- 浏览: 51577 次
- 性别:
- 来自: 大连
最新评论
先看一下spring security 官方对以下几个类或接口的解释,因为这个几个类在程序中会使用到;
ConfigAttribute:Stores a security system related configuration attribute.
SecurityConfig:ConfigAttribute的实现类。
GrantedAuthority:Represents an authority granted to an Authentication object.
GrantedAuthorityImpl:GrantedAuthority的实现类。
UserDetails:Provides core user information.
Authentication:Represents
the token for an authentication request or for an authenticated
principal once the request has been processed by the
AuthenticationManager.authenticate(Authentication) method.
UserDetailsService:Core interface which loads user-specific data.
FilterInvocationSecurityMetadataSource:Marker
interface for SecurityMetadataSource implementations that are designed
to perform lookups keyed on FilterInvocations.
AccessDecisionManager:Makes a final access control (authorization) decision.
定义四张表:用户表、角色表、资源表、组织机构表(可选)
首先需要在web.xml文件中添加以下配置:
- <filter>
- <filter-name>springSecurityFilterChain</filter-name>
- <filter-class>
- org.springframework.web.filter.DelegatingFilterProxy
- </filter-class>
- </filter>
- <filter-mapping>
- <filter-name>springSecurityFilterChain</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
接着配置spring security的配置文件:
- <? xml version = "1.0" encoding = "UTF-8" ?>
- < beans:beans xmlns = "http://www.springframework.org/schema/security"
- xmlns:beans = "http://www.springframework.org/schema/beans"
- xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation ="http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
- http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security-3.0.xsd">
- <!-- access-denied-page:定义没有权限时跳转的页面 ;use-expressions:true表示使用表达式定义忽略拦截资源列表-->
- < http auto-config = "true" access-denied-page = "/accessDenied.do" use-expressions = "true" >
- <!-- 忽略拦截资源定义 -->
- < intercept-url pattern = "/showLogin.do*" filters = "none" />
- < intercept-url pattern = "/scripts/**" filters = "none" />
- < intercept-url pattern = "/images/**" filters = "none" />
- < intercept-url pattern = "/styles/**" filters = "none" />
- < intercept-url pattern = "/dwr/**" filters = "none" />
- <!-- isAuthenticated()表示只有通过验证的用户才能访问 -->
- < intercept-url pattern = "/**" access = "isAuthenticated()" />
- < intercept-url pattern = "/main.do*" access = "isAuthenticated()" />
- <!-- max-sessions=1:禁止2次登陆;ession-fixation-protection="none":防止伪造sessionid攻击,用户登录成功后会销毁用户当前的session,-->
- <!-- 创建新的session并把用户信息复制到新session中 ;invalid-session-url:定义session超时跳转页面 -->
- < session-management invalid-session-url = "/timeout.jsp" session-fixation-protection = "none" >
- < concurrency-control max-sessions = "1" />
- </ session-management >
- <!-- 表单验证 -->
- < form-login login-page = "/showLogin.do" authentication-failure-url = "/showLogin.do?error=true" always-use-default-target = "true" default-target-url = "/login.do?error=false" />
- <!-- 退出系统跳转页面 -->
- < logout invalidate-session = "true" logout-success-url = "/showLogin.do" />
- <!-- 免登陆验证 -->
- < remember-me />
- <!-- 自定义拦截器(这里和spring security2的配置有点不同) -->
- < custom-filter before = "FILTER_SECURITY_INTERCEPTOR" ref = "securityFilter" />
- </ http >
- < beans:bean id = "securityFilter" class = "xxx.xxx.xxx.commons.permissionengine.web.security.FilterSecurityInterceptor" >
- < beans:property name = "authenticationManager" ref = "authenticationManager" />
- < beans:property name = "accessDecisionManager" ref = "securityAccessDecisionManager" />
- < beans:property name = "securityMetadataSource" ref = "securityMetadataSource" />
- </ beans:bean >
- < authentication-manager alias = "authenticationManager" >
- < authentication-provider user-service-ref = "securityUserDetailService" >
- <!-- 密码采用MD5算法加密 -->
- < password-encoder hash = "md5" />
- </ authentication-provider >
- </ authentication-manager >
- <!-- 用户拥有的权限 -->
