这几天项目中用到了SpringSecurity做登陆安全。所以在这写一下也许可以帮助一下其他人,自己也熟悉一下

SpringSecurity配置文件如下:

<beans:beans xmlns="http://www.springframework.org/schema/security"

	xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

	xsi:schemaLocation="http://www.springframework.org/schema/beans

	http://www.springframework.org/schema/beans/spring-beans-3.0.xsd

	http://www.springframework.org/schema/security

	http://www.springframework.org/schema/security/spring-security-3.1.xsd">

	<!-- 这个元素用来在你的应用程序中启用基于安全的注解

    <global-method-security  pre-post-annotations="enabled" access-decision-manager-ref="myAccessDecisionManager"/>

    -->

	<http pattern="/index.html" security="none" />	

	<http auto-config="true">

		<logout logout-success-url="/app/login" />

		<form-login login-page="/app/login" default-target-url="/app/admin"

			authentication-failure-url="/app/loginfailed" />

		<!-- "记住我"功能,采用持久化策略(将用户的登录信息存放在数据库表中) -->

		<!-- <remember-me data-source-ref="dataSource" /> -->

		<!-- 增加一个自定义的filter,放在FILTER_SECURITY_INTERCEPTOR之前,

		实现用户、角色、权限、资源的数据库管理-->

		<custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR"/> 

	</http>

	<!-- 实现了UserDetailsService的Bean -->

	<authentication-manager alias="myAuthenticationManager">

		<authentication-provider user-service-ref="myUserDetailService">

		     <password-encoder hash="plaintext">

             </password-encoder>

			<!-- <password-encoder ref="passwordEncoder">

			    <salt-source user-property="username" />

			</password-encoder> -->

		</authentication-provider>

	</authentication-manager>

	<!--

	             一个自定义的filter,必须包含

	     authenticationManager,

	     accessDecisionManager,

	     securityMetadataSource 三个属性。

	 -->

	<beans:bean id="myFilter"

		class="com.yihaomen.common.intercept.MyFilterSecurityInterceptor">

		<!-- 用户拥有的权限 -->

		<beans:property name="authenticationManager" ref="myAuthenticationManager"></beans:property>

		<!-- 用户是否拥有所请求资源的权限 -->

		<beans:property name="accessDecisionManager" ref="myAccessDecisionManager"></beans:property>

		<!-- 资源与权限对应关系 -->

		<beans:property name="securityMetadataSource" ref="mySecurityMetadataSource"></beans:property>

	</beans:bean>

</beans:beans>

所有的实现逻辑便在这个FilterInterceptor之中,主要的实现的是这个Interceptor中的三个属性,而实现的这三个类:

Interceptor:

package com.yihaomen.common.intercept;

import java.io.IOException;

import javax.servlet.Filter;

import javax.servlet.FilterChain;

import javax.servlet.FilterConfig;

import javax.servlet.ServletException;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.security.access.SecurityMetadataSource;

import org.springframework.security.access.intercept.AbstractSecurityInterceptor;

import org.springframework.security.access.intercept.InterceptorStatusToken;

import org.springframework.security.web.FilterInvocation;

import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {

	// 与spring-security.xml里的myFilter的属性securityMetadataSource对应,

	// 其他的两个组件,已经在AbstractSecurityInterceptor定义

	@Autowired

	private FilterInvocationSecurityMetadataSource securityMetadataSource;

	public void doFilter(ServletRequest request, ServletResponse response,

			FilterChain chain) throws IOException, ServletException {

		FilterInvocation fi = new FilterInvocation(request, response, chain);

		invoke(fi);

	}

	public Class<? extends Object> getSecureObjectClass() {

		return FilterInvocation.class;

	}

	public void invoke(FilterInvocation fi) throws IOException,

			ServletException {

		// object为FilterInvocation对象

		// super.beforeInvocation(fi);源码

		// 1.获取请求资源的权限

		// 执行Collection<ConfigAttribute> attributes =

		// SecurityMetadataSource.getAttributes(object);

		// 2.是否拥有权限

		// this.accessDecisionManager.decide(authenticated, object, attributes);

