先看一下spring security 官方对以下几个类或接口的解释,因为这个几个类在程序中会使用到;
ConfigAttribute:Stores a security system related configuration attribute.
SecurityConfig:ConfigAttribute的实现类。
GrantedAuthority:Represents an authority granted to an Authentication object.
GrantedAuthorityImpl:GrantedAuthority的实现类。
UserDetails:Provides core user information.
Authentication:Represents the token for an authentication request or for an authenticated principal once the request has been processed by the AuthenticationManager.authenticate(Authentication) method.
UserDetailsService:Core interface which loads user-specific data.
FilterInvocationSecurityMetadataSource:Marker interface for SecurityMetadataSource implementations that are designed to perform lookups keyed on FilterInvocations.
AccessDecisionManager:Makes a final access control (authorization) decision.
定义四张表:用户表、角色表、资源表、组织机构表(可选)
首先需要在web.xml文件中添加以下配置:
<filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class> org.springframework.web.filter.DelegatingFilterProxy </filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
接着配置spring security的配置文件:
<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"> <!-- access-denied-page:定义没有权限时跳转的页面 ;use-expressions:true表示使用表达式定义忽略拦截资源列表--> <http auto-config="true" access-denied-page="/accessDenied.do" use-expressions="true"> <!-- 忽略拦截资源定义 --> <intercept-url pattern="/showLogin.do*" filters="none" /> <intercept-url pattern="/scripts/**" filters="none" /> <intercept-url pattern="/images/**" filters="none" /> <intercept-url pattern="/styles/**" filters="none" /> <intercept-url pattern="/dwr/**" filters="none" /> <!-- isAuthenticated()表示只有通过验证的用户才能访问 --> <intercept-url pattern="/**" access="isAuthenticated()" /> <intercept-url pattern="/main.do*" access="isAuthenticated()" /> <!-- max-sessions=1:禁止2次登陆;ession-fixation-protection="none":防止伪造sessionid攻击,用户登录成功后会销毁用户当前的session,--> <!-- 创建新的session并把用户信息复制到新session中 ;invalid-session-url:定义session超时跳转页面 --> <session-management invalid-session-url="/timeout.jsp" session-fixation-protection="none"> <concurrency-control max-sessions="1" /> </session-management> <!-- 表单验证 --> <form-login login-page="/showLogin.do" authentication-failure-url="/showLogin.do?error=true" always-use-default-target="true" default-target-url="/login.do?error=false" /> <!-- 退出系统跳转页面 --> <logout invalidate-session="true" logout-success-url="/showLogin.do" /> <!-- 免登陆验证 --> <remember-me /> <!-- 自定义拦截器(这里和spring security2的配置有点不同) --> <custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="securityFilter" /> </http> <beans:bean id="securityFilter" class="xxx.xxx.xxx.commons.permissionengine.web.security.FilterSecurityInterceptor"> <beans:property name="authenticationManager" ref="authenticationManager" /> <beans:property name="accessDecisionManager" ref="securityAccessDecisionManager" /> <beans:property name="securityMetadataSource" ref="securityMetadataSource" /> </beans:bean> <authentication-manager alias="authenticationManager"> <authentication-provider user-service-ref="securityUserDetailService"> <!-- 密码采用MD5算法加密 --> <password-encoder hash="md5" /> </authentication-provider> </authentication-manager> <!-- 用户拥有的权限 --> <beans:bean id="securityUserDetailService" class="xxx.xxx.xxx.commons.permissionengine.web.security.SecurityUserDetailService" /> <!-- 用户是否拥有所请求资源的权限 --> <beans:bean id="securityAccessDecisionManager" class="xxx.xxx.xxx.commons.permissionengine.web.security.SecurityAccessDecisionManager" /> <!-- 资源与权限对应关系 --> <beans:bean id="securityMetadataSource" class="xxx.xxx.xxx.commons.permissionengine.web.security.SecurityMetadataSource" /> </beans:beans>
接着需要写一个类实现UserDetails接口,这个并不是我们系统的用户,它只是一个VO,
用于保存从spring security上下文环境中获取到登录用户,因为从spring security上下文环境中获取登录用户的返回值就是UserDetails的实现类:
package xxx.xxx.xxx.commons.permissionengine.entity; import java.util.Collection; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.userdetails.UserDetails; public class UserDetailInfo implements UserDetails { private static final long serialVersionUID = 6137804370301413132L; private String userName; private String password; private Collection<GrantedAuthority> authorities; public UserDetailInfo() {} @Override public Collection<GrantedAuthority> getAuthorities() { return authorities; } @Override public String getPassword() { return password; } @Override public String getUsername() { return userName; } @Override public boolean isAccountNonExpired() { return true; } @Override public boolean isAccountNonLocked() { return true; } @Override public boolean isCredentialsNonExpired() { return true; } @Override public boolean isEnabled() { return true; } public String getUserName() { return userName; } public void setUserName(String userName) { this.userName = userName; } public void setPassword(String password) { this.password = password; } public void setAuthorities(Collection<GrantedAuthority> authorities) { this.authorities = authorities; } }
接着自定义一个继承了AbstractSecurityInterceptor的filter:
package xxx.xxx.xxx.commons.permissionengine.web.security; import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import org.springframework.security.access.SecurityMetadataSource; import org.springframework.security.access.intercept.AbstractSecurityInterceptor; import org.springframework.security.access.intercept.InterceptorStatusToken; import org.springframework.security.web.FilterInvocation; import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource; public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter { private FilterInvocationSecurityMetadataSource securityMetadataSource; @Override public void destroy() { // TODO Auto-generated method stub } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException { FilterInvocation invocation = new FilterInvocation(request, response, filterChain); invoke(invocation); } public void invoke(FilterInvocation filterInvocation) throws IOException, ServletException { InterceptorStatusToken token = super.beforeInvocation(filterInvocation); try { filterInvocation.getChain().doFilter(filterInvocation.getRequest(), filterInvocation.getResponse()); } finally { super.afterInvocation(token, null); } } @Override public void init(FilterConfig arg0) throws ServletException { // TODO Auto-generated method stub } @Override public Class<? extends Object> getSecureObjectClass() { return FilterInvocation.class; } @Override public SecurityMetadataSource obtainSecurityMetadataSource() { return this.securityMetadataSource; } public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) { this.securityMetadataSource = securityMetadataSource; } public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() { return this.securityMetadataSource; } }
接着定义一个类,实现了UserDetailsService接口,主要用于获取登录用户信息和用户所具有的角色
package xxx.xxx.xxx.commons.permissionengine.web.security; import java.util.ArrayList; import java.util.Collection; import java.util.Set; import javax.annotation.Resource; import org.springframework.dao.DataAccessException; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.GrantedAuthorityImpl; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import xxx.xxx.xxx.commons.permissionengine.entity.Role; import xxx.xxx.xxx.commons.permissionengine.entity.User; import xxx.xxx.xxx.commons.permissionengine.entity.UserDetailInfo; import xxx.xxx.xxx.commons.permissionengine.service.IUserService; public class SecurityUserDetailService implements UserDetailsService { private IUserService userService; /** * 获取登录用户信息并添加到security上下文环境 */ @Override public UserDetails loadUserByUsername(String name)throws UsernameNotFoundException, DataAccessException { //定义存放用户角色信息的集合 Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>(); //通过已经经过验证的登录用户的用户名查找登录用户信息 User user = userService.findUserByProperty("name", name); //定义一个userDetailInfo对象,该类实现了spring security UserDetails接口,因为已经经过验证的登录用户会保持在 //spring security上下文环境中,通过该上下文环境获取登录用户信息返回的是UserDetails类型,因此需要定义一个类实现该接口 UserDetailInfo userDetailInfo = null; if(user != null) { //获取登录用户信息的角色列表 Set<Role> roles = user.getRoles(); for(Role role : roles) { //利用角色用户具有的角色的编号构造一个GrantedAuthority对象,并把该对象添加到集合中 GrantedAuthorityImpl grantedAuthorityImpl = new GrantedAuthorityImpl("ROLE_"+role.getNo()); authorities.add(grantedAuthorityImpl); } userDetailInfo = new UserDetailInfo(); userDetailInfo.setUserName(user.getName()); userDetailInfo.setPassword(user.getPassword()); //把角色信息添加到userDetailInfo对象中 userDetailInfo.setAuthorities(authorities); } return userDetailInfo; } @Resource(name = "userService") public void setUserService(IUserService userService) { this.userService = userService; } }