- < beans:bean id = "securityUserDetailService" class = "xxx.xxx.xxx.commons.permissionengine.web.security.SecurityUserDetailService" />
- <!-- 用户是否拥有所请求资源的权限 -->
- < beans:bean id = "securityAccessDecisionManager" class = "xxx.xxx.xxx.commons.permissionengine.web.security.SecurityAccessDecisionManager" />
- <!-- 资源与权限对应关系 -->
- < beans:bean id = "securityMetadataSource" class = "xxx.xxx.xxx.commons.permissionengine.web.security.SecurityMetadataSource" />
- </ beans:beans >
接着需要写一个类实现UserDetails接口,这个并不是我们系统的用户,它只是一个VO,
用于保存从spring security上下文环境中获取到登录用户,因为从spring security上下文环境中获取登录用户的返回值就是UserDetails的实现类:
- package xxx.xxx.xxx.commons.permissionengine.entity;
- import java.util.Collection;
- import org.springframework.security.core.GrantedAuthority;
- import org.springframework.security.core.userdetails.UserDetails;
- public class UserDetailInfo implements UserDetails {
- private static final long serialVersionUID = 6137804370301413132L;
- private String userName;
- private String password;
- private Collection<GrantedAuthority> authorities;
- public UserDetailInfo() {}
- @Override
- public Collection<GrantedAuthority> getAuthorities() {
- return authorities;
- }
- @Override
- public String getPassword() {
- return password;
- }
- @Override
- public String getUsername() {
- return userName;
- }
- @Override
- public boolean isAccountNonExpired() {
- return true ;
- }
- @Override
- public boolean isAccountNonLocked() {
- return true ;
- }
- @Override
- public boolean isCredentialsNonExpired() {
- return true ;
- }
- @Override
- public boolean isEnabled() {
- return true ;
- }
- public String getUserName() {
- return userName;
- }
- public void setUserName(String userName) {
- this .userName = userName;
- }
- public void setPassword(String password) {
- this .password = password;
- }
- public void setAuthorities(Collection<GrantedAuthority> authorities) {
- this .authorities = authorities;
- }
- }
接着自定义一个继承了AbstractSecurityInterceptor的filter:
- package xxx.xxx.xxx.commons.permissionengine.web.security;
- import java.io.IOException;
- import javax.servlet.Filter;
- import javax.servlet.FilterChain;
- import javax.servlet.FilterConfig;
- import javax.servlet.ServletException;
- import javax.servlet.ServletRequest;
- import javax.servlet.ServletResponse;
- import org.springframework.security.access.SecurityMetadataSource;
- import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
- import org.springframework.security.access.intercept.InterceptorStatusToken;
- import org.springframework.security.web.FilterInvocation;
- import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
- public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
- private FilterInvocationSecurityMetadataSource securityMetadataSource;
- @Override
- public void destroy() {
- // TODO Auto-generated method stub
- }
- @Override
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
- FilterInvocation invocation = new FilterInvocation(request, response, filterChain);
- invoke(invocation);
- }
- public void invoke(FilterInvocation filterInvocation) throws IOException, ServletException {
- InterceptorStatusToken token = super .beforeInvocation(filterInvocation);
- try {
- filterInvocation.getChain().doFilter(filterInvocation.getRequest(), filterInvocation.getResponse());
- } finally {
- super .afterInvocation(token, null );
- }
- }
- @Override
- public void init(FilterConfig arg0) throws ServletException {
- // TODO Auto-generated method stub
- }
- @Override
- public Class<? extends Object> getSecureObjectClass() {
- return FilterInvocation. class ;
- }
- @Override
- public SecurityMetadataSource obtainSecurityMetadataSource() {
- return this .securityMetadataSource;
- }
- public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) {
- this .securityMetadataSource = securityMetadataSource;
- }
