springsecurity31高级详细开发指南

《springsecurity31高级详细开发指南》由会员分享，可在线阅读，更多相关《springsecurity31高级详细开发指南（16页珍藏版）》请在装配图网上搜索。

1、SpringSecurity3的使用方法有4种：一种是全部利用配置文件，将用户、权限、资源(url)硬编码在xml文件中。二种是用户和权限用数据库存储，而资源(url)和权限的对应采用硬编码配置。三种是细分角色和权限，并将用户、角色、权限和资源均采用数据库存储，并且自定义过滤器，代替原有的FilterSecuritylnterceptor过滤器，并分别实现AccessDecisionManager、InvocationSecurityMetadataSourceService和UserDetailsService，并在配置文件中进行相应配置。四是修改springsecurity的源代码，主要是

2、修改InvocationSecurityMetadataSourceService和UserDetailsService两个类。前者是将配置文件或数据库中存储的资源(url)提取出来加工成为url和权限列表的Map供Security使用，后者提取用户名和权限组成一个完整的(UserDetails)User对象，该对象可以提供用户的详细信息供AuthentationManager进行认证与授权使用。该方法理论上可行，但是比较暴力，不推荐使用。本文有两个例子，我在简单例子章节实现了第一种方法。在复杂例子章节实现了第二种和第三种方法组合使用的例子。简单例子通俗易懂，不再赘述。复杂例子及其使用和扩展，

3、我将穿插详细的配置注释和讲解，包括整个程序的执行过程。简单例子创建web工程如下图所示:配置如下图所示:单击Finish即可。把从spring网站下载的spring-security-3.1.0.RELEASE解压，并将其中的spring-security-samples-contacts-3.1.0.RELEASE.war解压，把WEB-INFlib中的jar包拷贝到如下图所示：筋NfWebProjectWebPrcj?rtDetailsProjectName:springSecurity30UsedefaultlocatFonLocation;C:cyuworkmyeclipspringS

4、ecurrtySdirectory:SourcefcldenWtbrqgtfolder;WcbRoQt/springSecurityS匚ontextrootURL:FiniCancelCreaieaWet)ProjectIMextaJSTLSupportAddJSTLlibrariestoWEB-INF/libfolder?J2EESpecificationLevelaJavaEE5.0J2EE1.4J2EE1.2Createawebprojectintheworkspaceoranexternallocationli=即】匸j|r:h5Gdb期fcl*UFVrslMj-L&.:kiflo-K

5、k-clas-iw-C増logbtar-G.?.2jsr ilMipiJlhEtv.-gJflfl.ftELtAS kO-4jMLJKAtE.9.fhfa.RELA.jiFliRELATE府百p申(X疵i 阿呷胡电甌旧越由!1碧ip-rg-ih:-DLE-%ELEjlLjx- O-seajnPj-d-SELtSlxir Ep呷l.DLREIMF.Hr=ip*ig-Bacurrt-Era-3J_D.HeLAsLJh!S5|n-5ecun*yryDWi-JL艺L*尖刖盼r習问料mMIUl*54测A-再审网叭向內*1-W士R口cf修改配置web.xml如下：web-appversion=2.5xml

6、ns=http:/www.springframework.org/schema/beans/spring-beans-3.0.xsdspringSecurityFilterChain/filter-namefilter-classyorg.springframework.web.filter.DelegatingFilterProxfilter-mappingfilter-namespringSecurityFilterChain/*org.springframework.web.context.ContextLoaderListenerindex.jsp在src中创建securityConf

7、ig.xml内容如下：httpaccess-denied-pageform-loginlogin-pageROLE_ADMIN的权限-intercept-urlaccess=ROLE_ADMIN/intercept-urlmax-sessions=1error-if-maximum-exceeded=fa/session-managementauthentication-managerauthentication-provideruser-serviceusername=cyu/authentication-provider/authentication-manager在WebRoot中创建l

8、ogin.jsp内容如下：pageEncoding%pagelanguage=javaimport=java.util.*=UTF-8%登录用户:密码:在WebRoot中创建accessDenied.jsp,内容如下：%pageIanguage=javaimport=java.util.*pageEncoding=utf-8vhtml访问拒绝您的访问被拒绝，无权访问该资源！在WebRoot中创建admin.jsp内容如下：%pagelanguage=javaimport=java.util.*pageEncoding=utf-8MyJSPadmin.jspstartingpage欢迎来到管理员

