spring security 3 自定义认证,授权示例
1,建一个web project,并导入所有需要的lib。
2,配置web.xml,使用Spring的机制装载:
- <?xml version="1.0" encoding="UTF-8"?>
- <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
- http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
- <context-param>
- <param-name>contextConfigLocation</param-name>
- <param-value>classpath:applicationContext*.xml</param-value>
- </context-param>
- <listener>
- <listener-class>
- org.springframework.web.context.ContextLoaderListener
- </listener-class>
- </listener>
- <filter>
- <filter-name>springSecurityFilterChain</filter-name>
- <filter-class>
- org.springframework.web.filter.DelegatingFilterProxy
- </filter-class>
- </filter>
- <filter-mapping>
- <filter-name>springSecurityFilterChain</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
- <welcome-file-list>
- <welcome-file>login.jsp</welcome-file>
- </welcome-file-list>
- </web-app>
这个文件中的内容我相信大家都很熟悉了,不再多说了。
2,来看看applicationContext-security.xml这个配置文件,关于Spring Security的配置均在其中:
- <?xml version="1.0" encoding="UTF-8"?>
- <beans:beans xmlns="http://www.springframework.org/schema/security"
- xmlns:beans="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
- http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security-3.0.xsd">
- <http access-denied-page="/403.jsp"><!-- 当访问被拒绝时,会转到403.jsp -->
- <intercept-url pattern="/login.jsp" filters="none" />
- <form-login login-page="/login.jsp"
- authentication-failure-url="/login.jsp?error=true"
- default-target-url="/index.jsp" />
- <logout logout-success-url="/login.jsp" />
- <http-basic />
- <!-- 增加一个filter,这点与Acegi是不一样的,不能修改默认的filter了,这个filter位于FILTER_SECURITY_INTERCEPTOR之前 -->
- <custom-filter before="FILTER_SECURITY_INTERCEPTOR"
- ref="myFilter" />
- </http>
- <!-- 一个自定义的filter,必须包含authenticationManager,accessDecisionManager,securityMetadataSource三个属性,
- 我们的所有控制将在这三个类中实现,解释详见具体配置 -->
- <beans:bean id="myFilter" class="com.robin.erp.fwk.security.MyFilterSecurityInterceptor">
- <beans:property name="authenticationManager"
- ref="authenticationManager" />
- <beans:property name="accessDecisionManager"
- ref="myAccessDecisionManagerBean" />
- <beans:property name="securityMetadataSource"
- ref="securityMetadataSource" />
- </beans:bean>
- <!-- 认证管理器,实现用户认证的入口,主要实现UserDetailsService接口即可 -->
- <authentication-manager alias="authenticationManager">
- <authentication-provider
- user-service-ref="myUserDetailService">
- <!-- 如果用户的密码采用加密的话,可以加点“盐”
- <password-encoder hash="md5" />
- -->
- </authentication-provider>
- </authentication-manager>
- <beans:bean id="myUserDetailService"
- class="com.robin.erp.fwk.security.MyUserDetailService" />
- <!-- 访问决策器,决定某个用户具有的角色,是否有足够的权限去访问某个资源 -->
- <beans:bean id="myAccessDecisionManagerBean"
- class="com.robin.erp.fwk.security.MyAccessDecisionManager">
- </beans:bean>
- <!-- 资源源数据定义,即定义某一资源可以被哪些角色访问 -->
- <beans:bean id="securityMetadataSource"
- class="com.robin.erp.fwk.security.MyInvocationSecurityMetadataSource" />
- </beans:beans>
3,来看看自定义filter的实现:
- package com.example.spring.security;
- import java.io.IOException;
- import javax.servlet.Filter;
- import javax.servlet.FilterChain;
- import javax.servlet.FilterConfig;
- import javax.servlet.ServletException;
- import javax.servlet.ServletRequest;
- import javax.servlet.ServletResponse;
- import org.springframework.security.access.SecurityMetadataSource;
- import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
- import org.springframework.security.access.intercept.InterceptorStatusToken;
- import org.springframework.security.web.FilterInvocation;
- import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
- public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor
- implements Filter {
- private FilterInvocationSecurityMetadataSource securityMetadataSource;
- // ~ Methods
- // ========================================================================================================
- /**
- * Method that is actually called by the filter chain. Simply delegates to
- * the {@link #invoke(FilterInvocation)} method.
