1.Spring Security 11个步骤为应用程序添加安全防护 2. 历史与现状 自2003年出现的Spring扩展插件Acegi Security发展而来。 目前最新 版本为3.x,已成为Spring的一部分。 为J2EE企业应用程序提供可靠的安全性服务。 3.Authentication vs. Authorization 区分概念验证与授权 验证 这 个用户是谁? 用户身份可靠吗? 授权 某用户A是否可以访问资源R 某用户A是否可以执行M操作 某用户A是否可以对资 源R执行M操作 4.SS中的验证特点 支持多种验证方式 支持多种加密格式 支持组件的扩展和替换 可以本地化 输出信息 5.SS中的授权特点 支持多种仲裁方式 支持组件的扩展和替换 支持对页面访问、方法访问、对象访问 的授权。 6.SS核心安全实现 Web安全 通过配置Servlet Filter激活SS中的过滤器链 实现 Session一致性验证 实现免登陆验证(Remember-Me验证) 提供一系列标签库进行页面元素的安全控制 方法安全 通 过AOP模式实现安全代理 Web安全与方法安全均可以使用表达式语言定义访问规则 7.配置SS 配置Web.xml,应用安全过滤器 配置Spring,验证与授权部分 在web页面 中获取用户身份 在web页面中应用安全标签库 实现方法级安全 8.配置web.xml Xml代码 收藏代码 1. <filter> 2. <filter-name>springSecurityFilterChain</filter-name> 3. <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 4. </filter> 5. <filter-mapping> 6. <filter-name>springSecurityFilterChain</filter-name> 7. <url-pattern>/*</url-pattern> 8. </filter-mapping> 9. <context-param> 10. <param-name>contextConfigLocation</param-name> 11. <param-value>classpath:spring.xml</param-value> 12. </context-param> 13. <listener> 14. <listener-class> 15. org.springframework.web.context.ContextLoaderListener 16. </listener-class> 17. </listener> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <context-param> <param-name>contextConfigLocation</param-name> <param-value>classpath:spring.xml</param-value> </context-param> <listener> <listener-class> org.springframework.web.context.ContextLoaderListener </listener-class> </listener> 9.Spring配置文件中设置命名空间 Xml代码 收藏代码 1. <?xml version="1.0" encoding="UTF-8"?> 2. <beans:beansxmlnsbeans:beansxmlns="http://www.springframework.org/schema/security" 3. xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 4. xsi:schemaLocation="http://www.springframework.org/schema/beans 5. http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 6. http://www.springframework.org/schema/security 7. http://www.springframework.org/schema/security/spring-security-3.0.xsd"> 8. </beans:beans> <?xml version="1.0" encoding="UTF-8"?> <beans:beansxmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> </beans:beans> 10.配置最基本的验证与授权 Xml代码 收藏代码 1. <http auto-config="true"> 2. <intercept-url pattern="/**" access="ROLE_USER" /> 3. </http> 4. <authentication-manager> 5. <authentication-provider> 6. <user-service> 7. <user name="tom" password="123" authorities="ROLE_USER, ROLE_A" /> 8. <user name="jerry" password="123" authorities="ROLE_USER, ROLE_B" /> 9. </user-service> 10. </authentication-provider> 11. </authentication-manager> <http auto-config="true"> <intercept-url pattern="/**" access="ROLE_USER" /> </http> <authentication-manager> <authentication-provider> <user-service> <user name="tom" password="123" authorities="ROLE_USER, ROLE_A" /> <user name="jerry" password="123" authorities="ROLE_USER, ROLE_B" /> </user-service> </authentication-provider> </authentication-manager> 11.通过数据库验证用户身份 Xml代码 收藏代码 1. <authentication-manager> 2. <authentication-provider> 3. <password-encoder hash=“md5”/> 4. <jdbc-user-service data-source-ref="dataSource"/> 5. </authentication-provider> 6. </authentication-manager> <authentication-manager> <authentication-provider> <password-encoder hash=“md5”/> <jdbc-user-service data-source-ref="dataSource"/> </authentication-provider> </authentication-manager> 数据表结构见SS说明手册附录A 12.完善web页面验证规则 Html代码 收藏代码 1. <http auto-config="true"> 2. <intercept-url pattern="/js/**" filters="none"/> 3. <intercept-url pattern="/css/**" filters="none"/> 4. <intercept-url pattern="/images/**" filters="none"/> 5. <intercept-url pattern="/a.jsp" access="ROLE_A" /> 6. <intercept-url pattern="/b.jsp" access="ROLE_B" /> 7. <intercept-url pattern="/c.jsp" access="ROLE_A, ROLE_B" /> 8. <intercept-url pattern="/**" access="ROLE_USER" /> 9. </http> <http auto-config="true"> <intercept-url pattern="/js/**" filters="none"/> <intercept-url pattern="/css/**" filters="none"/> <intercept-url pattern="/images/**" filters="none"/> <intercept-url pattern="/a.jsp" access="ROLE_A" /> <intercept-url pattern="/b.jsp" access="ROLE_B" /> <intercept-url pattern="/c.jsp" access="ROLE_A, ROLE_B" /> <intercept-url pattern="/**" access="ROLE_USER" /> </http> 13.