9、页面.修改index.jsp内容如下：%pagelanguage=javaimport=java.util.*pageEncoding=UTF-8MyJSPindex.jspstartingpage这是首页，欢迎!进入admin页面进入其它页面添加工程如下图所示:点击Finish即可，然后运行工程如下图所示:-HbE母PrcfKtM-ElpHiHmmiMApEki*4alpB塞鱼广日ri*rT二CrfAie*iceJLfpiwyndmwUhdLB-J*1匚.nvdiauUh曲0卿匕音*Acct誓y2芒BINFA*JTW沪Ptmhm爲2_.曰：Filler.T*5H5iEPi箱f-Ser.|莘亜

10、屯J?Mw疋丸宣疋pDeIF-jf誌卅/申THlC4f1aJT-amutEli;%StappT-jj!:1tjpJrtfeiiiieahtnncjbi-IstthiM_!.-fl，童*MW- itiapEv-TFLOjar血托hy“! O.IQw测试页面如下:用户:密码:输入用户：cyu密码：sap123，然后回车：这是苜页欢迎cyu!,进入zdirdri页面进入其它页面点击进入admin页面”超链，得到如下图所示:您的访问被拒绝，无权访问该资源！复杂例子修改securityConfig.xml内容如下：httpaccess-denied-page=/accessDenied.jspvform

11、-loginlogin-page=/login.jsp!-访问/admin.jsp资源的用户必须具有ROLE_ADMIN的权限-access=ROLE_ADMIN/max-sessions=1error-if-maximum-exceeded=favcustom-filterref=myFilterbefore=FILTER_SECURITY_INTERCEPTOR!-如果用户的密码采用加密的话-/接口即编写UrlMatcher接口，内容如下：packagecom.aostarit.spring.security.tool;publicabstractinterfaceUrlMatcherpu

12、blicabstractObjectcompile(StringparamString);publicabstractbooleanparamString);pathMatchesUrl(ObjectparamObject,StringpublicabstractStringgetUniversalMatchPattern();publicabstractbooleanrequiresLowerCaseUrl();这个接口是以前spring版本中的，现在的spring版本中不存在，由于项目需要且使用方便,故加入到项目当中。编写AntUrlPathMatcher类，内容如下：packagecom

13、.aostarit.spring.security.tool;importorg.springframework.util.AntPathMatcher;importorg.springframework.util.PathMatcher;publicclassAntUrlPathMatcherimplementsUrlMatcherprivatebooleanrequiresLowerCaseUrlprivatePathMatcherpathMatcherpublicAntUrlPathMatcher。this(true);publicAntUrlPathMatcher(booleanreq

14、uiresLowerCaseUrl)this.requiresLowerCaseUrl=true;this.pathMatcher=newAntPathMatcher();this.requiresLowerCaseUrl=requiresLowerCaseUrl;publicObjectcompile(Stringpath)if(this.requiresLowerCaseUrl)returnpath.toLowerCase();returnpath;publicvoidsetRequiresLowerCaseUrl(booleanrequiresLowerCaseUrl)this.requ

15、iresLowerCaseUrl=requiresLowerCaseUrl;publicbooleanpathMatchesUrl(Objectpath,Stringurl)if(/*.equals(path)|(*.equals(path)returntruereturnthis.pathMatcher.match(String)path,url);publicStringgetUniversalMatchPattern()return/*;publicbooleanrequiresLowerCaseUrl()returnthis.requiresLowerCaseUrl;publicStr

16、ingtoString()returnsuper.getClass().getName()+requiresLowerCase=+this.requiresLowerCaseUrl+;这个类是以前spring版本中的工具类，现在的spring版本中不存在，由于项目需要且使用方便，故加入到项目当中。类，内容如下:编写MyFilterSecuritylnterceptorpackagecom.aostarit.spring.security;importjava.io.10Exception;importjavax.servlet.Filter;importjavax.servlet.Filter

17、Chain;importjavax.servlet.FilterConfig;importjavax.servlet.ServletException;importjavax.servlet.ServletRequest;importjavax.servlet.ServletResponse;importorg.springframework.security.access.SecurityMetadataSource;importorg.springframework.security.access.intercept.AbstractSecurityInterceptor;importor

18、g.springframework.security.access.intercept.InterceptorStatusToken;importorg.springframework.security.web.FilterInvocation;importorg.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;publicclassMyFilterSecurityInterceptorextendsAbstractSecurityInterceptorimplements

