Example code: Spring Security login with JDBC and a MySQL database.
In this post I build an example that uses Spring JDBC to connect to MySQL and authenticate users with Spring Security.
Technologies used:
Create the database
spring-security.sql
Create the database "spring-security"

Create the users table
It holds the username, password and enabled flag (enabled = 1 means the account has been activated).
CREATE TABLE `spring-security`.`users` (
  `id` INT NOT NULL AUTO_INCREMENT,
  `username` VARCHAR(45) NULL,
  `password` VARCHAR(255) NULL,
  `enabled` INT NULL,
  PRIMARY KEY (`id`),
  UNIQUE INDEX `username_UNIQUE` (`username` ASC));
Create the role table
It holds the available roles.
CREATE TABLE `spring-security`.`role` (
  `id` INT NOT NULL AUTO_INCREMENT,
  `name` VARCHAR(45) NULL,
  PRIMARY KEY (`id`));
Create the users_roles table
It maps each user to the roles that user has.
CREATE TABLE `spring-security`.`users_roles` (
  `id` INT NOT NULL AUTO_INCREMENT,
  `user` INT NULL,
  `role` INT NULL,
  PRIMARY KEY (`id`),
  INDEX `_idx` (`user` ASC),
  INDEX `dfdf_idx` (`role` ASC),
  CONSTRAINT `user`
    FOREIGN KEY (`user`)
    REFERENCES `spring-security`.`users` (`id`)
    ON DELETE NO ACTION
    ON UPDATE NO ACTION,
  CONSTRAINT `role`
    FOREIGN KEY (`role`)
    REFERENCES `spring-security`.`role` (`id`)
    ON DELETE NO ACTION
    ON UPDATE NO ACTION);
Create two accounts, kai/123456 and sena/123456
INSERT INTO `users` VALUES (1,'kai','{noop}123456',1),(2,'sena','{noop}123456',1);
Create two roles, ROLE_ADMIN and ROLE_USER
INSERT INTO `role` VALUES (1,'ROLE_ADMIN'),(2,'ROLE_USER');
Assign the roles "ROLE_ADMIN" and "ROLE_USER" to the account 'kai', and the role "ROLE_USER" to the account 'sena'
INSERT INTO `users_roles` VALUES (1,1,1),(2,1,2),(4,2,2);
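The two accounts above are stored with the {noop} prefix, that is, as plain text. The following is an added example (not part of the original project) showing how the same rows can be re-encoded as {bcrypt} values; Spring Security 5 checks stored passwords with its delegating encoder by default, which is why the {noop} values work and why {bcrypt} values need no configuration change. The class name NoopToBcrypt and the sample rows are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Added example, not from the original project: converts the tutorial's
 * {noop} plain-text passwords into salted {bcrypt} hashes.
 */
public class NoopToBcrypt {

    private static final String NOOP_PREFIX = "{noop}";

    /** Returns the value that should be stored in users.password for one row. */
    static String upgrade(String stored, PasswordEncoder encoder) {
        if (stored == null || !stored.startsWith(NOOP_PREFIX)) {
            return stored; // already hashed (or empty): leave it untouched
        }
        String raw = stored.substring(NOOP_PREFIX.length());
        // The delegating encoder prefixes its output with the id of the
        // algorithm it used, e.g. "{bcrypt}$2a$10$...", with a random salt.
        String hashed = encoder.encode(raw);
        // Sanity checks before anything is written back to the database.
        if (!hashed.startsWith("{bcrypt}") || !encoder.matches(raw, hashed)) {
            throw new IllegalStateException("unexpected encoder output");
        }
        return hashed;
    }

    public static void main(String[] args) {
        // The encoder Spring Security 5 falls back to when the
        // authentication provider declares no password encoder.
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        // Constructed sample rows mirroring the INSERT INTO `users` statement.
        Map<String, String> rows = new LinkedHashMap<String, String>();
        rows.put("kai", "{noop}123456");
        rows.put("sena", "{noop}123456");

        for (Map.Entry<String, String> row : rows.entrySet()) {
            String upgraded = upgrade(row.getValue(), encoder);

            // The same comparison the login performs against the stored value.
            boolean correctAccepted = encoder.matches("123456", upgraded);
            boolean wrongRejected = !encoder.matches("12345", upgraded);
            // A second pass must not re-hash an already upgraded value.
            boolean idempotent = upgraded.equals(upgrade(upgraded, encoder));
            if (!correctAccepted || !wrongRejected || !idempotent) {
                throw new IllegalStateException("verification failed for " + row.getKey());
            }

            // bcrypt output contains only [A-Za-z0-9./$] plus the {bcrypt}
            // prefix, so it can be placed inside a quoted SQL literal as is.
            System.out.println("UPDATE `users` SET `password` = '" + upgraded
                    + "' WHERE `username` = '" + row.getKey() + "';");
        }
    }
}
```

Each run prints different hashes because bcrypt generates a new salt per call; both accounts get different stored values even though they share a password.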
Create the Maven project.

Libraries used:
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>stackjava.com</groupId>
  <artifactId>SpringSecurityJDBC</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>war</packaging>
  <properties>
    <spring.version>5.0.2.RELEASE</spring.version>
    <spring.security.version>5.0.2.RELEASE</spring.security.version>
    <jstl.version>1.2</jstl.version>
  </properties>
  <dependencies>
    <!-- Spring MVC -->
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-webmvc</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <!-- Spring Security -->
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-web</artifactId>
      <version>${spring.security.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-config</artifactId>
      <version>${spring.security.version}</version>
    </dependency>
    <!-- Spring JDBC -->
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-jdbc</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-tx</artifactId>
      <version>${spring.version}</version>
    </dependency>
    <!-- MySQL -->
    <dependency>
      <groupId>mysql</groupId>
      <artifactId>mysql-connector-java</artifactId>
      <version>5.1.45</version>
    </dependency>
    <!-- JSP - Servlet Lib -->
    <dependency>
      <groupId>javax.servlet.jsp</groupId>
      <artifactId>jsp-api</artifactId>
      <version>2.2</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>servlet-api</artifactId>
      <version>2.5</version>
      <scope>provided</scope>
    </dependency>
    <!-- jstl for jsp page -->
    <dependency>
      <groupId>jstl</groupId>
      <artifactId>jstl</artifactId>
      <version>${jstl.version}</version>
    </dependency>
  </dependencies>
</project>
The web.xml file
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns="http://java.sun.com/xml/ns/javaee"
  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
  version="2.5">
  <display-name>SpringSecurityJDBC</display-name>
  <!-- SPRING MVC -->
  <servlet>
    <servlet-name>spring-mvc</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
      <param-name>contextConfigLocation</param-name>
      <param-value></param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>spring-mvc</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
  <!-- Loads Spring Security config file -->
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
      /WEB-INF/spring-mvc-servlet.xml,
      /WEB-INF/spring-security.xml
    </param-value>
  </context-param>
  <!-- Creates the Spring Container shared by all Servlets and Filters -->
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
  </listener>
  <!-- Spring Security -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
Spring configuration file
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:context="http://www.springframework.org/schema/context"
  xmlns:mvc="http://www.springframework.org/schema/mvc"
  xsi:schemaLocation="http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-4.3.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-4.3.xsd">
  <context:component-scan base-package="stackjava.com.springsecurityjdbc" />
  <mvc:annotation-driven />
  <bean
    class="org.springframework.web.servlet.view.InternalResourceViewResolver">
    <property name="prefix">
      <value>/WEB-INF/views/jsp/</value>
    </property>
    <property name="suffix">
      <value>.jsp</value>
    </property>
  </bean>
  <bean id="dataSource"
    class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    <property name="driverClassName" value="com.mysql.jdbc.Driver" />
    <property name="url"
      value="jdbc:mysql://localhost:3306/spring-security" />
    <property name="username" value="root" />
    <property name="password" value="admin1234" />
  </bean>
</beans>
Spring Security configuration file
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:beans="http://www.springframework.org/schema/beans"
  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
  <http auto-config="true">
    <intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/user**" access="hasRole('ROLE_ADMIN') or hasRole('ROLE_USER')" />
    <form-login login-page="/login" login-processing-url="/j_spring_security_login"
      default-target-url="/user" authentication-failure-url="/login?error"
      username-parameter="username" password-parameter="password" />
    <logout logout-url="/j_spring_security_logout"
      logout-success-url="/logout" delete-cookies="JSESSIONID" />
  </http>
  <authentication-manager>
    <authentication-provider>
      <jdbc-user-service data-source-ref="dataSource"
        users-by-username-query="select username,password, enabled from users where username=?"
        authorities-by-username-query="select users.username, role.name from users, role, users_roles
          where username =? and users.id = users_roles.user and users_roles.role = role.id " />
    </authentication-provider>
  </authentication-manager>
</beans:beans>
*Note: as you can see, spring-security.xml references the dataSource bean defined in spring-mvc-servlet.xml, so in web.xml I load the configuration in spring-mvc-servlet.xml before spring-security.xml.
Controller file:
package stackjava.com.springsecurityjdbc.controller;

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class BaseController {

  @RequestMapping(value = { "/login", "/" })
  public String login(@RequestParam(value = "error", required = false) final String error, final Model model) {
    if (error != null) {
      model.addAttribute("message", "Login Failed!");
    }
    return "login";
  }

  @RequestMapping("/admin")
  public String admin() {
    return "admin";
  }

  @RequestMapping("/user")
  public String user() {
    return "user";
  }

  @RequestMapping("/logout")
  public String logout(final Model model) {
    model.addAttribute("message", "Logged out!");
    return "login";
  }
}
View files:
Login page
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
  <title>login</title>
</head>
<body>
  <h1>Spring MVC-Security Login Form</h1>
  <h2>${message}</h2>
  <form name='loginForm' action="<c:url value='j_spring_security_login' />" method='POST'>
    <table>
      <tr>
        <td>User:</td>
        <td><input type='text' name='username'></td>
      </tr>
      <tr>
        <td>Password:</td>
        <td><input type='password' name='password' /></td>
      </tr>
      <tr>
        <td colspan='2'><input name="submit" type="submit" value="login" /></td>
      </tr>
    </table>
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
  </form>
</body>
</html>
Admin page: only role = "ROLE_ADMIN" may access it
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
  <title>Admin Page</title>
</head>
<body>
  <h1>Admin Page</h1>
  <h2>Welcome: ${pageContext.request.userPrincipal.name}</h2>
  <form action="<c:url value="/j_spring_security_logout" />" method="post">
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
    <input type="submit" value="Logout" />
  </form>
</body>
</html>
User page: role = "ROLE_ADMIN" or "ROLE_USER" may access it.
<%@taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core"%>
<html>
<head>
  <title>User Page</title>
</head>
<body>
  <h1>User Page</h1>
  <h2>Welcome: ${pageContext.request.userPrincipal.name}</h2>
  <a href="<c:url value="/admin" />">Admin Page</a> <br/>
  <form action="<c:url value="/j_spring_security_logout" />" method="post">
    <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
    <input type="submit" value="Logout" />
  </form>
</body>
</html>
Demo:
Log in with the account kai/123456

Access the admin.jsp page

Log out.

Log in with the account sena/123456

Access the admin.jsp page

Because the account sena/123456 does not have role = "ROLE_ADMIN", it cannot access the admin.jsp page.

Okay, done!
Download the example code here.
References:
https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#nsa-jdbc-user-service