自定义验证配置 Xml代码 收藏代码 1. <!-- 指 定登陆页面、成功页面、失败页面--> 2. <form-login login-page="/login.jsp" default-target-url="/index.jsp" authentication-failure-url="/login.jsp" /> 3. <!-- 尝 试访问没有权限的页面时跳转的页面 --> 4. <access-denied-handler error-page="/accessDenied.jsp"/> 5. <!-- 使 用记住用户名、密码功能,指定数据源和加密的key --> 6. <remember-me data-source-ref="dataSource" /> 7. <!-- logout 页面,logout后清除session --> 8. <logout invalidate-session="true" logout-success-url="/login.jsp" /> 9. <!-- session 失 效后跳转的页面,最大登陆次数 --> 10. <session-management invalid-session-url="/sessionTimeout.htm"> 11. <concurrency-control max-sessions="1" expired-url="/sessionTimeout.htm" /> 12. </session-management> 13. </http> <!-- 指 定登陆页面、成功页面、失败页面--> <form-login login-page="/login.jsp" default-target-url="/index.jsp" authentication-failure-url="/login.jsp" /> <!-- 尝 试访问没有权限的页面时跳转的页面 --> <access-denied-handler error-page="/accessDenied.jsp"/> <!-- 使 用记住用户名、密码功能,指定数据源和加密的key --> <remember-me data-source-ref="dataSource" /> <!-- logout 页面,logout后清除session --> <logout invalidate-session="true" logout-success-url="/login.jsp" /> <!-- session 失 效后跳转的页面,最大登陆次数 --> <session-management invalid-session-url="/sessionTimeout.htm"> <concurrency-control max-sessions="1" expired-url="/sessionTimeout.htm" /> </session-management> </http> 可以使用SS自带的登陆页面作为login.jsp的模板 14.本地化消息输出 拷贝本地化资源文件后,在配置文件中加载该文件: Xml代码 收藏代码 1. <!-- 加载错误信息资源文件 --> 2. <beans:bean id="messageSource" 3. class="org.springframework.context.support.ReloadableResourceBundleMessageSource"> 4. <beans:property name="basename" value="classpath:messages"/> 5. </beans:bean> <!-- 加载错误信息资源文件 --> <beans:bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource"> <beans:property name="basename" value="classpath:messages"/> </beans:bean> 资 源文件在SS核心包:spring-security-core-3.0.2.RELEASE.jar的orgspringframeworksecurity目录 中 15.在web页面中获取用户信息 方式 一:Java代码 Java代码 收藏代码 1. Authentication auth = SecurityContextHolder.getContext().getAuthentication(); 2. Collection<GrantedAuthority> col = auth.getAuthorities(); Authentication auth = SecurityContextHolder.getContext().getAuthentication(); Collection<GrantedAuthority> col = auth.getAuthorities(); 方 式二:标签库 Html代码 收藏代码 1. <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %> 2. <sec:authentication property="name“/> 3. <sec:authentication property="authorities“/> <%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %> <sec:authentication property="name“/> <sec:authentication property="authorities“/> 16.在web页面进行元素安全控制 方式一 Html代码 收藏代码 1. <sec:authorizeifAnyGrantedsec:authorizeifAnyGranted="ROLE_A"> 2. <a href="a.jsp">你可以访问a.jsp</a> 3. </sec:authorize> 4. <sec:authorizeifNotGrantedsec:authorizeifNotGranted="ROLE_A"> 5. 你不可以访问a.jsp 6. </sec:authorize> <sec:authorizeifAnyGranted="ROLE_A"> <a href="a.jsp">你可以访问a.jsp</a> </sec:authorize> <sec:authorizeifNotGranted="ROLE_A"> 你不可以访问a.jsp </sec:authorize> 方式二 Html代码 收藏代码 1. <sec:authorizeurlsec:authorizeurl="/a.jsp"> 2. <a href="a.jsp">你可以访问a.jsp</a> 3. </sec:authorize> <sec:authorizeurl="/a.jsp"> <a href="a.jsp">你可以访问a.jsp</a> </sec:authorize> 17.全局方法安全控制 Xml代码 收藏代码 1. <global-method-security pre-post-annotations="enabled"> 2. <protect-pointcut expression="execution(* com.xasxt.*Service.add*(..))" access="ROLE_A"/> 3. <protect-pointcut expression="execution(* com.xasxt.*Service.delete*(..))" access="ROLE_B"/> 4. </global-method-security> <global-method-security pre-post-annotations="enabled"> <protect-pointcut expression="execution(* com.xasxt.