Other jar s in spring security provide other advanced authentication technologies, such as LDAP authentication, OpenID authentication, implementation options in authentication, etc. But here, I'll focus on Web application authentication.

In the servlet configuration xml file or application context xml, you need to specify the following URL in xsi: schemaLocation * of the * < beans... > tag.

<beans xmlns="http://www.springframework.org/schema/beans"

    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 

    xmlns:security="http://www.springframework.org/schema/security"

    xsi:schemaLocation="
    http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.1.xsd">
....
....
....
</beans>

To enable Spring Security, you need to add the following filters to / WEB-INF / Web xml.

<!-- Enable Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
 
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Therefore, in the * tag, you need to define filter name and filter class *, just as you define servlet name and servlet class for your application. But filter name and filter class are fixed here.

In the * * tag, you can define the path that should pass the spring security check, usually a regular expression.

The spring securityfilterchain filter, DelegatingFilterProxy, is the filter and interceptor corresponding to the servlet delegation. Our special actions are performed inside the interceptor, such as authentication and authorization.

Spring security configuration:

You need to define the following tags under the * < beans... >... < / beans > * tag in the application context xml file (or servlet config xml file).

<security:http auto-config="true" use-expressions="true">
    <!-- Interceptor urls -->
    <security:intercept-url pattern="/login**" access="permitAll" />
    <security:intercept-url pattern="/resources/**" access="permitAll" />
    <security:intercept-url pattern="/**" access="hasRole('USER')" />
    <security:intercept-url pattern="/admin**" access="hasRole('ADMIN')" />
    
    <security:form-login />
            
    <!-- Logout -->
    <security:logout logout-success-url="/logout" />
</security:http>

In the * < security: http... > tag, add the resource to be protected. As shown above, I defined four interceptors * using the < security: intercept URL > tag.

Here, I have several checks, which URLs allow all users (including anonymous users) to access, and which URLs are limited to certain user roles.

For example:

In the above code snippet, any page at the beginning of the "/ login" and "/ resources /" paths can be accessed by everyone, including anonymous users.

The "/ ADMIN" path can only be accessed by users with the ADMIN role, and so on

Spring security DH provides a default built-in login page with two text boxes for entering user names and passwords and a submit button for submitting credentials for authentication. You do not need to design a login form for your application. Once the user opens the application URL on their browser, spring security checks whether the user is not logged in, and then redirects the user to the default login form provided by spring security.

If you need a custom login page, you can configure spring security to use a custom login page. You can use the < security: form login > tag to define a custom login form page within the < security: http >... < / Security: http > tag. The following is a configuration example.

<security:http auto-config="true" use-expressions="true">

    <security:intercept-url pattern="/login**" access="permitAll" />
    <security:intercept-url pattern="/resources/**" access="permitAll" />
    <security:intercept-url pattern="/**" access="hasRole('USER')" />
    <security:intercept-url pattern="/admin**" access="hasRole('ADMIN')" />

    <!-- Login Form -->
    <security:form-login 

        login-page="/login"

        default-target-url="/"

        authentication-failure-url="/login?error=1" 

        username-parameter="username"

        password-parameter="password" />
         
    <!-- Logout -->
    <security:logout logout-success-url="/logout" />
        
</security:http>

In the < security: form login... > tag,

• In "login page", you can specify a custom login page URL path.
• In "default target URL", you can specify the URL that the user should navigate after successful login.
• In "authentication failure URL", you can specify the URL that users should navigate after login failure.
• "Username parameter" and "password parameter" - these are optional. By default, spring security accepts the parameter names "j_username" and "j_password" as username and password in the login form. If you want to specify any other name for the user name and password input fields in the login form, you can specify the custom parameter name in these two attributes in the < security: form login... > tag.

In the < security: logout... > tag,

• In "logout success URL", you can specify which page URL path the user should jump to after logging out.

last

CodeChina open source project: [analysis of Java interview questions of front-line large manufacturers + core summary learning notes + latest explanation Video]

Source project: [analysis of Java interview questions of front-line large factories + core summary learning notes + latest explanation Video]]( https://codechina.csdn.net/m0_60958482/java-p7)**

[external chain picture transferring... (img-8hu4mpw0-163082025195)]