Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架
要想使用他我先的加依赖

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>5.0.1.RELEASE</version>
</dependency>
要做权限管理哪必须要拦截用户的请求，那么当然就有拦截器，那么就要在web.xml里面配置

<!--springSecurity委派过滤器-->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
这样所有的请求都要通过security的检测
哪他是怎样做权限管理的呢下面来看下  security 的配置文件
springSecurity.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/s ... spring-security.xsd">
    <!--放行一些资源-->
    <security:http pattern="/login.jsp" security="none"></security:http>
    <security:http pattern="/failer.jsp" security="none"></security:http>
    <security:http pattern="/css/**" security="none"></security:http>
    <security:http pattern="/img/**" security="none"></security:http>
    <security:http pattern="/plugins/**" security="none"></security:http>


    <security:http auto-config="true" use-expressions="false">
        <security:intercept-url pattern="/**" access="ROLE_USER"></security:intercept-url>
        <!--配置登陆表单-->
        <security:form-login
                login-page="/login.jsp"
                login-processing-url="/login"
                default-target-url="/index.jsp"
                authentication-failure-url="/failer.jsp"
                username-parameter="username"
                password-parameter="password"
        ></security:form-login>

        <!--退出配置-->
        <security:logout
                invalidate-session="true"
                logout-url="/logout"
                logout-success-url="/login.jsp" ></security:logout>
        <!--关闭跨域请求-->
        <security:csrf disabled="true"></security:csrf>
    </security:http>

    <!--登陆认证连接数据库，执行service方法-->
    <security:authentication-manager>
        <!--引用容器中的UserService对象,此对象一定要实现接口UserDetailsService-->
        <security:authentication-provider user-service-ref="userServiceImpl"></security:authentication-provider>
    </security:authentication-manager>
</beans>
从下面这行代码可以看出他是基于URL 来控制的  
<security:intercept-url pattern="/**" access="ROLE_USER"></security:intercept-url>

Spring Security是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架
要想使用他我先的加依赖

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-core</artifactId>
    <version>5.0.1.RELEASE</version>
</dependency>
要做权限管理哪必须要拦截用户的请求，那么当然就有拦截器，那么就要在web.xml里面配置

<!--springSecurity委派过滤器-->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
这样所有的请求都要通过security的检测
哪他是怎样做权限管理的呢下面来看下  security 的配置文件
springSecurity.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/s ... spring-security.xsd">
    <!--放行一些资源-->
    <security:http pattern="/login.jsp" security="none"></security:http>
    <security:http pattern="/failer.jsp" security="none"></security:http>
    <security:http pattern="/css/**" security="none"></security:http>
    <security:http pattern="/img/**" security="none"></security:http>
    <security:http pattern="/plugins/**" security="none"></security:http>


    <security:http auto-config="true" use-expressions="false">
        <security:intercept-url pattern="/**" access="ROLE_USER"></security:intercept-url>
        <!--配置登陆表单-->
        <security:form-login
                login-page="/login.jsp"
                login-processing-url="/login"
                default-target-url="/index.jsp"
                authentication-failure-url="/failer.jsp"
                username-parameter="username"
                password-parameter="password"
        ></security:form-login>

        <!--退出配置-->
        <security:logout
                invalidate-session="true"
                logout-url="/logout"
                logout-success-url="/login.jsp" ></security:logout>
        <!--关闭跨域请求-->
        <security:csrf disabled="true"></security:csrf>
    </security:http>

    <!--登陆认证连接数据库，执行service方法-->
    <security:authentication-manager>
        <!--引用容器中的UserService对象,此对象一定要实现接口UserDetailsService-->
        <security:authentication-provider user-service-ref="userServiceImpl"></security:authentication-provider>
    </security:authentication-manager>
</beans>
从下面这行代码可以看出他是基于URL 来控制的  
<security:intercept-url pattern="/**" access="ROLE_USER"></security:intercept-url>