2008年4月12日 edited by dingdangxiaoma
acegi安全是一個強大的,靈活的安全解決方案的企業軟件,并特別著重于應用,利用spring。用acegi安全,為用戶的應用與全面的認證,授權,例如基于職務的訪問控制,通道安全和人類用戶檢測能力。(google 對acegid的翻譯)
參考資料:http://www.tfo-eservices.eu/wb_tutorials/media/SpringAcegiTutorial/HTML/SpringAcegiTutorial-1_1-html.html
里面有一個例子:SpringAcegiTutorial,可以進行下載,并運行,做為一個實例,已經相當不錯了。
講述了admin ,user的登錄問題。及權限控件,acegi 的配置。
這個例子是spring mvc + spring acegi 的例子,閱讀前最好有spring mvc 的基礎。這里只摘錄簡單的配置說明。
<!-- ****** START ACEGI Security Configuration *******-->
<!-- ======================== FILTER CHAIN ======================= -->
<!-- if you wish to use channel security, add "channelProcessingFilter," in front
of "httpSessionContextIntegrationFilter" in the list below -->
<bean id="filterChainProxy"
class="org.acegisecurity.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=httpSessionContextIntegrationFilter,formAuthenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
</value>
</property>
</bean>
<!-- Start Security filter config -->
<bean id="exceptionTranslationFilter"
class="org.acegisecurity.ui.ExceptionTranslationFilter">
<property name="authenticationEntryPoint">
<ref bean="formLoginAuthenticationEntryPoint" />
</property>
</bean>
<!-- Define filter to handle BASIC authentication -->
<bean id="basicProcessingFilter"
class="org.acegisecurity.ui.basicauth.BasicProcessingFilter">
<property name="authenticationManager">
<ref bean="authenticationManager" />
</property>
<property name="authenticationEntryPoint">
<ref bean="authenticationEntryPoint" />
</property>
</bean>
<!-- Define realm for BASIC login-->
<bean id="authenticationEntryPoint"
class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
<property name="realmName">
<value>Spring Web Realm</value>
</property>
</bean>
<!-- Define filter to handle FORM authentication -->
<bean id="formAuthenticationProcessingFilter"
class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
<property name="filterProcessesUrl">
<value>/j_acegi_security_check</value>
</property>
<property name="authenticationFailureUrl">
<value>/loginFailed.html</value>
</property>
<property name="defaultTargetUrl">
<value>/</value>
</property>
<property name="authenticationManager">
<ref bean="authenticationManager" />
</property>
</bean>
<!-- Define realm for FORM login-->
<bean id="formLoginAuthenticationEntryPoint"
class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
<property name="loginFormUrl">
<value>/login.jsp</value>
</property>
<property name="forceHttps">
<value>false</value>
</property>
</bean>
<bean id="httpSessionContextIntegrationFilter"
class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
</bean>
<!-- End Security filter config -->
<!-- Start Security interceptor config -->
<!-- Define authentication manager, decision manager and secure URL patterns -->
<bean id="filterSecurityInterceptor"
class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager">
<ref bean="authenticationManager" />
</property>
<property name="accessDecisionManager">
<ref bean="accessDecisionManager" />
</property>
<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/secure/admin/*=ROLE_ADMIN
/secure/app/*=ROLE_USER
</value>
</property>
</bean>
<!-- End Security interceptor config -->
<!-- Start authentication config -->
<bean id="authenticationManager"
class="org.acegisecurity.providers.ProviderManager">
<property name="providers">
<list>
<ref bean="daoAuthenticationProvider" />
</list>
</property>
</bean>
<bean id="daoAuthenticationProvider"
class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
<property name="userDetailsService">
<ref bean="userDetailsService" />
</property>
</bean>
<!-- Authentication using In-memory Dao -->
<bean id="userDetailsService"
class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value>
jklaassen=4moreyears,ROLE_ADMIN
bouerj=ineedsleep,ROLE_USER
</value>
</property>
</bean>
<!-- Authentication using JDBC Dao -->
<!--
<bean id="userDetailsService"
class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
<property name="dataSource">
<ref bean="dataSource"/>
</property>
</bean>
-->
<!-- End authentication config -->
<!-- Start authorization config -->
<bean id="accessDecisionManager"
class="org.acegisecurity.vote.UnanimousBased">
<property name="decisionVoters">
<list>
<ref bean="roleVoter" />
</list>
</property>
</bean>
<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter">
<property name="rolePrefix">
<value>ROLE_</value>
</property>
</bean>
<!-- End authorization config -->
<!-- ****** END ACEGI Security Configuration *******-->
以上就是所有的源代碼配置在spring 的配置文件中。詳細的說明在官方的文檔上。
在上面的配置文件的方式是以in-memory 的方法,也就是在配置文件中指定登錄的用戶名及密碼。在實際的應用中,應用到數據庫或其它技術。
<bean id="userDetailsService"
class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
<property name="dataSource">
<ref bean="dataSource"/>
</property>
</bean>
<bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName">
<value>com.mysql.jdbc.Driver</value>
</property>
<property name="url">
<value>jdbc:mysql://localhost:3306/test</value>
</property>
<property name="username">
<value>root</value>
</property>
<property name="password">
<value>1</value>
</property>
</bean>
以上兩個bean的代碼就是把信息存儲到數據庫中。
sql 語句如下:
CREATE TABLE `users` (
`username` varchar(50) NOT NULL,
`password` varchar(50) NOT NULL,
`enabled` varchar(50) NOT NULL,
PRIMARY KEY (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
INSERT INTO `users` VALUES ('dianne','emu','true');
INSERT INTO `users` VALUES ('marissa','koala','true');
INSERT INTO `users` VALUES ('peter','opal','true');
INSERT INTO `users` VALUES ('scott','wombat','true');
CREATE TABLE `authorities` (
`username` varchar(50) NOT NULL,
`authority` varchar(50) NOT NULL,
UNIQUE KEY `ix_auth_username` (`username`,`authority`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
INSERT INTO `authorities` VALUES ('dianne','ROLE_ADMIN');
INSERT INTO `authorities` VALUES ('marissa','ROLE_ADMIN');
INSERT INTO `authorities` VALUES ('marissa','ROLE_USER');
INSERT INTO `authorities` VALUES ('peter','ROLE_USER');
INSERT INTO `authorities` VALUES ('scott','ROLE_ADMIN');
ALTER TABLE `authorities`
ADD FOREIGN KEY (`username`) REFERENCES `users` (`username`);
所有的配置就是這些:
理解一下原理:
1。acegi的添加,可以在程序寫完之后再添加,配置靈活但并不簡單。
2.四個步驟:
安全是實施這四項檢查:
1 限制出入檢查(是以資源擔保? ) ;
2 現有的認證檢查(有用戶被認證? ) ;
3 如果沒有有效的登錄用戶:認證要求退房(都是正確的用戶名和密碼提供? ) ;
4 授權入住(不含用戶擁有所需的角色? ) ;
3.對于授權的處理,未授權的用戶無法進行訪問。應該設置 403.jsp未授權頁面。