- public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
- return this .securityMetadataSource;
- }
- }
接着定义一个类,实现了UserDetailsService接口,主要用于获取登录用户信息和用户所具有的角色
- package xxx.xxx.xxx.commons.permissionengine.web.security;
- import java.util.ArrayList;
- import java.util.Collection;
- import java.util.Set;
- import javax.annotation.Resource;
- import org.springframework.dao.DataAccessException;
- import org.springframework.security.core.GrantedAuthority;
- import org.springframework.security.core.authority.GrantedAuthorityImpl;
- import org.springframework.security.core.userdetails.UserDetails;
- import org.springframework.security.core.userdetails.UserDetailsService;
- import org.springframework.security.core.userdetails.UsernameNotFoundException;
- import xxx.xxx.xxx.commons.permissionengine.entity.Role;
- import xxx.xxx.xxx.commons.permissionengine.entity.User;
- import xxx.xxx.xxx.commons.permissionengine.entity.UserDetailInfo;
- import xxx.xxx.xxx.commons.permissionengine.service.IUserService;
- public class SecurityUserDetailService implements UserDetailsService {
- private IUserService userService;
- /**
- * 获取登录用户信息并添加到security上下文环境
- */
- @Override
- public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException, DataAccessException {
- //定义存放用户角色信息的集合
- Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
- //通过已经经过验证的登录用户的用户名查找登录用户信息
- User user = userService.findUserByProperty("name" , name);
- //定义一个userDetailInfo对象,该类实现了spring security UserDetails接口,因为已经经过验证的登录用户会保持在
- //spring security上下文环境中,通过该上下文环境获取登录用户信息返回的是UserDetails类型,因此需要定义一个类实现该接口
- UserDetailInfo userDetailInfo = null ;
- if (user != null ) {
- //获取登录用户信息的角色列表
- Set<Role> roles = user.getRoles();
- for (Role role : roles) {
- //利用角色用户具有的角色的编号构造一个GrantedAuthority对象,并把该对象添加到集合中
- GrantedAuthorityImpl grantedAuthorityImpl = new GrantedAuthorityImpl( "ROLE_" +role.getNo());
- authorities.add(grantedAuthorityImpl);
- }
- userDetailInfo = new UserDetailInfo();
- userDetailInfo.setUserName(user.getName());
- userDetailInfo.setPassword(user.getPassword());
- //把角色信息添加到userDetailInfo对象中
- userDetailInfo.setAuthorities(authorities);
- }
- return userDetailInfo;
- }
- @Resource (name = "userService" )
- public void setUserService(IUserService userService) {
- this .userService = userService;
- }
- }
再接着定义一个实现了FilterInvocationSecurityMetadataSource的类:
- package xxx.xxx.xxx.commons.permissionengine.web.security;
- import java.util.ArrayList;
- import java.util.Collection;
- import java.util.HashMap;
- import java.util.Iterator;
- import java.util.Map;
- import javax.annotation.Resource;
- import org.springframework.security.access.ConfigAttribute;
- import org.springframework.security.access.SecurityConfig;
- import org.springframework.security.web.FilterInvocation;
- import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
- import org.springframework.security.web.util.AntUrlPathMatcher;
- import org.springframework.security.web.util.UrlMatcher;
- import xxx.xxx.xxx.commons.permissionengine.service.IMenuService;
- /**
- * 资源源数据管理器
- * @author Keven
- *
- */
- public class SecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
- private IMenuService menuService;
- //定义一个url匹配工具类
- private UrlMatcher urlMatcher = new AntUrlPathMatcher();
- private static Map<String, Collection<ConfigAttribute>> menuMap = null ;
- //该构造方法由spring容器调用
- public SecurityMetadataSource() {
- loadMenuDefine();
- }
- private void loadMenuDefine() {
- menuMap = new HashMap<String, Collection<ConfigAttribute>>();
- //初始化匿名用户所拥有的权限
- Collection<ConfigAttribute> guestAtts = new ArrayList<ConfigAttribute>();
- ConfigAttribute guestAttribute = new SecurityConfig( "ROLE_Guest" );
- guestAtts.add(guestAttribute);
- menuMap.put("/showLogin.do*" , guestAtts);
- }
- @Override
- public Collection<ConfigAttribute> getAllConfigAttributes() {
