学步园

这几天学习了一下Spring Security3.1，从官网下载了Spring Security3.1版本进行练习，经过多次尝试才摸清了其中的一些原理。本人不才，希望能帮助大家。还有，这次我第二次写博客啊，文体不是很行。希望能让观看者不产生疲惫的感觉，我已经心满意足了。

一、数据库结构

     先来看一下数据库结构，采用的是基于角色-资源-用户的权限管理设计。(MySql数据库)

    为了节省篇章，只对比较重要的字段进行注释。

    1.用户表Users

    CREATE TABLE `users` (

       -- 账号是否有限 1. 是 0.否
       `enable` int(11) default NULL,
       `password` varchar(255) default NULL,
       `account` varchar(255) default NULL,
       `id` int(11) NOT NULL auto_increment,
       PRIMARY KEY  (`id`)
    )

   2.角色表Roles

   CREATE TABLE `roles` (
     `enable` int(11) default NULL,
     `name` varchar(255) default NULL,
     `id` int(11) NOT NULL auto_increment,
     PRIMARY KEY  (`id`)
   )

   3 用户_角色表users_roles

   CREATE TABLE `users_roles` (

     --用户表的外键
     `uid` int(11) default NULL,

     --角色表的外键
     `rid` int(11) default NULL,
     `urId` int(11) NOT NULL auto_increment,
     PRIMARY KEY  (`urId`),
     KEY `rid` (`rid`),
     KEY `uid` (`uid`),
    CONSTRAINT `users_roles_ibfk_1` FOREIGN KEY (`rid`) REFERENCES `roles` (`id`),
    CONSTRAINT `users_roles_ibfk_2` FOREIGN KEY (`uid`) REFERENCES `users` (`id`)
   )

   4.资源表resources

   CREATE TABLE `resources` (
     `memo` varchar(255) default NULL,

     -- 权限所对应的url地址
     `url` varchar(255) default NULL,

     --优先权
     `priority` int(11) default NULL,

     --类型
     `type` int(11) default NULL,

     --权限所对应的编码，例201代表发表文章
     `name` varchar(255) default NULL,
     `id` int(11) NOT NULL auto_increment,
     PRIMARY KEY  (`id`)
   )

   5.角色_资源表roles_resources

    CREATE TABLE `roles_resources` (
      `rsid` int(11) default NULL,
      `rid` int(11) default NULL,
      `rrId` int(11) NOT NULL auto_increment,
      PRIMARY KEY  (`rrId`),
      KEY `rid` (`rid`),
      KEY `roles_resources_ibfk_2` (`rsid`),
      CONSTRAINT `roles_resources_ibfk_2` FOREIGN KEY (`rsid`) REFERENCES `resources` (`id`),
      CONSTRAINT `roles_resources_ibfk_1` FOREIGN KEY (`rid`) REFERENCES `roles` (`id`)
      )

  二、系统配置

   所需要的jar包，请自行到官网下载，我用的是Spring Security3.1.0.RC1版的。把dist下的除了源码件包导入就行了。还有那些零零碎的   数据库驱动啊，log4j.jar等等，我相信在用Spring Security之前，大家已经会的了。

  1） web.xml

  <!-- Spring --><br /> <context-param><br /> <param-name>contextConfigLocation</param-name><br /> <param-value>classpath:applicationContext.xml,classpath:applicationContext-security.xml</param-value><br /> </context-param></p> <p> <listener><br /> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class><br /> </listener><br /> <!-- 权限 --><br /> <filter><br /> <filter-name>springSecurityFilterChain</filter-name><br /> <filter-class><br /> org.springframework.web.filter.DelegatingFilterProxy<br /> </filter-class><br /> </filter><br /> <filter-mapping><br /> <filter-name>springSecurityFilterChain</filter-name><br /> <url-pattern>/*</url-pattern><br /> </filter-mapping>

