Security Study Notes 1
1. Spring Security's authorization checks are implemented with servlet filters, so the first step is to add the following to web.xml:
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
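Here DelegatingFilterProxy delegates to a filter bean defined in applicationcontext.xml, and springSecurityFilterChain is the name of that filter bean in applicationcontext.xml. The bean is generated automatically by the security namespace <http> configuration, so no other bean may be defined under this name.
2. Configure the <http> element. A typical configuration looks like this: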
<http auto-config="true">
  <form-login login-page="/notLogin.jsp"
      authentication-failure-url="/loginFailure.jsp"
      default-target-url="/security/security!isLogin.action" />
  <logout logout-success-url="/security/security!isLogin.action" />
  <remember-me user-service-ref="userDetailsService"/>
</http>
Here auto-config="true" is equivalent to:
<http>
  <intercept-url pattern="/**" access="ROLE_USER" />
  <form-login />
  <anonymous />
  <http-basic />
  <logout />
  <remember-me />
</http>
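When auto-config="true" is used, the UserDetailsService for <remember-me> must also be configured, as the code above does by referencing an already defined bean.
3. Use <authentication-provider> to supply custom authentication logic. Its child element <password-encoder> sets how passwords are hashed, as the following code shows: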
<authentication-provider user-service-ref="userDetailsService">
  <password-encoder hash="md5"/>
</authentication-provider>
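You can also use <
4. Configure an alias for <authentication-manager>. This bean is generated automatically, so giving it an alias is necessary whenever you need to reference it elsewhere, as follows:
<authentication-manager alias="authenticationManager"/>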
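The provider from step 3 and the alias from step 4 combined, with a salted adaptive hash in place of hash="md5": without a salt source, that setting stores one plain MD5 digest per password, so equal passwords give equal digests and guessing is cheap. This is an added example, not configuration from the original notes. It assumes Spring Security 3.1 or later, where <authentication-provider> is nested inside <authentication-manager> and BCryptPasswordEncoder is available; the bean id passwordEncoder is a name chosen here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Before (from the notes): a single unsalted MD5 pass per password.
  <authentication-provider user-service-ref="userDetailsService">
    <password-encoder hash="md5"/>
  </authentication-provider>
  -->

  <!-- Assumption: the bean id "passwordEncoder" is chosen for this example.
       BCrypt generates a random salt for every password and stores it
       inside the hash string. The constructor argument is the work factor
       (log2 of the number of rounds, 4 to 31, default 10). -->
  <beans:bean id="passwordEncoder"
      class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
    <beans:constructor-arg value="12"/>
  </beans:bean>

  <!-- "userDetailsService" is the bean the notes already reference. It is
       defined elsewhere and must return the stored bcrypt hash as the
       user's password. The alias keeps the manager referenceable by name. -->
  <authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="userDetailsService">
      <password-encoder ref="passwordEncoder"/>
    </authentication-provider>
  </authentication-manager>

</beans:beans>
```

Existing MD5 digests cannot be converted to bcrypt; each account has to be re-hashed when the user next logs in or resets the password.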