亚洲精品无码午夜福利中文字幕,67pao强力打造67194在线午夜亚洲 ,亚洲AV一宅男色影视

Spring Security 3.x 完整入門教程

本Blog所有內容不得隨意轉載，版權屬于作者所有。如需轉載請與作者聯系（ fastzch@163.com QQ：9184314）。
未經許可的轉載，本人保留一切法律權益。

Spring Security 3.x 出來一段時間了，跟Acegi是大不同了，與2.x的版本也有一些小小的區別，網上有一些文檔，也有人翻譯Spring Security 3.x的guide，但通過閱讀guide，無法馬上就能很容易的實現一個完整的實例。

我花了點兒時間，根據以前的實戰經驗，整理了一份完整的入門教程，供需要的朋友們參考。
1，建一個web project，并導入所有需要的lib，這步就不多講了。
2，配置web.xml，使用Spring的機制裝載：

<?xml version="1.0" encoding="UTF-8"?>

<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee

http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

<context-param>

<param-name>contextConfigLocation</param-name>

<param-value>classpath:applicationContext*.xml</param-value>

</context-param>

<listener-class>

org.springframework.web.context.ContextLoaderListener

</listener-class>

</listener>

<filter-name>springSecurityFilterChain</filter-name>

<filter-class>

org.springframework.web.filter.DelegatingFilterProxy

</filter-class>

</filter>

<filter-mapping>

<filter-name>springSecurityFilterChain</filter-name>

<url-pattern>/*</url-pattern>

</filter-mapping>

<welcome-file-list>

<welcome-file>login.jsp</welcome-file>

</welcome-file-list>

</web-app>

這個文件中的內容我相信大家都很熟悉了，不再多說了。

2，來看看applicationContext-security.xml這個配置文件，關于Spring Security的配置均在其中：

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"

xmlns:beans="http://www.springframework.org/schema/beans"

xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

xsi:schemaLocation="http://www.springframework.org/schema/beans

http://www.springframework.org/schema/beans/spring-beans-3.0.xsd

http://www.springframework.org/schema/security

http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<intercept-url pattern="/login.jsp" filters="none" />

<form-login login-page="/login.jsp"

authentication-failure-url="/login.jsp?error=true"

default-target-url="/index.jsp" />

<http-basic />

<custom-filter before="FILTER_SECURITY_INTERCEPTOR"

ref="myFilter" />

</http>

<!-- 一個自定義的filter，必須包含authenticationManager,accessDecisionManager,securityMetadataSource三個屬性，

我們的所有控制將在這三個類中實現，解釋詳見具體配置 -->

<beans:bean id="myFilter" class="com.robin.erp.fwk.security.MyFilterSecurityInterceptor">

<beans:property name="authenticationManager"

ref="authenticationManager" />

<beans:property name="accessDecisionManager"

ref="myAccessDecisionManagerBean" />

<beans:property name="securityMetadataSource"

ref="securityMetadataSource" />

</beans:bean>

<authentication-manager alias="authenticationManager">

<authentication-provider

user-service-ref="myUserDetailService">

<!-- 如果用戶的密碼采用加密的話，可以加點“鹽”

<password-encoder hash="md5" />

-->

</authentication-provider>

</authentication-manager>

<beans:bean id="myUserDetailService"

class="com.robin.erp.fwk.security.MyUserDetailService" />

<beans:bean id="myAccessDecisionManagerBean"

class="com.robin.erp.fwk.security.MyAccessDecisionManager">

</beans:bean>

<beans:bean id="securityMetadataSource"

class="com.robin.erp.fwk.security.MyInvocationSecurityMetadataSource" />

</beans:beans>

3，來看看自定義filter的實現：

package com.robin.erp.fwk.security;

import java.io.IOException;

import javax.servlet.Filter;

import javax.servlet.FilterChain;

import javax.servlet.FilterConfig;

import javax.servlet.ServletException;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import org.springframework.security.access.SecurityMetadataSource;

import org.springframework.security.access.intercept.AbstractSecurityInterceptor;

import org.springframework.security.access.intercept.InterceptorStatusToken;

import org.springframework.security.web.FilterInvocation;

import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor

implements Filter {

private FilterInvocationSecurityMetadataSource securityMetadataSource;

// ~ Methods

// ========================================================================================================

/**

* Method that is actually called by the filter chain. Simply delegates to

* the {@link #invoke(FilterInvocation)} method.

