学步园

参考文档： http://wenku.baidu.com/view/4ec7e324ccbff121dd368364.html

在spring security3中使用自己定义的数据结构来实现权限设置。

1. 数据库
   • 用户表
   • 角色表
   • action表，即资源表
   • 角色-用户关联表
   • actiion-角色关联表
2. 配置过程
   • web.xml中加入过滤器
     <!-- 配置spiring security --><br /> <filter><br /> <filter-name>springSecurityFilterChain</filter-name><br /> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class><br /> </filter><br /> <filter-mapping><br /> <filter-name>springSecurityFilterChain</filter-name><br /> <url-pattern>/*</url-pattern><br /> </filter-mapping><br /> <!-- 配置spiring security结束 -->
      
   • 在applicationContext.xml中import spring security部分的配置
     <import resource="security3.0_JPA.xml"/> 
   • 配置import resource="security3.0_JPA.xml
     <?xml version="1.0" encoding="UTF-8"?><br /> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans</p> <p>http://www.springframework.org/schema/beans/spring-beans-3.0.xsd</p> <p>http://www.springframework.org/schema/security</p> <p> http://www.springframework.org/schema/security/spring-security-3.0.xsd"><br /> <http auto-config="true" access-denied-page="/jsp/accessDenied.jsp"><br /> <intercept-url pattern="/css/**" filters="none" /><br /> <intercept-url pattern="/images/**" filters="none" /><br /> <intercept-url pattern="/js/**" filters="none" /><br /> <!-- 增加一个filter，这点与Acegi是不一样的，不能修改默认的filter了，<br /> 这个filter位于FILTER_SECURITY_INTERCEPTOR之前 --><br /> <custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR" /><br /> </http><br /> <!-- 一个自定义的filter，必须包含authenticationManager,accessDecisionManager,securityMetadataSource三个属性，<br /> 我们的所有控制将在这三个类中实现，解释详见具体配置 --><br /> <beans:bean id="myFilter" class="com.softvan.spring.security.FilterSecurityInterceptor"><br /> <beans:property name="authenticationManager" ref="MyAuthenticationManager" /><br /> <!-- 访问决策器，决定某个用户具有的角色，是否有足够的权限去访问某个资源 --><br /> <beans:property name="accessDecisionManager" ref="AccessDecisionManager" /><br /> <beans:property name="securityMetadataSource" ref="MySecurityMetadataSource" /><br /> </beans:bean><br /> <!-- 资源源数据定义，将所有的资源和权限对应关系建立起来，即定义某一资源可以被哪些角色访问 --><br /> <beans:bean id="MySecurityMetadataSource" init-method="loadResourceDefine" class="com.softvan.spring.security.InvocationSecurityMetadataSourceService"><br /> <beans:property name="roleService" ref="RoleService" /><br /> <beans:property name="actionService" ref="ActionService" /><br /> </beans:bean></p> <p> <!-- 验证配置 ， 认证管理器，实现用户认证的入口，主要实现UserDetailsService接口即可 --><br /> <authentication-manager alias="MyAuthenticationManager"><br /> <authentication-provider user-service-ref="UserDetailService"><br /> <!--<br /> <s:password-encoder hash="sha" /><br /> --><br /> </authentication-provider><br /> </authentication-manager><br /> </beans:beans> 
3. 相关java代码
   • AccessDecisionManager.java
     /**<br /> *<br /> */<br /> package com.softvan.spring.security;<br /> import org.apache.log4j.Logger;<br /> /**<br /> * @author 徐泽宇(roamer)<br /> *<br /> * 2010-7-4<br /> */<br /> import java.util.Collection;<br /> import java.util.Iterator;<br /> import org.springframework.security.access.AccessDeniedException;<br /> import org.springframework.security.access.ConfigAttribute;<br /> import org.springframework.security.access.SecurityConfig;<br /> import org.springframework.security.authentication.InsufficientAuthenticationException;<br /> import org.springframework.security.core.Authentication;<br /> import org.springframework.security.core.GrantedAuthority;<br /> import org.springframework.stereotype.Service;<br /> @Service("AccessDecisionManager")<br /> public class AccessDecisionManager implements org.springframework.security.access.AccessDecisionManager {<br /> /**<br /> * Logger for this class<br /> */<br /> private static final Logger logger = Logger.getLogger(AccessDecisionManager.class);<br /> // In this method, need to compare authentication with configAttributes.