Original article: http://websystique.com/spring-security/spring-security-4-secure-view-layer-using-taglibs/
[The remaining articles will be translated as soon as possible, stay tuned. Translated by 明明如月, QQ 605283073]
This tutorial shows how to secure the view layer of a Spring MVC web application with Spring Security tags: parts of a JSP or view are shown or hidden depending on the roles of the logged-in user.
First, to use the Spring Security tags, add the spring-security-taglibs dependency to pom.xml:

```xml
<dependency>
	<groupId>org.springframework.security</groupId>
	<artifactId>spring-security-taglibs</artifactId>
	<version>4.0.1.RELEASE</version>
</dependency>
```
Next, add the taglib directive at the top of the view or JSP page:

```jsp
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags"%>
```
Finally, we can use Spring Security expressions such as hasRole and hasAnyRole inside the tags, as shown below:

```jsp
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags"%>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Welcome page</title>
</head>
<body>
	Dear <strong>${user}</strong>, Welcome to Home Page.
	<a href="<c:url value="/logout" />">Logout</a>
	<br/>
	<br/>
	<div>
		<label>View all information| This part is visible to Everyone</label>
	</div>
	<br/>
	<div>
		<sec:authorize access="hasRole('ADMIN')">
			<label><a href="#">Edit this page</a> | This part is visible only to ADMIN</label>
		</sec:authorize>
	</div>
	<br/>
	<div>
		<sec:authorize access="hasRole('ADMIN') and hasRole('DBA')">
			<label><a href="#">Start backup</a> | This part is visible only to one who is both ADMIN & DBA</label>
		</sec:authorize>
	</div>
</body>
</html>
```
If you need to show or hide fragments of a view based on roles, the example above is the pattern to follow.

Below is the Security Configuration used in this example:

```java
package com.websystique.springsecurity.configuration;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

	@Autowired
	public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
		auth.inMemoryAuthentication().withUser("bill").password("abc123").roles("USER");
		auth.inMemoryAuthentication().withUser("admin").password("root123").roles("ADMIN");
		auth.inMemoryAuthentication().withUser("dba").password("root123").roles("ADMIN","DBA");
	}

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.authorizeRequests()
			.antMatchers("/", "/home").access("hasRole('USER') or hasRole('ADMIN') or hasRole('DBA')")
			.and().formLogin().loginPage("/login")
			.usernameParameter("ssoId").passwordParameter("password")
			.and().exceptionHandling().accessDeniedPage("/Access_Denied");
	}
}
```
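The tag only decides what is rendered; a user without the DBA role can still request whatever URL the hidden "Start backup" link points to unless the server enforces the same rule. As an added example, not part of the original tutorial, the configuration below reuses the JSP's expression for a hypothetical /backup/start endpoint and BackupController, both as a URL rule and with @PreAuthorize (it assumes component scanning covers the configuration package).

```java
package com.websystique.springsecurity.configuration;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize on controller methods
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
	// The same expression the JSP uses in <sec:authorize>, so view and server agree.
	static final String ADMIN_AND_DBA = "hasRole('ADMIN') and hasRole('DBA')";

	@Autowired
	public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
		auth.inMemoryAuthentication().withUser("bill").password("abc123").roles("USER");
		auth.inMemoryAuthentication().withUser("admin").password("root123").roles("ADMIN");
		auth.inMemoryAuthentication().withUser("dba").password("root123").roles("ADMIN", "DBA");
	}

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.authorizeRequests()
			// URL-level rule: the target of the hidden "Start backup" link is refused to everyone else.
			.antMatchers("/backup/**").access(ADMIN_AND_DBA)
			.antMatchers("/", "/home").access("hasRole('USER') or hasRole('ADMIN') or hasRole('DBA')")
			.and().formLogin().loginPage("/login")
			.usernameParameter("ssoId").passwordParameter("password")
			.and().exceptionHandling().accessDeniedPage("/Access_Denied");
	}
}

// Hypothetical endpoint behind the "Start backup" link (the tutorial defines none).
@Controller
class BackupController {
	// Method-level rule: still denies the call if a later URL mapping slips past the antMatcher.
	@PreAuthorize(SecurityConfiguration.ADMIN_AND_DBA)
	@RequestMapping(value = "/backup/start", method = RequestMethod.POST)
	@ResponseBody
	public String startBackup() {
		return "backup started"; // CSRF is on by default in Spring Security 4, so the form must send the _csrf token
	}
}
```

With this in place, the "bill" and "admin" accounts get the /Access_Denied page for /backup/start, while only "dba" (ADMIN and DBA) reaches the method.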
The equivalent XML configuration:

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans
	http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
	http://www.springframework.org/schema/security
	http://www.springframework.org/schema/security/spring-security-4.0.xsd">

	<http auto-config="true">
		<intercept-url pattern="/" access="hasRole('USER') or hasRole('ADMIN') or hasRole('DBA')" />
		<intercept-url pattern="/home" access="hasRole('USER') or hasRole('ADMIN') or hasRole('DBA')" />
		<form-login login-page="/login" username-parameter="ssoId" password-parameter="password"
			authentication-failure-url="/Access_Denied" />
	</http>

	<authentication-manager>
		<authentication-provider>
			<user-service>
				<user name="bill" password="abc123" authorities="ROLE_USER" />
				<user name="admin" password="root123" authorities="ROLE_ADMIN" />
				<user name="dba" password="root123" authorities="ROLE_ADMIN,ROLE_DBA" />
			</user-service>
		</authentication-provider>
	</authentication-manager>
</beans:beans>
```
Controller

```java
package com.websystique.springsecurity.controller;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;
import org.springframework.stereotype.Controller;
import org.springframework.ui.ModelMap;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class HelloWorldController {

	@RequestMapping(value = { "/", "/home" }, method = RequestMethod.GET)
	public String homePage(ModelMap model) {
		model.addAttribute("user", getPrincipal());
		return "welcome";
	}

	@RequestMapping(value = "/Access_Denied", method = RequestMethod.GET)
	public String accessDeniedPage(ModelMap model) {
		model.addAttribute("user", getPrincipal());
		return "accessDenied";
	}

	@RequestMapping(value = "/login", method = RequestMethod.GET)
	public String loginPage() {
		return "login";
	}

	@RequestMapping(value = "/logout", method = RequestMethod.GET)
	public String logoutPage(HttpServletRequest request, HttpServletResponse response) {
		Authentication auth = SecurityContextHolder.getContext().getAuthentication();
		if (auth != null) {
			new SecurityContextLogoutHandler().logout(request, response, auth);
		}
		return "redirect:/login?logout";
	}

	// Resolves the display name of the logged-in user from the security context.
	private String getPrincipal() {
		String userName = null;
		Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
		if (principal instanceof UserDetails) {
			userName = ((UserDetails) principal).getUsername();
		} else {
			userName = principal.toString();
		}
		return userName;
	}
}
```
The rest of the code is the same as in the other articles of this series.

Deploy & Run

Download the complete code for this project. Build it and deploy it in a Servlet 3.0 container (Tomcat 7/8).

Open a browser and go to: localhost:8080/SpringSecuritySecureViewFragmentsUsingSecurityTaglibs/

You will be taken to the login page.

Log in with an account that has the USER role.

You will see only limited information.

Log out and log in again with an account that has the ADMIN role.

Submit the form; you will see the actions available to the ADMIN role.

Log out and log in with an account that has the DBA role.

You will see the page as rendered for the DBA role.

That's it for this article. The next article shows role-based login, i.e. redirecting users to different URLs after login depending on their role.

Code download: http://websystique.com/?smd_process_download=1&download_id=1388