security.xml filters in practice: the nine commonly used ones are as follows

I. Filter chain: RememberMeProcessingFilter
1. Usage: once "remember me" is ticked, the user's login state is still remembered after the page is closed or the server is restarted.

    <input type="checkbox" id="remember" name="j_remember_me"> Remember me

2. Configure security.xml

    <!-- Remember the user's login information -->
    <bean id="rememberMeFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="rememberMeServices" ref="rememberMeServices" />
    </bean>
    <bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
        <property name="userDetailsService" ref="userDetailsService" />
        <property name="parameter" value="j_remember_me" /> <!-- same as the checkbox name -->
        <property name="key" value="remember_Me" />
        <property name="tokenValiditySeconds" value="31536000" /> <!-- how long to remember; one year here -->
    </bean>

In the login and logout beans:

        <property name="rememberMeServices" ref="rememberMeServices" />
    <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref bean="rememberMeAuthenticationProvider" />
            </list>
        </property>
    </bean>
    <bean id="rememberMeAuthenticationProvider" class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
        <property name="key" value="remember_Me" />
    </bean>
II. Filter chain: RememberMeProcessingFilter, security interceptor

    <!-- URL-based security interceptor -->
    <bean id="securityInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="accessDecisionManager" ref="accessDecisionManager" />
        <property name="objectDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /admin/**=ROLE_ADMIN <!-- only the ROLE_ADMIN role may access the admin directory -->
                /user/**=ROLE_USER
            </value>
        </property>
    </bean>
III. Filter chain: authenticationProcessingFilter (login verification)

1. login.jsp

    <%
    String error = request.getParameter("login_error");
    if (error != null) {
        // login_error comes from the URL, so HTML-escape it before writing it into the page
        error = error.replace("&", "&amp;").replace("<", "&lt;")
                     .replace(">", "&gt;").replace("\"", "&quot;");
        out.println("<p><font color=\"red\">");
        out.println(error);
        out.println("</font></p>");
    }
    %>
    <form action="j_login.do" method="POST">
        Username: <input type="text" name="j_username" />
        Password: <input type="password" name="j_password">
        <input name="submit" type="submit" value="Login">
    </form>

    <!-- Verify the user's identity -->
    <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="authenticationFailureUrl" value="/login.jsp?login_error=Login%20failed." /> <!-- page to go to after a failed login -->
        <property name="defaultTargetUrl" value="/helloWorld.jsp" /> <!-- page to go to after a successful login -->
        <property name="filterProcessesUrl" value="/j_login.do" /> <!-- important: same as the form action -->
    </bean>
IV. Filter chain: logoutFilter

    <a href="j_logout.do">logout</a>

    <bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
        <!-- URL redirected to after logout -->
        <constructor-arg value="/helloWorld.jsp" />
        <constructor-arg>
            <list>
                <ref bean="rememberMeServices" /> <!-- after logout the user's login is no longer remembered -->
                <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler" />
            </list>
        </constructor-arg>
        <property name="filterProcessesUrl" value="/j_logout.do" /> <!-- important: must match the logout link -->
    </bean>
V. Filter chain: exceptionFilter. If the user cannot be authenticated, an AuthenticationException is thrown. Even when the user has authenticated successfully, they may still lack the permissions required to access certain protected pages; in that case an AccessDeniedException is thrown.

    <!-- Filter that handles login exceptions and permission exceptions -->
    <bean id="exceptionFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
        <!-- Login entry point used when an AuthenticationException occurs -->
        <property name="authenticationEntryPoint">
            <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
                <property name="loginFormUrl" value="/login.jsp" />
                <property name="forceHttps" value="false" /> <!-- when true, the login.jsp page is displayed securely over HTTPS -->
            </bean>
        </property>
        <!-- Handler used when an AccessDeniedException occurs -->
        <property name="accessDeniedHandler">
            <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl" />
            <!-- optional property: property name="errorPage" value="/denied.html" -->
        </property>
    </bean>

VI. Filter chain: HttpSessionContextIntegrationFilter. I don't know what this is used for?

    <!-- Gets the user information from the Session and puts it into the SecurityContextHolder -->
    <bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter" />
————————————————————————————————————

    <!-- Filter chain -->
    <bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
        <property name="filterInvocationDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /**=channelProcessingFilterConcurrentSessionFilter .................httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,rememberMeFilter,AnonymousProcessingFilter,.................exceptionFilter,securityInterceptor
            </value>
        </property>
    </bean>

    <!-- Authentication manager -->
    <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
        <property name="providers">
            <list>
                <ref bean="daoAuthenticationProvider" />
            </list>
        </property>
    </bean>

    <!-- DAO-based AuthenticationProvider -->
    <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
        <property name="userDetailsService" ref="userDetailsService" />
    </bean>

    <!-- Uses an in-memory DAO; in a real application JdbcDao can be used instead -->
    <bean id="userDetailsService" class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
        <property name="userMap">
            <value>
                admin=password,enabled,ROLE_ADMIN,ROLE_USER
                test=test,enabled,ROLE_USER
                guest=guest,disabled,ROLE_USER
            </value>
        </property>
    </bean>

    <!-- Decision manager -->
    <bean id="accessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased">
        <property name="decisionVoters">
            <list>
                <bean class="org.acegisecurity.vote.RoleVoter" />
            </list>
        </property>
        <property name="allowIfAllAbstainDecisions" value="false" />
    </bean>
Attachment: Spring CD \source\10Acegi\Spring_Acegi
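Addendum: VII. Filter chain: channelProcessingFilter (channel). The mapping login.jsp=REQUIRES_SECURE_CHANNEL is a secure mapping: it indicates that login.jsp should be sent over HTTPS, i.e. the request jumps to https://127.0.0.1:8443/ssh/login.jsp. But why does it show an error? Does it need to be online?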
    <bean id="channelProcessingFilter" class="org.acegisecurity.securechannel.ChannelProcessingFilter">
        <property name="filterInvocationDefinitionSource">
            <value>
                CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                PATTERN_TYPE_APACHE_ANT
                /login.jsp=REQUIRES_SECURE_CHANNEL
                /**=REQUIRES_INSECURE_CHANNEL
            </value>
        </property>
        <property name="channelDecisionManager" ref="channelDecisionManager">
        </property>
    </bean>
    <bean id="channelDecisionManager" class="org.acegisecurity.securechannel.ChannelDecisionManagerImpl">
        <property name="channelProcessors">
            <list>
                <bean class="org.acegisecurity.securechannel.SecureChannelProcessor" />
                <bean class="org.acegisecurity.securechannel.InsecureChannelProcessor" />
            </list>
        </property>
    </bean>