原创不易,转载请注明出处:Spring Security 3.x完整入门配置教程及其代码下载
代码下载地址:http://www.zuidaima.com/share/1751865719933952.htm
Spring Security 3.x 出来一段时间了,跟Acegi是大不同了,与2.x的版本也有一些小小的区别,网上有一些文档,也有人翻译Spring Security 3.x的guide,但通过阅读guide,无法马上就能很容易的实现一个完整的实例。
我花了点儿时间,根据以前的实战经验,整理了一份完整的入门教程,供需要的朋友们参考。
1,建一个web project,并导入所有需要的lib,这步就不多讲了。
2,配置web.xml,使用Spring的机制装载:
<?xml version="1.0"encoding="UTF-8"?> <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"> <context-param> <param-name> contextConfigLocation </param-name> <param-value> classpath:applicationContext*.xml </param-value> </context-param> <listener> <listener-class> org.springframework.web.context.ContextLoaderListener </listener-class> </listener> <filter> <filter-name> springSecurityFilterChain </filter-name> <filter-class> org.springframework.web.filter.DelegatingFilterProxy </filter-class> </filter> <filter-mapping> <filter-name> springSecurityFilterChain </filter-name> <url-pattern> /* </url-pattern> </filter-mapping> <welcome-file-list> <welcome-file> login.jsp </welcome-file> </welcome-file-list> </web-app>
这个文件中的内容我相信大家都很熟悉了,不再多说了。
2,来看看applicationContext-security.xml这个配置文件,关于Spring Security的配置均在其中:
<?xml version="1.0"encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> <http access-denied-page="/403.jsp"><!-- 当访问被拒绝时,会转到403.jsp --> <intercept-url pattern="/login.jsp" filters="none" /> <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=true" default-target-url="/index.jsp" /> <logout logout-success-url="/login.jsp" /> <http-basic /> <!-- 增加一个filter,这点与Acegi是不一样的,不能修改默认的filter了,这个filter位于FILTER_SECURITY_INTERCEPTOR之前 --> <custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="myFilter" /> </http> <!-- 一个自定义的filter,必须包含authenticationManager,accessDecisionManager,securityMetadataSource三个属性, 我们的所有控制将在这三个类中实现,解释详见具体配置 --> <beans:bean id="myFilter" class="com.robin.erp.fwk.security.MyFilterSecurityInterceptor"> <beans:property name="authenticationManager" ref="authenticationManager" /> <beans:property name="accessDecisionManager" ref="myAccessDecisionManagerBean" /> <beans:property name="securityMetadataSource" ref="securityMetadataSource" /> </beans:bean> <!-- 认证管理器,实现用户认证的入口,主要实现UserDetailsService接口即可 --> <authentication-manager alias="authenticationManager"> <authentication-provider user-service-ref="myUserDetailService"> <!-- 如果用户的密码采用加密的话,可以加点“盐” <password-encoder hash="md5"/> --> </authentication-provider> </authentication-manager> <beans:bean id="myUserDetailService" class="com.robin.erp.fwk.security.MyUserDetailService" /> <!-- 访问决策器,决定某个用户具有的角色,是否有足够的权限去访问某个资源 --> <beans:bean id="myAccessDecisionManagerBean" class="com.robin.erp.fwk.security.MyAccessDecisionManager"> </beans:bean> <!-- 资源源数据定义,即定义某一资源可以被哪些角色访问 --> <beans:bean id="securityMetadataSource" class="com.robin.erp.fwk.security.MyInvocationSecurityMetadataSource" /> </beans:beans>
3,来看看自定义filter的实现:
package com.robin.erp.fwk.security;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor
implements Filter {
private FilterInvocationSecurityMetadataSource securityMetadataSource;
// ~ Methods
//========================================================================================================
/** *//**
* Method that is actually called by the filter chain. Simply delegates to
* the { @link #invoke(FilterInvocation)} method.