- *
- * @param request
- * the servlet request
- * @param response
- * the servlet response
- * @param chain
- * the filter chain
- *
- * @throws IOException
- * if the filter chain fails
- * @throws ServletException
- * if the filter chain fails
- */
- public void doFilter(ServletRequest request, ServletResponse response,
- FilterChain chain) throws IOException, ServletException {
- FilterInvocation fi = new FilterInvocation(request, response, chain);
- invoke(fi);
- }
- public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
- return this.securityMetadataSource;
- }
- public Class<? extends Object> getSecureObjectClass() {
- return FilterInvocation.class;
- }
- public void invoke(FilterInvocation fi) throws IOException,
- ServletException {
- InterceptorStatusToken token = super.beforeInvocation(fi);
- try {
- fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
- } finally {
- super.afterInvocation(token, null);
- }
- }
- public SecurityMetadataSource obtainSecurityMetadataSource() {
- return this.securityMetadataSource;
- }
- public void setSecurityMetadataSource(
- FilterInvocationSecurityMetadataSource newSource) {
- this.securityMetadataSource = newSource;
- }
- @Override
- public void destroy() {
- }
- @Override
- public void init(FilterConfig arg0) throws ServletException {
- }
- }
最核心的代码就是invoke方法中的InterceptorStatusToken token = super.beforeInvocation(fi);这一句,即在执行doFilter之前,进行权限的检查,而具体的实现已经交给accessDecisionManager了。
4,来看看authentication-provider的实现:
- package com.example.spring.security;
- import java.util.ArrayList;
- import java.util.Collection;
- import org.springframework.dao.DataAccessException;
- import org.springframework.security.core.GrantedAuthority;
- import org.springframework.security.core.authority.GrantedAuthorityImpl;
- import org.springframework.security.core.userdetails.User;
- import org.springframework.security.core.userdetails.UserDetails;
- import org.springframework.security.core.userdetails.UserDetailsService;
- import org.springframework.security.core.userdetails.UsernameNotFoundException;
- public class MyUserDetailService implements UserDetailsService {
- @Override
- public UserDetails loadUserByUsername(String username)
- throws UsernameNotFoundException, DataAccessException {
- Collection<GrantedAuthority> auths=new ArrayList<GrantedAuthority>();
- GrantedAuthorityImpl auth2=new GrantedAuthorityImpl("ROLE_ADMIN");
- auths.add(auth2);
- if(username.equals("robin1")){
- auths=new ArrayList<GrantedAuthority>();
- GrantedAuthorityImpl auth1=new GrantedAuthorityImpl("ROLE_ROBIN");
- auths.add(auth1);
- }
- // User(String username, String password, boolean enabled, boolean accountNonExpired,
- // boolean credentialsNonExpired, boolean accountNonLocked, Collection<GrantedAuthority> authorities) {
- User user = new User(username,
- "robin", true, true, true, true, auths);
- return user;
- }
- }
在这个类中,你就可以从数据库中读入用户的密码,角色信息,是否锁定,账号是否过期等,我想这么简单的代码就不再多解释了。
5,对于资源的访问权限的定义,我们通过实现FilterInvocationSecurityMetadataSource这个接口来初始化数据。
- package com.example.spring.security;
- import java.util.ArrayList;
- import java.util.Collection;
- import java.util.HashMap;
- import java.util.Iterator;
- import java.util.Map;
- import org.springframework.security.access.ConfigAttribute;
- import org.springframework.security.access.SecurityConfig;
- import org.springframework.security.web.FilterInvocation;
- import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
- import org.springframework.security.web.util.AntUrlPathMatcher;
- import org.springframework.security.web.util.UrlMatcher;
- /**
- *
- * 此类在初始化时,应该取到所有资源及其对应角色的定义
- *
- * @author Robin
- *
- */
- public class MyInvocationSecurityMetadataSource
- implements FilterInvocationSecurityMetadataSource {
- private UrlMatcher urlMatcher = new AntUrlPathMatcher();;
- private static Map<String, Collection<ConfigAttribute>> resourceMap = null;
- public MyInvocationSecurityMetadataSource() {
- loadResourceDefine();
- }
- private void loadResourceDefine() {
- resourceMap = new HashMap<String, Collection<ConfigAttribute>>();
- Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>();
- ConfigAttribute ca = new SecurityConfig("ROLE_ADMIN");
- atts.add(ca);
- resourceMap.put("/index.jsp", atts);
- resourceMap.put("/i.jsp", atts);
- }
- // According to a URL, Find out permission configuration of this URL.
