前言
開始花了兩三天的時(shí)間學(xué)Spring Security,還是云山霧罩的,大受打擊。于是重新總結(jié)一下,飛越迷霧,梳理思路,寫這樣一篇文字。網(wǎng)上有個(gè)雷鋒寫了Spring Security2 學(xué)習(xí)精講:http://www.javaeye.com/topic/319965里面包含可以運(yùn)行的代碼,如果你對(duì)spring scurity感興趣,可以快速瀏覽一下下面的筆記,然后debug code,然后再看看筆記。Spring Security的內(nèi)容遠(yuǎn)比筆記復(fù)雜,我只是根據(jù)自己的理解挑重要的記錄并整理一下。把sample code也當(dāng)作筆記的一部分,那個(gè)code還是比較精簡(jiǎn)地,更重要的是實(shí)用。
官方提供的sample code包居然沒(méi)有源代碼,faint, google半天找到http://grepcode.com/snapshot/repo1.maven.org/maven2/org.springframework.security/spring-security-samples-contacts/2.0.0 當(dāng)然,如果你會(huì)用git的話也可以自己check out code, 不過(guò)我沒(méi)用過(guò)git這種高級(jí)貨。
正文
跟權(quán)限有關(guān)的兩個(gè)概念是 認(rèn)證 和 授權(quán), 先上個(gè)圖:
Run-As Manager 和 After-Invocation Manager不重要
The actual implementation of a security interceptor will depend on what resource is being secured. If you’re securing a URL in a web application, the security interceptor will be implemented as a servlet filter. But if you’re securing a method invocation, aspects will be used to enforce security.
這篇只說(shuō)Authentication Manager:
認(rèn)證是通過(guò)AuthenticationManager來(lái)管的,
public interface AuthenticationManager {
public Authentication authenticate(Authentication authentication)
throws AuthenticationException;
}
The authenticate() method will attempt to authenticate the user using the org.acegisecurity.Authentication object (which carries the principal and credentials). If successful, the authenticate() method returns a complete Authentication object, including information about the user’s granted authorities (which will be considered by the authorization manager).
具體的工作是交給各個(gè) authentication provider來(lái)做的:
這里provider manager包含多個(gè)具體的providers:
<bean id="authenticationManager"
class="org.acegisecurity.providers.ProviderManager">
<property name="providers">
<list>
<ref bean="daoAuthenticationProvider"/>
<ref bean="ldapAuthenticationProvider"/>
</list>
</property>
</bean>
ProviderManager is given its list of authentication providers through its providers property.
以DaoAuthenticationProvider舉例:
<bean id="authenticationProvider"
class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
<property name="userDetailsService"
ref="userDetailsService"/>
</bean>
它會(huì)要求一個(gè)UserDetailsService, 跟它相關(guān)的是UserDetails接口
UserDetailsService接口是個(gè)簡(jiǎn)單的接口
public interface UserDetailsService {
UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException;
}
UserDetails接口如下:
public interface UserDetails extends Serializable {
GrantedAuthority[] getAuthorities();
String getPassword();
String getUsername();
boolean isAccountNonExpired();
boolean isAccountNonLocked();
boolean isCredentialsNonExpired();
boolean isEnabled();
}
解釋一下getAuthorities:該方法返回一個(gè)GrantedAuthority[]數(shù)組對(duì)象,GrantedAuthority是用戶權(quán)限信息對(duì)象,這個(gè)對(duì)象中定義了一個(gè)獲取用戶權(quán)限描述信息的getAuthority()方法。
需要注意Authentication對(duì)象才是Spring Security使用的進(jìn)行安全訪問(wèn)控制用戶信息安全對(duì)象。實(shí)際上,Authentication對(duì)象有未認(rèn)證和已認(rèn)證兩種狀態(tài),在作為參數(shù)傳入認(rèn)證管理器(AuthenticationManager)的authenticate方法時(shí),是一個(gè)未認(rèn)證的對(duì)象,它從客戶端獲取用戶的身份信息(如用戶名,密碼),可以是從一個(gè)登錄頁(yè)面,也可以從Cookie中獲取,并由系統(tǒng)自動(dòng)構(gòu)造成一個(gè)Authentication對(duì)象。而這里提到的UserDetails代表一個(gè)用戶安全信息的源(從數(shù)據(jù)庫(kù),LDAP服務(wù)器,CA中心返回),Spring Security要做的就是將這個(gè)未認(rèn)證的Authentication對(duì)象和UserDetails進(jìn)行匹配,成功后將UserDetails中的用戶權(quán)限信息拷貝到Authentication中組成一個(gè)完整的Authentication對(duì)象,共其它組件共享。
下一篇: 總結(jié)Spring Security之 關(guān)于授權(quán),保護(hù)web和保護(hù)方法
參考:
Spring in Action
Spring Security學(xué)習(xí)總結(jié): http://www.tkk7.com/redhatlinux/archive/2008/08/20/223148.html
Spring Security2 學(xué)習(xí)精講: http://www.javaeye.com/topic/319965