		InterceptorStatusToken token = super.beforeInvocation(fi);

		try {

			fi.getChain().doFilter(fi.getRequest(), fi.getResponse());

		} finally {

			super.afterInvocation(token, null);

		}

	}

	@Override

	public SecurityMetadataSource obtainSecurityMetadataSource() {

		return this.securityMetadataSource;

	}

	public void setSecurityMetadataSource(

			FilterInvocationSecurityMetadataSource securityMetadataSource) {

		this.securityMetadataSource = securityMetadataSource;

	}

	public void destroy() {

	}

	public void init(FilterConfig filterconfig) throws ServletException {

	}

}

package com.yihaomen.comm.service;

import java.util.Collection;

import java.util.HashMap;

import java.util.Iterator;

import java.util.List;

import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.security.access.ConfigAttribute;

import org.springframework.security.web.FilterInvocation;

import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

import com.yihaomen.common.dao.ResourcesDao;

import com.yihaomen.common.domain.SysResource;

public class MyInvocationSecurityMetadataSourceService implements

		FilterInvocationSecurityMetadataSource {

	@Autowired

	private ResourcesDao resourcesDao;

	// resourceMap及为key-url,value-Collection<ConfigAttribute>,资源权限对应Map

	private static Map<String, Collection<ConfigAttribute>> resourceMap = null;

	public MyInvocationSecurityMetadataSourceService(ResourcesDao resourcesDao) {

		this.resourcesDao = resourcesDao;

		System.out.println("加载MyInvocationSecurityMetadataSourceService..."

				+ resourcesDao);

		loadResourceDefine();

	}

	// 加载所有资源与权限的关系

	private void loadResourceDefine() {

		if (resourceMap == null) {

			resourceMap = new HashMap<String, Collection<ConfigAttribute>>();

			List<SysResource> resources = resourcesDao.findAll();

			// 加载资源对应的权限

			for (SysResource resource : resources) {

				Collection<ConfigAttribute> auths = resourcesDao

						.loadRoleByResource(resource.getResource());

				System.out.println("权限=" + auths);

				resourceMap.put(resource.getResource(), auths);

			}

		}

	}

	//由资源路径获得权限

	//object为请求的资源路径

	public Collection<ConfigAttribute> getAttributes(Object object)

			throws IllegalArgumentException {

		// object是一个URL,被用户请求的url

		String requestUrl = ((FilterInvocation) object).getRequestUrl();

		System.out.println("requestUrl is " + requestUrl);

		int firstQuestionMarkIndex = requestUrl.indexOf("?");

		//如果请求的资源路径有?后面的参数,则将?后面的切掉,以免拒绝访问

		if (firstQuestionMarkIndex != -1) {

			requestUrl = requestUrl.substring(0, firstQuestionMarkIndex);

		}

		if (resourceMap == null) {

			loadResourceDefine();

		}

		//

		Iterator<String> ite = resourceMap.keySet().iterator();

		//根据资源路径获得其所需的权限

		while (ite.hasNext()) {

			String resURL = ite.next();

			if (resURL.equals(requestUrl)) {

				return resourceMap.get(resURL);

			}

		}

		return null;

	}

	public boolean supports(Class<?> arg0) {

		// TODO Auto-generated method stub

		return true;

	}

	public Collection<ConfigAttribute> getAllConfigAttributes() {

		// TODO Auto-generated method stub

		return null;

	}

}

package com.yihaomen.comm.service;

import java.sql.SQLException;

import java.util.Collection;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.dao.DataAccessException;

import org.springframework.security.core.GrantedAuthority;

import org.springframework.security.core.userdetails.User;

import org.springframework.security.core.userdetails.UserCache;

import org.springframework.security.core.userdetails.UserDetails;

import org.springframework.security.core.userdetails.UserDetailsService;

import org.springframework.security.core.userdetails.UsernameNotFoundException;

import com.yihaomen.common.dao.UserInfoDao;

import com.yihaomen.common.domain.SysUser;