*Service.add*(..))" access="ROLE_A"/> <protect-pointcut expression="execution(* com.xasxt.*Service.delete*(..))" access="ROLE_B"/> </global-method-security> 此 处使用了AspectJ中常用的切入点表达式(百度:AspectJ execution) 18.使用注解进行方法安全控制 Java代码 收藏代码 1. public class DemoService { 2. @PreAuthorize("hasRole('ROLE_A')") 3. public void methodA() { 4. } 5. @PreAuthorize("hasAnyRole('ROLE_A, ROLE_B')") 6. public void methodB() { 7. } 8. } public class DemoService { @PreAuthorize("hasRole('ROLE_A')") public void methodA() { } @PreAuthorize("hasAnyRole('ROLE_A, ROLE_B')") public void methodB() { } } hasRole 与hasAnyRole为SS通用内置表达式(google : spring security Common Built- In Expressions) 下一步做什么??? 采用更安全的验证方式 采用安全的数据传输方式 实现动态授权 自 定义验证与授权部件 实现数据级安全 本Blog所有内容不得随意转载,版权属于作者所有。如需转载请与作者联系( [email protected] QQ:9184314)。 未经许可的转载,本人保留一切法律权益。 一直以来,发现有某些人完全不尊重我的劳动成果,随意转载,提醒一下那些人小心哪天惹上官司。 Spring Security 3.x 出来一段时间了,跟Acegi是大不同了,与2.x的版本也有一些小小的区别,网上有一些文档,也有人翻译Spring Security 3.x的guide,但通过阅读guide,无法马上就能很容易的实现一个完整的实例。 我花了点儿时间,根据以前的实战经验,整理了一份完整的入门教程,供需要的朋友们参考。 1,建一个web project,并导入所有需要的lib,这步就不多讲了。 2,配置web.xml,使用Spring的机制装载: Xml代码 收藏代码 1. <?xml version="1.0" encoding="UTF-8"?> 2. <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" 3. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 4. xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee 5. http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"> 6. <context-param> 7. <param-name>contextConfigLocation</param-name> 8. <param-value>classpath:applicationContext*.xml</param-value> 9. </context-param> 10. 11. <listener> 12. <listener-class> 13. org.springframework.web.context.ContextLoaderListener 14. </listener-class> 15. </listener> 16. 17. <filter> 18. <filter-name>springSecurityFilterChain</filter-name> 19. <filter-class> 20. org.springframework.web.filter.DelegatingFilterProxy 21. </filter-class> 22. </filter> 23. <filter-mapping> 24. <filter-name>springSecurityFilterChain</filter-name> 25. <url-pattern>/*</url-pattern> 26. </filter-mapping> 27. 28. 29. <welcome-file-list> 30. <welcome-file>login.jsp</welcome-file> 31. </welcome-file-list> 32. </web-app> <?xml version="1.0" encoding="UTF-8"?> <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"> <context-param> <param-name>contextConfigLocation</param-name> <param-value>classpath:applicationContext*.xml</param-value> </context-param> <listener> <listener-class> org.springframework.web.context.ContextLoaderListener </listener-class> </listener> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class> org.springframework.web.filter.DelegatingFilterProxy </filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <welcome-file-list> <welcome-file>login.jsp</welcome-file> </welcome-file-list> </web-app> 这个文件中的内容我相信大家都很熟悉了,不再多说了。 来看看applicationContext-security.xml这个配置文件,关于Spring Security的配置均在其中: Xml代码 收藏代码 1. <?xml version="1.0" encoding="UTF-8"?> 2. <beans:beans xmlns="http://www.springframework.org/schema/security" 3. xmlns:beans="http://www.springframework.org/schema/beans" 4. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 5. xsi:schemaLocation="http://www.springframework.org/schema/beans 6. http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 7. http://www.springframework.org/schema/security 8. http://www.springframework.org/schema/security/spring-security-3.0.xsd"> 9. 10. <http access-denied-page="/403.jsp"><!-- 当访问被拒绝时,会转到403.jsp --> 11. <intercept-url pattern="/login.jsp" filters="none" /> 12. <form-login login-page="/login.jsp" 13. authentication-failure-url="/login.jsp?error=true" 14. default-target-url="/index.jsp" /> 15. <logout logout-success-url="/login.jsp" /> 16. <http-basic /> 17. <!