spring Scurity终于测试OK了,复杂的功能还待深入研究!发布出来一起探讨吧!
就是因 为研究它,我的个天啦!头都大了一圈!还待修改完整版!我的目标不是每个项目拿到它就能使用!到时再说啦。。。
虽然只是一个登陆,但里面的知识真是太广了!什么md5 盐值 加密 生成,cookie 生成序列保存数据库,
sessionID防护的一大堆安全,资源权限分配和保护 等。。。值得一学的框架!
sql 脚本也在项目一起
项目源码下载:http://download.csdn.net/detail/liangrui1988/5916359
官方文档:http://static.springsource.org/spring-security/site/docs/3.0.x/reference/springsecurity.html
jar 下载 http://www.springsource.org/download/community
项目图片:
部分代码:
applicationContext-security2.xml
<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> <!-- 使用security="none"忽略所有过滤器会提升性能,而是用匿名登录功能可以实现权限操作的一致性, 具体应用时还需要大家根据实际情况自行选择了。 <http pattern="/" security="none"/> --> <http pattern="/image" security="none"/> <!--entry-point-ref="" 未登录的切入点 servlet-api-provision="true" 默认启用 保存没有登录之前的请求 access-denied-page="" 被拦截之后的页面--> <http auto-config="true" entry-point-ref="myAuthenticationEntryPoint" access-denied-page="/error/page403.jsp" > <!-- 在配置文件中使用auto-config="true"就会启用匿名登录功能。在启用匿名登录之后, 如果我们希望允许未登录就可以访问一些资源,可以在进行如下配置。 IS_AUTHENTICATED_ANONYMOUSLY=ROLE_ANONYMOUS--> <intercept-url pattern="/" access="ROLE_ANONYMOUS"/> <anonymous username="游客"/> <!-- 只要登 陆的用户都可以访问项目资源 除了受保护的次源 --> <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" /> <!-- 自定义过滤器 在之前执行 --> <custom-filter ref="filterSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR" /> <!-- 切换用户 --> <custom-filter position="SWITCH_USER_FILTER" ref="switchUserProcessingFilter" /> <!-- 获取 ip --> <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrentSessionFilter"/> <!-- 用户退出 session无效 --> <logout invalidate-session="true" logout-url="/j_spring_security_logout" /> <!-- 保存cookie 保存用户名密码多长时间--> <!--60*60*24*7=604800= 一个星期的秒数 --> <remember-me key="myApp" token-validity-seconds="604800" data-source-ref="authoritiesData" /> <!-- 用户登陆 默认跳转页面 and 失败面页 --> <form-login default-target-url="/index.jsp" authentication-failure-url="/login.jsp?error=true"/> <!-- 防御会话伪造 none,migrateSession和newSession。默认使用的是migrationSession, <session-management session-fixation-protection="migrateSession"/>--> <!-- 会话管理 默认30分钟 ,空闲30分钟后,自动销毁 session-authentication-strategy 会话认证策略 session-authentication-strategy-ref="currentControllerStrategy" --> <session-management invalid-session-url="/login.jsp" session-authentication-strategy-ref="currentControllerStrategy"/> <!-- <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" /> </session-management> --> <!-- 允许同时登陆几个,如果溢出这个数则报异常 --> <!-- error-if-maximum-exceeded="true"=不允许把在线用户踢出去--> </http> <!--注意必须放在用来验证权限的FilterSecurityInterceptor之后,这样可以控制当前用户是否拥有切换用户的权限 --> <beans:bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter" autowire="byType"> <beans:property name="targetUrl" value="/manager.jsp"/> </beans:bean> <!-- 未登录的切入点 --> <beans:bean id="myAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> <beans:property name="loginFormUrl" value="/login.jsp"></beans:property> </beans:bean> <!-- 认证管理 --> <authentication-manager> <authentication-provider> <!-- md5加密 --> <password-encoder hash="md5"> <!-- 盐值加密 --> <salt-source user-property="username"/> </password-encoder> <!-- 数据库是自定义的,所以要修改sql查询语句 用户信息 和 权限信息 --> <jdbc-user-service data-source-ref="authoritiesData" users-by-username-query="select username,password,status as enabled from user where username=?" authorities-by-username-query="select u.username,r.name as authority from user u join user_role ur on u.id=ur.user_id join role r on r.id=ur.role_id where u.username=?"/> </authentication-provider> </authentication-manager> <!-- 过虑拦截器 作用:就是把自定义的数据库查询字段 封装成security规范 的字段--> <beans:bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor" autowire="byType"> <beans:property name="securityMetadataSource" ref="filterInvocationSecurityMetadataSource" /> <beans:property name="authenticationManager" ref="org.springframework.security.authenticationManager"/> </beans:bean> <!