* @param request

* the servlet request

* @param response

* the servlet response

* @param chain

* the filter chain

* @throws IOException

* if the filter chain fails

* @throws ServletException

* if the filter chain fails

public void doFilter(ServletRequest request, ServletResponse response,

FilterChain chain) throws IOException, ServletException {

FilterInvocation fi = new FilterInvocation(request, response, chain);

invoke(fi);

}

public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {

return this.securityMetadataSource;

}

public Class<? extends Object> getSecureObjectClass() {

return FilterInvocation.class;

}

public void invoke(FilterInvocation fi) throws IOException,

ServletException {

InterceptorStatusToken token = super.beforeInvocation(fi);

try {

fi.getChain().doFilter(fi.getRequest(), fi.getResponse());

} finally {

super.afterInvocation(token, null);

}

public SecurityMetadataSource obtainSecurityMetadataSource() {

return this.securityMetadataSource;

}

public void setSecurityMetadataSource(

FilterInvocationSecurityMetadataSource newSource) {

this.securityMetadataSource = newSource;

}

@Override

public void destroy() {

}

@Override

public void init(FilterConfig arg0) throws ServletException {

}

最核心的代碼就是invoke方法中的InterceptorStatusToken token = super.beforeInvocation(fi);這一句，即在執行doFilter之前，進行權限的檢查，而具體的實現已經交給accessDecisionManager了，下文中會講述。

4，來看看authentication-provider的實現：

package com.robin.erp.fwk.security;

import java.util.ArrayList;

import java.util.Collection;

import org.springframework.dao.DataAccessException;

import org.springframework.security.core.GrantedAuthority;

import org.springframework.security.core.authority.GrantedAuthorityImpl;

import org.springframework.security.core.userdetails.User;

import org.springframework.security.core.userdetails.UserDetails;

import org.springframework.security.core.userdetails.UserDetailsService;

import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class MyUserDetailService implements UserDetailsService {

@Override

public UserDetails loadUserByUsername(String username)

throws UsernameNotFoundException, DataAccessException {

Collection<GrantedAuthority> auths=new ArrayList<GrantedAuthority>();

GrantedAuthorityImpl auth2=new GrantedAuthorityImpl("ROLE_ADMIN");

auths.add(auth2);

if(username.equals("robin1")){

auths=new ArrayList<GrantedAuthority>();

GrantedAuthorityImpl auth1=new GrantedAuthorityImpl("ROLE_ROBIN");

auths.add(auth1);

}

// User(String username, String password, boolean enabled, boolean accountNonExpired,

// boolean credentialsNonExpired, boolean accountNonLocked, Collection<GrantedAuthority> authorities) {

User user = new User(username,

"robin", true, true, true, true, auths);

return user;

}

在這個類中，你就可以從數據庫中讀入用戶的密碼，角色信息，是否鎖定，賬號是否過期等，我想這么簡單的代碼就不再多解釋了。

5，對于資源的訪問權限的定義，我們通過實現FilterInvocationSecurityMetadataSource這個接口來初始化數據。

package com.robin.erp.fwk.security;

import java.util.ArrayList;

import java.util.Collection;

import java.util.HashMap;

import java.util.Iterator;

import java.util.Map;

import org.springframework.security.access.ConfigAttribute;

import org.springframework.security.access.SecurityConfig;

import org.springframework.security.web.FilterInvocation;

import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

import org.springframework.security.web.util.AntUrlPathMatcher;

import org.springframework.security.web.util.UrlMatcher;

/**

* 此類在初始化時，應該取到所有資源及其對應角色的定義

* @author Robin

public class MyInvocationSecurityMetadataSource

implements FilterInvocationSecurityMetadataSource {

private UrlMatcher urlMatcher = new AntUrlPathMatcher();;

private static Map<String, Collection<ConfigAttribute>> resourceMap = null;

public MyInvocationSecurityMetadataSource() {

loadResourceDefine();

}

private void loadResourceDefine() {

resourceMap = new HashMap<String, Collection<ConfigAttribute>>();

Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>();

ConfigAttribute ca = new SecurityConfig("ROLE_ADMIN");

atts.add(ca);

resourceMap.put("/index.jsp", atts);

resourceMap.put("/i.jsp", atts);

}

// According to a URL, Find out permission configuration of this URL.

public Collection<ConfigAttribute> getAttributes(Object object)

throws IllegalArgumentException {

// guess object is a URL.

