Spring Security 3.x: A Complete Getting-Started Tutorial

Spring Security 3.x has been out for a while now. It is very different from Acegi, and there are some small differences from the 2.x versions as well. There are documents online, and some people have translated the Spring Security 3.x guide, but reading the guide alone does not get you to a complete working example straight away. I spent a little time and, based on earlier hands-on experience, put together a complete getting-started tutorial for anyone who needs it.

1. Create a web project and import all the required libraries. I will not go into this step.

2. Configure web.xml so that the application context is loaded through Spring's mechanism and every request passes through the Spring Security filter chain:

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:applicationContext*.xml</param-value>
    </context-param>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <welcome-file-list>
        <welcome-file>login.jsp</welcome-file>
    </welcome-file-list>

I am sure everyone is familiar with the contents of this file, so nothing more to say about it. Note that the filter name springSecurityFilterChain must match the bean name that the Spring Security namespace configuration registers; DelegatingFilterProxy looks the filter up by that name.

3. Next, the configuration file applicationContext-security.xml, where all of the Spring Security configuration lives. Of this file only one comment survives in this copy of the document:

    <!-- If user passwords are stored hashed, you can add a little "salt" -->

4. Now the custom filter implementation:

    package com.robin.erp.fwk.security;

    import java.io.IOException;

    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;

    import org.springframework.security.access.SecurityMetadataSource;
    import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
    import org.springframework.security.access.intercept.InterceptorStatusToken;
    import org.springframework.security.web.FilterInvocation;
    import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

    public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {

        private FilterInvocationSecurityMetadataSource securityMetadataSource;

        // Methods

        /**
         * Method that is actually called by the filter chain. Simply delegates to
         * the {@link #invoke(FilterInvocation)} method.
         *
         * @param request  the servlet request
         * @param response the servlet response
         * @param chain    the filter chain
         * @throws IOException      if the filter chain fails
         * @throws ServletException if the filter chain fails
         */
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            FilterInvocation fi = new FilterInvocation(request, response, chain);
            invoke(fi);
        }

        public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
            return this.securityMetadataSource;
        }

        public Class<? extends Object> getSecureObjectClass() {
            return FilterInvocation.class;
        }

        public void invoke(FilterInvocation fi) throws IOException, ServletException {
            // The authorization check runs here, before the request continues down the chain
            InterceptorStatusToken token = super.beforeInvocation(fi);
            try {
                fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
            } finally {
                super.afterInvocation(token, null);
            }
        }

        public SecurityMetadataSource obtainSecurityMetadataSource() {
            return this.securityMetadataSource;
        }

        public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource newSource) {
            this.securityMetadataSource = newSource;
        }

        @Override
        public void destroy() {
        }

        @Override
        public void init(FilterConfig arg0) throws ServletException {
        }
    }

The core of this class is the line InterceptorStatusToken token = super.beforeInvocation(fi); in invoke(): the permission check is performed before doFilter is called, and the actual decision is delegated to the accessDecisionManager, described below. AbstractSecurityInterceptor also requires an authenticationManager and an accessDecisionManager to be injected, otherwise it fails at startup.

5. Now the authentication-provider implementation:

    package com.robin.erp.fwk.security;

    import java.util.ArrayList;
    import java.util.Collection;

    import org.springframework.dao.DataAccessException;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.GrantedAuthorityImpl;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;

    public class MyUserDetailService implements UserDetailsService {

        @Override
        public UserDetails loadUserByUsername(String username)
                throws UsernameNotFoundException, DataAccessException {
            // Demo only: everyone gets ROLE_ADMIN, except "robin1" who gets ROLE_ROBIN
            Collection<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();
            GrantedAuthorityImpl auth2 = new GrantedAuthorityImpl("ROLE_ADMIN");
            auths.add(auth2);
            if (username.equals("robin1")) {
                auths = new ArrayList<GrantedAuthority>();
                GrantedAuthorityImpl auth1 = new GrantedAuthorityImpl("ROLE_ROBIN");
                auths.add(auth1);
            }
            // User(String username, String password, boolean enabled, boolean accountNonExpired,
            //      boolean credentialsNonExpired, boolean accountNonLocked, Collection<GrantedAuthority> authorities)
            // Demo only: the fixed password "robin" for every user
            User user = new User(username, "robin", true, true, true, true, auths);
            return user;
        }
    }

In this class you can read the user's password, role information, whether the account is locked, whether it has expired and so on from the database; code this simple needs no further explanation. Two things the demo hard-codes must be replaced before real use: every username other than robin1 receives ROLE_ADMIN, and every account is created with the fixed password "robin". If the provider is configured with a salted password encoder (the "salt" comment in the configuration file above), the password returned here must be the stored hash rather than the plaintext, because the provider hashes the submitted password with the salt and compares the result to this value.

6. Access permissions on resources are defined by implementing the FilterInvocationSecurityMetadataSource interface, which initializes the data:

    package com.robin.erp.fwk.security;

    import java.util.ArrayList;
    import java.util.Collection;
    import java.util.HashMap;
    import java.util.Iterator;
    import java.util.Map;

    import org.springframework.security.access.ConfigAttribute;
    import org.springframework.security.access.SecurityConfig;
    import org.springframework.security.web.FilterInvocation;
    import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
    import org.springframework.security.web.util.AntUrlPathMatcher;
    import org.springframework.security.web.util.UrlMatcher;

    /**
     * On initialization this class should load all resources and the roles
     * defined for each of them.
     *
     * @author Robin
     */
    public class MyInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

        private UrlMatcher urlMatcher = new AntUrlPathMatcher();
        private static Map<String, Collection<ConfigAttribute>> resourceMap = null;

        public MyInvocationSecurityMetadataSource() {
            loadResourceDefine();
        }

        private void loadResourceDefine() {
            resourceMap = new HashMap<String, Collection<ConfigAttribute>>();
            Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>();
            ConfigAttribute ca = new SecurityConfig("ROLE_ADMIN");
            atts.add(ca);
            resourceMap.put("/index.jsp", atts);
            resourceMap.put("/i.jsp", atts);
        }

        // According to a URL, find out the permission configuration of this URL.
        public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
            // guess object is a URL.
            String url = ((FilterInvocation) object).getRequestUrl();
            Iterator<String> ite = resourceMap.keySet().iterator();
            while (ite.hasNext()) {
                String resURL = ite.next();
                if (urlMatcher.pathMatchesUrl(resURL, url)) {
                    return resourceMap.get(resURL);
                }
            }
            return null;
        }

        public boolean supports(Class<?> clazz) {
            return true;
        }

        public Collection<ConfigAttribute> getAllConfigAttributes() {
            return null;
        }
    }

Look at loadResourceDefine: here I assume that the two resources index.jsp and i.jsp require a user with ROLE_ADMIN. The other core part of this class is returning the permission definition for a given resource, that is, the result of getAttributes. Note that my example uses the AntUrlPathMatcher path matcher to check whether a URL matches a resource definition; you could also match with regular expressions, or implement a matcher of your own.

Two points to check before reusing this class as-is. First, FilterInvocation.getRequestUrl() returns the servlet path and path info together with the query string, and unlike Spring Security's own DefaultFilterInvocationSecurityMetadataSource this class does not strip the query string before matching, so a request for /index.jsp?x=1 does not match the /index.jsp entry. Second, for any URL without an entry getAttributes returns null, which AbstractSecurityInterceptor treats as a public resource and lets through without any authorization check, unless its rejectPublicInvocations property is set to true, in which case the request is rejected with an exception. Keep the resource map exhaustive, or end it with a catch-all pattern.

7. What remains is the final decision, "make a decision", which is actually easy as well.

    package com.robin.erp.fwk.security;

    import java.util.Collection;
    import java.util.Iterator;

    import org.springframework.security.access.AccessDecisionManager;
    import org.springframework.security.access.AccessDeniedException;
    import org.springframework.security.access.ConfigAttribute;
    import org.springframework.security.authentication.InsufficientAuthenticationException;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.GrantedAuthority;

    public class MyAccessDecisionManager implements AccessDecisionManager {

        // In this method, need to compare authentication with configAttributes.
        // 1. The object is a URL; the filter found the permission configuration for this URL and passes it here.
        // 2. Check whether the authentication holds an authority listed in the permission configuration (configAttributes).
        // 3. If nothing matches the authentication, throw an AccessDeniedException.
        public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
                throws AccessDeniedException, InsufficientAuthenticationException {
            // The body below follows the three steps in the comment above; the original text
            // stops at the method signature, so this completion is not the author's own code.
            if (configAttributes == null) {
                return;
            }
            Iterator<ConfigAttribute> ite = configAttributes.iterator();
            while (ite.hasNext()) {
                ConfigAttribute ca = ite.next();
                String needRole = ca.getAttribute();
                for (GrantedAuthority ga : authentication.getAuthorities()) {
                    if (needRole.equals(ga.getAuthority())) {
                        return; // one matching role is enough to grant access
                    }
                }
            }
            throw new AccessDeniedException("no right");
        }

        public boolean supports(ConfigAttribute attribute) {
            return true;
        }

        public boolean supports(Class<?> clazz) {
            return true;
        }
    }
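MyUserDetailService above leaves the database lookup as a comment ("read the password, roles, lock state and expiry from the database"). The class below is an added example, not part of Robin's tutorial, showing that lookup with Spring's JdbcTemplate. Its table and column names (users, user_roles, password_hash and so on) are assumptions made for the demo, and it expects password_hash to hold the SHA value produced with the username as salt, i.e. whatever the password-encoder and salt-source configured on the authentication provider will compute from the submitted password.

```java
package com.robin.erp.fwk.security;

import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import javax.sql.DataSource;

import org.springframework.dao.DataAccessException;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Added example, not from the tutorial: a database-backed replacement for MyUserDetailService.
 * Assumed (hypothetical) schema:
 *   users(username, password_hash, enabled, account_expired, credentials_expired, account_locked)
 *   user_roles(username, role)
 * password_hash must already be the salted hash the authentication provider compares against;
 * this class never sees or checks a plaintext password.
 */
public class JdbcUserDetailService implements UserDetailsService {

    private static final String USER_SQL =
        "select username, password_hash, enabled, account_expired, credentials_expired, account_locked "
        + "from users where username = ?";
    private static final String ROLES_SQL = "select role from user_roles where username = ?";

    /** One row of the assumed users table. */
    private static final class Account {
        String username;
        String passwordHash;
        boolean enabled;
        boolean expired;
        boolean credentialsExpired;
        boolean locked;
    }

    private static final RowMapper<Account> ACCOUNT_MAPPER = new RowMapper<Account>() {
        public Account mapRow(ResultSet rs, int rowNum) throws SQLException {
            Account a = new Account();
            a.username = rs.getString("username");
            a.passwordHash = rs.getString("password_hash");
            a.enabled = rs.getBoolean("enabled");
            a.expired = rs.getBoolean("account_expired");
            a.credentialsExpired = rs.getBoolean("credentials_expired");
            a.locked = rs.getBoolean("account_locked");
            return a;
        }
    };

    private final JdbcTemplate jdbc;

    public JdbcUserDetailService(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    @Override
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        // The username is bound as a JDBC parameter, never concatenated into the SQL.
        List<Account> rows = jdbc.query(USER_SQL, ACCOUNT_MAPPER, username);
        if (rows.isEmpty()) {
            // DaoAuthenticationProvider reports this as BadCredentialsException by default
            // (hideUserNotFoundExceptions), so unknown and wrong-password look alike to the client.
            throw new UsernameNotFoundException("user not found");
        }
        Account a = rows.get(0);

        // Roles come from a second query so that an account with no roles still resolves
        List<String> roles = jdbc.queryForList(ROLES_SQL, String.class, a.username);
        Collection<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();
        for (String role : roles) {
            auths.add(new GrantedAuthorityImpl(role));
        }

        // User takes "non-expired" / "non-locked" flags, so the stored booleans are inverted here
        return new User(a.username, a.passwordHash, a.enabled,
                !a.expired, !a.credentialsExpired, !a.locked, auths);
    }
}
```

Wire it as the user-service-ref of the authentication provider in place of MyUserDetailService, passing the application's DataSource to the constructor. The provider, not this class, checks the password: it hashes the submitted value with the configured salt and compares it with the password_hash returned here, and it also enforces the enabled, locked and expired flags before the password is checked.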
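The MyInvocationSecurityMetadataSource shown in the tutorial keeps its patterns in a HashMap, matches the raw request URL including any query string, and returns null for every URL it does not know, which AbstractSecurityInterceptor treats as public. The class below is an added example, not the author's code, of the same interface written to avoid those three things: it keeps the definitions in insertion order so the most specific pattern is tried first, normalizes the URL the way Spring Security's DefaultFilterInvocationSecurityMetadataSource does (query string removed, lower-cased when the matcher asks for it), and ends with a "/**" catch-all so that a forgotten URL is denied instead of silently public. The patterns and roles in the constructor are assumptions for the demo.

```java
package com.robin.erp.fwk.security;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.AntUrlPathMatcher;
import org.springframework.security.web.util.UrlMatcher;

/**
 * Added example, not from the tutorial: an ordered, URL-normalizing, default-deny variant of
 * MyInvocationSecurityMetadataSource. The resource definitions below are demo assumptions.
 */
public class OrderedInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

    private final UrlMatcher urlMatcher = new AntUrlPathMatcher();

    // LinkedHashMap: iteration follows insertion order, so the first matching entry wins.
    private final Map<Object, Collection<ConfigAttribute>> resourceMap =
            new LinkedHashMap<Object, Collection<ConfigAttribute>>();

    public OrderedInvocationSecurityMetadataSource() {
        // Specific patterns first, the catch-all last (assumed demo rules).
        define("/admin/**", "ROLE_ADMIN");
        define("/index.jsp", "ROLE_ADMIN");
        define("/i.jsp", "ROLE_ADMIN");
        define("/**", "ROLE_USER");
    }

    private void define(String pattern, String... roles) {
        Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>();
        for (String role : roles) {
            atts.add(new SecurityConfig(role));
        }
        // AntUrlPathMatcher.compile() lower-cases the pattern when requiresLowerCaseUrl() is true,
        // so patterns and normalized request URLs are compared in the same case.
        resourceMap.put(urlMatcher.compile(pattern), atts);
    }

    /** Drops the query string and, if asked, lower-cases the URL before it is matched. */
    static String normalize(String url, boolean lowerCase) {
        int q = url.indexOf('?');
        if (q != -1) {
            url = url.substring(0, q);
        }
        return lowerCase ? url.toLowerCase() : url;
    }

    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        if (!(object instanceof FilterInvocation)) {
            throw new IllegalArgumentException("Object must be a FilterInvocation");
        }
        // getRequestUrl() includes the query string; "/index.jsp?x=1" must still hit the "/index.jsp" rule.
        String url = normalize(((FilterInvocation) object).getRequestUrl(), urlMatcher.requiresLowerCaseUrl());
        for (Map.Entry<Object, Collection<ConfigAttribute>> e : resourceMap.entrySet()) {
            if (urlMatcher.pathMatchesUrl(e.getKey(), url)) {
                return e.getValue();
            }
        }
        return null; // not reached while "/**" is the last entry
    }

    // Returning the full set lets AbstractSecurityInterceptor validate at startup that the
    // AccessDecisionManager supports every attribute in use (validateConfigAttributes).
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        Collection<ConfigAttribute> all = new HashSet<ConfigAttribute>();
        for (Collection<ConfigAttribute> atts : resourceMap.values()) {
            all.addAll(atts);
        }
        return all;
    }

    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}
```

With the catch-all in place an unauthenticated visitor reaching any secured URL is denied by the decision manager, and the ExceptionTranslationFilter that the namespace configuration puts ahead of the security interceptor turns that denial into a redirect to the login page; the login page itself therefore has to be excluded from the filter chain in the configuration, or the redirect loops.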