/**

 * 根据用户名获得其所拥有的权限,返回该用户的状态信息。并将其所拥有的权限放入GrantedAuthority中

 * @author Administrator

 *

 */

public class MyUserDetailService implements UserDetailsService {

	@Autowired

	private UserInfoDao userInfoDao;

	@Autowired

	private UserCache userCache;

	public UserDetails loadUserByUsername(String username)

			throws UsernameNotFoundException, DataAccessException {

		System.out.println("username is :" + username);

		SysUser user = null;

		try {

			user = this.userInfoDao.findByName(username);

			System.out.println(user);

		} catch (SQLException e) {

			// TODO Auto-generated catch block

			e.printStackTrace();

		}

		// 获得用户权限

		Collection<GrantedAuthority> auths = userInfoDao

				.loadUserAuthorityByName(username);

		boolean enables = true;

		// 账户过期否

		boolean accountNonExpired = true;

		// 证书过期否

		boolean credentialsNonExpired = true;

		// 账户锁定否

		boolean accountNonLocked = true;

		// 封装成spring security的user

		User userdetail = new User(username, user.getPassword(), enables,

				accountNonExpired, credentialsNonExpired, accountNonLocked,

				auths);

		for (GrantedAuthority s : auths) {

			s.getAuthority();

		}

		System.out.println(auths);

		return userdetail;

	}

	public UserInfoDao getUserInfoDao() {

		return userInfoDao;

	}

	public void setUserInfoDao(UserInfoDao userInfoDao) {

		this.userInfoDao = userInfoDao;

	}

	//设置用户缓存功能。

	public UserCache getUserCache() {

		return userCache;

	}

	public void setUserCache(UserCache userCache) {

		this.userCache = userCache;

	}

}

package com.yihaomen.comm.service;

import java.util.Collection;

import java.util.Iterator;

import org.springframework.security.access.AccessDecisionManager;

import org.springframework.security.access.AccessDeniedException;

import org.springframework.security.access.ConfigAttribute;

import org.springframework.security.access.SecurityConfig;

import org.springframework.security.authentication.InsufficientAuthenticationException;

import org.springframework.security.core.Authentication;

import org.springframework.security.core.GrantedAuthority;

public class MyAccessDecisionManager implements AccessDecisionManager {

	public void decide(Authentication authentication, Object object,

			Collection<ConfigAttribute> configAttributes)

			throws AccessDeniedException, InsufficientAuthenticationException {

		if (configAttributes == null) {

			return;

		}

		//所请求的资源拥有的权限(一个资源对多个权限)

		Iterator<ConfigAttribute> ite = configAttributes.iterator();

		while (ite.hasNext()) {

			ConfigAttribute ca = ite.next();

			//访问所请求资源所需要的权限

			String needRole = ((SecurityConfig) ca).getAttribute();

			System.out.println("needRole is " + needRole);

			// ga 为用户所被赋予的权限。 needRole 为访问相应的资源应该具有的权限。

			for (GrantedAuthority ga : authentication.getAuthorities()) {

				if (needRole.trim().equals(ga.getAuthority().trim())) {

					return;

				}

			}

		}

		//没有权限

		throw new AccessDeniedException("没有权限访问!");

	}

	public boolean supports(ConfigAttribute arg0) {

		// TODO Auto-generated method stub

		return true;

	}

	public boolean supports(Class<?> arg0) {

		// TODO Auto-generated method stub

		return true;

	}

}

SpringSecurity数据库中存储用户、角色、资源的更多相关文章

  1. Spring-Security (学习记录三)--读取数据库中的用户和角色

    目录 1.先将hibernate的环境整合进来 2.创建一个数据库security,执行security.sql 3.修改spring-security.xml,采用数据库的方式读取用户跟角色 4.u ...

  2. SpringSecurity 自定义用户 角色 资源权限控制

    SpringSecurity 自定义用户 角色 资源权限控制 package com.joyen.learning.security; import java.sql.ResultSet; impor ...

  3. 数据库中存储日期的字段类型究竟应该用varchar还是datetime ?

    背景: 前段时间在百度经验看到一篇文章<如何在电脑右下角显示你(爱人)的名字>,之前也听过这个小技巧,但没真正动手设置过.所以出于好奇就实践了一下. 设置完成后的效果例如以下.右下角的时间 ...

