
[经验分享] Spring Security3实现,权限动态获取


发表于 2017-3-3 08:27:53 | 显示全部楼层 |阅读模式
Spring Security3实现,权限动态获取




原文  http://blog.csdn.net/yangwei19680827/article/details/9359113

主题 网络安全 Spring HTML

  项目采用 Maven 管理,使用 Spring MVC、JPA 等技术。
  pom.xml




<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.wiker</groupId>
<artifactId>springSecurity</artifactId>
<packaging>war</packaging>
<version>0.0.1-SNAPSHOT</version>
<name>springSecurity Maven Webapp</name>
<url>http://maven.apache.org</url>
<properties>
<!-- 主要依赖库的版本定义 -->
<c3p0.version>0.9.1.2</c3p0.version>
<spring-hibernate3.version>2.0.8</spring-hibernate3.version>
<javax.transaction.version>1.1</javax.transaction.version>
<org.kohsuke.stapler.version>2.1-rev6</org.kohsuke.stapler.version>
<spring-web.version>3.2.3.RELEASE</spring-web.version>
<commons-lang.version>2.5</commons-lang.version>
<javax.xml.rpc.version>1.1</javax.xml.rpc.version>
<commons-email.version>1.1</commons-email.version>
<org.apache.axis.version>1.4</org.apache.axis.version>
<commons-fileupload.version>1.3</commons-fileupload.version>
<jdom.version>1.1</jdom.version>
<javax.servlet.jstl.version>1.2</javax.servlet.jstl.version>
<javax.servlet.api.version>2.5</javax.servlet.api.version>
<jxl.version>2.6.12</jxl.version>
<javax.activation.version>1.1.1</javax.activation.version>
<javax.mail.version>1.4.5</javax.mail.version>
<spring.version>3.2.3.RELEASE</spring.version>
<hibernate.version>4.1.8.Final</hibernate.version>
<hibernate.core.version>4.1.8.Final</hibernate.core.version>
<spring-data-jpa.version>1.2.0.RELEASE</spring-data-jpa.version>
<commons-dbcp.version>1.4</commons-dbcp.version>
<sitemesh.version>2.4.2</sitemesh.version>
<hibernate-validator.version>4.3.0.Final</hibernate-validator.version>
<jackson.version>2.1.2</jackson.version>
<jackson-asl.version>1.9.5</jackson-asl.version>
<slf4j.version>1.7.2</slf4j.version>
<log4j.version>1.2.17</log4j.version>
<commons-lang3.version>3.1</commons-lang3.version>
<guava.version>13.0.1</guava.version>
<quartz.version>1.5.2</quartz.version>
<freemarker.version>2.3.19</freemarker.version>
<httpclient.version>4.2.2</httpclient.version>
<commons-httpclient.version>3.0.1</commons-httpclient.version>
<joda-time.version>2.1</joda-time.version>
<junit.version>4.11</junit.version>
<testng.version>6.3</testng.version>
<mockito.version>1.9.5</mockito.version>
<selenium.version>2.28.0</selenium.version>
<jetty.version>7.6.8.v20121106</jetty.version>
<h2.version>1.3.170</h2.version>
<codec.version>1.6</codec.version>
<dom4j.version>1.6.1</dom4j.version>
<lombok.version>0.11.0</lombok.version>
<wro4j.version>1.4.7</wro4j.version>
<wro4j.extensions.version>1.4.7</wro4j.extensions.version>
<commons-io.version>2.4</commons-io.version>
<commons-collections.version>3.2.1</commons-collections.version>
<gson.version>2.2.2</gson.version>
<pinyin4j.version>2.5.0</pinyin4j.version>
<wicked-charts.version>1.4.3</wicked-charts.version>
<batik-all.version>1.8pre-r1084380</batik-all.version>
<rhino.version>1.7R4</rhino.version>
<thumbnailator.version>[0.4, 0.5)</thumbnailator.version>
<struts2.core.version>2.3.14.3</struts2.core.version>
<wsdl4j.version>1.5.1</wsdl4j.version>
<aspectjrt.version>1.7.1</aspectjrt.version>
<velocity.version>1.7</velocity.version>
<antlr.version>2.7.6</antlr.version>
<jchardet.version>1.0</jchardet.version>
<google-collection.version>1.0</google-collection.version>
<json-lib.version>2.4</json-lib.version>
<urlrewritefilter.version>4.0.3</urlrewritefilter.version>
<!-- Plugin property definitions -->
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<jdk.version>1.6</jdk.version>
<!-- NOTE(review): a deployment URL and an admin/admin credential pair are committed in the POM.
     The URL looks like a servlet-container manager endpoint; no plugin in the build section of
     this POM references server.url, server.user or server.password. Keep deployment credentials
     out of version control (for example in a server entry of the user's settings.xml) and never
     leave a default pair like this on a reachable manager application. -->
<server.url>http://localhost:8080/manager/html</server.url>
<server.user>admin</server.user>
<server.password>admin</server.password>
<!-- JDBC driver coordinates. NOTE(review): the mysql-connector-java dependency declared further
     down hard-codes its own version instead of using jdbc.driver.version. -->
<jdbc.driver.groupId>mysql</jdbc.driver.groupId>
<jdbc.driver.artifactId>mysql-connector-java</jdbc.driver.artifactId>
<jdbc.driver.version>5.1.21</jdbc.driver.version>
</properties>
<dependencies>
<dependency>
<groupId>com.google.collections</groupId>
<artifactId>google-collections</artifactId>
<version>${google-collection.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>${spring.version}</version>
</dependency>
<!-- <dependency> <groupId>org.apache.axis2</groupId> <artifactId>axis2</artifactId>
<version>${org.apache.axis2.version}</version> </dependency> -->
<dependency>
<groupId>org.apache.axis</groupId>
<artifactId>axis</artifactId>
<version>${org.apache.axis.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
<version>${commons-lang.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-aop</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context-support</artifactId>
<version>${spring.version}</version>
</dependency>
<!-- Spring Security -->
<!-- NOTE(review): 3.1.4.RELEASE is written literally on four artifacts (core, web and config here,
     taglibs further down). A single version property would keep them in step when the framework
     is upgraded; mixed Spring Security module versions are a common source of broken filters.
     This release line is old; check the vendor's current supported versions before reuse. -->
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>
<!-- NOTE(review): pinned to 5.1.18 although the properties section defines
     jdbc.driver.version as 5.1.21; one of the two is stale. -->
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.18</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjrt</artifactId>
<version>${aspectjrt.version}</version>
</dependency>
<dependency>
<groupId>wsdl4j</groupId>
<artifactId>wsdl4j-qname</artifactId>
<version>${wsdl4j.version}</version>
</dependency>
<dependency>
<groupId>org.aspectj</groupId>
<artifactId>aspectjweaver</artifactId>
<version>${aspectjrt.version}</version>
</dependency>
<dependency>
<groupId>cglib</groupId>
<artifactId>cglib</artifactId>
<version>2.2.2</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>asm</groupId>
<artifactId>asm</artifactId>
<version>3.3.1</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-entitymanager</artifactId>
<version>${hibernate.version}</version>
</dependency>
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-core</artifactId>
<version>${hibernate.core.version}</version>
</dependency>
<dependency>
<groupId>javax.xml.rpc</groupId>
<artifactId>javax.xml.rpc-api</artifactId>
<version>${javax.xml.rpc.version}</version>
</dependency>
<!-- spring data access -->
<dependency>
<groupId>org.springframework.data</groupId>
<artifactId>spring-data-jpa</artifactId>
<version>${spring-data-jpa.version}</version>
<exclusions>
<exclusion>
<groupId>junit</groupId>
<artifactId>junit-dep</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-orm</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>net.sf.json-lib</groupId>
<artifactId>json-lib</artifactId>
<version>${json-lib.version}</version>
<classifier>jdk15</classifier>
</dependency>
<dependency>
<groupId>org.tuckey</groupId>
<artifactId>urlrewritefilter</artifactId>
<version>${urlrewritefilter.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>javax.annotation</groupId>
<artifactId>javax.annotation-api</artifactId>
<version>1.2</version>
</dependency>
<!-- dbcp connection pool -->
<dependency>
<groupId>commons-dbcp</groupId>
<artifactId>commons-dbcp</artifactId>
<version>${commons-dbcp.version}</version>
<scope>runtime</scope>
</dependency>
<!-- PERSISTENCE end -->
<!-- WEB begin -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>${spring.version}</version>
</dependency>
<dependency>
<groupId>jdom</groupId>
<artifactId>jdom</artifactId>
<version>${jdom.version}</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jstl</artifactId>
<version>${javax.servlet.jstl.version}</version>
</dependency>
<dependency>
<groupId>net.sourceforge.jexcelapi</groupId>
<artifactId>jxl</artifactId>
<version>${jxl.version}</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>${javax.servlet.api.version}</version>
<scope>provided</scope>
</dependency>
<!-- JSR303 BeanValidator -->
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-validator</artifactId>
<version>${hibernate-validator.version}</version>
</dependency>
<!-- pinyin4j begin -->
<!-- <dependency> <groupId>pinyin4j</groupId> <artifactId>pinyin4j</artifactId>
<version>${pinyin4j.version}</version> </dependency> -->
<!-- pinyin4j end -->
<!-- JSON begin -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>${jackson.version}</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.module</groupId>
<artifactId>jackson-module-jaxb-annotations</artifactId>
<version>${jackson.version}</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.dataformat</groupId>
<artifactId>jackson-dataformat-xml</artifactId>
<version>${jackson.version}</version>
</dependency>
<dependency>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-core-asl</artifactId>
<version>${jackson-asl.version}</version>
</dependency>
<dependency>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-mapper-asl</artifactId>
<version>${jackson-asl.version}</version>
</dependency>
<dependency>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-jaxrs</artifactId>
<version>${jackson-asl.version}</version>
</dependency>
<dependency>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-xc</artifactId>
<version>${jackson-asl.version}</version>
</dependency>
<dependency>
<groupId>com.google.code.gson</groupId>
<artifactId>gson</artifactId>
<version>${gson.version}</version>
</dependency>
<dependency>
<groupId>quartz</groupId>
<artifactId>quartz</artifactId>
<version>${quartz.version}</version>
</dependency>
<!-- JSON end -->
<!-- LOGGING begin -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-api</artifactId>
<version>${slf4j.version}</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>
<version>${slf4j.version}</version>
<scope>runtime</scope>
</dependency>
<!-- common-logging 实际调用slf4j -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>${slf4j.version}</version>
<scope>runtime</scope>
</dependency>
<!-- java.util.logging 实际调用slf4j -->
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jul-to-slf4j</artifactId>
<version>${slf4j.version}</version>
<scope>runtime</scope>
</dependency>
<!-- NOTE(review): log4j 1.x is end-of-life and no longer receives security fixes. It is pulled in
     here as the backend for the slf4j-log4j12 binding declared above; because the code logs
     through SLF4J, the backend can be swapped for a maintained one without touching callers. -->
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>${log4j.version}</version>
</dependency>
<dependency>
<groupId>org.lazyluke</groupId>
<artifactId>log4jdbc-remix</artifactId>
<version>0.2.7</version>
<scope>runtime</scope>
</dependency>
<!-- LOGGING end -->
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
<version>${commons-lang3.version}</version>
</dependency>
<dependency>
<groupId>org.kohsuke.stapler</groupId>
<artifactId>json-lib</artifactId>
<version>${org.kohsuke.stapler.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>${spring-web.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-hibernate3</artifactId>
<version>${spring-hibernate3.version}</version>
</dependency>
<dependency>
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
<version>${guava.version}</version>
</dependency>
<dependency>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
<version>${codec.version}</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
<version>${commons-io.version}</version>
</dependency>
<!-- NOTE(review): commons-collections.version resolves to 3.2.1. Old 3.x releases of this
     library are widely used as gadget sources in Java deserialization attacks; take the latest
     maintenance release of the line and avoid native deserialization of untrusted data. -->
<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
<version>${commons-collections.version}</version>
</dependency>
<!-- NOTE(review): commons-fileupload.version resolves to 1.3 and backs the multipartResolver in
     spring-mvc.xml, so it parses request bodies sent by clients. Review the project's security
     advisories and move to a current release before exposing upload endpoints. -->
<dependency>
<groupId>commons-fileupload</groupId>
<artifactId>commons-fileupload</artifactId>
<version>${commons-fileupload.version}</version>
</dependency>
<!-- GENERAL UTILS end -->
<!-- OTHER TOOLS begin -->
<!-- httpclient -->
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>${httpclient.version}</version>
<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>commons-httpclient</groupId>
<artifactId>commons-httpclient</artifactId>
<version>${commons-httpclient.version}</version>
</dependency>
<!-- template engine -->
<!-- <dependency> <groupId>org.freemarker</groupId> <artifactId>freemarker</artifactId>
<version>${freemarker.version}</version> </dependency> -->
<!-- third party dependencies -->
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>${lombok.version}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>dom4j</groupId>
<artifactId>dom4j</artifactId>
<version>${dom4j.version}</version>
</dependency>
<!-- email -->
<dependency>
<groupId>javax.mail</groupId>
<artifactId>mail</artifactId>
<version>${javax.mail.version}</version>
</dependency>
<dependency>
<groupId>commons-email</groupId>
<artifactId>commons-email</artifactId>
<version>${commons-email.version}</version>
</dependency>
<dependency>
<groupId>javax.activation</groupId>
<artifactId>activation</artifactId>
<version>${javax.activation.version}</version>
</dependency>
<dependency>
<groupId>javax.transaction</groupId>
<artifactId>jta</artifactId>
<version>${javax.transaction.version}</version>
</dependency>
<dependency>
<groupId>org.apache.velocity</groupId>
<artifactId>velocity</artifactId>
<version>${velocity.version}</version>
</dependency>
<dependency>
<groupId>c3p0</groupId>
<artifactId>c3p0</artifactId>
<version>${c3p0.version}</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>${junit.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<version>${mockito.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-all</artifactId>
<version>${mockito.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-test</artifactId>
<version>${spring.version}</version>
<scope>test</scope>
</dependency>
<!-- h2 -->
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<version>${h2.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>antlr</groupId>
<artifactId>antlr</artifactId>
<version>${antlr.version}</version>
</dependency>
<dependency>
<groupId>net.sourceforge.jchardet</groupId>
<artifactId>jchardet</artifactId>
<version>${jchardet.version}</version>
</dependency>
<dependency>
<groupId>xml-apis</groupId>
<artifactId>xml-apis</artifactId>
<version>1.4.01</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-taglibs</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>poi-ooxml</artifactId>
<version>3.9</version>
<exclusions>
<exclusion>
<artifactId>xml-apis</artifactId>
<groupId>xml-apis</groupId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
<build>
<finalName>springSecurity</finalName>
<plugins>
<plugin>
<groupId>org.mortbay.jetty</groupId>
<artifactId>maven-jetty-plugin</artifactId>
<configuration>
<scanIntervalSeconds>10</scanIntervalSeconds>
<webAppConfig>
<contextPath>/springSecurity</contextPath>
</webAppConfig>
</configuration>
</plugin>
</plugins>
</build>
</project>

  applicationContext-dao.xml





<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:jdbc="http://www.springframework.org/schema/jdbc" xmlns:jee="http://www.springframework.org/schema/jee"
xmlns:tx="http://www.springframework.org/schema/tx" xmlns:jpa="http://www.springframework.org/schema/data/jpa"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-3.1.xsd
http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.1.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
http://www.springframework.org/schema/data/jpa http://www.springframework.org/schema/data/jpa/spring-jpa.xsd"
default-lazy-init="true">
<description>Spring DAO Configration</description>

<!-- Spring Data JPA: scan com.wiker for repository interfaces -->
<jpa:repositories base-package="com.wiker"
transaction-manager-ref="transactionManager"
entity-manager-factory-ref="entityManagerFactory" />
<!-- NOTE(review): DriverManagerDataSource is not a connection pool; it is meant for tests and
     demos. The POM already carries commons-dbcp and c3p0 for pooled use. -->
<bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<!-- Connection Info -->
<!-- NOTE(review): the application connects as the MySQL root account with the password stored
     in this file. Use a dedicated account limited to the application schema and supply the
     credentials from outside the packaged WAR (the service context on this page already loads
     application.properties through a property placeholder configurer). -->
<property name="driverClassName" value="com.mysql.jdbc.Driver" />
<property name="url" value="jdbc:mysql://127.0.0.1:3306/test" />
<property name="username" value="root" />
<property name="password" value="root" />
</bean>
<!-- Build the JPA EntityManagerFactory through Spring's container-managed factory bean -->
<bean id="entityManagerFactory"
class="org.springframework.orm.jpa.LocalContainerEntityManagerFactoryBean">
<property name="dataSource" ref="dataSource" />
<property name="packagesToScan">
<list>
<value>com.wiker</value>
</list>
</property>
<property name="jpaVendorAdapter">
<bean class="org.springframework.orm.jpa.vendor.HibernateJpaVendorAdapter">
<property name="database" value="MYSQL" />
<!-- NOTE(review): showSql prints every SQL statement; generateDdl lets the persistence provider
     create or alter tables at startup, which in turn requires DDL rights on the database
     account. Both are development settings; switch them off outside a demo. -->
<property name="showSql" value="true" />
<property name="generateDdl" value="true" />
</bean>
</property>
</bean>
<!-- Component scan of the whole com.wiker tree (this also covers com.wiker.security.service,
     which the service context scans again) -->
<context:component-scan base-package="com.wiker"></context:component-scan>
<context:annotation-config />
<!-- JPA transaction manager -->
<bean id="transactionManager" class="org.springframework.orm.jpa.JpaTransactionManager">
<property name="entityManagerFactory" ref="entityManagerFactory" />
</bean>
<!-- Annotation-driven transactions; proxy-target-class="true" requests class-based proxies -->
<tx:annotation-driven transaction-manager="transactionManager"
proxy-target-class="true" />

</beans>

  applicationContext-service.xml





<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:jdbc="http://www.springframework.org/schema/jdbc" xmlns:jee="http://www.springframework.org/schema/jee"
xmlns:tx="http://www.springframework.org/schema/tx" xmlns:jpa="http://www.springframework.org/schema/data/jpa"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd
http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-3.1.xsd
http://www.springframework.org/schema/jee http://www.springframework.org/schema/jee/spring-jee-3.1.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
http://www.springframework.org/schema/data/jpa http://www.springframework.org/schema/data/jpa/spring-jpa.xsd"
default-lazy-init="true">
<description>Spring Service Configration</description>
<!-- scan service class with @components -->
<!-- The accountService bean referenced by spring-security.xml is presumably registered by this
     scan; its class is not shown in this part of the page. -->
<context:component-scan base-package="com.wiker.security.service" />
<!-- Resolves property placeholders from application.properties on the classpath. This is the
     natural place to keep environment-specific values such as database credentials, provided
     the properties file itself is kept out of version control. -->
<bean id="propertyConfigurer"
class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
<property name="locations">
<list>
<value>classpath:application.properties</value>
</list>
</property>
</bean>
<!-- <bean name="propertyLoader"
class="com.urbanmania.spring.beans.factory.config.annotations.PropertyFileLoader">
<property name="resources">
<value>classpath:application.properties</value>
</property>
</bean>
<bean
class="com.urbanmania.spring.beans.factory.config.annotations.PropertyAnnotationAndPlaceholderConfigurer">
<property name="propertyLoaders">
<ref bean="propertyLoader" />
</property>
</bean> -->
</beans>

  spring-security.xml





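<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- Enable annotation-based method security (pre/post annotations, @Secured and JSR-250) -->
<security:global-method-security
pre-post-annotations="enabled" secured-annotations="enabled"
jsr250-annotations="enabled" proxy-target-class="true">
<!-- <security:protect-pointcut access="VIP"
expression="execution(* com.zf.service.VipService.*(..))" /> -->
</security:global-method-security>
<!-- use-expressions="true" turns on expression-based access rules; access-denied-page is the page
     shown when an authenticated user fails an authorization check; entry-point-ref sends
     unauthenticated requests to the login page. -->
<security:http use-expressions="true" access-denied-page="/powermiss.jsp" entry-point-ref="authenticationProcessingFilterEntryPoint">
<!-- The login page and the landing page are open to everyone -->
<security:intercept-url pattern="/login.jsp*"
access="permitAll" />
<security:intercept-url pattern="/index.jsp*"
access="permitAll" />
<!-- The captcha image is requested by the login page before the user is authenticated, so it
     must stay reachable once the catch-all rule below is active. -->
<security:intercept-url pattern="/captchaServlet*"
access="permitAll" />
<!-- Role-specific rules kept for reference. Re-enable them once the authority names returned by
     accountService are confirmed; until then admin.jsp and vip.jsp are only covered by the
     catch-all rule below, i.e. any logged-in user can open them.
<security:intercept-url pattern="/vip.jsp*"
access="hasRole('VIP')" />
<security:intercept-url pattern="/admin.jsp*"
access="hasRole('ADMIN')" />
Every resource requires the COMM authority:
<security:intercept-url pattern="/*"
access="hasRole('COMM')" /> -->
<!-- Deny by default. Without a catch-all rule, any URL not listed above is served without an
     authorization check, and the JSPs sit in the web root where they can be requested directly.
     Rules are evaluated in order, so this must stay last. -->
<security:intercept-url pattern="/**"
access="isAuthenticated()" />
<!-- Use our own login filter -->
<!-- position="FORM_LOGIN_FILTER" installs the bean in the slot of the stock form-login filter,
     i.e. it takes that filter's place rather than running in front of it. This is why the
     form-login element below stays commented out. The custom filter adds the captcha check. -->
<security:custom-filter
ref="validateCodeAuthenticationFilter"  position="FORM_LOGIN_FILTER"
/>
<!-- Stock form-login setup, superseded by the custom filter: login page login.jsp, default
     target index.jsp, failure URL login.jsp with error=true -->
<!--         <security:form-login login-page="/login.jsp" default-target-url="/index.jsp" authentication-failure-url="/login.jsp?error=true" />  -->
<!-- Logout -->
<!-- NOTE(review): the landing page calls this URL through a plain link (GET), and Spring Security
     3.1 has no built-in CSRF protection, so a third-party page can end a user's session.
     The impact is low, but the same gap applies to every state-changing request in the app. -->
<security:logout invalidate-session="true"
logout-success-url="/login.jsp" logout-url="/auth/logout" />
</security:http>

<!-- Entry point: redirect unauthenticated users to the login form -->
<bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<property name="loginFormUrl" value="/login.jsp"></property>
</bean>
<!-- Login filter with captcha validation -->
<bean id="validateCodeAuthenticationFilter"
class="com.wiker.security.controller.VolidateAuthCodeUsernamePasswordAuthenticationFilter">
<property name="authenticationSuccessHandler"
ref="loginLogAuthenticationSuccessHandler"></property>
<property name="authenticationFailureHandler"
ref="simpleUrlAuthenticationFailureHandler"></property>
<property name="authenticationManager" ref="authenticationManager"></property>
</bean>
<!-- Login success: return to the saved request, or to index.jsp when there is none -->
<bean id="loginLogAuthenticationSuccessHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/index.jsp"></property>
</bean>
<!-- Login failure: back to the login page with error=true -->
<bean id="simpleUrlAuthenticationFailureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/login.jsp?error=true"></property>
</bean>

<!-- Authentication manager -->
<security:authentication-manager alias="authenticationManager">
<!-- Users and their authorities come from the custom UserDetailsService bean accountService -->
<!-- NOTE(review): no password-encoder is declared on this provider, so the submitted password is
     compared as-is with the value accountService returns. If the user table stores plaintext
     passwords, migrate to a salted adaptive hash and declare the matching encoder here; the
     storage format is not visible in this part of the page. -->
<security:authentication-provider
user-service-ref="accountService">
<!-- The in-memory user service below is no longer needed -->
<!-- <security:user-service> -->
<!-- This would add one in-memory user, name and password both admin, holding ROLE_USER (several roles can be separated by commas) -->
<!-- <security:user name="admin" password="admin" authorities="ROLE_USER"/> -->
<!-- </security:user-service> -->
</security:authentication-provider>
</security:authentication-manager>

</beans>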

  spring-mvc.xml





<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">
<!-- Component scan restricted to @Controller classes -->
<context:component-scan base-package="com.wiker.security.controller"
use-default-filters="false">
<context:include-filter type="annotation"
expression="org.springframework.stereotype.Controller" />
</context:component-scan>
<!-- Application Message Bundle -->
<bean id="messageSource"
class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basename" value="messages" />
</bean>
<!-- Message converters; the String converter is pinned to UTF-8 to avoid garbled responses -->
<bean
class="org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter">
<property name="messageConverters">
<list>
<bean
class="org.springframework.http.converter.ByteArrayHttpMessageConverter" />
<bean
class="org.springframework.http.converter.StringHttpMessageConverter">
<property name="supportedMediaTypes">
<list>
<value>text/plain;charset=UTF-8</value>
</list>
</property>
</bean>
<bean
class="org.springframework.http.converter.ResourceHttpMessageConverter" />
<!-- NOTE(review): the three XML converters below parse request bodies supplied by clients.
     With the Spring version pinned in the POM, confirm that external entity and DTD processing
     is disabled for them, or drop the converters if no controller accepts XML. -->
<bean
class="org.springframework.http.converter.xml.SourceHttpMessageConverter" />
<bean
class="org.springframework.http.converter.xml.XmlAwareFormHttpMessageConverter" />
<bean
class="org.springframework.http.converter.xml.Jaxb2RootElementHttpMessageConverter" />
</list>
</property>
</bean>

<mvc:annotation-driven />
<!-- Paths that no controller maps are handed to the container's default servlet -->
<mvc:default-servlet-handler />
<!-- Location of the JSP views -->
<!-- NOTE(review): prefix "/" keeps the JSPs in the web root, where they can be requested by URL
     without going through a controller. Access control for them then rests entirely on the
     intercept-url rules in spring-security.xml; placing views under /WEB-INF removes direct
     access altogether. -->
<bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix" value="/" />
<property name="suffix" value=".jsp" />
</bean>
<!-- Configure the multipart resolver for uploading -->
<!-- NOTE(review): no maxUploadSize is set, so request size is not capped by the resolver.
     Set an explicit limit before enabling any upload endpoint. -->
<bean id="multipartResolver"
class="org.springframework.web.multipart.commons.CommonsMultipartResolver" />

</beans>

  web.xml





<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<context-param>
<param-name>javax.servlet.jsp.jstl.fmt.localizationContext</param-name>
<param-value>messages</param-value>
</context-param>
<!-- Root application context: DAO, service and security configuration are loaded together, so
     beans defined in one file (for example accountService or the property placeholder
     configurer) are visible to the others. -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath*:/applicationContext-dao.xml,
classpath*:/applicationContext-service.xml,
classpath*:/spring-security.xml
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- Force UTF-8 on every request. Its filter-mapping is declared before the security filter's,
     so it runs first. -->
<filter>
<filter-name>encodingFilter</filter-name>
<filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>
<init-param>
<param-name>encoding</param-name>
<param-value>UTF-8</param-value>
</init-param>
<init-param>
<param-name>forceEncoding</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>encodingFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Spring MVC dispatcher with its own child context from /WEB-INF/spring-mvc.xml -->
<servlet>
<servlet-name>springServlet</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/spring-mvc.xml</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<!-- Captcha image servlet, mapped outside the dispatcher. It is requested by the login page
     before authentication, so any catch-all access rule has to leave /captchaServlet open. -->
<servlet>
<servlet-name>CaptchaServlet</servlet-name>
<servlet-class>
com.wiker.security.controller.CaptchaServlet
</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>CaptchaServlet</servlet-name>
<url-pattern>/captchaServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>springServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<!-- spring security -->  
<!-- The filter name must stay springSecurityFilterChain: DelegatingFilterProxy looks up the
     bean of that name, which the security namespace registers. Mapped to every request, so
     servlets and JSPs alike pass through the security filter chain. -->
<filter>  
<filter-name>springSecurityFilterChain</filter-name>  
<filter-class>  
org.springframework.web.filter.DelegatingFilterProxy  
</filter-class>  
</filter>  
<filter-mapping>  
<filter-name>springSecurityFilterChain</filter-name>  
<url-pattern>/*</url-pattern>  
</filter-mapping>  

</web-app>

  index.jsp





<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<%
// Builds an absolute base URL that is written into <base href> and the links below.
// NOTE(review): per the Servlet API, getServerName() is taken from the request's Host header
// when one is present, and the value is emitted unescaped. Behind a cache or a permissive
// virtual-host setup a forged Host can therefore steer every link on the page; a
// context-relative path (request.getContextPath() alone) avoids trusting the header.
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<base href="<%=basePath%>">
<title>My JSP 'index.jsp' starting page</title>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="expires" content="0">   
<meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
<meta http-equiv="description" content="This is my page">
<!--
<link rel="stylesheet" type="text/css" href="styles.css">
-->
</head>
<body>      
<%-- Greets the current principal by name. This page is permitAll in spring-security.xml, so it
     is also rendered for visitors who have not logged in. --%>
<h3>登录成功,欢迎您:<sec:authentication property="name" /></h3>      
<%-- NOTE(review): the access rules for admin.jsp and vip.jsp are commented out in
     spring-security.xml as shown on this page; confirm these targets are protected.
     The logout link issues a GET to /auth/logout. --%>
<a href="<%=basePath%>admin.jsp">进入管理员页面</a>
<a href="<%=basePath%>vip.jsp">进入会员页面</a>
<a href="<%=basePath%>auth/logout">注销</a>  
</body>
</html>

  login.jsp(原文此处标为 index.jsp;从内容看是登录表单,对应 spring-security.xml 中配置的 /login.jsp)





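<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<%
// Absolute base URL for <base href> and the form action.
// NOTE(review): getServerName() follows the request's Host header when one is present and the
// value is emitted unescaped; a context-relative action avoids trusting that header for the
// URL the credentials are posted to.
String path = request.getContextPath();
String basePath = request.getScheme() + "://" + request.getServerName() + ":"
+ request.getServerPort() + path + "/";
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<base href="<%=basePath%>">
<title>My JSP 'index.jsp' starting page</title>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="expires" content="0">
<meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
<meta http-equiv="description" content="This is my page">
<!--
<link rel="stylesheet" type="text/css" href="styles.css">
-->
<style type="text/css">
div.error {
width: 260px;
border: 2px solid red;
background-color: yellow;
text-align: center;
}
div.hide {
display: none;
}
</style>
</head>
<body>
<%-- Shown only when the failure handler redirected here with error=true. The exception message
     is written through c:out so that any markup in it is escaped; plain EL in template text
     is emitted as-is. --%>
<div class="error ${param.error == true ? '' : 'hide'}">
登陆失败<br>
<c:out value="${sessionScope['SPRING_SECURITY_LAST_EXCEPTION'].message}" />
</div>
<h3>用户登录</h3>
<%-- The form action and the j_username / j_password field names are the ones Spring Security
     expects. Kept as a JSP comment so the note is not sent to the browser. --%>
<form action="<%=basePath%>j_spring_security_check" method="post">
<p>
<label for="j_username">Username</label> <input id="j_username"
name="j_username" type="text" />
</p>
<p>
<label for="j_password">Password</label> <input id="j_password"
name="j_password" type="password" />
</p>
<p>
<%-- The captcha field has its own id; it previously reused id="j_password", which made the
     ids on this page ambiguous. The parameter name "code" is what the login filter reads. --%>
<label for="code">验证码:</label> <input id="code"
name="code" type="password" /> <IMG style="CURSOR: pointer"
onclick="this.src='captchaServlet?t='+(new Date().getTime());"
alt="看不清楚?请点击刷新验证码!" align='absmiddle' src="captchaServlet"
height="18" width="55">
</p>
<p>
<%-- NOTE(review): spring-security.xml as shown on this page declares no remember-me element,
     so this checkbox appears to have no effect. If remember-me is enabled later, prefer the
     persistent-token variant and require re-authentication for sensitive actions. --%>
<input type="checkbox" name="_spring_security_remember_me">两周之内不必登陆
</p>
<input type="submit" value="Login" />
</form>
</body>
</html>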

  powermiss.jsp





<%@ page language="java" import="java.util.*" pageEncoding="utf-8"%>
<%
// Access-denied page (configured as access-denied-page in spring-security.xml).
// basePath is only used for <base href>; see the note on Host-derived URLs: getServerName()
// follows the request's Host header when one is present.
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<base href="<%=basePath%>">
<title>My JSP 'powermiss.jsp' starting page</title>
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="expires" content="0">   
<meta http-equiv="keywords" content="keyword1,keyword2,keyword3">
<meta http-equiv="description" content="This is my page">
<!--
<link rel="stylesheet" type="text/css" href="styles.css">
-->

</head>
<body>
<%-- Static message only: nothing about the denied resource or the user is echoed back. --%>
<h1 style="color: red;">对不起,您无权访问该资源!</h1>
</body>
</html>

  VolidateAuthCodeUsernamePasswordAuthenticationFilter.java





package com.wiker.security.controller;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang.StringUtils;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.util.TextEscapeUtils;
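/**
 * Username/password login filter that additionally requires a CAPTCHA ("validate code").
 *
 * <p>The code typed by the user is read from a request parameter ({@code "code"} by default) and
 * compared, ignoring case, with the value held in the HTTP session ({@code "rand"} by default).
 * The stored code is single-use: it is removed from the session on every check, so a new CAPTCHA
 * has to be generated for each login attempt.
 *
 * @author Wiker Yong Email:<a href="mailto:wikeryong@gmail.com">wikeryong@gmail.com</a>
 * @date 2013-7-15 5:56:54 PM
 * @version 1.0-SNAPSHOT
 */
public class VolidateAuthCodeUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    /** Session attribute holding the (entity-escaped) username of the last login attempt. */
    public static final String SPRING_SECURITY_LAST_USERNAME_KEY = "SPRING_SECURITY_LAST_USERNAME";

    /** Default session attribute under which the expected CAPTCHA is stored. */
    public static final String DEFAULT_SESSION_VALIDATE_CODE_FIELD = "rand";

    /** Default request parameter carrying the CAPTCHA typed by the user. */
    public static final String DEFAULT_VALIDATE_CODE_PARAMETER = "code";

    private boolean postOnly = true;

    // When true the CAPTCHA check is skipped entirely (see attemptAuthentication), not merely
    // relaxed for empty input. Keep it false outside of tests.
    private boolean allowEmptyValidateCode = false;

    private String sessionvalidateCodeField = DEFAULT_SESSION_VALIDATE_CODE_FIELD;
    private String validateCodeParameter = DEFAULT_VALIDATE_CODE_PARAMETER;

    /**
     * Builds the authentication request from the submitted form, verifies the CAPTCHA and then
     * delegates to the authentication manager.
     *
     * @param request  the login request
     * @param response the response (unused here)
     * @return the authenticated token returned by the authentication manager
     * @throws AuthenticationException if the HTTP method is not allowed, the CAPTCHA does not
     *         match, or the credentials are rejected
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request,
            HttpServletResponse response) throws AuthenticationException {
        if (postOnly && !"POST".equals(request.getMethod())) {
            throw new AuthenticationServiceException(
                    "Authentication method not supported: " + request.getMethod());
        }

        String username = obtainUsername(request);
        String password = obtainPassword(request);
        if (username == null) {
            username = "";
        }
        if (password == null) {
            password = "";
        }
        username = username.trim();

        UsernamePasswordAuthenticationToken authRequest =
                new UsernamePasswordAuthenticationToken(username, password);

        // Remember the last attempted username for the view. It is stored entity-escaped so the
        // login page can echo it back without injecting markup.
        HttpSession session = request.getSession(false);
        if (session != null || getAllowSessionCreation()) {
            request.getSession().setAttribute(
                    SPRING_SECURITY_LAST_USERNAME_KEY,
                    TextEscapeUtils.escapeEntities(username));
        }

        // Allow subclasses to set the "details" property.
        setDetails(request, authRequest);

        // The CAPTCHA is verified before the credentials reach the authentication manager.
        if (!isAllowEmptyValidateCode()) {
            checkValidateCode(request);
        }

        return this.getAuthenticationManager().authenticate(authRequest);
    }

    /**
     * Compares the CAPTCHA stored in the session with the one submitted by the user
     * (case-insensitive) and consumes the stored value.
     *
     * @param request the login request
     * @throws AuthenticationServiceException if either value is missing or they differ
     */
    protected void checkValidateCode(HttpServletRequest request) {
        String expectedCode = obtainSessionValidateCode(request);
        String submittedCode = obtainValidateCodeParameter(request);

        // Single use: drop the stored code whatever the outcome, so that one solved CAPTCHA
        // cannot back an unlimited number of password guesses. The login page requests a new
        // image (and, presumably, a new stored code) each time it is rendered.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.removeAttribute(sessionvalidateCodeField);
        }

        if (StringUtils.isEmpty(expectedCode)
                || StringUtils.isEmpty(submittedCode)
                || !expectedCode.equalsIgnoreCase(submittedCode)) {
            throw new AuthenticationServiceException("验证码错误!");
        }
    }

    /** Returns the CAPTCHA submitted with the request, or {@code null} if the parameter is absent. */
    private String obtainValidateCodeParameter(HttpServletRequest request) {
        return request.getParameter(validateCodeParameter);
    }

    /**
     * Returns the CAPTCHA stored in the session, or an empty string when there is no session or
     * no stored code. No session is created just to look the value up.
     */
    protected String obtainSessionValidateCode(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return "";
        }
        Object stored = session.getAttribute(sessionvalidateCodeField);
        return stored == null ? "" : stored.toString();
    }

    public boolean isPostOnly() {
        return postOnly;
    }

    @Override
    public void setPostOnly(boolean postOnly) {
        this.postOnly = postOnly;
    }

    /** Returns the name of the session attribute that holds the expected CAPTCHA. */
    public String getValidateCodeName() {
        return sessionvalidateCodeField;
    }

    /** Sets the name of the session attribute that holds the expected CAPTCHA. */
    public void setValidateCodeName(String validateCodeName) {
        this.sessionvalidateCodeField = validateCodeName;
    }

    public boolean isAllowEmptyValidateCode() {
        return allowEmptyValidateCode;
    }

    /** Setting this to {@code true} disables the CAPTCHA check for every login attempt. */
    public void setAllowEmptyValidateCode(boolean allowEmptyValidateCode) {
        this.allowEmptyValidateCode = allowEmptyValidateCode;
    }
}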

  User.java





package com.wiker.security.dao.entity;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.JoinColumn;
import javax.persistence.JoinTable;
import javax.persistence.ManyToMany;
import javax.persistence.Table;
/**
 * JPA entity for an application account, mapped to table {@code user} and linked to its roles
 * through the {@code user_role} join table.
 *
 * @author WikerYong Email: yw_312@foxmail.com
 * @version 2011-11-9 10:03:18 AM
 */
@Entity
@Table(name = "user")
public class User implements Serializable {

    protected static final long serialVersionUID = -5204668503508016656L;

    // Surrogate primary key, generated by the persistence provider.
    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    protected Long id;

    protected String username;

    // Persisted exactly as assigned; this class applies no hashing or encoding.
    // NOTE(review): make sure only a salted password hash ever reaches this field - confirm
    // against the password encoder configured for the authentication provider.
    protected String password;

    // Roles granted to this account: user_role.userid -> this user, user_role.roleid -> role.
    @ManyToMany
    @JoinTable(
            name = "user_role",
            joinColumns = @JoinColumn(name = "userid"),
            inverseJoinColumns = @JoinColumn(name = "roleid"))
    private List<Role> roles = new ArrayList<Role>();

    public Long getId() {
        return this.id;
    }

    public void setId(Long id) {
        this.id = id;
    }

    public String getUsername() {
        return this.username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getPassword() {
        return this.password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    /** Returns the live role list (not a copy). */
    public List<Role> getRoles() {
        return this.roles;
    }

    public void setRoles(List<Role> roles) {
        this.roles = roles;
    }
}

  UserDao.java





package com.wiker.security.dao.repository;
import org.springframework.data.jpa.repository.JpaSpecificationExecutor;
import org.springframework.data.repository.PagingAndSortingRepository;
import com.wiker.security.dao.entity.User;

/**
 * Spring Data repository for {@link User} entities, keyed by {@code Long} id.
 *
 * @author Wiker Yong Email:<a href="mailto:wikeryong@gmail.com">wikeryong@gmail.com</a>
 * @date 2013-6-19 11:11:52 AM
 * @version 1.0-SNAPSHOT
 */
public interface UserDao extends PagingAndSortingRepository<User,Long>,JpaSpecificationExecutor<User> {
/**
 * Finds the user whose username and password columns both equal the given values.
 *
 * NOTE(review): an equality match on the password column only works when the caller passes
 * exactly the stored representation, which rules out salted hashes. AccountService in this
 * listing does not use it; prefer {@link #findByUsername(String)} and let the authentication
 * provider's password encoder do the comparison.
 */
User findByUsernameAndPassword(String username,String password);
/**
 * Finds the user with the given username; the caller in this listing treats a {@code null}
 * result as "no such user".
 */
User findByUsername(String username);
}

  AccountService.java





package com.wiker.security.service;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import com.wiker.security.dao.entity.User;
import com.wiker.security.dao.repository.UserDao;

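/**
 * {@link UserDetailsService} backed by {@link UserDao}: turns a stored account into the
 * {@link UserDetails} object Spring Security authenticates against.
 */
@Service
public class AccountService implements UserDetailsService {

    @Autowired
    private UserDao userDao;

    /**
     * Looks up the account by username and wraps it as an enabled, non-expired, non-locked
     * {@link UserDetails} carrying the authorities from {@link #findUserAuthorities(User)}.
     *
     * @param username the login name submitted by the user
     * @return the user details, never {@code null}
     * @throws UsernameNotFoundException if no account with that username exists
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userDao.findByUsername(username);
        if (user == null) {
            // The UserDetailsService contract requires an exception here, never a null return.
            // The message deliberately omits the submitted username, because the login page
            // prints the last authentication exception's message back to the browser.
            throw new UsernameNotFoundException("User not found");
        }
        return new org.springframework.security.core.userdetails.User(username,
                user.getPassword(), true, true, true, true, findUserAuthorities(user));
    }

    /**
     * Returns the authorities granted to the given user.
     *
     * @param user the account being authenticated (currently not consulted, see the note below)
     * @return a mutable collection of granted authorities
     */
    @SuppressWarnings("deprecation")
    public Collection<GrantedAuthority> findUserAuthorities(User user) {
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        // NOTE(review): every account receives the single hard-coded authority "admin". The
        // per-role mapping below is disabled, so user.getRoles() never influences the result.
        // Confirm this is demo scaffolding before reusing the class; restoring the mapping also
        // needs the Role import and a roles association that is loaded at this point.
        /*
        List<Role> roles = user.getRoles();
        for (Role Role : roles) {
            authorities.add(new GrantedAuthorityImpl(Role.getRoleCode()));
        }
        */
        authorities.add(new GrantedAuthorityImpl("admin"));
        return authorities;
    }
}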