-- 增加一个filter,这点与Acegi是不一样的,不能修改默认的filter了,这个filter位于FILTER_SECURITY_INTERCEPTOR之前 --> 18. <custom-filter before="FILTER_SECURITY_INTERCEPTOR" 19. ref="myFilter" /> 20. </http> 21. 22. <!-- 一个自定义的filter,必须包含authenticationManager,accessDecisionManager,securityMetadataSource三个属性, 23. 我们的所有控制将在这三个类中实现,解释详见具体配置 --> 24. <beans:bean id="myFilter" class="com.robin.erp.fwk.security.MyFilterSecurityInterceptor"> 25. <beans:property name="authenticationManager" 26. ref="authenticationManager" /> 27. <beans:property name="accessDecisionManager" 28. ref="myAccessDecisionManagerBean" /> 29. <beans:property name="securityMetadataSource" 30. ref="securityMetadataSource" /> 31. </beans:bean> 32. 33. <!-- 认证管理器,实现用户认证的入口,主要实现UserDetailsService接口即可 --> 34. <authentication-manager alias="authenticationManager"> 35. <authentication-provider 36. user-service-ref="myUserDetailService"> 37. <!-- 如果用户的密码采用加密的话,可以加点“盐” 38. <password-encoder hash="md5" /> 39. --> 40. </authentication-provider> 41. </authentication-manager> 42. <beans:bean id="myUserDetailService" 43. class="com.robin.erp.fwk.security.MyUserDetailService" /> 44. 45. <!-- 访问决策器,决定某个用户具有的角色,是否有足够的权限去访问某个资源 --> 46. <beans:bean id="myAccessDecisionManagerBean" 47. class="com.robin.erp.fwk.security.MyAccessDecisionManager"> 48. </beans:bean> 49. 50. <!-- 资源源数据定义,即定义某一资源可以被哪些角色访问 --> 51. <beans:bean id="securityMetadataSource" 52. class="com.robin.erp.fwk.security.MyInvocationSecurityMetadataSource" /> 53. 54. </beans:beans> <?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> <http access-denied-page="/403.jsp"><!-- 当访问被拒绝时,会转到403.jsp --> <intercept-url pattern="/login.jsp" filters="none" /> <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=true" default-target-url="/index.jsp" /> <logout logout-success-url="/login.jsp" /> <http-basic /> <!-- 增加一个filter,这点与Acegi是不一样的,不能修改默认的filter了,这个filter位于FILTER_SECURITY_INTERCEPTOR之前 --> <custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="myFilter" /> </http> <!-- 一个自定义的filter,必须包含authenticationManager,accessDecisionManager,securityMetadataSource三个属性, 我们的所有控制将在这三个类中实现,解释详见具体配置 --> <beans:bean id="myFilter" class="com.robin.erp.fwk.security.MyFilterSecurityInterceptor"> <beans:property name="authenticationManager" ref="authenticationManager" /> <beans:property name="accessDecisionManager" ref="myAccessDecisionManagerBean" /> <beans:property name="securityMetadataSource" ref="securityMetadataSource" /> </beans:bean> <!-- 认证管理器,实现用户认证的入口,主要实现UserDetailsService接口即可 --> <authentication-manager alias="authenticationManager"> <authentication-provider user-service-ref="myUserDetailService"> <!-- 如果用户的密码采用加密的话,可以加点“盐” <password-encoder hash="md5" /> --> </authentication-provider> </authentication-manager> <beans:bean id="myUserDetailService" class="com.robin.erp.fwk.security.MyUserDetailService" /> <!-- 访问决策器,决定某个用户具有的角色,是否有足够的权限去访问某个资源 --> <beans:bean id="myAccessDecisionManagerBean" class="com.robin.erp.fwk.security.MyAccessDecisionManager"> </beans:bean> <!-- 资源源数据定义,即定义某一资源可以被哪些角色访问 --> <beans:bean id="securityMetadataSource" class="com.robin.erp.fwk.security.MyInvocationSecurityMetadataSource" /> </beans:beans> 来看看自定义filter的实现: Java代码 收藏代码 1. package com.robin.erp.fwk.security; 2. import java.io.IOException; 3. 4. import javax.servlet.Filter; 5. import javax.servlet.FilterChain; 6. import javax.servlet.FilterConfig; 7. import javax.servlet.ServletException; 8. import javax.servlet.ServletRequest; 9. import javax.servlet.ServletResponse; 10. 11. import org.springframework.security.access.SecurityMetadataSource; 12. import org.springframework.security.access.intercept.AbstractSecurityInterceptor; 13. import org.springframework.security.access.intercept.InterceptorStatusToken; 14. import org.springframework.security.web.FilterInvocation; 15. import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource; 16. 