没事就来了解下spring security.网上找了很多资料。有过时的,也有不是很全面的。各种问题也算是让我碰了个遍。这样吧。我先把整个流程写下来,之后在各个易混点分析吧。
1.建立几个必要的页面。
login.jsp index.jsp user.jsp admin.jsp error.jsp 后面几个只是用来做跳转的,里面没什么要注意的,就贴出login里面的吧
<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>login</title> </head> <body> <form action="/mavenTest/j_spring_security_check" method="post"> 账户:<input type="text" name="j_username" id="username"/> 密码:<input type="text" name="j_password" id="password"/> <input type="submit" value="登陆"/> </form> </body> </html>
2.配置web.xml 没有用的就没有粘贴了
<filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
3.忘记吧pom.xml文件给出来了 版本为<org.springframework-version>3.2.3.RELEASE</org.springframework-version>
<!-- spring security --> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-core</artifactId> <version>${org.springframework-version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-web</artifactId> <version>${org.springframework-version}</version> </dependency> <dependency> <groupId>org.springframework.security</groupId> <artifactId>spring-security-config</artifactId> <version>${org.springframework-version}</version> </dependency>
4.配置spring security .xml文件
<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> <!-- 不需要进行安全认证的资源 --> <http pattern="/resources/**" security="none" /> <http pattern="/login.jsp" security="none"/> <!-- 资源所需要的权限 --> <http auto-config='true'> <form-login login-page="/login.jsp" default-target-url="/index.jsp" authentication-failure-url="/login.jsp?error=true" /> <logout logout-success-url="/index.jsp"/> <!-- 尝试访问没有权限的页面时跳转的页面 --> <access-denied-handler error-page="/error-noauth.jsp"/> <custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR"/> </http> <!-- 自定义一个filter,必须包含authenticationManager,accessDecisionManager, securityMetadataSource三个属性 所有的功能都在这三个类中实现--> <beans:bean id="myFilter" class="com.demo.im.model.security.MyFilterSecurotyInterceptor"> <beans:property name="authenticationManager" ref="authenticationManager" /> <beans:property name="accessDecisionManager" ref ="myAccessDecisionManagerBean"/> <beans:property name="securityMetadataSource" ref="securityMetadaSource"/> </beans:bean> <!-- 认证管理器,实现用户认证的入口,主要实现userdetailsservice --> <authentication-manager alias="authenticationManager"> <authentication-provider user-service-ref="myUserDetailService"> </authentication-provider> </authentication-manager> <beans:bean id="myUserDetailService" class="com.demo.im.model.security.DefaultUserDetailsService"> </beans:bean> <!-- 访问决策,决定某个用户具有的角色,是否有足够的权限去访问某个资源 --> <beans:bean id="myAccessDecisionManagerBean" class="com.demo.im.model.security.MyAccessDecisionManager" /> <beans:bean id="securityMetadaSource" class="com.demo.im.model.security.MyInvocationSecurityMetadaSource"/> </beans:beans>
5.MyFilterSecurotyInterceptor 自定义filter的代码如下。
其中最核心的代码是 invoke() 方法中的
InterceptorStatusToken token = super.beforeInvocation(fi);
这一句在dofilter之前进行权限验证,而具体的实现交给了accessDecisionManager,下面将继续讨论
package com.demo.im.model.security; import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import org.springframework.security.access.SecurityMetadataSource; import org.springframework.security.access.intercept.AbstractSecurityInterceptor; import org.springframework.security.access.intercept.InterceptorStatusToken; import org.springframework.security.web.FilterInvocation; import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource; public class MyFilterSecurotyInterceptor extends AbstractSecurityInterceptor implements Filter { private FilterInvocationSecurityMetadataSource securityMetadataSource; @Override public void init(FilterConfig filterConfig) throws ServletException { // TODO Auto-generated method stub } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { FilterInvocation fi = new FilterInvocation(request, response,chain); invoke(fi); } @Override public void destroy() { // TODO Auto-generated method stub } @Override public Class<?> getSecureObjectClass() { // TODO Auto-generated method stub return FilterInvocation.class; } @Override public SecurityMetadataSource obtainSecurityMetadataSource() { // TODO Auto-generated method stub return this.securityMetadataSource; } public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() { return securityMetadataSource; } public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) { this.securityMetadataSource = securityMetadataSource; } public void invoke(FilterInvocation fi) throws IOException ,ServletException{ InterceptorStatusToken token = super.beforeInvocation(fi); try { fi.getChain().doFilter(fi.getRequest(), fi.getResponse()); } catch (Exception e) { // TODO: handle exception }finally{ super.afterInvocation(token, null); } } }
6.DefaultUserDetailsService的实现
