先看一下spring security 官方對以下幾個類或接口的解釋,因爲這個幾個類在程序中會使用到;
ConfigAttribute:Stores a security system related configuration attribute.
SecurityConfig:ConfigAttribute的實現類。
GrantedAuthority:Represents an authority granted to an Authentication object.
GrantedAuthorityImpl:GrantedAuthority的實現類。
UserDetails:Provides core user information.
Authentication:Represents
the token for an authentication request or for an authenticated
principal once the request has been processed by the
AuthenticationManager.authenticate(Authentication) method.
UserDetailsService:Core interface which loads user-specific data.
FilterInvocationSecurityMetadataSource:Marker
interface for SecurityMetadataSource implementations that are designed
to perform lookups keyed on FilterInvocations.
AccessDecisionManager:Makes a final access control (authorization) decision.
定義四張表:用戶表、角色表、資源表、組織機構表(可選)
首先需要在web.xml文件中添加以下配置:
- <filter>
- <filter-name>springSecurityFilterChain</filter-name>
- <filter-class>
- org.springframework.web.filter.DelegatingFilterProxy
- </filter-class>
- </filter>
- <filter-mapping>
- <filter-name>springSecurityFilterChain</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
接着配置spring security的配置文件:
- <? xml version = "1.0" encoding = "UTF-8" ?>
- < beans:beans xmlns = "http://www.springframework.org/schema/security"
- xmlns:beans = "http://www.springframework.org/schema/beans"
- xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation ="http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
- http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security-3.0.xsd">
- <!-- access-denied-page:定義沒有權限時跳轉的頁面 ;use-expressions:true表示使用表達式定義忽略攔截資源列表-->
- < http auto-config = "true" access-denied-page = "/accessDenied.do" use-expressions = "true" >
- <!-- 忽略攔截資源定義 -->
- < intercept-url pattern = "/showLogin.do*" filters = "none" />
- < intercept-url pattern = "/scripts/**" filters = "none" />
- < intercept-url pattern = "/images/**" filters = "none" />
- < intercept-url pattern = "/styles/**" filters = "none" />
- < intercept-url pattern = "/dwr/**" filters = "none" />
- <!-- isAuthenticated()表示只有通過驗證的用戶才能訪問 -->
- < intercept-url pattern = "/**" access = "isAuthenticated()" />
- < intercept-url pattern = "/main.do*" access = "isAuthenticated()" />
- <!-- max-sessions=1:禁止2次登陸;ession-fixation-protection="none":防止僞造sessionid攻擊,用戶登錄成功後會銷燬用戶當前的session,-->
- <!-- 創建新的session並把用戶信息複製到新session中 ;invalid-session-url:定義session超時跳轉頁面 -->
- < session-management invalid-session-url = "/timeout.jsp" session-fixation-protection = "none" >
- < concurrency-control max-sessions = "1" />
- </ session-management >
- <!-- 表單驗證 -->
- < form-login login-page = "/showLogin.do" authentication-failure-url = "/showLogin.do?error=true" always-use-default-target = "true" default-target-url = "/login.do?error=false" />
- <!-- 退出系統跳轉頁面 -->
- < logout invalidate-session = "true" logout-success-url = "/showLogin.do" />
- <!-- 免登陸驗證 -->
- < remember-me />
- <!-- 自定義攔截器(這裏和spring security2的配置有點不同) -->
- < custom-filter before = "FILTER_SECURITY_INTERCEPTOR" ref = "securityFilter" />
- </ http >
- < beans:bean id = "securityFilter" class = "xxx.xxx.xxx.commons.permissionengine.web.security.FilterSecurityInterceptor" >
- < beans:property name = "authenticationManager" ref = "authenticationManager" />
- < beans:property name = "accessDecisionManager" ref = "securityAccessDecisionManager" />
- < beans:property name = "securityMetadataSource" ref = "securityMetadataSource" />
- </ beans:bean >
- < authentication-manager alias = "authenticationManager" >
- < authentication-provider user-service-ref = "securityUserDetailService" >
- <!-- 密碼採用MD5算法加密 -->
- < password-encoder hash = "md5" />
- </ authentication-provider >
- </ authentication-manager >
- <!-- 用戶擁有的權限 -->
- < beans:bean id = "securityUserDetailService" class = "xxx.xxx.xxx.commons.permissionengine.web.security.SecurityUserDetailService" />
- <!-- 用戶是否擁有所請求資源的權限 -->
- < beans:bean id = "securityAccessDecisionManager" class = "xxx.xxx.xxx.commons.permissionengine.web.security.SecurityAccessDecisionManager" />
- <!-- 資源與權限對應關係 -->
- < beans:bean id = "securityMetadataSource" class = "xxx.xxx.xxx.commons.permissionengine.web.security.SecurityMetadataSource" />
- </ beans:beans >
接着需要寫一個類實現UserDetails接口,這個並不是我們系統的用戶,它只是一個VO,
用於保存從spring security上下文環境中獲取到登錄用戶,因爲從spring security上下文環境中獲取登錄用戶的返回值就是UserDetails的實現類:
- package xxx.xxx.xxx.commons.permissionengine.entity;
- import java.util.Collection;
- import org.springframework.security.core.GrantedAuthority;
- import org.springframework.security.core.userdetails.UserDetails;