17. public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor 18. implements Filter { 19. 20. private FilterInvocationSecurityMetadataSource securityMetadataSource; 21. 22. // ~ Methods 23. // ======================================================================================================== 24. 25. /** 26. * Method that is actually called by the filter chain. Simply delegates to 27. * the {@link #invoke(FilterInvocation)} method. 28. * 29. * @param request 30. * the servlet request 31. * @param response 32. * the servlet response 33. * @param chain 34. * the filter chain 35. * 36. * @throws IOException 37. * if the filter chain fails 38. * @throws ServletException 39. * if the filter chain fails 40. */ 41. public void doFilter(ServletRequest request, ServletResponse response, 42. FilterChain chain) throws IOException, ServletException { 43. FilterInvocation fi = new FilterInvocation(request, response, chain); 44. invoke(fi); 45. } 46. 47. public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() { 48. return this.securityMetadataSource; 49. } 50. 51. public Class<? extends Object> getSecureObjectClass() { 52. return FilterInvocation.class; 53. } 54. 55. public void invoke(FilterInvocation fi) throws IOException, 56. ServletException { 57. InterceptorStatusToken token = super.beforeInvocation(fi); 58. try { 59. fi.getChain().doFilter(fi.getRequest(), fi.getResponse()); 60. } finally { 61. super.afterInvocation(token, null); 62. } 63. } 64. 65. public SecurityMetadataSource obtainSecurityMetadataSource() { 66. return this.securityMetadataSource; 67. } 68. 69. public void setSecurityMetadataSource( 70. FilterInvocationSecurityMetadataSource newSource) { 71. this.securityMetadataSource = newSource; 72. } 73. 74. @Override 75. public void destroy() { 76. } 77. 78. @Override 79. public void init(FilterConfig arg0) throws ServletException { 80. } package com.robin.erp.fwk.security; import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import org.springframework.security.access.SecurityMetadataSource; import org.springframework.security.access.intercept.AbstractSecurityInterceptor; import org.springframework.security.access.intercept.InterceptorStatusToken; import org.springframework.security.web.FilterInvocation; import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource; public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter { private FilterInvocationSecurityMetadataSource securityMetadataSource; // ~ Methods // ======================================================================================================== /** * Method that is actually called by the filter chain. Simply delegates to * the {@link #invoke(FilterInvocation)} method. * * @param request * the servlet request * @param response * the servlet response * @param chain * the filter chain * * @throws IOException * if the filter chain fails * @throws ServletException * if the filter chain fails */ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { FilterInvocation fi = new FilterInvocation(request, response, chain); invoke(fi); } public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() { return this.securityMetadataSource; } public Class<? extends Object> getSecureObjectClass() { return FilterInvocation.class; } public void invoke(FilterInvocation fi) throws IOException, ServletException { InterceptorStatusToken token = super.beforeInvocation(fi); try { fi.getChain().doFilter(fi.getRequest(), fi.getResponse()); } finally { super.afterInvocation(token, null); } } public SecurityMetadataSource obtainSecurityMetadataSource() { return this.securityMetadataSource; } public void setSecurityMetadataSource( FilterInvocationSecurityMetadataSource newSource) { this.securityMetadataSource = newSource; } @Override public void destroy() { } @Override public void init(FilterConfig arg0) throws ServletException { } 最核心的代码就是invoke方法中的InterceptorStatusToken token = super.beforeInvocation(fi);这一句,即在执行doFilter之前,进行权限的检查,而具体的实现已经交给 accessDecisionManager了,下文中会讲述。 