Spring security3.x 自定義驗證Filter

原創文章，歡迎轉載！轉載時務必保留：作者:jmppok ;出處http://blog.csdn.net/jmppok/article/details/44833545

1.applicationContext-secrity.xml配置

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.2.xsd">
        
        
        
        
	<!-- 自動配置模式，攔截所有請求，有ROLE_USER纔可以通過  -->
	<http auto-config="true"  >
	
		
	
		<intercept-url pattern="/login**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
		<intercept-url pattern="/js/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
		<intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

		<intercept-url pattern="/**" access="ROLE_USER" /> 

		<form-login login-page="/login.html" authentication-failure-url ="/loginfailure" default-target-url="/loginsuccess"/>
		<logout invalidate-session="true" logout-success-url="/login.html" logout-url="/j_spring_security_logout"/>
		
		
		
		<access-denied-handler ref="myAuthenticationFailureHandler"/>
		<custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="myFilter"  />
		

	</http>
	

	
    <beans:bean id="myAuthenticationFailureHandler" class="com.lenovo.itcloud.api.base.MyAuthenticationFailureHandler" />
	
	<!-- 一個自定義的filter，必須包含authenticationManager,accessDecisionManager,securityMetadataSource三個屬性，
    我們的所有控制將在這三個類中實現，解釋詳見具體配置 -->
    <beans:bean id="myFilter" class="com.lenovo.itcloud.api.base.MyFilterSecurityInterceptor">
        <beans:property name="authenticationManager"  ref="authenticationManager" />
        <beans:property name="accessDecisionManager"  ref="myAccessDecisionManagerBean" />
        <beans:property name="securityMetadataSource"  ref="securityMetadataSource" />
    </beans:bean>
	
	<!-- 認證管理器。用戶名密碼都集成在配置文件中 -->
	<authentication-manager  alias="authenticationManager">
		
		<authentication-provider
            user-service-ref="myUserDetailService" />
            <!--  
		<authentication-provider>
			<user-service>
				<user name="admin" password="admin" authorities="ROLE_USER" />
				
			</user-service>
		</authentication-provider>
		-->
	</authentication-manager>

 <beans:bean id="myUserDetailService"
        class="com.lenovo.itcloud.api.base.MyUserDetailService" />
	
	
	<!-- 訪問決策器，決定某個用戶具有的角色，是否有足夠的權限去訪問某個資源 -->
    <beans:bean id="myAccessDecisionManagerBean"
        class="com.lenovo.itcloud.api.base.MyAccessDecisionManager">
    </beans:bean>
	
	<!-- 資源源數據定義，即定義某一資源可以被哪些角色訪問 -->
    <beans:bean id="securityMetadataSource" 
        class="com.lenovo.itcloud.api.base.MyInvocationSecurityMetadataSource" />
	
	
</beans:beans>

一個自定義的filter，必須包含authenticationManager,accessDecisionManager,securityMetadataSource三個屬性，同時authenticationManager中需要包含一個用戶驗證服務UserDetailServie。

2.Filter---------------------MyFilterSecurityInterceptor

/**
 * 類 MyFilterSecurityInterceptor 的實現描述：TODO 類實現描述
 * 
 * @author ligh4 2015年3月31日下午4:58:57
 */
public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {

    private FilterInvocationSecurityMetadataSource securityMetadataSource;

    /**
     * @author ligh4 2015年3月31日下午5:03:16
     */
    @Override
    public void destroy() {
        // TODO Auto-generated method stub

    }

    /**
     * @author ligh4 2015年3月31日下午5:03:16
     */
    @Override
    public void doFilter(ServletRequest arg0, ServletResponse arg1, FilterChain arg2)
            throws IOException, ServletException {
        FilterInvocation fi = new FilterInvocation(arg0, arg1, arg2);
        invoke(fi);

    }

    public void invoke(FilterInvocation fi) throws IOException, ServletException {
        InterceptorStatusToken token = super.beforeInvocation(fi);
        try {
            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
        } finally {
            super.afterInvocation(token, null);
        }
    }

    public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
        return this.securityMetadataSource;
    }

    public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource newSource) {
        this.securityMetadataSource = newSource;
    }

    /**
     * @author ligh4 2015年3月31日下午5:03:16
     */
    @Override
    public void init(FilterConfig arg0) throws ServletException {
        // TODO Auto-generated method stub

    }

    /**
     * @author ligh4 2015年3月31日下午5:03:16
     */
    @Override
    public Class<?> getSecureObjectClass() {
        return FilterInvocation.class;
    }

    /**
     * @author ligh4 2015年3月31日下午5:03:16
     */
    @Override
    public SecurityMetadataSource obtainSecurityMetadataSource() {
        return this.securityMetadataSource;
    }

}

3.用戶驗證 服務 ---------- MyUserDetialService

/**
 * 類 MyUserDetailService 的實現描述：TODO 類實現描述
 * 
 * @author ligh4 2015年3月31日下午5:08:27
 */
@SuppressWarnings("deprecation")
public class MyUserDetailService implements UserDetailsService {

