使用 security 2.0 和extjs 3.0实现web登录

1开发环境说明

本例使用MyEclipse 6.5作为开发工具，jdk1.5作为编译工具，tomcat6.0作为web运行服务器。

2开发步骤

2.1搭建web项目

关于搭建web项目相关的文档网上有很多，在此略过。搭建成功后项目结构如下图

 

项目依赖的jar包如下图

 

2.2编辑登录页面

2.2.1 index.jsp源码

本项目中把index.jsp作为登录页面。代码如下：

<%@ taglib prefix='c' uri='http://.sun.com/jstl/core_rt' %>

<%@ page import="org.springframework.security.ui.AbstractProcessingFilter" %>

<%@ page import="org.springframework.security.ui.webapp.AuthenticationProcessingFilter" %>

<%@ page import="org.springframework.security.AuthenticationException" %>

<c:set var="ctx" value="${pageContext.request.contextPath}"/>

<%

    String path = request.getContextPath();

    String basePath = request.getScheme() + "://"

           + request.getServerName() + ":" + request.getServerPort()

           + path + "/";

    String strLocale = request.getParameter("locale");  

%>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>

  <head>

    <title>Spring Security + ExtJS Login</title>

   

    <!-- Ext JS files -->

    <link rel="stylesheet" type="text/css" href="${ctx}/ext-3.0.0/resources/css/ext-all.css"/>

    <script src="${ctx}/ext-3.0.0/adapter/ext/ext-base.js"></script>

    <script src="${ctx}/ext-3.0.0/ext-all.js"></script>

    <!-- login form -->

    <script src="${ctx}/js/login.js"></script>

   

  </head>

  <body>

  <br><br><br><br><br>

    <center>

    <div id="login"></div>

    </center>

  </body>

</html>

 

2.2.2 index.jsp源码说明

在Index.jsp文件中，代码“<link rel="stylesheet" type="text/css" href="${ctx}/ext-3.0.0/resources/css/ext-all.css" />”是引用extjs的样式。代码“<script src="${ctx}/ext-3.0.0/adapter/ext/ext-base.js"></script>”是加载extjs基本包。

代码“<script src="${ctx}/ext-3.0.0/ext-all.js"></script>”是加载extjs核心包。

代码“<script src="${ctx}/js/login.js"></script>”extjs登录表单。关于login.js的内容，将会在后面小节中介绍。

2.2.3 login.js源码

login.js文件中定义的就是extjs登录表单。代码如下：

Ext.onReady(function(){

    Ext.QuickTips.init();

    var login = new Ext.FormPanel({

       labelWidth:80,

       url:'j_spring_security_check',

       frame:true,

       title:'Please Login',

       defaultType:'textfield',

       width:300,

       height:150,

       monitorValid:true,

       items:[{

           fieldLabel:'Username',

           name:'j_username',

           allowBlank:false

       },{

           fieldLabel:'Password',

           name:'j_password',

           inputType:'password',

           allowBlank:false

       }],

       buttons:[{

           text:'Login',

           formBind: true,

           handler:function(){

           login.getForm().submit({

              method:'POST',

              success:function(){

              Ext.Msg.alert('Status', 'Login Successful!', function(btn, text){

                  if (btn == 'ok'){

                     window.location = 'main.action';

                  }

              });

           },

           failure:function(form, action){

              if(action.failureType == 'server'){

                  obj = Ext.util.JSON.decode(action.response.responseText);

                  Ext.Msg.alert('Login Failed!', obj.errors.reason);

              }else{

                  Ext.Msg.alert('Warning!', 'Authentication server is unreachable : ' + action.response.responseText);

              }

              login.getForm().reset();

           }

           });

       }

       }]

    });

    login.render('login');

});

 

2.2.4 index.js源码说明

在index.js中定义了一个login表单，url：'j_spring_security_check'对应spring security的登录验证地址。表单里放了两个输入域'j_username'、'j_password'，分别对应用户名和密码。表单中还有一个登录按钮'Login'，点击按钮提交到后台执行登录验证。验证成功跳转到'main.action'，验证失败则提示失败信息。'main.action'是在spring mvc中定义访问地址。具体见2.3节，配置spring mvc.

2.3配置spring mvc

本项目中的spring mvc用到2个文件，src目录下com.loiane.controller.MainController.java和WEB-INF目录下的spring-security-extjs-login-servlet.xml。

2.3.1 spring-security-extjs-login-servlet.xml源码

<?xml version="1.0" encoding="UTF-8"?>

 

<beans xmlns="http://www.springframework.org/schema/beans"

       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

       xsi:schemaLocation="http://www.springframework.org/schema/beans

       http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">

 

    <bean name="/*.action" class="com.loiane.controller.MainController">

    </bean>

     

</beans>

 

2.3.2 spring-security-extjs-login-servlet.xml源码说明

spring-security-extjs-login-servlet.xml用于URL地址映射，把类似"/*.action"的请求地址映射到com.loiane.controller.MainController.java控制器类做进一步处理，文件中有一句代码：“<bean name="/*.action" class="com.loiane.controller.MainController"></bean>”。