在这个类中你可以通过读取数据库来进行权限赋值,下面的代码未注解的是我写的静态的
package com.demo.im.model.security; import java.util.ArrayList; import java.util.Collection; import java.util.List; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.GrantedAuthorityImpl; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.stereotype.Service; import com.demo.im.entity.Role; import com.demo.im.entity.TUser; import com.demo.im.model.dao.TUserMapper; @Service public class DefaultUserDetailsService implements UserDetailsService { @Autowired TUserMapper userDao; @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { // TODO Auto-generated method stub System.out.println("userDetail********"); Collection <GrantedAuthority> auths = new ArrayList<GrantedAuthority>(); GrantedAuthority auth2 = new GrantedAuthorityImpl("ROLE_ADMIN"); auths.add(auth2); User user = new User(username,"1111",true,true,true,true,auths); return user; // TUser paramU = new TUser(); // paramU.setUsername(username); // List<TUser> userList = userDao.selectByUserParam(paramU); // TUser user = new TUser(); // if(userList==null || userList.size()<=0){ // throw new UsernameNotFoundException("username"); // } // //得到用户权限 // if(user.getRoles()!=null && user.getRoles().size()>0){ // // for(Role role : user.getRoles()){ // GrantedAuthority grantedAuthority = new GrantedAuthorityImpl( // role.getRolecode().toUpperCase()); // auths.add(grantedAuthority); // } // // } // user.setAuthorities(auths); // return user; } }
7.MyInvocationSecurityMetadaSource类的内容
这个类说白了就是从数据库中取出资源对应的权限,我这里也是写的静态的,修改为动态的方法也很简单,执行一个查询就行了
package com.demo.im.model.security; import java.util.ArrayList; import java.util.Collection; import java.util.HashMap; import java.util.Iterator; import java.util.Map; import org.springframework.security.access.ConfigAttribute; import org.springframework.security.access.SecurityConfig; import org.springframework.security.web.FilterInvocation; import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource; public class MyInvocationSecurityMetadaSource implements FilterInvocationSecurityMetadataSource{ // private UrlMatcher urlMatcher = new AntUrlPathMatcher(); private static Map<String,Collection<ConfigAttribute>> resourceMap = null; public MyInvocationSecurityMetadaSource(){ loadResourceDefine(); } private void loadResourceDefine(){ resourceMap = new HashMap<String, Collection<ConfigAttribute>>(); Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>(); ConfigAttribute ca = new SecurityConfig("ROLE_ADMIN"); atts.add(ca); resourceMap.put("/user.jsp", atts); resourceMap.put("/admin.jsp", atts); resourceMap.put("/index.jsp",atts); } @Override public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException { // TODO Auto-generated method stub String url = ((FilterInvocation)object).getRequestUrl(); Iterator<String> ite = resourceMap.keySet().iterator(); while(ite.hasNext()){ String resURL = ite.next(); if(url.equalsIgnoreCase(resURL)){ return resourceMap.get(resURL); } } return null; } @Override public Collection<ConfigAttribute> getAllConfigAttributes() { // TODO Auto-generated method stub return null; } @Override public boolean supports(Class<?> clazz) { // TODO Auto-generated method stub return true; } }
8.最后就是决策类了MyAccessDecisionManager
这个类就更好理解了,我们知道了用户的角色,我们也知道资源的角色,对比一下,也就是decide()一致就返回,不行就抛异常
package com.demo.im.model.security; import java.util.Collection; import java.util.Iterator; import org.springframework.security.access.AccessDecisionManager; import org.springframework.security.access.AccessDeniedException; import org.springframework.security.access.ConfigAttribute; import org.springframework.security.access.SecurityConfig; import org.springframework.security.authentication.InsufficientAuthenticationException; import org.springframework.security.core.Authentication; import org.springframework.security.core.GrantedAuthority; public class MyAccessDecisionManager implements AccessDecisionManager{ @Override public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException { if(configAttributes == null){ return ; } System.out.println(object.toString()); Iterator<ConfigAttribute> ite = configAttributes.iterator(); while(ite.hasNext()){ ConfigAttribute ca = ite.next(); String needRole = ((SecurityConfig)ca).getAttribute(); for(GrantedAuthority ga : authentication.getAuthorities()){ if(needRole.equals(ga.getAuthority())){ return ; } } } throw new AccessDeniedException("no right"); } @Override public boolean supports(ConfigAttribute arg0) { // TODO Auto-generated method stub return true; } @Override public boolean supports(Class<?> arg0) { // TODO Auto-generated method stub return true; } }
9总结:
到这里一个基本的spring security算是搭建完了。过会在来说说我遇到的坑。方便以后大家找自己的坑。