亚洲精品日韩专区silk ,亚洲成A∨人片天堂网无码,亚洲国产成人私人影院

taochen — Mon, 25 Jan 2010 08:29:00 GMT

接着来�?br /> 2.�q��o器的配置�Q?br /> 我们已经配置了那些过滤器了，但是要跟spring context中的对象对应�Q�于是乎�Q�做了如下配�|�：
          class="org.springframework.security.web.context.SecurityContextPersistenceFilter">

          class="org.springframework.security.web.authentication.logout.LogoutFilter" >

          class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">



          class="org.springframework.security.web.savedrequest.RequestCacheAwareFilter">

          class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter">

          class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">



          class="org.springframework.security.web.session.SessionManagementFilter">

          class="org.springframework.security.web.access.ExceptionTranslationFilter">


          class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">




          class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">

          class="org.springframework.security.core.userdetails.memory.UserAttribute">







          class="org.springframework.security.core.authority.GrantedAuthorityImpl">

          class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">

          class="org.springframework.security.access.vote.AffirmativeBased">






          class="com.saveworld.authentication.web.access.expression.MyWebExpressionVoter">

          class="com.saveworld.authentication.web.access.intercept.MyFilterInvocationSecurityMetadataSource">

ref="expressionHandler" />

class="org.springframework.security.web.util.AntUrlPathMatcher" >

          class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">

�q�里做几点说明：
   (1) 数据库中的权限相关的表：
            ROLES
      AUTHORITIES
            USER_AUTHS
            ROLE_AUTHS
            USERS
       �q�里的表�l�构�q�不是最�l�的�Q�所以就不发上来误导兄弟姐妹们了�?br />        关键是看我们如何加蝲�q�些持久化的东西�?br />        �q�个��p��看看filterSecurityInterceptor了，它里面��用了一个securityMetadataSource�Q�本地的securityMetadataSource实现代码�Q?br />       public class MyFilterInvocationSecurityMetadataSource extends DefaultFilterInvocationSecurityMetadataSource{
    private final static Log logger = LogFactory.getLog(ExpressionBasedFilterInvocationSecurityMetadataSource.class);
    private DataSource datasource;

    public MyFilterInvocationSecurityMetadataSource(UrlMatcher urlMatcher,
                                                    DataSource datasource,
                                                    WebSecurityExpressionHandler expressionHandler) {
        super(urlMatcher, processMap(initializeFromDb(datasource,null),expressionHandler.getExpressionParser()));
    }

    //This method is usefulless for now!
    //Because this method is used for parsing the expression kind
    private static LinkedHashMap> processMap(
            LinkedHashMap> requestMap, ExpressionParser parser) {
        Assert.notNull(parser, "SecurityExpressionHandler returned a null parser object");

        LinkedHashMap> requestToExpressionAttributesMap =
            new LinkedHashMap>(requestMap);

        for (Map.Entry> entry : requestMap.entrySet()) {
            RequestKey request = entry.getKey();
            Assert.isTrue(entry.getValue().size() == 1, "Expected a single expression attribute for " + request);
            ArrayList attributes = new ArrayList(1);
            String expression = entry.getValue().toArray(new ConfigAttribute[1])[0].getAttribute();
            logger.debug("Adding web access control expression '" + expression + "', for " + request);
            try {
                //Replacing WebExpressionConfigAttribute with MyWebExpressionConfigAttribute
                //which is defined locally!
                attributes.add(new MyWebExpressionConfigAttribute(parser.parseExpression(expression)));
            } catch (ParseException e) {
                throw new IllegalArgumentException("Failed to parse expression '" + expression + "'");
            }

            requestToExpressionAttributesMap.put(request, attributes);
        }

        return requestToExpressionAttributesMap;
    }

    private static LinkedHashMap> initializeFromDb(DataSource datasource,LinkedHashMap> configMap){
        LinkedHashMap> result =
            new LinkedHashMap>();
        Connection conn = null;
        Statement stmt = null;
        ResultSet rs   = null;
        try {
            conn = datasource.getConnection();
            stmt = conn.createStatement();
            StringBuilder sql = new StringBuilder("SELECT b.AUTHORITYPATTERN ,'hasRole('||chr(39)||a.ROLENAME||chr(39)||')' rolename ")
                                             .append(" FROM ROLES a,AUTHORITIES b,ROLE_AUTHS c ")
                                             .append(" WHERE a.rolename = c.rolename AND b.authorityname = c.authorityname");

            rs = stmt.executeQuery(sql.toString());
            String roles = "";
            RequestKey key = null;
            List value = null;
            while(rs != null && rs.next()){
                key = new RequestKey(rs.getString(1));
                roles = rs.getString(2);
                String[] roleArray = roles.split(",|\\s+|;");
                value = new ArrayList();
                for(String role : roleArray){
                    ConfigAttribute config = new SecurityConfig(role);
                    value.add(config);
                }
                result.put(key, value);
            }
            //just for test
        } catch (SQLException e) {
            e.printStackTrace();
        } finally{
            try{
                rs.close();
                stmt.close();
                conn.close();
            }catch(SQLException e){
                e.printStackTrace();
            }
        }
        return result;
    }



    public boolean supports(Class clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }

    public DataSource getDatasource() {
        return datasource;
    }

    public void setDatasource(DataSource datasource) {
        this.datasource = datasource;
    }
}
(2) expressionHandler:
     �q�个东西要单独说��_��我这里用的是表达式来��用戯��色的�Q�所以，我用org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler来处理了�Q�还有其他的方式�Q�就是直接用角色�q�行判断�Q�那样会更好�Q�这里就不描�q�C��Q?br />