 这里主要是配置了让容器启动的时候加载application-security.xml和Spring Security的权限过滤器代理,让其过滤所有的客服请求。

 2）application-security.xml

 <?xml version="1.0" encoding="UTF-8"?><br /> <beans:beans xmlns="http://www.springframework.org/schema/security"<br /> xmlns:beans="http://www.springframework.org/schema/beans"<br /> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"<br /> xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd<br /> http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"></p> <p> <global-method-security pre-post-annotations="enabled" /><br /> <!-- 该路径下的资源不用过滤 --><br /> <http pattern="/js/**" security="none"/><br /> <http use-expressions="true" auto-config="true"></p> <p> <form-login /><br /> <logout/><br /> <!-- 实现免登陆验证 --><br /> <remember-me /><br /> <session-management invalid-session-url="/timeout.jsp"><br /> <concurrency-control max-sessions="10" error-if-maximum-exceeded="true" /><br /> </session-management><br /> <custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR"/><br /> </http><br /> <!-- 配置过滤器 --><br /> <beans:bean id="myFilter" class="com.huaxin.security.MySecurityFilter"><br /> <!-- 用户拥有的权限 --><br /> <beans:property name="authenticationManager" ref="myAuthenticationManager" /><br /> <!-- 用户是否拥有所请求资源的权限 --><br /> <beans:property name="accessDecisionManager" ref="myAccessDecisionManager" /><br /> <!-- 资源与权限对应关系 --><br /> <beans:property name="securityMetadataSource" ref="mySecurityMetadataSource" /><br /> </beans:bean><br /> <!-- 实现了UserDetailsService的Bean --><br /> <authentication-manager alias="myAuthenticationManager"><br /> <authentication-provider user-service-ref="myUserDetailServiceImpl" /><br /> </authentication-manager><br /> <beans:bean id="myAccessDecisionManager" class="com.huaxin.security.MyAccessDecisionManager"></beans:bean><br /> <beans:bean id="mySecurityMetadataSource" class="com.huaxin.security.MySecurityMetadataSource"><br /> <beans:constructor-arg name="resourcesDao" ref="resourcesDao"></beans:constructor-arg><br /> </beans:bean><br /> <beans:bean id="myUserDetailServiceImpl" class="com.huaxin.security.MyUserDetailServiceImpl"><br /> <beans:property name="usersDao" ref="usersDao"></beans:property><br /> </beans:bean><br /> </beans:beans><br />

我们在第二个http标签下配置一个我们自定义的继承了org.springframework.security.access.intercept.AbstractSecurityInterceptor的Filter，并注入其

必须的3个组件authenticationManager、accessDecisionManager和securityMetadataSource。其作用上面已经注释了。

<custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR"/> 这里的FILTER_SECURITY_INTERCEPTOR是Spring Security默认的Filter，

我们自定义的Filter必须在它之前，过滤客服请求。接下来看下我们最主要的myFilter吧。

3）myFilter

  (1) MySecurityFilter.java 过滤用户请求

  public class MySecurityFilter extends AbstractSecurityInterceptor implements Filter {<br /> //与applicationContext-security.xml里的myFilter的属性securityMetadataSource对应，<br /> //其他的两个组件，已经在AbstractSecurityInterceptor定义<br /> private FilterInvocationSecurityMetadataSource securityMetadataSource;</p> <p> @Override<br /> public SecurityMetadataSource obtainSecurityMetadataSource() {<br /> return this.securityMetadataSource;<br /> }</p> <p> public void doFilter(ServletRequest request, ServletResponse response,<br /> FilterChain chain) throws IOException, ServletException {<br /> FilterInvocation fi = new FilterInvocation(request, response, chain);<br /> invoke(fi);<br /> }</p> <p> private void invoke(FilterInvocation fi) throws IOException, ServletException {<br /> // object为FilterInvocation对象<br /> //super.beforeInvocation(fi);源码<br /> //1.获取请求资源的权限<br /> //执行Collection<ConfigAttribute> attributes = SecurityMetadataSource.getAttributes(object);<br /> //2.是否拥有权限<br /> //this.accessDecisionManager.decide(authenticated, object, attributes);<br /> InterceptorStatusToken token = super.beforeInvocation(fi);<br /> try {<br /> fi.getChain().doFilter(fi.getRequest(), fi.getResponse());<br /> } finally {<br /> super.afterInvocation(token, null);<br /> }<br /> }</p> <p> public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {<br /> return securityMetadataSource;<br /> }</p> <p> public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) {<br /> this.securityMetadataSource = securityMetadataSource;<br /> }</p> <p> public void init(FilterConfig arg0) throws ServletException {<br /> // TODO Auto-generated method stub<br /> }</p> <p> public void destroy() {<br /> // TODO Auto-generated method stub</p> <p> }</p> <p> @Override<br /> public Class<? extends Object> getSecureObjectClass() {<br /> //下面的MyAccessDecisionManager的supports方面必须放回true,否则会提醒类型错误<br /> return FilterInvocation.class;<br /> }<br /> }

  核心的InterceptorStatusToken token = super.beforeInvocation(fi);会调用我们定义的accessDecisionManager:decide(Object object)和securityMetadataSource