-- 替换原有功能的切入点 从数据库里查询出数据 资源==角色 注入数据库源 和查询结果的sql语句 把受保护的资源(jsp页面)写入到数据库中 需要这样的配置--> <beans:bean id="filterInvocationSecurityMetadataSource" class="accp.util.JdbcFilterInvocationDefinitionSourceFactoryBean"> <beans:property name="dataSource" ref="authoritiesData"/> <beans:property name="resourceQuery" value=" select re.res_string,r.name from role r join resc_role rr on r.id=rr.role_id join resc re on re.id=rr.resc_id order by re.priority "/> </beans:bean> <!-- 提示信息 国际化--> <beans:bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource"> <beans:property name="basename" value="classpath:messages_zh_CN"/> </beans:bean> <!-- 获取用户 ip 和用户绑定,(如是果设了最大会话为1,不用担心没注销用户,无法再登陆!) 这样在同一个电脑是可以重复登陆, --> <beans:bean id="concurrentSessionFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter"> <beans:property name="sessionRegistry" ref="sessionRegistry"/> </beans:bean> <beans:bean id="sessionRegistry" class="accp.myFilter.SmartSessionRegistry"/> <beans:bean id="currentControllerStrategy" class="accp.myFilter.SmartConcurrentSessionControlStrategy"> <beans:constructor-arg ref="sessionRegistry"/> <!-- 允许同时登陆几个,如果溢出这个数则报异常 --> <!-- error-if-maximum-exceeded="true"=不允许把在线用户踢出去 --> <beans:property name="exceptionIfMaximumExceeded" value="true"/> <beans:property name="maximumSessions" value="1"/> </beans:bean> <!-- 记录日志 --> <beans:bean class="accp.myFilter.AuditListener"/> </beans:beans>
applicationContext-action.xml
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd "> <!--*************************注入services层接口到action******************************--> <!-- 用户action 注入services接口 --> <bean id="userAction" class="accp.action.UserAction"> <property name="services" ref="userServices"/> <property name="baseUserServices" ref="baseServices"/> <property name="baseRoleServices" ref="baseServices"/> </bean> <!-- registerAction 注入services接口 --> <bean id="userRegisterAction" class="accp.action.RegisterAction"> <property name="services" ref="userServices"/> <property name="baseUserServices" ref="baseServices"/> <property name="baseRoleServices" ref="baseServices"/> </bean> <!-- resc action --> <bean id="rescAction" class="accp.action.RescAction"> <property name="rescServices" ref="rescServices"/> <property name="baseRescServices" ref="baseServices"/> <property name="baseRoleServices" ref="baseServices"/> </bean> <!-- role action --> <bean id="roleAction" class="accp.action.RoleAction"> <property name="roleServices" ref="roleServices"/> <property name="baseRoleServices" ref="baseServices"/> <property name="baseRescServices" ref="baseServices"/> </bean> </beans>
applicationContext-service.xml
<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd "> <!--*************************hibernateTemplate******************************--> <!-- BaseDaoImpl注入 hibernateTemplate--> <bean id="baseDao" class="accp.dao.imple.BaseDaoImpl"> <property name="hibernateTemplate" ref="hibernateTemplate"/> </bean> <!-- RescDaoImpl注入 hibernateTemplate || parent父类是谁 同样实现的继承关系--> <bean id="rescDao" class="accp.dao.imple.RescDaoImpl" parent="baseDao"> <!-- <property name="hibernateTemplate" ref="hibernateTemplate" /> --> </bean> <!-- RoleDaoImpl注入 hibernateTemplate--> <bean id="roleDao" class="accp.dao.imple.RoleDaoImpl" parent="baseDao"> </bean> <!-- UserDaoImpl注入 hibernateTemplate --> <bean id="userDao" class="accp.dao.imple.UserDaoImpl" parent="baseDao"> <!-- <property name="hibernateTemplate" ref="hibernateTemplate" /> --> </bean> <!--*************************注入dao层接口到services层******************************--> <!