*
* @param request
* the servlet request
* @param response
* the servlet response
* @param chain
* the filter chain
*
* @throws IOException
* if the filter chain fails
* @throws ServletException
* if the filter chain fails
*/
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
FilterInvocation fi= new FilterInvocation(request, response, chain);
invoke(fi);
}
public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
return this .securityMetadataSource;
}
public Class <? extends Object> getSecureObjectClass() {
return FilterInvocation. class ;
}
public void invoke(FilterInvocation fi) throws IOException,
ServletException {
InterceptorStatusToken token= super .beforeInvocation(fi);
try {
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
} finally {
super .afterInvocation(token, null );
}
}
public SecurityMetadataSource obtainSecurityMetadataSource() {
return this .securityMetadataSource;
}
public void setSecurityMetadataSource(
FilterInvocationSecurityMetadataSource newSource) {
this .securityMetadataSource= newSource;
}
@Override
public void destroy() {
}
@Override
public void init(FilterConfig arg0) throws ServletException {
}
}
最核心的代码就是invoke方法中的InterceptorStatusToken token = super.beforeInvocation(fi);这一句,即在执行doFilter之前,进行权限的检查,而具体的实现已经交给accessDecisionManager了,下文中会讲述。
4,来看看authentication-provider的实现:
package com.robin.erp.fwk.security;
import java.util.ArrayList;
import java.util.Collection;
import org.springframework.dao.DataAccessException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
public class MyUserDetailService implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException, DataAccessException {
Collection<GrantedAuthority> auths=newArrayList<GrantedAuthority>();
GrantedAuthorityImpl auth2=newGrantedAuthorityImpl("ROLE_ADMIN");
auths.add(auth2);
if(username.equals("robin1")){
auths=newArrayList<GrantedAuthority>();
GrantedAuthorityImpl auth1=newGrantedAuthorityImpl("ROLE_ROBIN");
auths.add(auth1);
}
// User(String username, String password, boolean enabled, boolean accountNonExpired,
// boolean credentialsNonExpired, boolean accountNonLocked, Collection<GrantedAuthority> authorities) {
User user=new User(username,
"robin", true, true, true, true, auths);
return user;
}
}
在这个类中,你就可以从数据库中读入用户的密码,角色信息,是否锁定,账号是否过期等,我想这么简单的代码就不再多解释了。
5,对于资源的访问权限的定义,我们通过实现FilterInvocationSecurityMetadataSource这个接口来初始化数据。
package com.robin.erp.fwk.security;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.AntUrlPathMatcher;
import org.springframework.security.web.util.UrlMatcher;
/** *//**
*
* 此类在初始化时,应该取到所有资源及其对应角色的定义
*
* @author Robin
*
*/
public class MyInvocationSecurityMetadataSource
implements FilterInvocationSecurityMetadataSource {
private UrlMatcher urlMatcher= new AntUrlPathMatcher();;
private static Map <String, Collection <ConfigAttribute>> resourceMap= null ;
public MyInvocationSecurityMetadataSource() {
loadResourceDefine();
}
private void loadResourceDefine() {
resourceMap= new HashMap <String, Collection <ConfigAttribute>> ();
Collection <ConfigAttribute> atts= new ArrayList <ConfigAttribute> ();
ConfigAttribute ca= new SecurityConfig( " ROLE_ADMIN " );
atts.add(ca);
resourceMap.put( " /index.jsp " , atts);
resourceMap.put( " /i.jap " , atts);
}
// According to a URL, Find out permission configuration of this URL.
public Collection <ConfigAttribute> getAttributes(Object object)
throws IllegalArgumentException {
// guess object is a URL.
String url= ((FilterInvocation)object).getRequestUrl();
Iterator <String> ite= resourceMap.keySet().iterator();
while (ite.hasNext()) {
String resURL= ite.next();
if (urlMatcher.pathMatchesUrl(url, resURL)) {
return resourceMap.get(resURL);
}
}
return null ;
}
public boolean supports(Class <?> clazz) {
return true ;
}
public Collection <ConfigAttribute> getAllConfigAttributes() {
return null ;
}
}
看看loadResourceDefine方法,我在这里,假定index.jsp和i.jsp这两个资源,需要ROLE_ADMIN角色的用户才能访问。
这个类中,还有一个最核心的地方,就是提供某个资源对应的权限定义,即getAttributes方法返回的结果。注意,我例子中使用的是AntUrlPathMatcher这个path matcher来检查URL是否与资源定义匹配,事实上你还要用正则的方式来匹配,或者自己实现一个matcher。
6,剩下的就是最终的决策了,make a decision,其实也很容易,呵呵。
package com.robin.erp.fwk.security;
import java.util.Collection;
import java.util.Iterator;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
public class MyAccessDecisionManager implements AccessDecisionManager {
//In this method, need to compare authentication with configAttributes.
// 1, A object is a URL, a filter was find permission configuration by this URL, and pass to here.
// 2, Check authentication has attribute in permission configuration (configAttributes)
// 3, If not match corresponding authentication, throw a AccessDeniedException.
public void decide(Authentication authentication, Object object,
Collection<ConfigAttribute> configAttributes)
throws AccessDeniedException, InsufficientAuthenticationException {
if(configAttributes==null){
return ;
}
System.out.println(object.toString()); //object is a URL.
Iterator<ConfigAttribute> ite=configAttributes.iterator();
while(ite.hasNext()){
ConfigAttribute ca=ite.next();
String needRole=((SecurityConfig)ca).getAttribute();
for(GrantedAuthority ga:authentication.getAuthorities()){
if(needRole.equals(ga.getAuthority())){ //ga is user's role.
return;
}
}
}
throw new AccessDeniedException("no right");
}
@Override
public boolean supports(ConfigAttribute attribute) {
// TODO Auto-generated method stub
return true;
}
@Override
public boolean supports(Class<?> clazz) {
return true;
}
}
在这个类中,最重要的是decide方法,如果不存在对该资源的定义,直接放行;否则,如果找到正确的角色,即认为拥有权限,并放行,否则throw new AccessDeniedException("no right");这样,就会进入上面提到的403.jsp页面。
相关推荐
19.3.3. 读取授权 19.4. 实现类 19.4.1. LdapAuthenticator实现 19.4.1.1. 常用功能 19.4.1.2. BindAuthenticator 19.4.1.3. PasswordComparisonAuthenticator 19.4.1.4. 活动目录认证 19.4.2. 链接到...
