参考文档: http://wenku.baidu.com/view/4ec7e324ccbff121dd368364.html
在spring security3中使用自己定义的数据结构来实现权限设置。
- 数据库
- 用户表
- 角色表
- action表,即资源表
- 角色-用户关联表
- action-角色关联表
- 配置过程
- web.xml中加入过滤器
- <!-- 配置spring security -->
- <filter>
- <filter-name>springSecurityFilterChain</filter-name>
- <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
- </filter>
- <filter-mapping>
- <filter-name>springSecurityFilterChain</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
- <!-- 配置spring security结束 -->
- 在applicationContext.xml中import spring security部分的配置
- <import resource="security3.0_JPA.xml"/>
- 配置import resource="security3.0_JPA.xml"
- <?xml version="1.0" encoding="UTF-8"?>
- <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
- http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security-3.0.xsd">
- <http auto-config="true" access-denied-page="/jsp/accessDenied.jsp">
- <intercept-url pattern="/css/**" filters="none" />
- <intercept-url pattern="/images/**" filters="none" />
- <intercept-url pattern="/js/**" filters="none" />
- <!-- 增加一个filter,这点与Acegi是不一样的,不能修改默认的filter了,
- 这个filter位于FILTER_SECURITY_INTERCEPTOR之前 -->
- <custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR" />
- </http>
- <!-- 一个自定义的filter,必须包含authenticationManager,accessDecisionManager,securityMetadataSource三个属性,
- 我们的所有控制将在这三个类中实现,解释详见具体配置 -->
- <beans:bean id="myFilter" class="com.softvan.spring.security.FilterSecurityInterceptor">
- <beans:property name="authenticationManager" ref="MyAuthenticationManager" />
- <!-- 访问决策器,决定某个用户具有的角色,是否有足够的权限去访问某个资源 -->
- <beans:property name="accessDecisionManager" ref="AccessDecisionManager" />
- <beans:property name="securityMetadataSource" ref="MySecurityMetadataSource" />
- </beans:bean>
- <!-- 资源源数据定义,将所有的资源和权限对应关系建立起来,即定义某一资源可以被哪些角色访问 -->
- <beans:bean id="MySecurityMetadataSource" init-method="loadResourceDefine" class="com.softvan.spring.security.InvocationSecurityMetadataSourceService">
- <beans:property name="roleService" ref="RoleService" />
- <beans:property name="actionService" ref="ActionService" />
- </beans:bean>
- <!-- 验证配置 , 认证管理器,实现用户认证的入口,主要实现UserDetailsService接口即可 -->
- <authentication-manager alias="MyAuthenticationManager">
- <authentication-provider user-service-ref="UserDetailService">
- <!--
- <s:password-encoder hash="sha" />
- -->
- </authentication-provider>
- </authentication-manager>
- </beans:beans>
- web.xml中加入过滤器
- 相关java代码
- AccessDecisionManager.java
- /**
- *
- */
- package com.softvan.spring.security;
- import org.apache.log4j.Logger;
- /**
- * @author 徐泽宇(roamer)
- *
- * 2010-7-4
- */
- import java.util.Collection;
- import java.util.Iterator;
- import org.springframework.security.access.AccessDeniedException;
- import org.springframework.security.access.ConfigAttribute;
- import org.springframework.security.access.SecurityConfig;
- import org.springframework.security.authentication.InsufficientAuthenticationException;
- import org.springframework.security.core.Authentication;
- import org.springframework.security.core.GrantedAuthority;
- import org.springframework.stereotype.Service;
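@Service("AccessDecisionManager")
public class AccessDecisionManager implements org.springframework.security.access.AccessDecisionManager {
    /**
     * Logger for this class
     */
    private static final Logger logger = Logger.getLogger(AccessDecisionManager.class);

    /**
     * Grants access when the caller holds at least one of the roles configured for the requested resource.
     * <p>
     * {@code object} is the secure object handed over by the filter (the request URL); {@code configAttributes}
     * are the role names the metadata source looked up for that URL. Every attribute value is compared with the
     * names of the caller's granted authorities: the first match grants access, a non-empty attribute set with
     * no match is rejected.
     *
     * @param authentication the caller, as authenticated by the authentication manager
     * @param object the secure object being accessed (a {@code FilterInvocation}); only used for logging
     * @param configAttributes role names required for the resource. {@code null} means "no definition found"
     *        and the request is let through unchanged (this is the original behaviour; the interceptor normally
     *        resolves that case itself before calling this method). An empty collection, by contrast, denies.
     * @throws AccessDeniedException when none of the caller's authorities matches a required role
     * @throws InsufficientAuthenticationException when no {@code Authentication} was supplied
     */
    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
        if (logger.isDebugEnabled()) {
            logger.debug("decide(Authentication, Object, Collection<ConfigAttribute>) - start"); //$NON-NLS-1$
        }
        if (configAttributes == null) {
            // No resource definition for this URL: access is not restricted by this manager. Whether such
            // URLs are public at all is decided by the interceptor (rejectPublicInvocations), not here.
            if (logger.isDebugEnabled()) {
                logger.debug("decide(Authentication, Object, Collection<ConfigAttribute>) - end"); //$NON-NLS-1$
            }
            return;
        }
        if (authentication == null) {
            // The interceptor always supplies an Authentication; fail explicitly rather than with a NullPointerException.
            throw new InsufficientAuthenticationException("authentication is null");
        }
        if (logger.isDebugEnabled()) {
            logger.debug("正在访问的url是:" + String.valueOf(object));
        }
        for (ConfigAttribute ca : configAttributes) {
            // ConfigAttribute exposes the role name directly; the former cast to SecurityConfig would have
            // thrown a ClassCastException for any other ConfigAttribute implementation.
            String needRole = ca.getAttribute();
            if (logger.isDebugEnabled()) {
                logger.debug("needRole is:" + needRole);
            }
            if (needRole == null) {
                // An attribute without a textual value can never be matched against an authority name.
                continue;
            }
            for (GrantedAuthority ga : authentication.getAuthorities()) {
                if (logger.isDebugEnabled()) {
                    logger.debug("/t授权信息是:" + ga.getAuthority());
                }
                if (needRole.equals(ga.getAuthority())) { // ga is one of the caller's roles
                    if (logger.isDebugEnabled()) {
                        logger.debug("判断到,needRole 是" + needRole + ",用户的角色是:" + ga.getAuthority() + ",授权数据相匹配");
                        logger.debug("decide(Authentication, Object, Collection<ConfigAttribute>) - end"); //$NON-NLS-1$
                    }
                    return;
                }
            }
        }
        throw new AccessDeniedException("没有权限");
    }

    /**
     * Attributes are plain role names, so every {@link ConfigAttribute} is accepted; this also means the
     * interceptor's start-up validation of attributes never rejects anything.
     *
     * @param attribute the attribute to check
     * @return always {@code true}
     */
    public boolean supports(ConfigAttribute attribute) {
        return true;
    }

    /**
     * This manager is not tied to a particular secure-object type (it only logs {@code object}).
     *
     * @param clazz the secure object class the interceptor works with
     * @return always {@code true}
     */
    public boolean supports(Class<?> clazz) {
        return true;
    }
}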
- FilterSecurityInterceptor.java
- /**
- *
- */
- package com.softvan.spring.security;
- import org.apache.log4j.Logger;
- /**
- * @author 徐泽宇(roamer)
- *
- * 2010-7-4
- */
- import java.io.IOException;
- import javax.servlet.Filter;
- import javax.servlet.FilterChain;
- import javax.servlet.FilterConfig;
- import javax.servlet.ServletException;
- import javax.servlet.ServletRequest;
- import javax.servlet.ServletResponse;
- import org.springframework.security.access.SecurityMetadataSource;
- import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
- import org.springframework.security.access.intercept.InterceptorStatusToken;
- import org.springframework.security.web.FilterInvocation;
- import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
    /**
     * Logger for this class
     */
    private static final Logger logger = Logger.getLogger(FilterSecurityInterceptor.class);

    /** Resolves a request URL to the roles allowed to access it; injected through {@link #setSecurityMetadataSource}. */
    private FilterInvocationSecurityMetadataSource securityMetadataSource;

    /**
     * Servlet {@link Filter} entry point. Wraps the request, response and chain in a {@link FilterInvocation}
     * and delegates to {@link #invoke(FilterInvocation)}, which runs the {@link AbstractSecurityInterceptor}
     * checks around the remainder of the chain.
     *
     * @param request the current request
     * @param response the current response
     * @param chain the rest of the filter chain
     * @throws IOException propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        if (logger.isDebugEnabled()) {
            logger.debug("doFilter(ServletRequest, ServletResponse, FilterChain) - start"); //$NON-NLS-1$
        }
        invoke(new FilterInvocation(request, response, chain));
        if (logger.isDebugEnabled()) {
            logger.debug("doFilter(ServletRequest, ServletResponse, FilterChain) - end"); //$NON-NLS-1$
        }
    }

    /**
     * @return the configured metadata source (bean property accessor)
     */
    public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
        return securityMetadataSource;
    }

    /**
     * Secure objects handled by this interceptor are web requests.
     *
     * @return {@code FilterInvocation.class}
     */
    @Override
    public Class<? extends Object> getSecureObjectClass() {
        return FilterInvocation.class;
    }

    /**
     * Runs the security checks for one request. {@code beforeInvocation} authenticates the caller and consults the
     * access decision manager, throwing when access is refused, so the chain below only runs for permitted requests.
     * When the metadata source returns no attributes for the URL, the superclass treats the request as public
     * unless {@code rejectPublicInvocations} has been enabled on this bean.
     *
     * @param invocation the wrapped request
     * @throws IOException propagated from the chain
     * @throws ServletException propagated from the chain
     */
    public void invoke(FilterInvocation invocation) throws IOException, ServletException {
        InterceptorStatusToken statusToken = super.beforeInvocation(invocation);
        try {
            invocation.getChain().doFilter(invocation.getRequest(), invocation.getResponse());
        } finally {
            // A filter produces no return value to post-process, hence null.
            super.afterInvocation(statusToken, null);
        }
    }

    /**
     * @return the metadata source the superclass consults for each secure object
     */
    @Override
    public SecurityMetadataSource obtainSecurityMetadataSource() {
        return securityMetadataSource;
    }

    /**
     * @param securityMetadataSource the URL-to-roles source to use (bean property setter)
     */
    public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) {
        this.securityMetadataSource = securityMetadataSource;
    }

    /** Nothing to release: all state is managed by the Spring container. */
    @Override
    public void destroy() {
    }

    /**
     * Nothing to initialise from the servlet configuration: wiring is done through bean properties.
     *
     * @param filterconfig unused
     * @throws ServletException never
     */
    @Override
    public void init(FilterConfig filterconfig) throws ServletException {
    }
}
- InvocationSecurityMetadataSourceService.java
- /**
- *
- */
- package com.softvan.spring.security;
- import java.util.ArrayList;
- import java.util.Collection;
- import java.util.HashMap;
- import java.util.Iterator;
- import java.util.List;
- import java.util.Map;
- import org.apache.log4j.Logger;
- import org.springframework.security.access.ConfigAttribute;
- import org.springframework.security.access.SecurityConfig;
- import org.springframework.security.web.FilterInvocation;
- import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
- import org.springframework.security.web.util.AntUrlPathMatcher;
- import org.springframework.security.web.util.UrlMatcher;
- import org.springframework.stereotype.Service;
- import com.alcor.acl.domain.TAction;
- import com.alcor.acl.domain.TRole;
- import com.alcor.acl.service.ActionService;
- import com.alcor.acl.service.RoleService;
- /*
- *
- * 最核心的地方,就是提供某个资源对应的权限定义,即getAttributes方法返回的结果。
- * 注意,我例子中使用的是AntUrlPathMatcher这个path matcher来检查URL是否与资源定义匹配,
- * 事实上你也可以用正则的方式来匹配,或者自己实现一个matcher。
- *
- * 此类在初始化时,应该取到所有资源及其对应角色的定义
- *
- * 说明:对于方法的spring注入,只能在方法和成员变量里注入,
- * 如果一个类要进行实例化的时候,不能注入对象和操作对象,
- * 所以在构造函数里不能进行操作注入的数据。
- */
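@Service("InvocationSecurityMetadataSourceService")
public class InvocationSecurityMetadataSourceService implements FilterInvocationSecurityMetadataSource {
    /**
     * Logger for this class
     */
    private static final Logger logger = Logger.getLogger(InvocationSecurityMetadataSourceService.class);

    private RoleService roleService;
    private ActionService actionService;

    /** Ant-style matcher used to compare a request URL against the stored resource URLs. */
    private UrlMatcher urlMatcher = new AntUrlPathMatcher();

    /**
     * Resource URL (pattern) -> roles allowed to access it. {@link #loadResourceDefine()} builds a complete
     * replacement map and publishes it with one reference assignment, so concurrent {@link #getAttributes(Object)}
     * calls never observe a half-filled map. Insertion order (roles, then their actions, as returned by the
     * services) is preserved so that the first matching entry is deterministic rather than hash-order dependent.
     */
    private static volatile Map<String, Collection<ConfigAttribute>> resourceMap = null;

    /**
     * Loads every role and the actions (resource URLs) it may access and rebuilds {@link #resourceMap}.
     * <p>
     * Configured as the bean's {@code init-method}; it has to run after the services were injected, which is
     * why this work cannot be done in the constructor.
     *
     * @throws Exception propagated from the underlying services (declared for compatibility with callers)
     * @throws IllegalStateException when the services have not been injected
     */
    public void loadResourceDefine() throws Exception {
        if (roleService == null || actionService == null) {
            throw new IllegalStateException("roleService and actionService must be set before loadResourceDefine()");
        }
        Map<String, Collection<ConfigAttribute>> loaded = new java.util.LinkedHashMap<String, Collection<ConfigAttribute>>();
        // Resource/role pairs come from the database tables described above.
        for (TRole role : roleService.getAllRoles()) {
            ConfigAttribute roleAttribute = new SecurityConfig(role.getRoleName());
            List<TAction> actions = actionService.findByRoleID(role.getRoleId());
            for (TAction action : actions) {
                String actionUrl = action.getActionUrl();
                if (logger.isDebugEnabled()) {
                    logger.debug("获得角色:[" + role.getRoleName() + "]拥有的acton有:" + actionUrl);
                }
                // Several roles may share one URL: merge the roles instead of overwriting the entry, otherwise
                // only the last role processed would be able to reach that resource.
                Collection<ConfigAttribute> roles = loaded.get(actionUrl);
                if (roles == null) {
                    roles = new ArrayList<ConfigAttribute>();
                    loaded.put(actionUrl, roles);
                }
                roles.add(roleAttribute);
            }
        }
        resourceMap = loaded;
    }

    /**
     * Looks up the roles required for the URL of the given request.
     * <p>
     * The query string is ignored when matching: {@code FilterInvocation.getRequestUrl()} includes it, so without
     * stripping it a request for {@code /jsp/admin.jsp?x=1} would not match a stored {@code /jsp/admin.jsp} and
     * would fall through as unprotected. Patterns are tested in load order and the first match wins.
     * Matching is case-sensitive because the matcher's {@code compile}/{@code requiresLowerCaseUrl} normalisation
     * is not applied; stored URLs must use the same case as the requests.
     *
     * @param object the {@link FilterInvocation} being secured
     * @return the roles allowed to access the URL, or {@code null} when no resource definition matches. A
     *         {@code null} result makes the interceptor treat the URL as public unless its
     *         {@code rejectPublicInvocations} flag is set, so every URL that must be protected has to be present
     *         in the action table.
     * @throws IllegalArgumentException when {@code object} is not a {@link FilterInvocation}
     * @throws IllegalStateException when {@link #loadResourceDefine()} has not run yet
     */
    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        if (logger.isDebugEnabled()) {
            logger.debug("getAttributes(Object) - start"); //$NON-NLS-1$
        }
        if (!(object instanceof FilterInvocation)) {
            throw new IllegalArgumentException("Object must be a FilterInvocation");
        }
        Map<String, Collection<ConfigAttribute>> current = resourceMap;
        if (current == null) {
            throw new IllegalStateException("loadResourceDefine() has not been called");
        }
        String url = ((FilterInvocation) object).getRequestUrl();
        int queryStart = url.indexOf('?');
        if (queryStart != -1) {
            url = url.substring(0, queryStart);
        }
        Collection<ConfigAttribute> matched = null;
        for (Map.Entry<String, Collection<ConfigAttribute>> entry : current.entrySet()) {
            // UrlMatcher.pathMatchesUrl(pattern, url): the stored resource URL is the pattern and the request
            // URL is the path under test. The former call had the two swapped, which only works for literal
            // URLs without Ant wildcards.
            if (urlMatcher.pathMatchesUrl(entry.getKey(), url)) {
                matched = entry.getValue();
                break;
            }
        }
        if (logger.isDebugEnabled()) {
            logger.debug("getAttributes(Object) - end"); //$NON-NLS-1$
        }
        return matched;
    }

    /**
     * @param clazz the secure object class the interceptor works with
     * @return always {@code true}; {@link #getAttributes(Object)} validates the actual instance
     */
    public boolean supports(Class<?> clazz) {
        return true;
    }

    /**
     * Returns every role attribute currently loaded, so the interceptor can validate them against the access
     * decision manager at start-up.
     *
     * @return all attributes of {@link #resourceMap}, or {@code null} before {@link #loadResourceDefine()} ran
     */
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        Map<String, Collection<ConfigAttribute>> current = resourceMap;
        if (current == null) {
            return null;
        }
        Collection<ConfigAttribute> all = new ArrayList<ConfigAttribute>();
        for (Collection<ConfigAttribute> roles : current.values()) {
            all.addAll(roles);
        }
        return all;
    }

    public RoleService getRoleService() {
        return roleService;
    }

    public void setRoleService(RoleService roleService) {
        this.roleService = roleService;
    }

    public ActionService getActionService() {
        return actionService;
    }

    public void setActionService(ActionService actionService) {
        this.actionService = actionService;
    }
}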
- UserDetailService.java
- /**
- *
- */
- package com.softvan.spring.security;
- import java.util.ArrayList;
- import java.util.Collection;
- import java.util.Set;
- import javax.inject.Inject;
- import org.apache.log4j.Logger;
- import org.springframework.dao.DataAccessException;
- import org.springframework.security.core.GrantedAuthority;
- import org.springframework.security.core.authority.GrantedAuthorityImpl;
- import org.springframework.security.core.userdetails.User;
- import org.springframework.security.core.userdetails.UserDetails;
- import org.springframework.security.core.userdetails.UserDetailsService;
- import org.springframework.security.core.userdetails.UsernameNotFoundException;
- import org.springframework.stereotype.Service;
- import com.alcor.acl.domain.TRole;
- import com.alcor.acl.domain.TUser;
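@Service("UserDetailService")
public class UserDetailService implements UserDetailsService {
    /**
     * Logger for this class
     */
    private static final Logger logger = Logger.getLogger(UserDetailService.class);

    /** Application-side account lookup (domain component, not the Spring Security {@link User}). */
    @Inject
    com.alcor.acl.component.User user;

    /**
     * Loads the account for {@code username} and maps each of its roles to a granted authority named after the
     * role, i.e. the same names the metadata source stores per resource.
     * <p>
     * The password is handed to Spring Security exactly as returned by the store; whether it is compared as a
     * hash is decided by the password-encoder configured on the authentication provider, not here. The
     * {@link UsernameNotFoundException} message contains the submitted name; the provider manager rewrites that
     * exception to a generic bad-credentials error by default, so it is not exposed to the caller unless that
     * default is changed.
     *
     * @param username login name submitted by the caller
     * @return an enabled, non-expired, non-locked user carrying the account's roles as authorities
     * @throws UsernameNotFoundException when no account has this name
     * @throws DataAccessException propagated from the store
     */
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
        if (logger.isDebugEnabled()) {
            logger.debug("loadUserByUsername(String) - start"); //$NON-NLS-1$
        }
        TUser tUser = user.getUserByName(username);
        if (tUser == null) {
            // The caller-supplied name is written to the log as-is.
            String message = "用户" + username + "不存在";
            logger.error(message);
            throw new UsernameNotFoundException(message);
        }
        // Reuse the entity already loaded instead of querying the store a second time.
        String password = tUser.getPassword();
        Collection<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();
        Set<TRole> tRoles = tUser.getTRoles();
        if (tRoles != null) {
            for (TRole role : tRoles) {
                if (logger.isDebugEnabled()) {
                    logger.debug("用户:[" + tUser.getName() + "]拥有角色:[" + role.getRoleName() + "],即spring security中的access");
                }
                auths.add(new GrantedAuthorityImpl(role.getRoleName()));
            }
        }
        // enabled, accountNonExpired, credentialsNonExpired, accountNonLocked are all true: the domain model
        // used here carries no such account state.
        User details = new User(username, password, true, true, true, true, auths);
        if (logger.isDebugEnabled()) {
            logger.debug("loadUserByUsername(String) - end"); //$NON-NLS-1$
        }
        return details;
    }
}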
- AccessDecisionManager.java