2.3.3 com.loiane.controller.MainController.java源码

package com.loiane.controller;

 

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import org.springframework.web.servlet.ModelAndView;

import org.springframework.web.servlet.mvc.multiaction.MultiActionController;

 

public class MainController extends MultiActionController  {

         public ModelAndView main(HttpServletRequest request,

                            HttpServletResponse response) throws Exception {

                   return new ModelAndView("main.jsp");

         }

}

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

2.3.4 com.loiane.controller.MainController.java源码说明

com.loiane.controller.MainController.java继承

org.springframework.web.servlet.mvc.multiaction.MultiActionController.java类，跳转到main.jsp。

2.3.5 main.jsp源码

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"

    pageEncoding="ISO-8859-1"%>

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

<title>Spring Security + ExtJS Login</title>

</head>

<body>

<h1>You are successfully authenticated!</h1>

</body>

</html>

 

2.4配置spring security

本项目中的spring security用到2个文件，src目录下com.loiane.security.MyAuthenticationProcessingFilter.java和WEB-INF目录下的applicationContext-security.xml。

2.4.1 applicationContext-security.xml源码

<?xml version="1.0" encoding="UTF-8"?>

 <beans xmlns="http://www.springframework.org/schema/beans"

    xmlns:security="http://www.springframework.org/schema/security"

    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd

http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <security:global-method-security />

    <security:http auto-config="false" entry-point-ref="authenticationProcessingFilterEntryPoint">

       <security:intercept-url pattern="/index.jsp" filters="none" />

       <security:intercept-url pattern="/*.action" access="ROLE_USER" />

    </security:http>

    <bean id="authenticationProcessingFilter" class="com.loiane.security.MyAuthenticationProcessingFilter">

       <security:custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />

       <property name="defaultTargetUrl" value="/main.html" />

       <property name="authenticationManager" ref="authenticationManager" />

    </bean>   

 

 

<security:authentication-manager alias="authenticationManager" />

 

    <bean id="authenticationProcessingFilterEntryPoint"

        class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">

       <property name="loginFormUrl" value="/index.jsp" />

       <property name="forceHttps" value="false" />

    </bean>

 

    <!--

    Usernames/Passwords are

        admin/111111

        dianne/111111

        scott/111111

        peter/111111

    These passwords are from spring security app example   

    -->

    <security:authentication-provider>

        <security:password-encoder hash="md5"/>

        <security:user-service>

            <security:user name=" admin " password="96e79218965eb72c92a549dd5a330112" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />

            <security:user name="dianne" password="96e79218965eb72c92a549dd5a330112" authorities="ROLE_USER,ROLE_TELLER" />

            <security:user name="scott" password="96e79218965eb72c92a549dd5a330112" authorities="ROLE_USER" />

            <security:user name="peter" password="96e79218965eb72c92a549dd5a330112" authorities="ROLE_USER" />

        < /security:user-service>

    </security:authentication-provider>

</beans>

 

2.4.2 applicationContext-security.xml源码说明

在applicationContext-security.xml文件中配置登录权限验证。

<security:http auto-config="false" entry-point-ref="authenticationProcessingFilterEntryPoint">

       <security:intercept-url pattern="/index.jsp" filters="none" />

       <security:intercept-url pattern="/*.action" access="ROLE_USER" />

    </security:http>

这段配置表示：我们要保护应用程序中的/*.action的URL，只有拥有ROLE_USER角色的用户才能访问。任何角色的用户都可以访问/index.jsp。你可以使用多个<intercept-url>元素为不同URL的集合定义不同的访问需求，它们会被归入一个有序队列中，每次取出最先匹配的一个元素使用。所以你必须把期望使用的匹配条件放到最上边。entry-point-ref="authenticationProcessingFilterEntryPoint"表示定义一个权限验证的入口authenticationProcessingFilterEntryPoint。

 

<bean id="authenticationProcessingFilter" class="com.loiane.security.MyAuthenticationProcessingFilter">

       <security:custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />

       <property name="defaultTargetUrl" value="/main.html" />

       <property name="authenticationManager" ref="authenticationManager" />

    </bean>

这段配置定义自定义权限处理过滤器com.loiane.security.MyAuthenticationProcessingFilter，defaultTargetUrl指定验证成功或失败后转向的页面，authenticationManager引用权限管理器。

 

<bean id="authenticationProcessingFilterEntryPoint"      class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">

       <property name="loginFormUrl" value="/index.jsp" />

       <property name="forceHttps" value="false" />

    </bean>

这段配置定义权限验证入口，指定登录页面为/index.jsp，不使用https协议。

 

<security:authentication-provider>

        <security:password-encoder hash="md5"/>

        <security:user-service>

            <security:user name="admin" password="96e79218965eb72c92a549dd5a330112" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />

            <security:user name="dianne" password="96e79218965eb72c92a549dd5a330112" authorities="ROLE_USER,ROLE_TELLER" />

            <security:user name="scott" password="96e79218965eb72c92a549dd5a330112" authorities="ROLE_USER" />

            <security:user name="peter" password="96e79218965eb72c92a549dd5a330112" authorities="ROLE_USER" />