再接着定义一个实现了FilterInvocationSecurityMetadataSource的类:
package xxx.xxx.xxx.commons.permissionengine.web.security; import java.util.ArrayList; import java.util.Collection; import java.util.HashMap; import java.util.Iterator; import java.util.Map; import javax.annotation.Resource; import org.springframework.security.access.ConfigAttribute; import org.springframework.security.access.SecurityConfig; import org.springframework.security.web.FilterInvocation; import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource; import org.springframework.security.web.util.AntUrlPathMatcher; import org.springframework.security.web.util.UrlMatcher; import xxx.xxx.xxx.commons.permissionengine.service.IMenuService; /** * 资源源数据管理器 * @author Keven * */ public class SecurityMetadataSource implements FilterInvocationSecurityMetadataSource { private IMenuService menuService; //定义一个url匹配工具类 private UrlMatcher urlMatcher = new AntUrlPathMatcher(); private static Map<String, Collection<ConfigAttribute>> menuMap = null; //该构造方法由spring容器调用 public SecurityMetadataSource() { loadMenuDefine(); } private void loadMenuDefine() { menuMap = new HashMap<String, Collection<ConfigAttribute>>(); //初始化匿名用户所拥有的权限 Collection<ConfigAttribute> guestAtts = new ArrayList<ConfigAttribute>(); ConfigAttribute guestAttribute = new SecurityConfig("ROLE_Guest"); guestAtts.add(guestAttribute); menuMap.put("/showLogin.do*", guestAtts); } @Override public Collection<ConfigAttribute> getAllConfigAttributes() { return null; } @Override public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException { //获取请求url String url = ((FilterInvocation)object).getRequestUrl(); //从数据库获取资源与角色的对应关系,并设置初始化的资源_角色到该Map menuService.setMenuMap(menuMap); //获取资源列表 Iterator<String> iter = menuMap.keySet().iterator(); while(iter.hasNext()) { String menuUrl = iter.next(); //防止把null值加入到map,报空指针异常 if(menuUrl != null) { //请求url与角色所拥有的权限做匹配 if(urlMatcher.pathMatchesUrl(menuUrl, url)) return menuMap.get(menuUrl); } } return null; } @Override public boolean supports(Class<?> clazz) { return true; } @Resource(name = "menuService") public void setMenuService(IMenuService menuService) { this.menuService = menuService; } }
再接着定义一个实现了AccessDecisionManager的类:
package xxx.xxx.xxx.commons.permissionengine.web.security; import java.util.Collection; import java.util.Iterator; import org.springframework.security.access.AccessDecisionManager; import org.springframework.security.access.AccessDeniedException; import org.springframework.security.access.ConfigAttribute; import org.springframework.security.access.SecurityConfig; import org.springframework.security.authentication.InsufficientAuthenticationException; import org.springframework.security.core.Authentication; import org.springframework.security.core.GrantedAuthority; /** * 决策管理器,用于判断用户需要访问的资源与用户所拥有的角色是否匹配 * @author Keven * */ public class SecurityAccessDecisionManager implements AccessDecisionManager { @Override public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException { if(configAttributes == null) return; //获取资源与角色对应关系列表 Iterator<ConfigAttribute> iter = configAttributes.iterator(); while(iter.hasNext()) { ConfigAttribute configAttribute = iter.next(); //获取访问该资源需要的角色 String needRole = ((SecurityConfig)configAttribute).getAttribute(); //从上下文环境获取用户所具有的角色 for(GrantedAuthority grantedAuthority : authentication.getAuthorities()) { //判断用户拥有的角色是否与访问该资源所需要的角色匹配 if(needRole.equals(grantedAuthority.getAuthority())) return; } } throw new AccessDeniedException("权限不足!"); } @Override public boolean supports(ConfigAttribute arg0) { return true; } @Override public boolean supports(Class<?> arg0) { return true; } }
spring security的基本的登录认证和授权就这样完成了,有关spring security的方法和领域对象的权限控制、单点登录和分布式登录请看下集。