<br /> // 1, A object is a URL, a filter was find permission configuration by this<br /> // URL, and pass to here.<br /> // 2, Check authentication has attribute in permission configuration<br /> // (configAttributes)<br /> // 3, If not match corresponding authentication, throw a<br /> // AccessDeniedException.<br /> public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {<br /> if (logger.isDebugEnabled()) {<br /> logger.debug("decide(Authentication, Object, Collection<ConfigAttribute>) - start"); //$NON-NLS-1$<br /> }<br /> if (configAttributes == null) {<br /> if (logger.isDebugEnabled()) {<br /> logger.debug("decide(Authentication, Object, Collection<ConfigAttribute>) - end"); //$NON-NLS-1$<br /> }<br /> return;<br /> }<br /> if (logger.isDebugEnabled()){<br /> logger.debug("正在访问的url是："+object.toString());<br /> }<br /> Iterator<ConfigAttribute> ite = configAttributes.iterator();<br /> while (ite.hasNext()) {<br /> ConfigAttribute ca = ite.next();<br /> logger.debug("needRole is："+ca.getAttribute());<br /> String needRole = ((SecurityConfig) ca).getAttribute();<br /> for (GrantedAuthority ga : authentication.getAuthorities()) {<br /> logger.debug("/t授权信息是："+ga.getAuthority());<br /> if (needRole.equals(ga.getAuthority())) { // ga is user's role.<br /> if (logger.isDebugEnabled()) {<br /> logger.debug("判断到，needRole 是"+needRole+",用户的角色是:"+ga.getAuthority()+"，授权数据相匹配");<br /> logger.debug("decide(Authentication, Object, Collection<ConfigAttribute>) - end"); //$NON-NLS-1$<br /> }<br /> return;<br /> }<br /> }<br /> }<br /> throw new AccessDeniedException("没有权限");<br /> }<br /> public boolean supports(ConfigAttribute attribute) {<br /> // TODO Auto-generated method stub<br /> return true;<br /> }<br /> public boolean supports(Class<?> clazz) {<br /> return true;<br /> }<br /> } 
   • FilterSecurityInterceptor.java
     /**<br /> *<br /> */<br /> package com.softvan.spring.security;<br /> import org.apache.log4j.Logger;<br /> /**<br /> * @author 徐泽宇(roamer)<br /> *<br /> * 2010-7-4<br /> */<br /> import java.io.IOException;<br /> import javax.servlet.Filter;<br /> import javax.servlet.FilterChain;<br /> import javax.servlet.FilterConfig;<br /> import javax.servlet.ServletException;<br /> import javax.servlet.ServletRequest;<br /> import javax.servlet.ServletResponse;<br /> import org.springframework.security.access.SecurityMetadataSource;<br /> import org.springframework.security.access.intercept.AbstractSecurityInterceptor;<br /> import org.springframework.security.access.intercept.InterceptorStatusToken;<br /> import org.springframework.security.web.FilterInvocation;<br /> import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;<br /> public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {<br /> /**<br /> * Logger for this class<br /> */<br /> private static final Logger logger = Logger.getLogger(FilterSecurityInterceptor.class);<br /> private FilterInvocationSecurityMetadataSource securityMetadataSource;<br /> public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {<br /> if (logger.isDebugEnabled()) {<br /> logger.debug("doFilter(ServletRequest, ServletResponse, FilterChain) - start"); //$NON-NLS-1$<br /> }<br /> FilterInvocation fi = new FilterInvocation(request, response, chain);<br /> invoke(fi);<br /> if (logger.isDebugEnabled()) {<br /> logger.debug("doFilter(ServletRequest, ServletResponse, FilterChain) - end"); //$NON-NLS-1$<br /> }<br /> }<br /> public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {<br /> return this.securityMetadataSource;<br /> }<br /> public Class<? extends Object> getSecureObjectClass() {<br /> return FilterInvocation.class;<br /> }<br /> public void invoke(FilterInvocation