- public class UserDetailInfo implements UserDetails {
- private static final long serialVersionUID = 6137804370301413132L;
- private String userName;
- private String password;
- private Collection<GrantedAuthority> authorities;
- public UserDetailInfo() {}
- @Override
- public Collection<GrantedAuthority> getAuthorities() {
- return authorities;
- }
- @Override
- public String getPassword() {
- return password;
- }
- @Override
- public String getUsername() {
- return userName;
- }
- @Override
- public boolean isAccountNonExpired() {
- return true ;
- }
- @Override
- public boolean isAccountNonLocked() {
- return true ;
- }
- @Override
- public boolean isCredentialsNonExpired() {
- return true ;
- }
- @Override
- public boolean isEnabled() {
- return true ;
- }
- public String getUserName() {
- return userName;
- }
- public void setUserName(String userName) {
- this .userName = userName;
- }
- public void setPassword(String password) {
- this .password = password;
- }
- public void setAuthorities(Collection<GrantedAuthority> authorities) {
- this .authorities = authorities;
- }
- }
接着自定義一個繼承了AbstractSecurityInterceptor的filter:
- package xxx.xxx.xxx.commons.permissionengine.web.security;
- import java.io.IOException;
- import javax.servlet.Filter;
- import javax.servlet.FilterChain;
- import javax.servlet.FilterConfig;
- import javax.servlet.ServletException;
- import javax.servlet.ServletRequest;
- import javax.servlet.ServletResponse;
- import org.springframework.security.access.SecurityMetadataSource;
- import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
- import org.springframework.security.access.intercept.InterceptorStatusToken;
- import org.springframework.security.web.FilterInvocation;
- import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
- public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
- private FilterInvocationSecurityMetadataSource securityMetadataSource;
- @Override
- public void destroy() {
- // TODO Auto-generated method stub
- }
- @Override
- public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
- FilterInvocation invocation = new FilterInvocation(request, response, filterChain);
- invoke(invocation);
- }
- public void invoke(FilterInvocation filterInvocation) throws IOException, ServletException {
- InterceptorStatusToken token = super .beforeInvocation(filterInvocation);
- try {
- filterInvocation.getChain().doFilter(filterInvocation.getRequest(), filterInvocation.getResponse());
- } finally {
- super .afterInvocation(token, null );
- }
- }
- @Override
- public void init(FilterConfig arg0) throws ServletException {
- // TODO Auto-generated method stub
- }
- @Override
- public Class<? extends Object> getSecureObjectClass() {
- return FilterInvocation. class ;
- }
- @Override
- public SecurityMetadataSource obtainSecurityMetadataSource() {
- return this .securityMetadataSource;
- }
- public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) {
- this .securityMetadataSource = securityMetadataSource;
- }
- public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
- return this .securityMetadataSource;
- }
- }
接着定義一個類,實現了UserDetailsService接口,主要用於獲取登錄用戶信息和用戶所具有的角色
- package xxx.xxx.xxx.commons.permissionengine.web.security;
- import java.util.ArrayList;
- import java.util.Collection;
- import java.util.Set;
- import javax.annotation.Resource;
- import org.springframework.dao.DataAccessException;
- import org.springframework.security.core.GrantedAuthority;
- import org.springframework.security.core.authority.GrantedAuthorityImpl;
- import org.springframework.security.core.userdetails.UserDetails;
- import org.springframework.security.core.userdetails.UserDetailsService;
- import org.springframework.security.core.userdetails.UsernameNotFoundException;
- import xxx.xxx.xxx.commons.permissionengine.entity.Role;
- import xxx.xxx.xxx.commons.permissionengine.entity.User;
- import xxx.xxx.xxx.commons.permissionengine.entity.UserDetailInfo;
- import xxx.xxx.xxx.commons.permissionengine.service.IUserService;
- public class SecurityUserDetailService implements UserDetailsService {
- private IUserService userService;
- /**
- * 獲取登錄用戶信息並添加到security上下文環境
- */
- @Override
- public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException, DataAccessException {
- //定義存放用戶角色信息的集合
- Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
- //通過已經經過驗證的登錄用戶的用戶名查找登錄用戶信息
- User user = userService.findUserByProperty("name" , name);
- //定義一個userDetailInfo對象,該類實現了spring security UserDetails接口,因爲已經經過驗證的登錄用戶會保持在
- //spring security上下文環境中,通過該上下文環境獲取登錄用戶信息返回的是UserDetails類型,因此需要定義一個類實現該接口