        < /security:user-service>

    </security:authentication-provider>

</beans>

这段配置定义了4个用户，密码使用md5加密，admin密码为111111拥有ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER三个角色、dianne密码为111111拥有ROLE_USER,ROLE_TELLER两个角色、scott密码为111111拥有ROLE_USER角色、peter密码为111111拥有ROLE_USER角色。

2.4.3 com.loiane.security.MyAuthenticationProcessingFilter.java源码

 

package com.loiane.security;

 

import java.io.IOException;

import java.io.Writer;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import javax.servlet.http.HttpServletResponseWrapper;

import org.springframework.security.Authentication;

import org.springframework.security.AuthenticationException;

import org.springframework.security.ui.webapp.AuthenticationProcessingFilter;

 

public class MyAuthenticationProcessingFilter extends AuthenticationProcessingFilter {

         protected void onSuccessfulAuthentication(HttpServletRequest request,

                            HttpServletResponse response, Authentication authResult)

         throws IOException {

                   super.onSuccessfulAuthentication(request, response, authResult);

                   HttpServletResponseWrapper responseWrapper = new HttpServletResponseWrapper(response);

                   Writer out = responseWrapper.getWriter();

                   String targetUrl = determineTargetUrl( request );

                   out.write("{success:true, targetUrl : \'" + targetUrl + "\'}");

                   out.close();

         }

 

         protected void onUnsuccessfulAuthentication( HttpServletRequest request,

                            HttpServletResponse response, AuthenticationException failed )

         throws IOException {

                   HttpServletResponseWrapper responseWrapper = new HttpServletResponseWrapper(response);

                   Writer out = responseWrapper.getWriter();

                   out.write("{ success: false, errors: { reason: 'Login failed. Try again.' }}");

                out.close();

         }

}

 

2.4.4 com.loiane.security.MyAuthenticationProcessingFilter.java源码说明

com.loiane.security.MyAuthenticationProcessingFilter.java继承于

org.springframework.security.ui.webapp.AuthenticationProcessingFilter.java类，重写了

onSuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult)和onUnsuccessfulAuthentication( HttpServletRequest request, HttpServletResponse response, AuthenticationException failed )方法。在onSuccessfulAuthentication()方法中返回验证成功后的跳转地址，在onUnsuccessfulAuthentication()方法中返回验证失败的信息。

2.5配置web.xml

2.5.1 web.xml源码

 

 

<?xml version="1.0" encoding="UTF-8"?>

<web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

    <display-name>spring-security-extjs-login</display-name>

    <context-param>

       <param-name>contextConfigLocation</param-name>

       <param-value>

           /WEB-INF/spring-security-extjs-login-servlet.xml

           /WEB-INF/applicationContext-security.xml

       </param-value>

    </context-param>

    <filter>

        <filter-name>springSecurityFilterChain</filter-name>

<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>

    </filter>

     <filter-mapping>

      <filter-name>springSecurityFilterChain</filter-name>

      <url-pattern>/*</url-pattern>

    </filter-mapping>

   

    <listener>    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>

    </listener>

   

    <servlet>

    <servlet-name>spring-security-extjs-login</servlet-name>

    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>

    <load-on-startup>1</load-on-startup>

  </servlet>

 

  <servlet-mapping>

    <servlet-name>spring-security-extjs-login</servlet-name>

    <url-pattern>*.action</url-pattern>

  </servlet-mapping>

 

  <welcome-file-list>

    <welcome-file>index.jsp</welcome-file>

  </welcome-file-list>

   

</web-app>

 

 

 

 

 

2.5.1 web.xml源码说明

<context-param>

       <param-name>contextConfigLocation</param-name>

       <param-value>

           /WEB-INF/spring-security-extjs-login-servlet.xml

           /WEB-INF/applicationContext-security.xml

       </param-value>

    </context-param>

    <filter>

这段代码配置spring使用的相关配置文件。/WEB-INF/spring-security-extjs-login-servlet.xml是关于spring mvc的相关配置。/WEB-INF/applicationContext-security.xml是关于登录权限验证相关的配置。

 

<filter>

        <filter-name>springSecurityFilterChain</filter-name>

<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>

    </filter>

     <filter-mapping>

      <filter-name>springSecurityFilterChain</filter-name>

      <url-pattern>/*</url-pattern>

    </filter-mapping>

   

这段代码配置spring过滤链。处理所有URL地址。

 

<listener>    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>

    </listener>

 

这段代码注册spring监听器。

 

<servlet>

    <servlet-name>spring-security-extjs-login</servlet-name>

    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>

    <load-on-startup>1</load-on-startup>

  </servlet>

 

  <servlet-mapping>

    <servlet-name>spring-security-extjs-login</servlet-name>

    <url-pattern>*.action</url-pattern>

  </servlet-mapping>

 

这段代码注册spring mvc，处理*.action的请求。

 

 

 

 

 

 

2.6运行效果

登录页面

 

登录页面-验证成功提示

 

登录页面-验证成功后跳转到main.jsp页面

 

 

登录页面-验证失败提示

 

 

3参考文档

http://loianegroner.com/2010/02/integrating-spring-security-with-extjs-login-page/#comments