fi) throws IOException, ServletException {<br /> InterceptorStatusToken token = super.beforeInvocation(fi);<br /> try {<br /> fi.getChain().doFilter(fi.getRequest(), fi.getResponse());<br /> } finally {<br /> super.afterInvocation(token, null);<br /> }<br /> }<br /> @Override<br /> public SecurityMetadataSource obtainSecurityMetadataSource() {<br /> return this.securityMetadataSource;<br /> }<br /> public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) {<br /> this.securityMetadataSource = securityMetadataSource;<br /> }<br /> public void destroy() {<br /> // TODO Auto-generated method stub<br /> }<br /> public void init(FilterConfig filterconfig) throws ServletException {<br /> // TODO Auto-generated method stub<br /> }<br /> } 
   • InvocationSecurityMetadataSourceService.java
     /**<br /> *<br /> */<br /> package com.softvan.spring.security;<br /> import java.util.ArrayList;<br /> import java.util.Collection;<br /> import java.util.HashMap;<br /> import java.util.Iterator;<br /> import java.util.List;<br /> import java.util.Map;<br /> import org.apache.log4j.Logger;<br /> import org.springframework.security.access.ConfigAttribute;<br /> import org.springframework.security.access.SecurityConfig;<br /> import org.springframework.security.web.FilterInvocation;<br /> import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;<br /> import org.springframework.security.web.util.AntUrlPathMatcher;<br /> import org.springframework.security.web.util.UrlMatcher;<br /> import org.springframework.stereotype.Service;<br /> import com.alcor.acl.domain.TAction;<br /> import com.alcor.acl.domain.TRole;<br /> import com.alcor.acl.service.ActionService;<br /> import com.alcor.acl.service.RoleService;<br /> /*<br /> *<br /> * 最核心的地方，就是提供某个资源对应的权限定义，即getAttributes方法返回的结果。<br /> * 注意，我例子中使用的是AntUrlPathMatcher这个path matcher来检查URL是否与资源定义匹配，<br /> * 事实上你还要用正则的方式来匹配，或者自己实现一个matcher。<br /> *<br /> * 此类在初始化时，应该取到所有资源及其对应角色的定义<br /> *<br /> * 说明：对于方法的spring注入，只能在方法和成员变量里注入，<br /> * 如果一个类要进行实例化的时候，不能注入对象和操作对象，<br /> * 所以在构造函数里不能进行操作注入的数据。<br /> */<br /> @Service("InvocationSecurityMetadataSourceService")<br /> public class InvocationSecurityMetadataSourceService implements FilterInvocationSecurityMetadataSource {<br /> /**<br /> * Logger for this class<br /> */<br /> private static final Logger logger = Logger.getLogger(InvocationSecurityMetadataSourceService.class);</p> <p> private RoleService roleService ;<br /> private ActionService actionService; </p> <p> private UrlMatcher urlMatcher = new AntUrlPathMatcher();<br /> private static Map<String, Collection<ConfigAttribute>> resourceMap = null;<br /> public void loadResourceDefine()throws Exception {<br /> this.resourceMap = new HashMap<String, Collection<ConfigAttribute>>();</p> <p> //通过数据库中的信息设置，resouce和role<br /> for (TRole item:this.roleService.getAllRoles()){<br /> Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>();<br /> ConfigAttribute ca = new SecurityConfig(item.getRoleName());<br /> atts.add(ca);<br /> List<TAction> tActionList = actionService.findByRoleID(item.getRoleId());<br /> //把资源放入到spring security的resouceMap中<br /> for(TAction tAction:tActionList){<br /> logger.debug("获得角色：["+item.getRoleName()+"]拥有的acton有："+tAction.getActionUrl());<br /> this.resourceMap.put(tAction.getActionUrl(), atts);<br /> }<br /> }</p> <p> /*//通过硬编码设置，resouce和role<br /> resourceMap = new HashMap<String, Collection<ConfigAttribute>>();<br /> Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>();<br /> ConfigAttribute ca = new SecurityConfig("admin");<br /> atts.add(ca);<br /> resourceMap.put("/jsp/admin.jsp", atts);<br /> resourceMap.put("/swf/zara.html", atts);*/ </p> <p> }<br /> // According to a URL, Find out permission configuration of this URL.