19、FilterprivateFilterInvocationSecurityMetadataSourcesecurityMetadataSourceMethodthatisactuallycalledbythefilterchain.Simplydelegatesto* thelink#invoke(FilterInvocation)method.* paramrequest* theservletrequest* paramresponse* theservletresponse* paramchain* thefilterchain* throwsIOException* ifthefilt

20、erchainfailsthrowsServletExceptionifthefilterchainfails*/publicvoiddoFilter(ServletRequestrequest,ServletResponseresponse,FilterChainchain)throwsIOException,ServletExceptionFilterInvocationfi=newFilterInvocation(request,response,chain);invoke(fi);publicFilterInvocationSecurityMetadataSourcegetSecuri

21、tyMetadataSource()returnthis.securityMetadataSource;publicClassgetSecureObjectClass()returnFilterInvocation.class;publicvoidinvoke(FilterInvocationfi)throwsIOException,ServletExceptionInterceptorStatusTokentoken=super.beforeInvocation(fi);tryfi.getChain().doFilter(fi.getRequest(),fi.getResponse();fi

22、nallysuper.afterInvocation(token,null);publicSecurityMetadataSourceobtainSecurityMetadataSource()returnthis.securityMetadataSource;publicvoidsetSecurityMetadataSource(FilterInvocationSecurityMetadataSourcenewSource)this.securityMetadataSource=newSource;publicvoiddestroy()publicvoidinit(FilterConfiga

23、rg0)throwsServletException会调用核心的是InterceptorStatusTokentoken=super.beforeInvocation(fi);我们定义的accessDecisionManager:decide(Objectobject)securityMetadataSource:getAttributes(Objectobject)编写MyInvocationSecurityMetadataSource类，内容如下：packagecom.aostarit.spring.security;importjava.util.ArrayList;importjava

24、.util.Collection;importjava.util.HashMap;importjava.util.Iterator;importjava.util.Map;importorg.springframework.security.access.ConfigAttribute;importorg.springframework.security.access.SecurityConfig;importorg.springframework.security.web.FilterInvocation;importorg.springframework.security.web.acce

25、ss.intercept.FilterInvocationSecurityMetadataSource;importcom.aostarit.spring.security.tool.AntUrlPathMatcher;importcom.aostarit.spring.security.tool.UrlMatcher;/*此类在初始化时，应该取到所有资源及其对应角色的定义*/publicclassMyInvocationSecurityMetadataSourceimplementsFilterInvocationSecurityMetadataSourceprivateUrlMatcher

26、urlMatcher=newAntUrlPathMatcher();privatestaticMapString,Collectionnull;publicMyInvocationSecurityMetadataSource()loadResourceDefine();privatevoidloadResourceDefine()resourceMap=newHashMapString,Collection();Collectionatts=newArrayList();ConfigAttributeca=newSecurityConfig(ROLE_USER);atts.add(ca);re

27、sourceMap.put(/index.jsp,atts);和方法。resourceMapCollectionattsno=newArrayList();ConfigAttributecano=newSecurityConfig(ROLE_NO);attsno.add(cano);resourceMap.put(/other.jsp,attsno);/AccordingtoaURL,FindoutpermissionconfigurationofthisURL.publicCollectiongetAttributes(Objectobject)throwsIllegalArgumentEx

28、ception/guessobjectisaURL.Stringurl=(FilterInvocation)object).getRequestUrl();Iteratorite=resourceMap.keySet().iterator();while(ite.hasNext()StringresURL=ite.next();if(urlMatcher.pathMatchesUrl(resURL,url)returnresourceMap.get(resURL);returnnull;publicbooleansupports(Classclazz)returntrue;publicColl

29、ectiongetAllConfigAttributes()returnnull;对于资源的访问权限的定义，我们通过实现FilterlnvocationSecurityMetadataSource这个接口来初始化数据。看看loadResourceDefin方法，我在这里，假定index.jsp这个资源，需要ROLE_USE角色的用户才能访问，other.jsp这个资源，需要ROLE_N(角色的用户才能访问。这个类中，还有一个最核心的地方，就是提供某个资源对应的权限定义，即getAttributes方法返回的结果。注意，我例子中使用的是AntUrlPathMatcher这个pathmatcher

30、来检查URL是否与资源定义匹配，事实上你还要用正则的方式来匹配，或者自己实现一个matcher。这里的角色和资源都可以从数据库中获取，建议通过我们封装的平台级持久层管理类获取和管理。编写MyAccessDecisionManager类，内容如下：packagecom.aostarit.spring.security;importjava.util.Collection;importjava.util.Iterator;importorg.springframework.security.access.AccessDecisionManager;importorg.springframework