来看看authentication-provider的实现: Java代码 收藏代码 1. package com.robin.erp.fwk.security; 2. import java.util.ArrayList; 3. import java.util.Collection; 4. 5. import org.springframework.dao.DataAccessException; 6. import org.springframework.security.core.GrantedAuthority; 7. import org.springframework.security.core.authority.GrantedAuthorityImpl; 8. import org.springframework.security.core.userdetails.User; 9. import org.springframework.security.core.userdetails.UserDetails; 10. import org.springframework.security.core.userdetails.UserDetailsService; 11. import org.springframework.security.core.userdetails.UsernameNotFoundException; 12. 13. public class MyUserDetailService implements UserDetailsService { 14. 15. @Override 16. public UserDetails loadUserByUsername(String username) 17. throws UsernameNotFoundException, DataAccessException { 18. Collection<GrantedAuthority> auths=new ArrayList<GrantedAuthority>(); 19. GrantedAuthorityImpl auth2=new GrantedAuthorityImpl("ROLE_ADMIN"); 20. auths.add(auth2); 21. if(username.equals("robin1")){ 22. auths=new ArrayList<GrantedAuthority>(); 23. GrantedAuthorityImpl auth1=new GrantedAuthorityImpl("ROLE_ROBIN"); 24. auths.add(auth1); 25. } 26. 27. // User(String username, String password, boolean enabled, boolean accountNonExpired, 28. // boolean credentialsNonExpired, boolean accountNonLocked, Collection<GrantedAuthority> authorities) { 29. User user = new User(username, 30. "robin", true, true, true, true, auths); 31. return user; 32. } 33. 34. } package com.robin.erp.fwk.security; import java.util.ArrayList; import java.util.Collection; import org.springframework.dao.DataAccessException; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.GrantedAuthorityImpl; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; public class MyUserDetailService implements UserDetailsService { @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException { Collection<GrantedAuthority> auths=new ArrayList<GrantedAuthority>(); GrantedAuthorityImpl auth2=new GrantedAuthorityImpl("ROLE_ADMIN"); auths.add(auth2); if(username.equals("robin1")){ auths=new ArrayList<GrantedAuthority>(); GrantedAuthorityImpl auth1=new GrantedAuthorityImpl("ROLE_ROBIN"); auths.add(auth1); } // User(String username, String password, boolean enabled, boolean accountNonExpired, // boolean credentialsNonExpired, boolean accountNonLocked, Collection<GrantedAuthority> authorities) { User user = new User(username, "robin", true, true, true, true, auths); return user; } } 在这个类中,你就可以从数据库中读入用户的密码,角色信息,是否锁定,账号是否过期等,我想这么简单的代码就不再多解释了。 对于资源的访问权限的定义,我们通过实现FilterInvocationSecurityMetadataSource这个接口来初始化数据。 Java代码 收藏代码 1. package com.robin.erp.fwk.security; 2. import java.util.ArrayList; 3. import java.util.Collection; 4. import java.util.HashMap; 5. import java.util.Iterator; 6. import java.util.Map; 7. 8. import org.springframework.security.access.ConfigAttribute; 9. import org.springframework.security.access.SecurityConfig; 10. import org.springframework.security.web.FilterInvocation; 11. import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource; 12. import org.springframework.security.web.util.AntUrlPathMatcher; 13. import org.springframework.security.web.util.UrlMatcher; 14. 15. /** 16. * 17. * 此类在初始化时,应该取到所有资源及其对应角色的定义 18. * 19. * @author Robin 20. * 21. */ 22. public class MyInvocationSecurityMetadataSource 23. implements FilterInvocationSecurityMetadataSource { 24. private UrlMatcher urlMatcher = new AntUrlPathMatcher();; 25. private static Map<String, Collection<ConfigAttribute>> resourceMap = null; 26. 