<br /> public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {<br /> if (logger.isDebugEnabled()) {<br /> logger.debug("getAttributes(Object) - start"); //$NON-NLS-1$<br /> }<br /> // guess object is a URL.<br /> String url = ((FilterInvocation) object).getRequestUrl();<br /> Iterator<String> ite = resourceMap.keySet().iterator();<br /> while (ite.hasNext()) {<br /> String resURL = ite.next();<br /> if (urlMatcher.pathMatchesUrl(url, resURL)) {<br /> Collection<ConfigAttribute> returnCollection = resourceMap.get(resURL);<br /> if (logger.isDebugEnabled()) {<br /> logger.debug("getAttributes(Object) - end"); //$NON-NLS-1$<br /> }<br /> return returnCollection;<br /> }<br /> }<br /> if (logger.isDebugEnabled()) {<br /> logger.debug("getAttributes(Object) - end"); //$NON-NLS-1$<br /> }<br /> return null;<br /> }<br /> public boolean supports(Class<?> clazz) {<br /> return true;<br /> }<br /> public Collection<ConfigAttribute> getAllConfigAttributes() {<br /> return null;<br /> }<br /> public RoleService getRoleService() {<br /> return roleService;<br /> }<br /> public void setRoleService(RoleService roleService) {<br /> this.roleService = roleService;<br /> }<br /> public ActionService getActionService() {<br /> return actionService;<br /> }<br /> public void setActionService(ActionService actionService) {<br /> this.actionService = actionService;<br /> }<br /> } 
   • UserDetailService.java
     /**<br /> *<br /> */<br /> package com.softvan.spring.security;<br /> import java.util.ArrayList;<br /> import java.util.Collection;<br /> import java.util.Set;<br /> import javax.inject.Inject;<br /> import org.apache.log4j.Logger;<br /> import org.springframework.dao.DataAccessException;<br /> import org.springframework.security.core.GrantedAuthority;<br /> import org.springframework.security.core.authority.GrantedAuthorityImpl;<br /> import org.springframework.security.core.userdetails.User;<br /> import org.springframework.security.core.userdetails.UserDetails;<br /> import org.springframework.security.core.userdetails.UserDetailsService;<br /> import org.springframework.security.core.userdetails.UsernameNotFoundException;<br /> import org.springframework.stereotype.Service;<br /> import com.alcor.acl.domain.TRole;<br /> import com.alcor.acl.domain.TUser;<br /> @Service("UserDetailService")<br /> public class UserDetailService implements UserDetailsService {<br /> /**<br /> * Logger for this class<br /> */<br /> private static final Logger logger = Logger.getLogger(UserDetailService.class);<br /> @Inject<br /> com.alcor.acl.component.User user ; </p> <p> public UserDetails loadUserByUsername(String username)throws UsernameNotFoundException, DataAccessException {<br /> if (logger.isDebugEnabled()) {<br /> logger.debug("loadUserByUsername(String) - start"); //$NON-NLS-1$<br /> }</p> <p> Collection<GrantedAuthority> auths=new ArrayList<GrantedAuthority>();</p> <p> String password=null;<br /> //取得用户的密码<br /> TUser tUser = user.getUserByName(username);<br /> if (tUser ==null){<br /> String message = "用户"+username+"不存在";<br /> logger.error(message);<br /> throw new UsernameNotFoundException(message);<br /> }<br /> password=user.getUserByName(username).getPassword();</p> <p> //获得用户的角色<br /> Set<TRole> tRoles =tUser.getTRoles();<br /> for(TRole item : tRoles){<br /> GrantedAuthorityImpl grantedAuthorityImpl = new GrantedAuthorityImpl(item.getRoleName());<br /> if (logger.isDebugEnabled()){<br /> logger.debug("用户：["+tUser.getName()+"]拥有角色：["+item.getRoleName()+"],即spring security中的access");<br /> }<br /> auths.add(grantedAuthorityImpl);<br /> }</p> <p> User user = new User(username,password, true, true, true, true, auths);</p> <p> if (logger.isDebugEnabled()) {<br /> logger.debug("loadUserByUsername(String) - end"); //$NON-NLS-1$<br /> }<br /> return user;<br /> }<br /> }<br />