Spring Security 参考 1 第一部分前言 15 1.入门 16 2.介绍 17 2.1什么是Spring Security? 17 2.2历史 19 2.3版本编号 20 2.4获得Spring安全 21 2.4.1使用Maven 21 Maven仓库 21 Spring框架 22 2.4.2 Gradle 23 ...
Spring Security入门系列教程: 项目部署 开发环境: JDK 1.8 IDEA 2019.2 MySQL 5.7 Node.js 10.15.3 项目使用技术栈: 前端:Vue + Axios 后端:Spring Boot 、 MyBatis-Plus 权限:Spring Security ....... 二、...
循序渐进,学习Spring Boot、Spring Boot & Shiro、Spring Cloud、Spring Security & Spring Security OAuth2,博客Spring系列源码 一、Spring Boot教程 开启Spring Boot Spring Boot基础配置 Spring Boot中使用...
Spring Web Flow 2.0 入门 本教程分析了 Spring Web Flow 2.0 的技术要点,并且通过创建一个示例应用程序,展示了 Spring Web Flow 2.0 的基本知识。 开始之前 关于本教程 本教程通过一个简化的购物车应用,介绍了...
Spring Boot 基础教程(基于1.3.x-1.5.x) 快速入门 chapter1:基本项目构建(可作为工程脚手架),引入web模块,完成一个简单的RESTful API 使用Intellij中的Spring Initializr来快速构建Spring Boot/Cloud工程 ...
Spring Boot 配置文件详解 Spring Boot RESTful API 架构 Spring Boot 过滤器和拦截器 Spring Boot 全局异常处理 Spring Boot 参数校验 Spring Boot OpenAPI 文档集成 Spring Boot 集成 Mybatis Spring Boot 集成 ...
SpringBootForBeginners Spring Boot初学者教程安装工具PDF: : 视频: : GIT存储库: : 课程大纲介绍Spring Boot拥有很多魔力。 用它开发服务既酷又有趣。 Spring Boot使创建“ Spring”的独立,生产级基于Spring的...
基于Terracota的Session集群配置教程 Web Frameworks DWR MyFaces JSF Reference Implementation Jakarta Slide GWT Jetspeed2 ICEfaces 其他 Atomikos Transaction Manager Java Open Transaction Manager (JOTM) ...
│ 164个完整Java代码.zip │ J2EE综合--Struts常见错误的全面汇总.txt │ java程序员面试资料.zip │ JAVA笔试题(上海释锐).pdf │ MIME简介.txt │ SCJP试题详解.pdf │ SQL面试题_心灵深处.htm │ Struts+...
│ 164个完整Java代码.zip │ J2EE综合--Struts常见错误的全面汇总.txt │ java程序员面试资料.zip │ JAVA笔试题(上海释锐).pdf │ MIME简介.txt │ SCJP试题详解.pdf │ SQL面试题_心灵深处.htm │ Struts+...
│ 164个完整Java代码.zip │ J2EE综合--Struts常见错误的全面汇总.txt │ java程序员面试资料.zip │ JAVA笔试题(上海释锐).pdf │ MIME简介.txt │ SCJP试题详解.pdf │ SQL面试题_心灵深处.htm │ Struts+...
│ 164个完整Java代码.zip │ J2EE综合--Struts常见错误的全面汇总.txt │ java程序员面试资料.zip │ JAVA笔试题(上海释锐).pdf │ MIME简介.txt │ SCJP试题详解.pdf │ SQL面试题_心灵深处.htm │ Struts+...
│ 164个完整Java代码.zip │ J2EE综合--Struts常见错误的全面汇总.txt │ java程序员面试资料.zip │ JAVA笔试题(上海释锐).pdf │ MIME简介.txt │ SCJP试题详解.pdf │ SQL面试题_心灵深处.htm │ Struts+...
用户手册或教程:如果这个项目是供他人学习和使用的,它可能会包含一个用户手册或者快速入门教程,帮助用户理解如何使用网站。许可证信息:通常会包含一个声明项目开源许可的文件,比如Apache License、MIT License...
ASP.NET 2.0 Security FAQs Asp.net 2.0功能体验,细节之Web控件(一) 隐藏控件 Asp.net 2.0功能体验,总体设计思想 Asp.net 2.0 WebPart使用经验点滴 革新:.NET 2.0的自定义配置文件体系初探 关于如何在ASP.NET ...