31、.security.access.AccessDeniedException;importorg.springframework.security.access.ConfigAttribute;importorg.springframework.security.access.SecurityConfig;importorg.springframework.security.authentication.InsufficientAuthenticationException;importorg.springframework.security.core.Authentication;impor

32、torg.springframework.security.core.GrantedAuthority;publicclassMyAccessDecisionManagerimplementsAccessDecisionManager/Inthismethod,needtocompareauthenticationwithconfigAttributes./1,AobjectisaURL,afilterwasfindpermissionconfigurationbythisURL,andpasstohere./2,Checkauthenticationhasattributeinpermiss

33、ionconfiguration(configAttributes)/3,Ifnotmatchcorrespondingauthentication,throwaAccessDeniedException.publicvoiddecide(Authenticationauthentication,Objectobject,CollectionconfigAttributes)throwsAccessDeniedException,InsufficientAuthenticationExceptionif(configAttributes=null)return;System.out.print

34、ln(object.toString();/objectisaURL.Iteratorite=configAttributes.iterator();while(ite.hasNext()ConfigAttributeca=ite.next();StringneedRole=(SecurityConfig)ca).getAttribute();for(GrantedAuthorityga:authentication.getAuthorities()if(needRole.equals(ga.getAuthority()/gaisusersrole.return;thrownewAccessD

35、eniedException(noright);publicbooleansupports(ConfigAttributeattribute)/TODOAuto-generatedmethodstubreturntruepublicbooleansupports(Classclazz)returntrue;在这个类中，最重要的是decide方法，如果不存在对该资源的定义，直接放行；否则，如果找到正确的角色，即认为拥有权限，并放行，否则thrownewAccessDeniedException(noright)。所有的异常建议平台统一进行封装并管理。编写MyUserDetailService类，

36、内容如下：packagecom.aostarit.spring.security;importjava.util.ArrayList;importjava.util.Collection;importorg.springframework.dao.DataAccessException;importorg.springframework.security.core.GrantedAuthority;importorg.springframework.security.core.authority.GrantedAuthoritylmp匕importorg.springframework.sec

37、urity.core.userdetails.User;importorg.springframework.security.core.userdetails.UserDetails;importorg.springframework.security.core.userdetails.UserDetailsService;importorg.springframework.security.core.userdetails.UsernameNotFoundException;publicclassMyUserDetailServiceimplementsUserDetailsServicep

38、ublicUserDetailsloadUserByUsername(Stringusername)throwsUsernameNotFoundException,DataAccessExceptionCollectionauths=newArrayList();GrantedAuthoritylmplauth2=newGrantedAuthorityImpl(ROLE_ADMIN/auths.add(auth2);if(username.equals(cyu)auths=newArrayList();GrantedAuthoritylmplauth1=newGrantedAuthorityl

39、mpl(ROLE_USER);auths.add(auth1);auths.add(auth2);/User(Stringusername,Stringpassword,booleanenabled,booleanaccountNonExpired,/booleancredentialsNonExpired,booleanaccountNonLocked,CollectionvGrantedAuthorityauthorities)Useruser=newUser(username,sap123,true,true,true,true,auths);returnuser;在这个类中，你就可以从

40、数据库中读入用户的密码，角色信息，是否锁定，账号是否过期等。建议通过我们封装的平台级持久层管理类获取和管理。整个程序执行的过程如下：1、容器启动(MyInvocationSecurityMetadataSource:loadResourceDefine加载系统资源与权限列表)2、用户发岀请求3、过滤器拦截(MyFilterSecurityInterceptor:doFilter)4、取得请求资源所需权限(MyInvocationSecurityMetadataSource:getAttributes)5、匹配用户拥有权限和请求权限(MyAccessDecisionManager:decide)，如果用户没有相应的权限，执行第6步，否则执行第7步6、登录7、验证并授权(MyUserDetailService:loadUserByUsername)8、重复4,5发布，测试页面如下：用户：密码：输入用户：cyu密码：sap123，然后回车：这是首页欢迎匚四！，进入自dmiri页面进入其它页面点击进入admin页面”超链，得到如下图所示：欢迎来到管理员页面.点击“进入其它页面”超链，得到如下图所示：您的访间被拒绝无权访问该资源！