  4. 批量替换数据库中所有用户数据表中字段数据类型为char和varchar到nvarchar的脚本

    解决问题:字段类型为char的总是占用指定字节长度(末尾好多空白符号),varchar数据类型长度一个汉字占2个字节,内容存储为中文的字段个人建议全部使用nvarchar. 操作说明:打开SQL Se ...

  5. SQL批量更新数据库中所有用户数据表中字段类型为tinyint为int

    --SQL批量更新数据库中所有用户数据表中字段类型为tinyint为int --关键说明:--1.从系统表syscolumns中的查询所有xtype='48'的记录得到类型为[tinyint]的字段- ...

  6. 查看MYSQL数据库中所有用户及拥有权限

    查看MYSQL数据库中所有用户 mysql> SELECT DISTINCT CONCAT('User: ''',user,'''@''',host,''';') AS query FROM m ...

  7. C# 在SQLite数据库中存储图像 z

    C# 在SQLite数据库中存储图像 更多 0 C# SQLite   建表语句 CREATE TABLE [ImageStore]([ImageStore_Id] INTEGER NOT NULL ...

  8. Oracle 18c 数据库中scott用户不存在的解决方法

    Oracle 18c 数据库中scott用户不存在的解决方法 注:该文为转载 上面标题可直接跳转 原文地址:http://www.cnblogs.com/zangdalei/p/5482732.htm ...

  9. 数据库中存储日期的字段类型到底应该用varchar还是datetime

    将数据库中存储时间的数据类型改为varchar(),这时最好让这些时间是数据库中自动生成的(一个没有格式的输入也可能会导致输出错误),因为存储类型为varchar(),所以获取到的值也就被认为是一个字 ...

随机推荐

  1. iOS开发总结-UITableView 自定义cell和动态计算cell的高度

    UITableView cell自定义头文件:shopCell.h#import <UIKit/UIKit.h>@interface shopCell : UITableViewCell@ ...

  2. 在Windows下使用MinGW静态编译Assimp

    使用MinGW静态编译Assimp 到了5月份了,没有写一篇日志,于是自己从知识库里面拿出一篇文章充数吧.这次将要解说怎样在Windows下使用MinGW静态编译Assimp. Assimp是眼下比較 ...

  3. android Camera拍照 及 MediaRecorder录像 预览图像差90度

    Camera拍照: 今天做照相机程序,结果写好了发现出问题了,预览的图像差90度.相关源代码如下: Camera.Parameters params = camera.getParameters(); ...

  4. CCProgressTimer用法

    bool HelloWorld::init(){ if ( !CCLayerColor::initWithColor(ccc4(255, 255, 2555, 255))){ return false ...

  5. Android开发之ViewPager实现多页面切换及动画效果(仿Android的Launcher效果)

    Android开发中经常会有引导页或者切换页面等效果,本文采用ViewPager结合动画效果来实现仿Launcher以及页面切换的效果.源码地址在文章最后给出下载. 效果图如下:       1.Vi ...

  6. ios中创建可以拖动的view原理和实现详解

    有时候我们会需要在界面上拖动view;uiview是继承于uiresponder的,所以可以响应触摸相关的事件. 重点是以下一组方法: - (void)touchesBegan:(NSSet *)to ...

  7. jquery自调用匿名函数解析

    alert("undefined" in window);        (function (window, undefined) {            //构造jQuery ...

  8. AndroidStudio1.4 manifest 中注册Activity时的错误提示解决办法

    问题截图如下: 解决办法截图如下: 1: File->setting->Editor->Language Injections到如下界面 2:双击右侧选中的Item进入编辑界面 3: ...

  9. MyEclipse中配置自己的JRE和tomcat

    MyEclipse中配置自己的JRE:windows>Preference>java>Installed JREs>Add>Stantard VM>next> ...

  10. OC基础-day06

    #pragma mark - Day06_01_点语法 1. 点语法. 1). 如果要访问对象的属性,还要去调用属性对应的setter getter方法.好烦躁好烦躁. 2). 点语法的作用: 快速调 ...