-- baseDao到业务层 parent="baseDao"--> <bean id="baseServices" class="accp.services.imple.BaseServicesImple" > <property name="basedao" ref="baseDao"/> </bean> <!-- user 方便真接调用基本操作类 hibernateTemplate--> <bean id="userServices" class="accp.services.imple.UserServicesImple"> <property name="userDao" ref="userDao"/> </bean> <!-- 角色 --> <bean id="roleServices" class="accp.services.imple.RoleServicesImple"> <property name="roleDao" ref="roleDao"/> </bean> <!-- 资源 --> <bean id="rescServices" class="accp.services.imple.RescServicesImple"> <property name="rescDao" ref="rescDao"/> </bean> </beans>
UserAction.java
package accp.action; import java.io.PrintWriter; import java.util.HashSet; import java.util.Iterator; import java.util.List; import java.util.Set; import javax.servlet.http.HttpServletResponse; import org.apache.struts2.ServletActionContext; import org.springframework.security.authentication.encoding.Md5PasswordEncoder; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.userdetails.UserDetails; import accp.bean.Role; import accp.bean.User; import accp.services.BaseServices; import accp.services.RoleServices; import accp.services.UserServices; import com.opensymphony.xwork2.ActionSupport; /** * 用户管理Action * @author liangrui * @qq382453602 * */ public class UserAction extends ActionSupport { private User user; private List<User> listUser;//用户集合 private List<Role> roleList;//角色集合 private UserServices services;//用户接口 private BaseServices<User,Long> baseUserServices;//基本user业务 private BaseServices<Role,Long> baseRoleServices;//基本role业务 private String enabled;//是否生效 public List<Role> getRoleList() { return roleList; } public void setRoleList(List<Role> roleList) { this.roleList = roleList; } public void setBaseUserServices(BaseServices<User, Long> baseUserServices) { this.baseUserServices = baseUserServices; } public void setBaseRoleServices(BaseServices<Role, Long> baseRoleServices) { this.baseRoleServices = baseRoleServices; } public String getEnabled() { return enabled; } public void setEnabled(String enabled) { this.enabled = enabled; } public UserServices getServices() { return services; } public List<User> getListUser() { return listUser; } public void setListUser(List<User> listUser) { this.listUser = listUser; } public User getUser() { return user; } public void setUser(User user) { this.user = user; } public void setServices(UserServices services) { this.services = services; } /*************************login*********************************/ public String logins() throws Exception { System.out.println("login:"+user.getUsername()); User user2=services.getLogin(user); if(null==user2){ return "notUser"; } if("admin".equals(user2.getUsername())){ return "adminPage"; } System.out.println(user2.getUsername()); return SUCCESS; } /************************连接到admin.jsp页面***********************************/ public String fowaredAdmin() throws Exception { System.out.println("获取u p中-------...."); printUserInfo(); System.out.println("转到admin.jsp面面"); return "adminPage"; } /************************打印信息:用户名***********************************/ public void printUserInfo(){ System.out.println("获取principal 中"); String userName=""; //获取安全上下文内容 /*SecurityContext sc=SecurityContextHolder.getContext(); Authentication atc=sc.getAuthentication();//获取认证对象 //获取主体对象 Object obj=atc.getPrincipal(); if(obj instanceof UserDetails){ //获取用户详细内容对象 UserDetails ud=(UserDetails)obj; userName=ud.getUsername(); }else{ userName=obj.toString(); }*/ //api 原代码 Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal(); if (principal instanceof UserDetails) { userName = ((UserDetails)principal).getUsername(); } else { userName = principal.toString(); } System.out.println("u: "+userName); } /************************hello***********************************/ public String hello() throws Exception { //printUserInfo(); System.out.println("开始调用方法...."); String moedth=services.sayHello("刘备"); System.out.println(moedth); return "indexs"; } /************************bye***********************************/ public String bye() throws Exception { //printUserInfo(); System.out.println("开始调用方法.."); String moedth=services.sayBye("张飞"); System.out.println(moedth); return "indexs"; } /************************ajax判断是否有用户名**********************************/ public String ajaxIsUser() throws Exception { // TODO Auto-generated method stub System.out.println("ajax来了!开始行动...........: "+user.getUsername()); boolean b=services.getAjaxIsUserName(user.getUsername()); //获取响应对象 HttpServletResponse response=ServletActionContext.getResponse(); PrintWriter out = response.getWriter(); String bb=""; if(b)bb="true";else bb="false"; System.out.println("b: "+bb); out.print(bb); return null; } /************************显示所有用户信息**********************************/ public String showUserInfo() throws Exception { listUser=baseUserServices.getAll(new User()); return "showUser"; } /**************************删除用户****************************************/ public String deleteUser() throws Exception { try { System.out.println("du: id "+user.getId()); baseUserServices.delete(user); } catch (Exception e) { e.printStackTrace(); return "error"; } return "deleteUserOK"; } /**************************修改用户 查询信息 并显示************************************/ public String updateUser() throws Exception { try { user=baseUserServices.getTInId(user,user.getId()); //查询角色 System.out.println("开始查询role----"); roleList=baseRoleServices.getAll(new Role()); } catch (Exception e) { return "error"; } return "updateEidt"; } /**************************保存修改后的用户************************************/ public String updateSave() throws Exception { try { Md5PasswordEncoder md5 = new Md5PasswordEncoder(); String passwordMD5=md5.encodePassword(user.getPassword(), user.getUsername()); user.setPassword(passwordMD5); //封装角色集合 Set<Role> rolesSet=new HashSet<Role>(); //取到权限的对象 Set set=user.getRoles(); Iterator it=set.iterator(); while(it.hasNext()){ //根据id查询对象 Long roleID=Long.valueOf(it.next().toString()); //System.out.println(roleID); Role role=baseRoleServices.getTInId(new Role(),roleID); rolesSet.add(role); } user.setRoles(rolesSet);//将角色加入用户对象里 //是否生效 if(null==enabled){ user.setStatus(0); }else{ user.setStatus(1); } System.out.println(user.getId()+user.getUsername()+user.getPassword()); //通过传过来的角色id获取角色对象 baseUserServices.update(user); } catch (Exception e) { return "error"; } return "updateOk"; } /*********************通对对象条件查询****************************/ public String searchUser() throws Exception { if(null!=user){ listUser=baseUserServices.getTInName(user); } return "showUser"; } /*************************显示所有角色*************************/ public String displayRole() throws Exception { System.out.println("开始查询role----"); roleList=baseRoleServices.getAll(new Role()); return "addUsersAndShowRole"; } }
BaseServices.java
package accp.services; import java.io.Serializable; import java.util.List; import accp.dao.BaseDao; import accp.dao.imple.BaseDaoImpl; /** * * @author liangrui * @qq 382453602 * @param <T> 泛型类 * @param <PK> 主健 * 基本数据操作 业务层 * 都 可以来这时调用 增、删、改、查 */ public interface BaseServices<T,PK extends Serializable > /* extends BaseDao<T,PK>*/{ public PK save(T t); public void delete(T t); public void update(T t); /***根据对象 获取对象集合**/ public List<T> getAll(T t); /***通过id 获取对象集合**/ public T getTInId(T t,PK pk); /***根据名称 获取对象集合**/ public List<T> getTInName(T t) throws Exception; } BaseDao.java