    /**
     * @author ligh4 2015年3月31日下午5:10:54
     */
    @Override
    public UserDetails loadUserByUsername(String arg0) throws UsernameNotFoundException {

        if (arg0.equals("admin")) {
            Collection<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();
            GrantedAuthorityImpl auth2 = new GrantedAuthorityImpl("ROLE_USER");
            auths.add(auth2);

            //    User(String username, String password, boolean enabled, boolean accountNonExpired,
            //                boolean credentialsNonExpired, boolean accountNonLocked, Collection<GrantedAuthority> authorities) {
            User user = new User(arg0, "admin", true, true, true, true, auths);
            return user;
        } else {
            throw new UsernameNotFoundException(arg0);
        }

    }

}

4. 資源及權限定義  --------------- MyInvocationSecurityMetadataSource

/**
 * 類 MyInvocationSecurityMetadataSource 的實現描述：TODO 類實現描述
 * 
 * @author ligh4 2015年3月31日下午5:01:54
 */
public class MyInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

    Collection<ConfigAttribute> role_user      = new ArrayList<ConfigAttribute>();
    Collection<ConfigAttribute> role_anonymous = new ArrayList<ConfigAttribute>();

    public MyInvocationSecurityMetadataSource() {
        role_user.add(new SecurityConfig("ROLE_USER"));

        role_anonymous.add(new SecurityConfig("IS_AUTHENTICATED_ANONYMOUSLY"));
        role_anonymous.add(new SecurityConfig("ROLE_ANONYMOUS"));
        role_anonymous.add(new SecurityConfig("ROLE_USER"));

    }

    /**
     * @author ligh4 2015年3月31日下午5:17:14
     */
    @Override
    public Collection<ConfigAttribute> getAttributes(Object arg0) throws IllegalArgumentException {
        // guess object is a URL.
        String url = ((FilterInvocation) arg0).getRequestUrl();
        if (url.startsWith("/V1") || url.startsWith("/index**")) {
            return role_user;
        } else {
            return role_anonymous;
        }

    }

    /**
     * @author ligh4 2015年3月31日下午5:17:14
     */
    @Override
    public boolean supports(Class<?> arg0) {
        // TODO Auto-generated method stub
        return true;
    }

    /**
     * @author ligh4 2015年3月31日下午5:17:14
     */
    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        // TODO Auto-generated method stub
        return null;
    }
}

5. 訪問決策 ------------------------- MyAccessDecisionManager

/**
 * 類 MyAccessDecisionManager 的實現描述：TODO 類實現描述
 * 
 * @author ligh4 2015年3月31日下午5:01:04
 */
public class MyAccessDecisionManager implements AccessDecisionManager {

    /**
     * @author ligh4 2015年3月31日下午5:28:21
     */
    @Override
    public void decide(Authentication arg0, Object arg1, Collection<ConfigAttribute> arg2)
            throws AccessDeniedException {

        if (arg2 == null) {
            return;
        }
        LogHelper.debug(this, arg1.toString()); //object is a URL.
        Iterator<ConfigAttribute> ite = arg2.iterator();
        while (ite.hasNext()) {
            ConfigAttribute ca = ite.next();
            String needRole = ((SecurityConfig) ca).getAttribute();
            for (GrantedAuthority ga : arg0.getAuthorities()) {
                if (needRole.equals(ga.getAuthority())) { //ga is user's role.
                    return;
                }
            }
        }
        LogHelper.warn(this, "No right of url:" + arg1.toString());
        throw new AccessDeniedException("no right");

    }

    /**
     * @author ligh4 2015年3月31日下午5:28:21
     */
    @Override
    public boolean supports(ConfigAttribute arg0) {
        // TODO Auto-generated method stub
        return true;
    }

    /**
     * @author ligh4 2015年3月31日下午5:28:21
     */
    @Override
    public boolean supports(Class<?> arg0) {
        // TODO Auto-generated method stub
        return true;
    }

}

6. 拒絕訪問的處理 -------------  MyAuthenticationFailureHandler

/**
 * 類 MyAuthenticationFailureHandler 的實現描述：TODO 類實現描述
 * 
 * @author ligh4 2015年3月31日下午4:04:40
 */
public class MyAuthenticationFailureHandler implements AccessDeniedHandler {

    /**
     * @author ligh4 2015年3月31日下午4:15:59
     */
    @Override
    public void handle(HttpServletRequest arg0, HttpServletResponse arg1, AccessDeniedException arg2)
            throws IOException, ServletException {

        LogHelper.debug(this, "handler AccessDeniedException...");

        HttpServletRequest httpRequest = arg0;
        // is ajax request?
        if ("XMLHttpRequest".equals(httpRequest.getHeader("X-Requested-With"))) {
            String msg = "{\"success\" : false, \"message\" : \"authentication-failure\"}";

            arg1.setContentType("json");
            OutputStream outputStream = arg1.getOutputStream();
            outputStream.write(msg.getBytes());
            outputStream.flush();
        }
    }

}

注意只有拒絕訪問纔會執行.如果是未登陸或Session超時，會跳轉到登陸頁面。參考我的另一篇博客。