1. Import the spring-security JARs, or declare them as Maven dependencies. The author chose Maven dependencies (the premise here is that the spring-security framework is being integrated into a Spring project for authentication). Configure the dependencies in pom.xml (the author's Spring is version 5.0+):
<dependencies>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>${spring.security.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>${spring.security.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-core</artifactId>
        <version>${spring.security.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-taglibs</artifactId>
        <version>${spring.security.version}</version>
    </dependency>
</dependencies>
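2. Configure web.xml:
<!-- Load the configuration files from the classpath -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:applicationContext.xml,classpath:spring-security.xml</param-value>
</context-param>
<!-- Spring Security filter -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- Apply the filter to every request (this mapping is assumed; the listing shows only the filter declaration) -->
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>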
<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security configuration (spring-security.xml) -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- a) Resources that are not intercepted -->
    <security:http pattern="/login.jsp" security="none"/>
    <security:http pattern="/failer.jsp" security="none"/>
    <security:http pattern="/css/**" security="none"/>
    <security:http pattern="/images/**" security="none"/>
    <security:http pattern="/img/**" security="none"/>
    <security:http pattern="/plugins/**" security="none"/>

    <!-- b) The actual rules.
         auto-config="true": no need to write your own login page; the framework provides a default one.
         use-expressions="false": whether to use SpEL expressions. -->
    <security:http auto-config="true" use-expressions="false">
        <!-- Interception rule: pattern = request path rule; access = who may use the system (the caller must hold the role named here) -->
        <security:intercept-url pattern="/**" access="ROLE_USER_ADMIN"/>
        <!-- Pages to redirect to -->
        <security:form-login login-page="/login.jsp"
                             login-processing-url="/login.do"
                             default-target-url="/index.jsp"
                             authentication-failure-url="/failer.jsp"
                             authentication-success-forward-url="/pages/main.jsp"/>
        <!-- Disable CSRF protection: forms then need no _csrf token, but state-changing requests are no longer checked for one -->
        <security:csrf disabled="true"/>
        <!-- Logout -->
        <security:logout invalidate-session="true" logout-url="/logout.do" logout-success-url="/login.jsp"/>
    </security:http>

    <!-- c) Use the user names and passwords stored in the database -->
    <security:authentication-manager>
        <security:authentication-provider user-service-ref="userService">
            <!-- Password encoding used when checking credentials -->
            <security:password-encoder ref="passwordEnCoder"/>
        </security:authentication-provider>
    </security:authentication-manager>

    <!-- The password encoder class -->
    <bean id="passwordEnCoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
</beans>
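4. Create your own UserDao interface and a UserService interface that extends the UserDetailsService interface, then create a UserServiceImpl class that implements UserService.
a) Override this method:
    // UserInfo and userDao.findByUsername(...) are assumed names; the page does not show the DAO's methods
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Load your own user record and wrap it in a UserDetails
        UserInfo userInfo = userDao.findByUsername(username);
        if (userInfo == null) throw new UsernameNotFoundException(username);
        // The account is enabled only when status == 0
        return new User(userInfo.getUsername(), userInfo.getPassword(), userInfo.getStatus() == 0,
                true, true, true, getAuthority(userInfo.getRoles()));
    }
and this method:
    // Returns a List holding the role descriptions
    public List<SimpleGrantedAuthority> getAuthority(List<Role> roles) {
        List<SimpleGrantedAuthority> list = new ArrayList<>();
        for (Role role : roles) {
            // getRoleName() is an assumed getter; its value must equal the one used in access="..."
            list.add(new SimpleGrantedAuthority(role.getRoleName()));
        }
        return list;
    }
5. spring-security source code walkthrough
The filter name configured in web.xml above (springSecurityFilterChain) is the default and cannot be changed. The class behind this filter is DelegatingFilterProxy; what is this class for? Its parent class implements Filter, so the work this class does should be in doFilter. There we can see that a FilterChain object is passed in, but what is done with it? At this point the value is taken from this class's field this.delegate; looking further up, we see that this field is a Filter.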
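As seen above, when the delegate is null, this class's initDelegate method is called to assign it; here the Bean object is obtained by loading the configuration file.
6. FilterChainProxy is the implementation class that loads all the Filters. It obtains every Filter that needs to be loaded, and the SecurityFilters enum defines all the Filters that need to be loaded.
In the jar spring-security-config-5.0.1.RELEASE.jar you can dig out the corresponding spring.handlers file, which shows more concretely all the Filters that need to be loaded.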
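The lookup described in steps 5 and 6, as a simplified model in plain Java; this is an added example, not Spring's source code or the author's code. The Filter interface, ChainProxy, DelegatingProxy and the bean map are stand-ins invented for the illustration; only the name springSecurityFilterChain comes from the web.xml above.

```java
import java.util.*;

public class DelegatingProxyModel {
    // Minimal stand-in for the servlet Filter interface (hypothetical signature)
    interface Filter { void doFilter(String request, Runnable next); }

    // Stand-in for FilterChainProxy: runs its filters in order, then the rest of the chain
    static class ChainProxy implements Filter {
        private final List<Filter> filters;
        ChainProxy(List<Filter> filters) { this.filters = filters; }
        public void doFilter(String request, Runnable next) { run(0, request, next); }
        private void run(int i, String request, Runnable next) {
            if (i == filters.size()) { next.run(); return; }
            filters.get(i).doFilter(request, () -> run(i + 1, request, next));
        }
    }

    // Stand-in for DelegatingFilterProxy: resolves the bean named after <filter-name> on first use
    static class DelegatingProxy implements Filter {
        private final String filterName;
        private final Map<String, Filter> beans; // stand-in for the Spring context
        private volatile Filter delegate;
        DelegatingProxy(String name, Map<String, Filter> beans) { this.filterName = name; this.beans = beans; }
        public void doFilter(String request, Runnable next) {
            if (delegate == null) {
                synchronized (this) { if (delegate == null) delegate = initDelegate(); }
            }
            delegate.doFilter(request, next);
        }
        private Filter initDelegate() {
            Filter bean = beans.get(filterName);
            if (bean == null) throw new IllegalStateException("no bean named '" + filterName + "'");
            return bean;
        }
    }

    public static void main(String[] args) {
        List<String> trace = new ArrayList<>();
        Filter authn = (req, next) -> { trace.add("authenticate " + req); next.run(); };
        Filter authz = (req, next) -> { trace.add("authorize " + req); next.run(); };
        Map<String, Filter> beans = Collections.singletonMap(
                "springSecurityFilterChain", new ChainProxy(Arrays.asList(authn, authz)));
        new DelegatingProxy("springSecurityFilterChain", beans)
                .doFilter("/index.jsp", () -> trace.add("servlet"));
        System.out.println(trace);
        try { // a filter-name with no matching bean fails on the first request
            new DelegatingProxy("mySecurityFilter", beans).doFilter("/index.jsp", () -> { });
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```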