Spring Security 3.x Complete Beginner's Tutorial

Spring Security 3.x has been out for a while now. It is quite different from Acegi, and there are some small differences from the 2.x releases as well. There is some documentation online, and people have translated the Spring Security 3.x guide, but reading the guide alone does not get you to a complete working example quickly. I spent some time putting together a complete beginner's tutorial based on my earlier hands-on experience, for anyone who needs it.

1. Create a web project and import all the libraries it needs. I will not go into this step.

2. Configure web.xml so that Spring loads the application context and installs the security filter chain:

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>classpath:applicationContext*.xml</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<welcome-file-list>
    <welcome-file>login.jsp</welcome-file>
</welcome-file-list>

I am sure everyone is familiar with the contents of this file, so no more on it.

3. Now look at applicationContext-security.xml; all of the Spring Security configuration goes in this file. Only one comment from it survives in this extract:

<!-- If user passwords are stored encrypted, a little "salt" can be added -->

4. The custom filter implementation:

package com.robin.erp.fwk.security;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {

    private FilterInvocationSecurityMetadataSource securityMetadataSource;

    /**
     * Method that is actually called by the filter chain. Simply delegates to
     * the {@link #invoke(FilterInvocation)} method.
     *
     * @param request  the servlet request
     * @param response the servlet response
     * @param chain    the filter chain
     * @throws IOException      if the filter chain fails
     * @throws ServletException if the filter chain fails
     */
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        FilterInvocation fi = new FilterInvocation(request, response, chain);
        invoke(fi);
    }

    public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
        return this.securityMetadataSource;
    }

    public Class<?> getSecureObjectClass() {
        return FilterInvocation.class;
    }

    public void invoke(FilterInvocation fi) throws IOException, ServletException {
        // Authorisation check: throws AccessDeniedException (or an AuthenticationException)
        // before the rest of the chain runs.
        InterceptorStatusToken token = super.beforeInvocation(fi);
        try {
            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
        } finally {
            super.afterInvocation(token, null);
        }
    }

    public SecurityMetadataSource obtainSecurityMetadataSource() {
        return this.securityMetadataSource;
    }

    public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource newSource) {
        this.securityMetadataSource = newSource;
    }

    @Override
    public void destroy() {
    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {
    }
}

The core of this class is one line in invoke(): InterceptorStatusToken token = super.beforeInvocation(fi); The permission check runs there, before doFilter() is called further down the chain, and the check itself is delegated to the accessDecisionManager, described below.

5. The UserDetailsService behind the authentication-provider:

package com.robin.erp.fwk.security;

import java.util.ArrayList;
import java.util.Collection;

import org.springframework.dao.DataAccessException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class MyUserDetailService implements UserDetailsService {

    @Override
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        // Every user gets ROLE_ADMIN, except "robin1", who only gets ROLE_ROBIN.
        Collection<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();
        GrantedAuthorityImpl auth2 = new GrantedAuthorityImpl("ROLE_ADMIN");
        auths.add(auth2);
        if (username.equals("robin1")) {
            auths = new ArrayList<GrantedAuthority>();
            GrantedAuthorityImpl auth1 = new GrantedAuthorityImpl("ROLE_ROBIN");
            auths.add(auth1);
        }
        // User(String username, String password, boolean enabled, boolean accountNonExpired,
        //      boolean credentialsNonExpired, boolean accountNonLocked,
        //      Collection<GrantedAuthority> authorities)
        User user = new User(username, "robin", true, true, true, true, auths);
        return user;
    }
}

In this class you can load the user's password, roles, locked flag, account-expiry flag and so on from the database. The code is simple enough that I will not explain it further. (As written, every user gets the password "robin" and ROLE_ADMIN, except robin1, who gets ROLE_ROBIN; that is a placeholder for the database lookup.)

6. Access permissions on resources are defined by implementing the FilterInvocationSecurityMetadataSource interface, which initialises the data:

package com.robin.erp.fwk.security;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.AntUrlPathMatcher;
import org.springframework.security.web.util.UrlMatcher;

/**
 * At initialisation this class should load every resource and the roles that map to it.
 *
 * @author Robin
 */
public class MyInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

    private UrlMatcher urlMatcher = new AntUrlPathMatcher();
    private static Map<String, Collection<ConfigAttribute>> resourceMap = null;

    public MyInvocationSecurityMetadataSource() {
        loadResourceDefine();
    }

    private void loadResourceDefine() {
        resourceMap = new HashMap<String, Collection<ConfigAttribute>>();
        Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>();
        ConfigAttribute ca = new SecurityConfig("ROLE_ADMIN");
        atts.add(ca);
        resourceMap.put("/index.jsp", atts);
        resourceMap.put("/i.jsp", atts);
    }

    // Given a URL, find the permission configuration for that URL.
    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        // The secure object is a FilterInvocation; we only look at its URL.
        String url = ((FilterInvocation) object).getRequestUrl();
        Iterator<String> ite = resourceMap.keySet().iterator();
        while (ite.hasNext()) {
            String resURL = ite.next();
            if (urlMatcher.pathMatchesUrl(resURL, url)) {
                return resourceMap.get(resURL);
            }
        }
        return null;
    }

    public boolean supports(Class<?> clazz) {
        return true;
    }

    public Collection<ConfigAttribute> getAllConfigAttributes() {
        return null;
    }
}

Look at loadResourceDefine(): here I assume that the two resources index.jsp and i.jsp require a user with the ROLE_ADMIN role. The other core part of this class is supplying the permission definition for a given resource, i.e. the result returned by getAttributes(). Note that my example uses the AntUrlPathMatcher path matcher to check whether a URL matches a resource definition; you can also match with regular expressions, or implement your own matcher.

Two things to check before copying this class. First, getAttributes() returns null for any URL that is not in resourceMap, and AbstractSecurityInterceptor treats a null attribute collection as a public resource unless its rejectPublicInvocations property is set to true, so every URL you forget to map is open to everyone. Second, FilterInvocation.getRequestUrl() includes the query string, so a request for /index.jsp?x=1 does not match the /index.jsp pattern and is passed through unchecked; Spring's own DefaultFilterInvocationSecurityMetadataSource strips the query string before matching.

7. What remains is the final decision; making the decision is actually easy too.

package com.robin.erp.fwk.security;

import java.util.Collection;
import java.util.Iterator;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

public class MyAccessDecisionManager implements AccessDecisionManager {

    // In this method we need to compare the authentication with the configAttributes.
    // 1. The object is a URL; the filter looked up the permission configuration for this URL
    //    and passed it in here.
    // 2. Check whether the authentication holds one of the attributes in the permission
    //    configuration (configAttributes).
    // 3. If nothing matches the authentication, throw an AccessDeniedException.
    public void decide(Authentication authentication, Object object,
            Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {
        // The page is cut off in the middle of this signature; the body below implements the
        // three steps described in the comment above.
        if (configAttributes == null) {
            return;
        }
        Iterator<ConfigAttribute> ite = configAttributes.iterator();
        while (ite.hasNext()) {
            ConfigAttribute ca = ite.next();
            String needRole = ca.getAttribute();
            for (GrantedAuthority ga : authentication.getAuthorities()) {
                if (needRole.equals(ga.getAuthority())) {
                    return;
                }
            }
        }
        throw new AccessDeniedException("no right");
    }

    public boolean supports(ConfigAttribute attribute) {
        return true;
    }

    public boolean supports(Class<?> clazz) {
        return true;
    }
}
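A practitioner's check on MyInvocationSecurityMetadataSource and MyAccessDecisionManager as they appear above, written as an added example that is not part of the original tutorial. It builds FilterInvocations the way the container would and shows that the tutorial's metadata source returns null (which AbstractSecurityInterceptor treats as "public") both for /index.jsp?id=1, because getRequestUrl() carries the query string, and for any URL that was never mapped; beside it is a fail-closed variant that strips the query string and hands back an attribute nobody holds for unmapped URLs, so MyAccessDecisionManager throws AccessDeniedException. It assumes Spring Security 3.0.x (spring-security-core and spring-security-web) plus spring-test for the mock servlet classes used in main(); the class name FailClosedMetadataSource, the attribute name DENY_UNMAPPED and the probe URLs are this example's own choices.

```java
package com.robin.erp.fwk.security;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.AntUrlPathMatcher;
import org.springframework.security.web.util.UrlMatcher;

/**
 * Added example, not part of the original tutorial. Same resource map as
 * MyInvocationSecurityMetadataSource, but (1) the query string is removed before matching
 * and (2) URLs with no mapping get a "deny" attribute instead of null.
 */
public class FailClosedMetadataSource implements FilterInvocationSecurityMetadataSource {

    /** Attribute for unmapped URLs; no user is ever granted it. The name is this example's choice. */
    public static final String DENY_UNMAPPED = "ROLE_NOBODY_UNMAPPED_URL";

    private final UrlMatcher urlMatcher = new AntUrlPathMatcher();
    private final Map<String, Collection<ConfigAttribute>> resourceMap =
            new LinkedHashMap<String, Collection<ConfigAttribute>>();
    private final Collection<ConfigAttribute> denyAll =
            Collections.<ConfigAttribute>singletonList(new SecurityConfig(DENY_UNMAPPED));

    public FailClosedMetadataSource() {
        // Same two resources as the tutorial's loadResourceDefine().
        Collection<ConfigAttribute> admin = new ArrayList<ConfigAttribute>();
        admin.add(new SecurityConfig("ROLE_ADMIN"));
        resourceMap.put("/index.jsp", admin);
        resourceMap.put("/i.jsp", admin);
    }

    public Collection<ConfigAttribute> getAttributes(Object object) {
        String url = ((FilterInvocation) object).getRequestUrl();
        // getRequestUrl() is servletPath + pathInfo + "?" + queryString; strip the query before
        // matching, as Spring's DefaultFilterInvocationSecurityMetadataSource does.
        int q = url.indexOf('?');
        if (q != -1) {
            url = url.substring(0, q);
        }
        if (urlMatcher.requiresLowerCaseUrl()) {
            url = url.toLowerCase();
        }
        for (Map.Entry<String, Collection<ConfigAttribute>> e : resourceMap.entrySet()) {
            if (urlMatcher.pathMatchesUrl(e.getKey(), url)) {
                return e.getValue();
            }
        }
        // Unmapped URL: return an attribute nobody holds so the decision manager denies it,
        // instead of null, which AbstractSecurityInterceptor treats as a public resource.
        return denyAll;
    }

    public Collection<ConfigAttribute> getAllConfigAttributes() {
        Collection<ConfigAttribute> all = new ArrayList<ConfigAttribute>(denyAll);
        for (Collection<ConfigAttribute> c : resourceMap.values()) {
            all.addAll(c);
        }
        return all;
    }

    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }

    /** Builds the FilterInvocation a container would create for "GET servletPath?query". */
    static FilterInvocation invocation(String servletPath, String query) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", servletPath);
        request.setServletPath(servletPath);
        request.setQueryString(query);
        return new FilterInvocation(request, new MockHttpServletResponse(), new MockFilterChain());
    }

    public static void main(String[] args) {
        FilterInvocationSecurityMetadataSource tutorial = new MyInvocationSecurityMetadataSource();
        FilterInvocationSecurityMetadataSource hardened = new FailClosedMetadataSource();
        // Constructed probes: a mapped URL, the same URL with a query string, and an unmapped URL.
        String[][] probes = { { "/index.jsp", null }, { "/index.jsp", "id=1" }, { "/admin/users.jsp", null } };
        for (String[] p : probes) {
            FilterInvocation fi = invocation(p[0], p[1]);
            System.out.println(fi.getRequestUrl() + "  tutorial=" + tutorial.getAttributes(fi)
                    + "  hardened=" + hardened.getAttributes(fi));
        }
    }
}
```

Running main() shows the tutorial class returning the ROLE_ADMIN attribute only for the bare /index.jsp and null for the other two probes, while the hardened class returns ROLE_ADMIN for both /index.jsp forms and the deny attribute for the unmapped path. If you prefer to keep the tutorial's class unchanged, the other option for the unmapped case is to set rejectPublicInvocations to true on the MyFilterSecurityInterceptor bean, which makes AbstractSecurityInterceptor throw on a null attribute collection instead of letting the request through; that does not fix the query-string case.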