- public Collection<ConfigAttribute> getAttributes(Object object)
- throws IllegalArgumentException {
- // guess object is a URL.
- String url = ((FilterInvocation)object).getRequestUrl();
- Iterator<String> ite = resourceMap.keySet().iterator();
- while (ite.hasNext()) {
- String resURL = ite.next();
- if (urlMatcher.pathMatchesUrl(url, resURL)) {
- return resourceMap.get(resURL);
- }
- }
- return null;
- }
- public boolean supports(Class<?> clazz) {
- return true;
- }
- public Collection<ConfigAttribute> getAllConfigAttributes() {
- return null;
- }
- }
看看loadResourceDefine方法,我在这里,假定index.jsp和i.jsp这两个资源,需要ROLE_ADMIN角色的用户才能访问。
这个类中,还有一个最核心的地方,就是提供某个资源对应的权限定义,即getAttributes方法返回的结果。注意,我例子中使用的是AntUrlPathMatcher这个path matcher来检查URL是否与资源定义匹配,事实上你还要用正则的方式来匹配,或者自己实现一个matcher。
6,剩下的就是最终的决策了,make a decision,其实也很容易,呵呵。
- package com.example.spring.security;
- import java.util.Collection;
- import java.util.Iterator;
- import org.springframework.security.access.AccessDecisionManager;
- import org.springframework.security.access.AccessDeniedException;
- import org.springframework.security.access.ConfigAttribute;
- import org.springframework.security.access.SecurityConfig;
- import org.springframework.security.authentication.InsufficientAuthenticationException;
- import org.springframework.security.core.Authentication;
- import org.springframework.security.core.GrantedAuthority;
- public class MyAccessDecisionManager implements AccessDecisionManager {
- //In this method, need to compare authentication with configAttributes.
- // 1, A object is a URL, a filter was find permission configuration by this URL, and pass to here.
- // 2, Check authentication has attribute in permission configuration (configAttributes)
- // 3, If not match corresponding authentication, throw a AccessDeniedException.
- public void decide(Authentication authentication, Object object,
- Collection<ConfigAttribute> configAttributes)
- throws AccessDeniedException, InsufficientAuthenticationException {
- if(configAttributes == null){
- return ;
- }
- System.out.println(object.toString()); //object is a URL.
- Iterator<ConfigAttribute> ite=configAttributes.iterator();
- while(ite.hasNext()){
- ConfigAttribute ca=ite.next();
- String needRole=((SecurityConfig)ca).getAttribute();
- for(GrantedAuthority ga:authentication.getAuthorities()){
- if(needRole.equals(ga.getAuthority())){ //ga is user's role.
- return;
- }
- }
- }
- throw new AccessDeniedException("no right");
- }
- @Override
- public boolean supports(ConfigAttribute attribute) {
- // TODO Auto-generated method stub
- return true;
- }
- @Override
- public boolean supports(Class<?> clazz) {
- return true;
- }
- }
在这个类中,最重要的是decide方法,如果不存在对该资源的定义,直接放行;否则,如果找到正确的角色,即认为拥有权限,并放行,否则throw new AccessDeniedException("no right");这样,就会进入上面提到的403.jsp页面
spring security 3 自定义认证,授权示例的更多相关文章
- Spring Security OAuth2.0认证授权三:使用JWT令牌
Spring Security OAuth2.0系列文章: Spring Security OAuth2.0认证授权一:框架搭建和认证测试 Spring Security OAuth2.0认证授权二: ...
- Spring Security OAuth2.0认证授权六:前后端分离下的登录授权
历史文章 Spring Security OAuth2.0认证授权一:框架搭建和认证测试 Spring Security OAuth2.0认证授权二:搭建资源服务 Spring Security OA ...
