己定义退出登录本地要访问的URL--> <beans:property name="filterProcessesUrl" value="/logout/cas"/> </beans:bean> <!-- 单点登出 结束 --> </beans:beans>/** * spring-security自定义登录校验器,必须实现UserDetailsService */ public class LoginValidation implements UserDetailsService { @Autowired private UserService userService; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { /*cn.test.model.User user = userService.getUserByUsername(username); List<SimpleGrantedAuthority> authorities = new ArrayList<SimpleGrantedAuthority>(); authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN")); User user1 = new User(user.getUsername(), user.getPassword(),authorities); return user1;*/ //集成cas后 List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(); authorities.add(new SimpleGrantedAuthority("ROLE_USER")); return new User(username,"",authorities); } }
补充:访问数据库授权---添加SQL表
CREATE TABLE `users` ( `username` varchar(50) NOT NULL, `password` varchar(50) NOT NULL, `enabled` varchar(50) NOT NULL, PRIMARY KEY (`username`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8; CREATE TABLE `authorities` ( `username` varchar(50) NOT NULL, `authority` varchar(50) NOT NULL, UNIQUE KEY `ix_auth_username` (`username`,`authority`), CONSTRAINT `fk_authorities_users` FOREIGN KEY (`username`) REFERENCES `users` (`username`) ) ENGINE=InnoDB DEFAULT CHARSET=utf8;这里是简单使用配置。