  :getAttributes(Object object)方法。

 （2）MySecurityMetadataSource.java

  //1 加载资源与权限的对应关系<br /> public class MySecurityMetadataSource implements FilterInvocationSecurityMetadataSource {<br /> //由spring调用<br /> public MySecurityMetadataSource(ResourcesDao resourcesDao) {<br /> this.resourcesDao = resourcesDao;<br /> loadResourceDefine();<br /> }</p> <p> private ResourcesDao resourcesDao;<br /> private static Map<String, Collection<ConfigAttribute>> resourceMap = null;</p> <p> public ResourcesDao getResourcesDao() {<br /> return resourcesDao;<br /> }</p> <p> public void setResourcesDao(ResourcesDao resourcesDao) {<br /> this.resourcesDao = resourcesDao;<br /> }</p> <p> public Collection<ConfigAttribute> getAllConfigAttributes() {<br /> // TODO Auto-generated method stub<br /> return null;<br /> }</p> <p> public boolean supports(Class<?> clazz) {<br /> // TODO Auto-generated method stub<br /> return true;<br /> }<br /> //加载所有资源与权限的关系<br /> private void loadResourceDefine() {<br /> if(resourceMap == null) {<br /> resourceMap = new HashMap<String, Collection<ConfigAttribute>>();<br /> List<Resources> resources = this.resourcesDao.findAll();<br /> for (Resources resource : resources) {<br /> Collection<ConfigAttribute> configAttributes = new ArrayList<ConfigAttribute>();<br /> //以权限名封装为Spring的security Object<br /> ConfigAttribute configAttribute = new SecurityConfig(resource.getName());<br /> configAttributes.add(configAttribute);<br /> resourceMap.put(resource.getUrl(), configAttributes);<br /> }<br /> }</p> <p> Set<Entry<String, Collection<ConfigAttribute>>> resourceSet = resourceMap.entrySet();<br /> Iterator<Entry<String, Collection<ConfigAttribute>>> iterator = resourceSet.iterator();</p> <p> }<br /> //返回所请求资源所需要的权限<br /> public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {</p> <p> String requestUrl = ((FilterInvocation) object).getRequestUrl();<br /> System.out.println("requestUrl is " + requestUrl);<br /> if(resourceMap == null) {<br /> loadResourceDefine();<br /> }<br /> return resourceMap.get(requestUrl);<br /> }</p> <p>}

 这里的resourcesDao，熟悉Dao设计模式和Spring 注入的朋友应该看得明白。

（3）MyUserDetailServiceImpl.java

 public class MyUserDetailServiceImpl implements UserDetailsService {</p> <p> private UsersDao usersDao;<br /> public UsersDao getUsersDao() {<br /> return usersDao;<br /> }</p> <p> public void setUsersDao(UsersDao usersDao) {<br /> this.usersDao = usersDao;<br /> }</p> <p> public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {<br /> System.out.println("username is " + username);<br /> Users users = this.usersDao.findByName(username);<br /> if(users == null) {<br /> throw new UsernameNotFoundException(username);<br /> }<br /> Collection<GrantedAuthority> grantedAuths = obtionGrantedAuthorities(users);</p> <p> boolean enables = true;<br /> boolean accountNonExpired = true;<br /> boolean credentialsNonExpired = true;<br /> boolean accountNonLocked = true;</p> <p> User userdetail = new User(users.getAccount(), users.getPassword(), enables, accountNonExpired, credentialsNonExpired, accountNonLocked, grantedAuths);<br /> return userdetail;<br /> }</p> <p> //取得用户的权限<br /> private Set<GrantedAuthority> obtionGrantedAuthorities(Users user) {<br /> Set<GrantedAuthority> authSet = new HashSet<GrantedAuthority>();<br /> Set<Roles> roles = user.getRoles();</p> <p> for(Roles role : roles) {<br /> Set<Resources> tempRes = role.getResources();<br /> for(Resources res : tempRes) {<br /> authSet.add(new GrantedAuthorityImpl(res.getName()));<br /> s }<br /> }<br /> return authSet;<br /> }<br /> }

(4) MyAccessDecisionManager.java

public class MyAccessDecisionManager implements AccessDecisionManager {</p> <p> public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {<br /> if(configAttributes == null) {<br /> return;<br /> }<br /> //所请求的资源拥有的权限(一个资源对多个权限)<br /> Iterator<ConfigAttribute> iterator = configAttributes.iterator();<br /> while(iterator.hasNext()) {<br /> ConfigAttribute configAttribute = iterator.next();<br /> //访问所请求资源所需要的权限<br /> String needPermission = configAttribute.getAttribute();<br /> System.out.println("needPermission is " + needPermission);<br /> //用户所拥有的权限authentication<br /> for(GrantedAuthority ga : authentication.getAuthorities()) {<br /> if(needPermission.equals(ga.getAuthority())) {<br /> return;<br /> }<br /> }<br /> }<br /> //没有权限<br /> throw new AccessDeniedException(" 没有权限访问！ ");<br /> }</p> <p> public boolean supports(ConfigAttribute attribute) {<br /> // TODO Auto-generated method stub<br /> return true;<br /> }</p> <p> public boolean supports(Class<?> clazz) {<br /> // TODO Auto-generated method stub<br /> return true;<br /> }</p> <p>}

三、流程

 1）容器启动(MySecurityMetadataSource：loadResourceDefine加载系统资源与权限列表)
 2）用户发出请求
 3）过滤器拦截(MySecurityFilter:doFilter)
 4）取得请求资源所需权限(MySecurityMetadataSource:getAttributes)
 5）匹配用户拥有权限和请求权限(MyAccessDecisionManager:decide)，如果用户没有相应的权限，

     执行第6步，否则执行第7步。
 6）登录
 7）验证并授权(MyUserDetailServiceImpl:loadUserByUsername)
 8）重复4,5

四、结束语

好了，终于写完了，回头看了一下，感觉不是怎么行。等我弄明白Spring Security它的原理之后，再回头修改下注释吧。大家觉得不妥的地方，可以留言，我会回复大家的。

我已经把源码上传到CSDN了。http://download.csdn.net/source/3283687