27. public MyInvocationSecurityMetadataSource() { 28. loadResourceDefine(); 29. } 30. 31. private void loadResourceDefine() { 32. resourceMap = new HashMap<String, Collection<ConfigAttribute>>(); 33. Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>(); 34. ConfigAttribute ca = new SecurityConfig("ROLE_ADMIN"); 35. atts.add(ca); 36. resourceMap.put("/index.jsp", atts); 37. resourceMap.put("/i.jsp", atts); 38. } 39. 40. // According to a URL, Find out permission configuration of this URL. 41. public Collection<ConfigAttribute> getAttributes(Object object) 42. throws IllegalArgumentException { 43. // guess object is a URL. 44. String url = ((FilterInvocation)object).getRequestUrl(); 45. Iterator<String> ite = resourceMap.keySet().iterator(); 46. while (ite.hasNext()) { 47. String resURL = ite.next(); 48. if (urlMatcher.pathMatchesUrl(url, resURL)) { 49. return resourceMap.get(resURL); 50. } 51. } 52. return null; 53. } 54. 55. public boolean supports(Class<?> clazz) { 56. return true; 57. } 58. 59. public Collection<ConfigAttribute> getAllConfigAttributes() { 60. return null; 61. } 62. 63. } package com.robin.erp.fwk.security; import java.util.ArrayList; import java.util.Collection; import java.util.HashMap; import java.util.Iterator; import java.util.Map; import org.springframework.security.access.ConfigAttribute; import org.springframework.security.access.SecurityConfig; import org.springframework.security.web.FilterInvocation; import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource; import org.springframework.security.web.util.AntUrlPathMatcher; import org.springframework.security.web.util.UrlMatcher; /** * * 此类在初始化时,应该取到所有资源及其对应角色的定义 * * @author Robin * */ public class MyInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource { private UrlMatcher urlMatcher = new AntUrlPathMatcher();; private static Map<String, Collection<ConfigAttribute>> resourceMap = null; public MyInvocationSecurityMetadataSource() { loadResourceDefine(); } private void loadResourceDefine() { resourceMap = new HashMap<String, Collection<ConfigAttribute>>(); Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>(); ConfigAttribute ca = new SecurityConfig("ROLE_ADMIN"); atts.add(ca); resourceMap.put("/index.jsp", atts); resourceMap.put("/i.jsp", atts); } // According to a URL, Find out permission configuration of this URL. public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException { // guess object is a URL. String url = ((FilterInvocation)object).getRequestUrl(); Iterator<String> ite = resourceMap.keySet().iterator(); while (ite.hasNext()) { String resURL = ite.next(); if (urlMatcher.pathMatchesUrl(url, resURL)) { return resourceMap.get(resURL); } } return null; } public boolean supports(Class<?> clazz) { return true; } public Collection<ConfigAttribute> getAllConfigAttributes() { return null; } } 看看loadResourceDefine方法,我在这里,假定index.jsp和i.jsp这两个资源,需要ROLE_ADMIN角色的用户才能访问。 这个类中,还有一个最核心的地方,就是提供某个资源对应的权限定义,即getAttributes方法返回的结果。注意,我例子中使用的是 AntUrlPathMatcher这个path matcher来检查URL是否与资源定义匹配,事实上你还要用正则的方式来匹配,或者自己实现一个matcher。 剩下的就是最终的决策了,make a decision,其实也很容易,呵呵。 Java代码 收藏代码 1. package com.robin.erp.fwk.security; 2. import java.util.Collection; 3. import java.util.Iterator; 4. 5. import org.springframework.security.access.AccessDecisionManager; 6. import org.springframework.security.access.AccessDeniedException; 7. import org.springframework.security.access.ConfigAttribute; 8. import org.springframework.security.access.SecurityConfig; 9. import org.springframework.security.authentication.InsufficientAuthenticationException; 10. import org.springframework.security.core.Authentication; 11. import org.springframework.security.core.GrantedAuthority; 12. 