package accp.dao; import java.io.Serializable; import java.util.List; /** * * @author liangrui * @qq 382453602 * @param <T> 泛型类 * @param <PK> 主健 * 基本数据操作 代业务层 数据层 什么层层的 * 都 可以来这时调用 增、删、改、查 */ public interface BaseDao<T,PK extends Serializable> { public PK save(T t); public void delete(T t); public void update(T t); /***根据对象 获取对象集合**/ public List<T> getAll(T t); /***通过id 获取对象集合**/ public T getTInId(T t,PK pk); /***根据对象条件 获取对象集合**/ public List<T> getTInName(T t) throws Exception; } BaseDaoImpl.java
package accp.dao.imple; import java.io.Serializable; import java.lang.reflect.Field; import java.lang.reflect.ParameterizedType; import java.lang.reflect.Type; import java.util.ArrayList; import java.util.List; import java.util.Set; import accp.util.GenericsUtils; import org.springframework.orm.hibernate3.support.HibernateDaoSupport; import accp.dao.BaseDao; public class BaseDaoImpl<T,PK extends Serializable> extends HibernateDaoSupport implements BaseDao<T, PK> { private Class clas ; //得到类 public BaseDaoImpl(){ /** * 得到泛型的类 * 即 BaseDaoImpl<Users> 得到Users * 类的超类>>>现在类型的 论据 */ clas = GenericsUtils.getSuperClassGenricType(getClass()); } public PK save(T t) { //System.out.println("T:" +t.getClass().getSimpleName()); return (PK) this.getHibernateTemplate().save(t); } public void delete(T t) { this.getHibernateTemplate().delete(t); } public void update(T t) { this.getHibernateTemplate().update(t); } public List<T> getAll(T t) { // 根据对象 得到对像集合 String objName=t.getClass().getSimpleName();//得到 对象名 //System.out.println(objName); return this.getHibernateTemplate().find("from "+objName); } /********************通过id获取对象****************************/ public T getTInId(T t,PK pk) { /*String objName=clas.getClass().getSimpleName();//得到 对象名 System.out.println(clas +" : "+objName +" PK: "+pk);*/ return (T) this.getHibernateTemplate().get(t.getClass(),pk); } /************************************************************ *通过传送过来的对象值做为条件 查询 *并得到反回的集合 ************************************************************/ @SuppressWarnings("unchecked") public List<T> getTInName(T t) throws Exception { //得到对象的字段 就是查询条件 String objName=t.getClass().getSimpleName(); //拼接条件 StringBuffer hql=new StringBuffer("from "+objName); hql.append(" where 1=1"); Field [] objFileds =t.getClass().getDeclaredFields(); Object [] SqlParamter = null; List<Object> SqlParamters=new ArrayList<Object>(); for(int i=0;i<objFileds.length;i++){ Field fileld=objFileds[i]; fileld.setAccessible(true);//可进入的 Object objT=fileld.get(t); //得到值 if(!"".equals(objT)&&null!=objT){ if(fileld.getName().equals("id")){ if(Integer.parseInt(objT.toString())>0){//不为0 //如果是id则 则直接处理 return this.getHibernateTemplate(). find("from "+objName +" where id="+objT); } }else if(objT instanceof Set){//如果是集合 //可以断续追加对象 条件 }else{ System.out.println(fileld.getName()+" value: "+objT); hql.append(" and "+fileld.getName()+"=?"); SqlParamters.add(objT); //SqlParamter[i]=objT; } } } //如果没有任条件的对象 ,则返回所有数据 if(null==SqlParamters||SqlParamters.size()<=0){ return this.getHibernateTemplate().find("from "+objName); } //把集合中的数据 转入数组 SqlParamter=new Object[SqlParamters.size()]; for(int i=0;i<SqlParamters.size();i++){ SqlParamter[i]=SqlParamters.get(i); } //excute return this.getHibernateTemplate().find(hql.toString(),SqlParamter); } }