- return null ;
- }
- @Override
- public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
- //获取请求url
- String url = ((FilterInvocation)object).getRequestUrl();
- //从数据库获取资源与角色的对应关系,并设置初始化的资源_角色到该Map
- menuService.setMenuMap(menuMap);
- //获取资源列表
- Iterator<String> iter = menuMap.keySet().iterator();
- while (iter.hasNext()) {
- String menuUrl = iter.next();
- //防止把null值加入到map,报空指针异常
- if (menuUrl != null ) {
- //请求url与角色所拥有的权限做匹配
- if (urlMatcher.pathMatchesUrl(menuUrl, url))
- return menuMap.get(menuUrl);
- }
- }
- return null ;
- }
- @Override
- public boolean supports(Class<?> clazz) {
- return true ;
- }
- @Resource (name = "menuService" )
- public void setMenuService(IMenuService menuService) {
- this .menuService = menuService;
- }
- }
再接着定义一个实现了AccessDecisionManager的类:
- package xxx.xxx.xxx.commons.permissionengine.web.security;
- import java.util.Collection;
- import java.util.Iterator;
- import org.springframework.security.access.AccessDecisionManager;
- import org.springframework.security.access.AccessDeniedException;
- import org.springframework.security.access.ConfigAttribute;
- import org.springframework.security.access.SecurityConfig;
- import org.springframework.security.authentication.InsufficientAuthenticationException;
- import org.springframework.security.core.Authentication;
- import org.springframework.security.core.GrantedAuthority;
- /**
- * 决策管理器,用于判断用户需要访问的资源与用户所拥有的角色是否匹配
- * @author Keven
- *
- */
- public class SecurityAccessDecisionManager implements AccessDecisionManager {
- @Override
- public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
- if (configAttributes == null )
- return ;
- //获取资源与角色对应关系列表
- Iterator<ConfigAttribute> iter = configAttributes.iterator();
- while (iter.hasNext()) {
- ConfigAttribute configAttribute = iter.next();
- //获取访问该资源需要的角色
- String needRole = ((SecurityConfig)configAttribute).getAttribute();
- //从上下文环境获取用户所具有的角色
- for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
- //判断用户拥有的角色是否与访问该资源所需要的角色匹配
- if (needRole.equals(grantedAuthority.getAuthority()))
- return ;
- }
- }
- throw new AccessDeniedException( "权限不足!" );
- }
- @Override
- public boolean supports(ConfigAttribute arg0) {
- return true ;
- }
- @Override
- public boolean supports(Class<?> arg0) {
- return true ;
- }
-
}
相关推荐
早一段时间学习了springsecurity3.0 框架,在开始阶段不知道导入那些必需jar包,经过摸索,总结出来最精简的jar包
spring security3.0权限控制方面的文档
SpringSecurity3.0实现
SpringSecurity3.0相对比较稳定。本实例包含SpringSecurity3.0的基本配置,包含所需的Jar包和mysql数据库文件,直接导入myeclipes中并导入数据库即可运行,配置文件简单易懂,适合SpringSecurity初学者配置入门。...
SpringSecurity3.0 教程 价值不错哦!
教你使用 SpringSecurity 3.0 一步一步教你使用SpringSecurity,从保护web应用到保护业务方法调用
spring-security-web-3.0 spring-security-taglibs-3.0 spring-security-openid-3.0 spring-security-core-3.0 spring-security-config-3.0 spring-security-aspects-3.0 spring-security-acl-3.0
超级详细的spring security3.0教程,包含spring security安全框架的历史和来源,一步一步的教你如何实现项目的安全实现
Spring Security 3.0 权限管理精通,该系统是spring提供的企业级权限系统解决方案,因其优越的特性被广泛应用
英文版本,主要对spring security 3.0.x 进行了介绍, 以及如何使用spring 的 安全架构来进行 web 开发.
SpringSecurity3.0.x官方参考文档(英文+中文双解版)
Spring Security 的前身是 Acegi Security ,是 Spring 项目组中用来提供安全认证服务的框架。
Spring security认证授权例子,自动创建数据库,在SysUser类增加字段,即可动态增加数据库对应表sys_user字段(前提是要删除原表,启动应用时才会重建表)
SpringSecurity 全套开发,设计源码解读,整个拦截器链分析,QQ登录,微信登录,短信验证,短信登录,在security基础上学习写一个自定义验证授权设计模式,整套视频讲解的分享细致认真,非常值得学习。不管小白还是...
spring security3.0所有最新开发包及源码及文档 欢迎大家下载,祝大家学习愉快!。
Spring-Security3.0自定义表结构
springboot+ spring security实现登录认证
要在Spring Boot中实现用户认证和授权管理,你可以使用Spring Security框架。Spring Security提供了一套强大的功能来处理用户身份验证和授权,以下是一些常见的步骤: 1.添加Spring Security依赖: 在项目的 pom.xml...
简单springsecurity3.0的例子 做了详细注释,另外集成了tiles 和conversion插件,希望对你有帮助,里面有不对的地方请给我留言,我加你QQ一起讨论..注:我是通过maven管理的,如果你不是的话可能无法运行起来,只能看代码
Spring Security 3.0 安全权限管理手册(最新),可以作为公司权限管理资料用,权限管理将是系统中的非常重要的一个模块,权限的设计也是参考相关资料进行整理和补充。系统将通过数据库进行管理用户权限