13. 14. public class MyAccessDecisionManager implements AccessDecisionManager { 15. 16. //In this method, need to compare authentication with configAttributes. 17. // 1, A object is a URL, a filter was find permission configuration by this URL, and pass to here. 18. // 2, Check authentication has attribute in permission configuration (configAttributes) 19. // 3, If not match corresponding authentication, throw a AccessDeniedException. 20. public void decide(Authentication authentication, Object object, 21. Collection<ConfigAttribute> configAttributes) 22. throws AccessDeniedException, InsufficientAuthenticationException { 23. if(configAttributes == null){ 24. return ; 25. } 26. System.out.println(object.toString()); //object is a URL. 27. Iterator<ConfigAttribute> ite=configAttributes.iterator(); 28. while(ite.hasNext()){ 29. ConfigAttribute ca=ite.next(); 30. String needRole=((SecurityConfig)ca).getAttribute(); 31. for(GrantedAuthority ga:authentication.getAuthorities()){ 32. if(needRole.equals(ga.getAuthority())){ //ga is user's role. 33. return; 34. } 35. } 36. } 37. throw new AccessDeniedException("no right"); 38. } 39. 40. @Override 41. public boolean supports(ConfigAttribute attribute) { 42. // TODO Auto-generated method stub 43. return true; 44. } 45. 46. @Override 47. public boolean supports(Class<?> clazz) { 48. return true; 49. } 50. } package com.robin.erp.fwk.security; import java.util.Collection; import java.util.Iterator; import org.springframework.security.access.AccessDecisionManager; import org.springframework.security.access.AccessDeniedException; import org.springframework.security.access.ConfigAttribute; import org.springframework.security.access.SecurityConfig; import org.springframework.security.authentication.InsufficientAuthenticationException; import org.springframework.security.core.Authentication; import org.springframework.security.core.GrantedAuthority; public class MyAccessDecisionManager implements AccessDecisionManager { //In this method, need to compare authentication with configAttributes. // 1, A object is a URL, a filter was find permission configuration by this URL, and pass to here. // 2, Check authentication has attribute in permission configuration (configAttributes) // 3, If not match corresponding authentication, throw a AccessDeniedException. public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException { if(configAttributes == null){ return ; } System.out.println(object.toString()); //object is a URL. Iterator<ConfigAttribute> ite=configAttributes.iterator(); while(ite.hasNext()){ ConfigAttribute ca=ite.next(); String needRole=((SecurityConfig)ca).getAttribute(); for(GrantedAuthority ga:authentication.getAuthorities()){ if(needRole.equals(ga.getAuthority())){ //ga is user's role. return; } } } throw new AccessDeniedException("no right"); } @Override public boolean supports(ConfigAttribute attribute) { // TODO Auto-generated method stub return true; } @Override public boolean supports(Class<?> clazz) { return true; } } 在这个类中,最重要的是decide方法,如果不存在对该资源的定义,直接放行;否则,如果找到正确的角色,即认为拥有权限,并放行,否则 throw new AccessDeniedException("no right");这样,就会进入上面提到的403.jsp页面。 参考资料: 1,Spring官方网站:http://www.springframework.org 2,文章所用的代码,MyEclipse工程,去掉了lib,请自行下载Spring Security 3.x的包,并copy至对应目录。工程源代码 3,根据网络上的资料,制作的CHM版的 Spring Security 3.x 参考手册中文版 4,2009年3月,我在“IBM WebSphere技术专家沙龙(华南区广州站)”演讲时的PPT:《Spring Security--Protect your web application》,当时是Spring Security 2.x,很多原理是一样,可作参考。 教程中为了尽可能不跟其它框架关联上,所以去掉了访问数据库的部分,比如用户信息和资源配置信息的读取,直接写死在代码中了,大家可以根据自己的实际情况补充完整。 如有任何疑问,欢迎大家以评论的方式提问,也欢迎大家讨论! ------------------------------------ 学习spring security 3一篇很好的文章,忍不住分享之。网上好多转载,已经分不清原作者的文章了,若有作者有反感转载请告之,立马处理掉。
【转】Spring_Security_3应用的11个步骤
猜你喜欢
转载自awaitdeng.iteye.com/blog/1022088
今日推荐
周排行