taochen 2010-01-25 16:29 发表评论

SpringSecurity使用记录�Q�六�Q?- 本地配置一

taochen — Mon, 25 Jan 2010 07:56:00 GMT

按照SpringSecurity的文档，我们可以使用namespace的配�|�方式（前篇中已�l�说明）�?br /> 但是�Q�我们这里的需求有点蹊��P��是通过spring context�q�行权限配置太不方便�Q�你��x��能让人家客户通过spring xml来配�|�权限吗�Q�不能，坚决不能�Q�所以，我就单步跟踪获取里面的东西（�q�种�Ҏ��比直接看代码快点�Q�而且可以知道里面的逻辑�l�构�Q�）
那就开始吧�Q?br /> 1.配置FilterChainProxy�Q?br /> SpringSecurity的验证过�E�是通过一�p�d��的filter来实现的�?br /> �q�种chain的设计模式比较经典，可以说相当经典！
看看代码实现�Q?br /> 上篇中说�q�，默认的配�|�要�?lt;filter-name>springSecurityFilterChain�Q�那�q�个springSecurityFilterChain是怎么来用的呢�Q?br /> public class DelegatingFilterProxy extends GenericFilterBean {
... ... ...
protected void initFilterBean() throws ServletException {
        // If no target bean name specified, use filter name.
        if (this.targetBeanName == null) {
            this.targetBeanName = getFilterName();
        }

        // Fetch Spring root application context and initialize the delegate early,
        // if possible. If the root application context will be started after this
        // filter proxy, we'll have to resort to lazy initialization.
        synchronized (this.delegateMonitor) {
            WebApplicationContext wac = findWebApplicationContext();
            if (wac != null) {
                this.delegate = initDelegate(wac);
            }
        }
    }
.....
}
不用��_��你会猜到我们没有配置�q�targetBeanName�q�个属性，所以，��有了this.targetBeanName = getFilterName();�q�样的话��׃��配置FilterChainProxy了，因�ؓFilterChainProxy在springContext中id是springSecurityFilterChain�Q�所以我们要通过自己的数据库方式配置的话�Q�就要琢��这个FilterChainProxy了！
所以，首先做点�q�样的配�|�吧�Q?br />

�q�个里面配置的id为myFilterChain�Q�所以要在web.xml里面做相应配�|�：

myFilterChain

org.springframework.web.filter.DelegatingFilterProxy

myFilterChain

而且�Q�尤为重要的是要配置上这些过滤器�Q?br /> filter-chain pattern="/**" filters="securityContextPersistenceFilter,logoutFilter,
                                             myUsernamePasswordAuthenticationFilter,
                                             basicAuthenticationFilter,
                                             requestCacheAwareFilter,
                                             securityContextHolderAwareRequestFilter,
                                             anonymousAuthenticationFilter,
                                             sessionManagementFilter,
                                             exceptionTranslationFilter,
                                             filterSecurityInterceptor"
针对�q�些�q��o器的用途，在spring security的文��中有详�l�描�q�ͼ��q�里不多说了�Q�在文��中的具体位置�?.2 FilterChainProxy�Q�看看这一章就会有感觉了，不过�l�知此事要躬行啊�Q?br /> 完成�q�些配置之后�Q�我们就��是把入口给搭徏好了�Q?br /> 鉴于文��幅�Q�换��C��接着说�?br />

taochen 2010-01-25 15:56 发表评论

taochen — Thu, 24 Dec 2009 12:05:00 GMT

�W�一�ơ配�|�和使用SpringSecurity�Q��L��要碰很多�ơ墙�Q?br /> 先说说个人理解的它里面比较有意义的架构�?br /> 里面有好多设计模式的影子�Q�策略模式，代理模式�Q�工厂模式，链条模式=====�Q�看到这些模式（除了工厂或单例）心里��L��会有些兴奋，�ȝ��是看��C��模式的真正练兵场�Q�跟兄弟们好好分享一�?(才看了一天！有不对之处，�q�望各位斧正�Q?
�{�略模式�Q�Strategy Pattern�Q?
主要说一下session相关的这个策略模式，以SessionAuthenticationStrategy接口的策略划分，�Ҏ��我们的session安全�{�略�Q�指定不同的�{�略�Q�现在看是这�U�布局�Q?br />

��层接口	SessionAuthenticationStrategy
具体实现	SessionFixationProtectionStrategy �Q�直接默认实玎ͼ�	NullAuthenticatedSessionStrategy �Q�空实现�Q?br />
二��实现	ConcurrentSessionControlStrategy

��d��比较�ȝ��Q�各位还是凑合着看吧�Q�说明一下：��层接口被下�?#8220;具体实现”两个�c�d��玎ͼ��?#8220;二��实现”实现SessionFixationProtectionStrategy。具体采用哪�U�策略要看我们的配置了！
代理模式�Q�Proxy�Q�：
很明昄��代理�c�，DelegatingFilterProxy和FilterChainProxy�Q�这两个�cȝ��着心里都痒痒的�Q�呵呵，�q�_��L��看代理模式呀什么的�Q�即时看着例子也不�t�实�Q�现在看到这两个东西�Q�心里突然有�U��^静的�Ȁ动！
�q�两个代理类以FilterChainProxy��Z��说明一下吧�Q�FilterChainProxy代理了权限验证Filters的工作，通过它来讉K��整个�q��o器串里面的过滤器�?br /> Chain模式�Q�这个也应该以FilterChainProxy�q�个�c�d��口来分析�Q�呵呵，有兴��的各位��通过�q�个来看看吧�Q?br />

taochen 2009-12-24 20:05 发表评论