String url = ((FilterInvocation)object).getRequestUrl();

Iterator<String> ite = resourceMap.keySet().iterator();

while (ite.hasNext()) {

String resURL = ite.next();

if (urlMatcher.pathMatchesUrl(resURL, url)) {

return resourceMap.get(resURL);

}

return null;

}

public boolean supports(Class<?> clazz) {

return true;

}

public Collection<ConfigAttribute> getAllConfigAttributes() {

return null;

}

看看loadResourceDefine方法，我在這里，假定index.jsp和i.jsp這兩個資源，需要ROLE_ADMIN角色的用戶才能訪問。
這個類中，還有一個最核心的地方，就是提供某個資源對應的權限定義，即getAttributes方法返回的結果。注意，我例子中使用的是AntUrlPathMatcher這個path matcher來檢查URL是否與資源定義匹配，事實上你還要用正則的方式來匹配，或者自己實現一個matcher。

6，剩下的就是最終的決策了，make a decision，其實也很容易，呵呵。

package com.robin.erp.fwk.security;

import java.util.Collection;

import java.util.Iterator;

import org.springframework.security.access.AccessDecisionManager;

import org.springframework.security.access.AccessDeniedException;

import org.springframework.security.access.ConfigAttribute;

import org.springframework.security.access.SecurityConfig;

import org.springframework.security.authentication.InsufficientAuthenticationException;

import org.springframework.security.core.Authentication;

import org.springframework.security.core.GrantedAuthority;

public class MyAccessDecisionManager implements AccessDecisionManager {

//In this method, need to compare authentication with configAttributes.

// 1, A object is a URL, a filter was find permission configuration by this URL, and pass to here.

// 2, Check authentication has attribute in permission configuration (configAttributes)

// 3, If not match corresponding authentication, throw a AccessDeniedException.

public void decide(Authentication authentication, Object object,

Collection<ConfigAttribute> configAttributes)

throws AccessDeniedException, InsufficientAuthenticationException {

if(configAttributes == null){

return ;

}

System.out.println(object.toString()); //object is a URL.

Iterator<ConfigAttribute> ite=configAttributes.iterator();

while(ite.hasNext()){

ConfigAttribute ca=ite.next();

String needRole=((SecurityConfig)ca).getAttribute();

for(GrantedAuthority ga:authentication.getAuthorities()){

if(needRole.equals(ga.getAuthority())){ //ga is user's role.

return;

}

throw new AccessDeniedException("no right");

}

@Override

public boolean supports(ConfigAttribute attribute) {

// TODO Auto-generated method stub

return true;

}

@Override

public boolean supports(Class<?> clazz) {

return true;

}

在這個類中，最重要的是decide方法，如果不存在對該資源的定義，直接放行；否則，如果找到正確的角色，即認為擁有權限，并放行，否則throw new AccessDeniedException("no right");這樣，就會進入上面提到的403.jsp頁面。

參考資料：
1，Spring官方網站：http://www.springframework.org
2，文章所用的代碼，MyEclipse工程，去掉了lib，請自行下載Spring Security 3.x的包，并copy至對應目錄。工程源代碼
3，根據網絡上的資料，制作的CHM版的 Spring Security 3.x 參考手冊中文版
4，2009年3月，我在“IBM WebSphere技術專家沙龍（華南區廣州站）”演講時的PPT：《Spring Security--Protect your web application》，當時是Spring Security 2.x，很多原理是一樣，可作參考。

教程中為了盡可能不跟其它框架關聯上，所以去掉了訪問數據庫的部分，比如用戶信息和資源配置信息的讀取，直接寫死在代碼中了，大家可以根據自己的實際情況補充完整。

如有任何疑問，歡迎大家以評論的方式提問，也歡迎大家討論！

posted on 2010-03-10 12:38 Robin's Programming World 閱讀(59173) 評論(67) 編輯收藏所屬分類: Java

常用鏈接

留言簿(49)

隨筆分類(215)

隨筆檔案(181)

相冊

收藏夾

Friend Links

搜索

積分與排名

最新評論

閱讀排行榜

評論排行榜


只有注冊用戶登錄后才能發表評論。




網站導航: 博客園 IT新聞 Chat2DB C++博客博問管理
相關文章: Ubuntu環境下Apache2與Tomcat集成 Spring 3 MVC and JSON example Android Media Player 深入觀察 [轉]編寫高效的Android代碼 Android程序完全退出的三種方法使用ANT批量編譯Flex應用和模塊（Use ANT to batch compiling application and modules of Flex) Investigate getDeclaredMethod of Java Reflection Eclipse空心J圖標的含義 Memcached Study Notes BlazeDS自定義認證與權限控制