- UserDetailInfo userDetailInfo = null ;
- if (user != null ) {
- //獲取登錄用戶信息的角色列表
- Set<Role> roles = user.getRoles();
- for (Role role : roles) {
- //利用角色用戶具有的角色的編號構造一個GrantedAuthority對象,並把該對象添加到集合中
- GrantedAuthorityImpl grantedAuthorityImpl = new GrantedAuthorityImpl( "ROLE_" +role.getNo());
- authorities.add(grantedAuthorityImpl);
- }
- userDetailInfo = new UserDetailInfo();
- userDetailInfo.setUserName(user.getName());
- userDetailInfo.setPassword(user.getPassword());
- //把角色信息添加到userDetailInfo對象中
- userDetailInfo.setAuthorities(authorities);
- }
- return userDetailInfo;
- }
- @Resource (name = "userService" )
- public void setUserService(IUserService userService) {
- this .userService = userService;
- }
- }
再接着定義一個實現了FilterInvocationSecurityMetadataSource的類:
- package xxx.xxx.xxx.commons.permissionengine.web.security;
- import java.util.ArrayList;
- import java.util.Collection;
- import java.util.HashMap;
- import java.util.Iterator;
- import java.util.Map;
- import javax.annotation.Resource;
- import org.springframework.security.access.ConfigAttribute;
- import org.springframework.security.access.SecurityConfig;
- import org.springframework.security.web.FilterInvocation;
- import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
- import org.springframework.security.web.util.AntUrlPathMatcher;
- import org.springframework.security.web.util.UrlMatcher;
- import xxx.xxx.xxx.commons.permissionengine.service.IMenuService;
- /**
- * 資源源數據管理器
- * @author Keven
- *
- */
- public class SecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
- private IMenuService menuService;
- //定義一個url匹配工具類
- private UrlMatcher urlMatcher = new AntUrlPathMatcher();
- private static Map<String, Collection<ConfigAttribute>> menuMap = null ;
- //該構造方法由spring容器調用
- public SecurityMetadataSource() {
- loadMenuDefine();
- }
- private void loadMenuDefine() {
- menuMap = new HashMap<String, Collection<ConfigAttribute>>();
- //初始化匿名用戶所擁有的權限
- Collection<ConfigAttribute> guestAtts = new ArrayList<ConfigAttribute>();
- ConfigAttribute guestAttribute = new SecurityConfig( "ROLE_Guest" );
- guestAtts.add(guestAttribute);
- menuMap.put("/showLogin.do*" , guestAtts);
- }
- @Override
- public Collection<ConfigAttribute> getAllConfigAttributes() {
- return null ;
- }
- @Override
- public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
- //獲取請求url
- String url = ((FilterInvocation)object).getRequestUrl();
- //從數據庫獲取資源與角色的對應關係,並設置初始化的資源_角色到該Map
- menuService.setMenuMap(menuMap);
- //獲取資源列表
- Iterator<String> iter = menuMap.keySet().iterator();
- while (iter.hasNext()) {
- String menuUrl = iter.next();
- //防止把null值加入到map,報空指針異常
- if (menuUrl != null ) {
- //請求url與角色所擁有的權限做匹配
- if (urlMatcher.pathMatchesUrl(menuUrl, url))
- return menuMap.get(menuUrl);
- }
- }
- return null ;
- }
- @Override
- public boolean supports(Class<?> clazz) {
- return true ;
- }
- @Resource (name = "menuService" )
- public void setMenuService(IMenuService menuService) {
- this .menuService = menuService;
- }
- }
再接着定義一個實現了AccessDecisionManager的類:
- package xxx.xxx.xxx.commons.permissionengine.web.security;
- import java.util.Collection;
- import java.util.Iterator;
- import org.springframework.security.access.AccessDecisionManager;
- import org.springframework.security.access.AccessDeniedException;
- import org.springframework.security.access.ConfigAttribute;
- import org.springframework.security.access.SecurityConfig;
- import org.springframework.security.authentication.InsufficientAuthenticationException;
- import org.springframework.security.core.Authentication;
- import org.springframework.security.core.GrantedAuthority;
- /**
- * 決策管理器,用於判斷用戶需要訪問的資源與用戶所擁有的角色是否匹配
- * @author Keven
- *
- */
- public class SecurityAccessDecisionManager implements AccessDecisionManager {
- @Override
- public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
- if (configAttributes == null )
- return ;
- //獲取資源與角色對應關係列表
- Iterator<ConfigAttribute> iter = configAttributes.iterator();
- while (iter.hasNext()) {
- ConfigAttribute configAttribute = iter.next();
- //獲取訪問該資源需要的角色
- String needRole = ((SecurityConfig)configAttribute).getAttribute();
- //從上下文環境獲取用戶所具有的角色
- for (GrantedAuthority grantedAuthority : authentication.getAuthorities()) {
- //判斷用戶擁有的角色是否與訪問該資源所需要的角色匹配
- if (needRole.equals(grantedAuthority.getAuthority()))
- return ;
- }
- }
- throw new AccessDeniedException( "權限不足!" );
- }
- @Override
- public boolean supports(ConfigAttribute arg0) {
- return true ;
- }
- @Override
- public boolean supports(Class<?> arg0) {
- return true ;
- }
-
}