package accp.services.imple; import java.io.Serializable; import java.util.Iterator; import java.util.List; import java.util.Set; import org.springframework.orm.hibernate3.support.HibernateDaoSupport; import accp.bean.Resc; import accp.bean.Role; import accp.bean.User; import accp.dao.UserDao; import accp.dao.imple.BaseDaoImpl; import accp.services.UserServices; /** * * @author liangrui * 基本操做可以调用BaseDao时的方法 * 用户业务处理层 * extends BaseDaoImpl<User,Integer> * */ public class UserServicesImple implements UserServices { private UserDao userDao;//用户数据层接口 public UserDao getUserDao() { return userDao; } public void setUserDao(UserDao userDao) { this.userDao = userDao; } public String sayHello(String name) { System.out.println("进来了!!!"); return "hello:"+name; } public String sayBye(String name) { // TODO Auto-generated method stub return "bay:"+name; } /**************ajax判断是否有重复名字*********************/ public boolean getAjaxIsUserName(String name) { return userDao.getAjaxIsUserName(name); } /***************************用户登陆***************************/ public User getLogin(User u) { // TODO Auto-generated method stub //List<User> list=super.getAll(u); List list=userDao.getAll(u); if(null==list||list.size()<=0){ return null; }else { return (User) list.get(0); } } /***register***/ public User saveUser(User u){ try { userDao.save(u); } catch (Exception e) { e.printStackTrace(); return null; } return u; } } struts_user.xml
<?xml version="1.0" encoding="UTF-8" ?> <!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN" "http://struts.apache.org/dtds/struts-2.3.dtd"> <struts> <package name="userPackage" namespace="/" extends="struts-default"> <!-- 用户 action --> <action name="user_*" class="userAction" method="{1}" > <result name="success">/userPage.jsp</result> <result name="adminPage">/admin.jsp</result> <result name="indexs">/index.jsp</result> <result name="ok">/userReg/ok.jsp</result> <result name="showUser">/admin/userAuthorities.jsp</result> <result name="error">/userReg/error.jsp</result> <result name="updateEidt">/userReg/updateEdit.jsp</result> <!-- --> <result name="deleteUserOK" type="redirectAction">user_showUserInfo.action</result> <result name="updateOk" type="redirectAction">user_showUserInfo.action</result> <result name="addUsersAndShowRole">/userReg/regsiter.jsp</result> </action> <action name="users_*" class="userRegisterAction" method="{1}"> <result name="ok">/userReg/ok.jsp</result> <result name="error">/userReg/error.jsp</result> <result name="input">/userReg/regsiter.jsp</result> <!--防止表单重提交 --> <result name="invalid.token">/userReg/alert.jsp</result> <interceptor-ref name="token"/> <interceptor-ref name="defaultStack"/> </action> </package> </struts> login.jsp
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>My JSP 'index.jsp' starting page</title> <style type="text/css"> .errorhide{display: none;} .error{display: block;} </style> </head> <body> <div style="1200px; text-align: center; margin-top: 150px;"> <div class="error${param.error==true ? '' : 'hide'}"> 登陆失败<br> <font color="red">${sessionScope['SPRING_SECURITY_LAST_EXCEPTION'].message}</font><br/> </div> <form action="${pageContext.request.contextPath}/j_spring_security_check" method="post" style="260px;text-align:center;"> <fieldset> <legend>登陆</legend> 用户: <input type="text" name="j_username" style="150px;" value="${sessionScope['SPRING_SECURITY_LAST_USERNAME']}"/><br /> 密码: <input type="password" name="j_password" style="150px;" /> <br /> <input type="checkbox" name="_spring_security_remember_me"/>一周之内不必登陆<br /> <input type="submit" value="登陆"/> <input type="reset" value="重置"/> </fieldset> </form> <br/> <a HREF="${pageContext.request.contextPath}/admin.jsp">ADMIN.JSP</a> <br/> <a HREF="${pageContext.request.contextPath}/userPage.jsp">userPage.jsp</a> <br/> <a href="j_spring_security_logout">注销用户</a> </div> </body> </html> 主要代码就这些吧!有兴趣的朋友可以下载源码,全部贴出来,累死个人