- Spring Security OAuth2.0认证授权二:搭建资源服务
在上一篇文章[Spring Security OAuth2.0认证授权一:框架搭建和认证测试](https://www.cnblogs.com/kuangdaoyizhimei/p/14250374. ...
- Spring Security OAuth2.0认证授权四:分布式系统认证授权
Spring Security OAuth2.0认证授权系列文章 Spring Security OAuth2.0认证授权一:框架搭建和认证测试 Spring Security OAuth2.0认证授 ...
- Spring Security OAuth2.0认证授权五:用户信息扩展到jwt
历史文章 Spring Security OAuth2.0认证授权一:框架搭建和认证测试 Spring Security OAuth2.0认证授权二:搭建资源服务 Spring Security OA ...
- Spring Security OAuth2.0认证授权一:框架搭建和认证测试
一.OAuth2.0介绍 OAuth(开放授权)是一个开放标准,允许用户授权第三方应用访问他们存储在另外的服务提供者上的信息,而不 需要将用户名和密码提供给第三方应用或分享他们数据的所有内容. 1.s ...
- Spring security OAuth2.0认证授权学习第四天(SpringBoot集成)
基础的授权其实只有两行代码就不单独写一个篇章了; 这两行就是上一章demo的权限判断; 集成SpringBoot SpringBoot介绍 这个篇章主要是讲SpringSecurity的,Spring ...
- Spring security OAuth2.0认证授权学习第三天(认证流程)
本来之前打算把第三天写基于Session认证授权的,但是后来视屏看完后感觉意义不大,而且内容简单,就不单独写成文章了; 简单说一下吧,就是通过Servlet的SessionApi 通过实现拦截器的前置 ...
- Spring security OAuth2.0认证授权学习第一天(基础概念-认证授权会话)
这段时间没有学习,可能是因为最近工作比较忙,每天回来都晚上11点多了,但是还是要学习的,进过和我的领导确认,在当前公司的技术架构方面,将持续使用Spring security,暂不做Shiro的考虑, ...
随机推荐
- Idea1.5使用Maven搭建Apache Spark1.6源码阅读环境
1.插件安装,在Idea界面依次:File->settings->plugins,安装Maven 2.下载Spark1.6.2源码,这个在GitHub上下载,具体流程自己百度,很简单 3. ...
- Jquery 返回顶部
<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8&qu ...
- 新手站长选择WordPress程序建站需要注意的8个问题
文章出自:http://www.banwagongvps.com/119.html 如今我们不论是出于个人的兴趣爱好,还是出于我们希望通过搭建自己的网站获利的动机,入门级别的都变得非 常的简单,我们只 ...
- crontab格式使用方式
第1列分钟1-59第2列小时1-23(0表示子夜)第3列日1-31第4列月1-12第5列星期0-6(0表示星期天)第6列要运行的命令 下面是crontab的格式:分 时 日 月 星期 要运行的命令 这 ...
- SDCC 2016中国软件开发者大会十三大主题
SDCC中国软件开发者嘉年华(Software Developer Carnival China),是由全球最大中文IT社区CSDN于2007年创办的软件技术领域顶级盛会,将如约于2016年11月18 ...
- 关于input在li列表中居中显示
input属于置换元素(replaced element),置换元素主要是指img,input,textarea,select,object等这类默认就有CSS格式化外表范围的元素,这些元素的垂直居中 ...
- 【LeetCode】419. Battleships in a Board
Given an 2D board, count how many different battleships are in it. The battleships are represented w ...
- hdu_5969_最大的位或(贪心)
题目链接:hdu_5969_最大的位或 题意: 中文,还是自己看 题解: xjb贪心一下就行了 #include<bits/stdc++.h> #define F(i,a,b) for(i ...
- 使用SpringMVC时,配置DispatcherServlet注意的url-pattern的问题
url-pattern配置时注意: <!--springMVC配置--><servlet> <servlet-name>springMVC</servlet- ...
- java 判断大小写、数字出现的次数
//定义一个字符串 String s = "Hello123World"; //定义三个统计变量 int bigCount = 0; int smallCount = 0; int ...