Research and Implementation of a Permission Control System for Spring Framework-Based Applications

Abstract: The Spring Framework is an excellent multi-tier J2EE framework, but Spring itself provides no security support for a system. The Acegi security framework is implemented on top of Spring's IoC and AOP mechanisms. This paper discusses the interactions between the various components of the Acegi security framework, and presents a method for implementing security control in Spring-based applications by extending Acegi's database design.

Key words: Spring; Acegi; authentication; authorization

I. Introduction

In recent years, with the rapid development of Internet technology, computer networks have penetrated people's work, study and daily life, and how to build secure web applications has become one of the hottest topics of the day. Spring is a multi-tier J2EE application framework based on IoC (Inversion of Control) and AOP (Aspect Oriented Programming). Thanks to its excellent properties, the Spring Framework has attracted more and more attention from developers and is used in a large number of system developments. However, the conventional Spring Framework itself does not provide support for system security. This paper therefore describes the Acegi security framework for Spring, carries out more in-depth research on and extension of user authentication, authorization and resource control with Acegi in Spring-based applications, and gives a feasible solution.

II. The Spring Framework and the Acegi Security Framework

2.1 The Spring Framework

The Spring Framework, developed by the open source community, is an excellent multi-tier J2EE framework. It provides a very lightweight solution for enterprise applications, greatly reducing the difficulty and complexity of application development and improving development speed.

The core of the Spring Framework is IoC and AOP. IoC is a design pattern (the IoC pattern). It further reduces the coupling between classes and changes the traditional way of creating objects: objects are described in a configuration file, and the Spring IoC container is responsible for creating and managing them. The IoC pattern greatly improves the flexibility of system development and maintenance.

AOP is a programming model that looks at the system from a cross-cutting perspective. Traditional object-oriented programming (OOP) mainly views the system along its vertical slices and pays little attention to its cross-sections, or finds them hard to focus on; when system-level services such as security, logging and transactions have to be taken into account, OOP can do nothing except introduce similar system-level code into every class. AOP provides a good way to solve the problem of system-level services: it decomposes the system services into aspects and provides them to classes declaratively. A Java class does not know that the logging service exists and does not need to contain the related code. Therefore, an application written with AOP is loosely coupled, and the reusability of its code increases.

2.2 Acegi Security Framework

With the Spring Framework, developers can quickly build a well-structured web application, but the existing Spring Framework itself does not provide security-related solutions. The Acegi security framework, also from the open source community, provides a good solution for the security control of web applications built on Spring. The Acegi security framework is itself implemented with Spring's IoC and AOP mechanisms; it treats security as a system-level service of the J2EE platform and publishes it in the form of an AOP aspect. Therefore, by means of the Acegi security framework, developers can apply security control to Spring applications in a declarative manner.

The Acegi security framework mainly consists of secured objects, security interceptors and security management components. A secured object is the entity to which security control is applied; Acegi mainly supports two types of secured object, method invocations and URL requests. The interceptor is an important component of Acegi: it intercepts requests in order to implement security control, and a different interceptor is used to intercept the requests of each type of secured object. The security management components are the actual means by which security control is carried out on the requests intercepted by the interceptors; they mainly include the AuthenticationManager, which implements user authentication, the AccessDecisionManager, which implements user authorization, and the RunAsManager, which implements role transformation. The relationships among secured objects, security interceptors and security management components are shown in Figure 1.

III. Applying the Acegi Security Framework in a Spring-Based System

3.1 Analysis of system security requirements

First, the objects of security control must be made clear: they are business methods and URL resources.

Second, the persistent form of the system's authentication information and resource authorization information must be further clarified.

3.2 Acegi Security System Database Design

The Acegi framework supports several ways of persisting security information: it can be configured in the configuration file or stored in a relational database. Because requirements change frequently in practical applications, configuring it in the configuration file does not meet actual application needs. However, Acegi's own permission table design is very simple: a users table {username, password, enabled} and an authorities table {username, authority}. Such a simple design is certainly not suitable for complex permission requirements. To address the complexity of rights management, the concept of a role is introduced here, separating users from permissions: a user has multiple roles and a role has multiple permissions, which supports security policies much more flexibly.

Meanwhile, to fit the Acegi security framework better, the concept of a resource is also introduced. Resources are divided into URL resources and FUNCTION (method) resources, and several resources may correspond to one permission. The specific database design is shown in Figure 2.


Figure 1. Interaction diagram of secured objects, interceptors and security management components

Figure 2. Database design of the Acegi security control system

3.3 Configuring the Authentication Manager and the Authorization Manager

To implement security control in the system, the authentication manager and the authorization manager must first be configured. During authentication and authorization the system needs to obtain security information; Acegi itself provides a mechanism for acquiring authentication information, and the authentication and authorization process is carried out by the security system reading that information according to the configured authentication and authorization data. Figure 3 shows a schematic of the authentication manager configuration, with the security information stored in the user database.

Figure 3. Schematic of the authentication manager configuration

The XML configuration corresponding to the figure is as follows:

<!-- configure the database dataSource and Acegi's jdbcDao -->
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
  <property name="driverClassName">
    <value>${jdbc.driverClassName}</value>
  </property>
  <property name="url">
    <value>${jdbc.url}</value>
  </property>
  <property name="username">
    <value>${jdbc.username}</value>
  </property>
  <property name="password">
    <value>${jdbc.password}</value>
  </property>
</bean>
<bean id="jdbcDaoImpl" class="org.acegisecurity.providers.dao.jdbc.JdbcDaoImpl">
  <property name="dataSource">
    <ref bean="dataSource"/>
  </property>
</bean>
<!-- configure the encoding algorithm for user passwords -->
<!-- the paper uses unsalted MD5, which is no longer an acceptable password hash;
     DaoAuthenticationProvider also accepts a saltSource property -->
<bean id="passwordEncoder"
      class="org.acegisecurity.providers.encoding.Md5PasswordEncoder"/>
<!-- configure the user cache -->
<bean id="userCache" class="org.acegisecurity.providers.dao.cache.EhCacheBasedUserCache">
  <!-- the cache validity period is set here -->
</bean>
<!-- configure the daoAuthenticationProvider -->
<bean id="daoAuthenticationProvider"
      class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
  <property name="authenticationDao">
    <ref local="jdbcDaoImpl"/>
  </property>
  <property name="passwordEncoder">
    <ref local="passwordEncoder"/>
  </property>
  <property name="userCache">
    <ref local="userCache"/>
  </property>
</bean>
<!-- configure the authentication manager -->
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref local="daoAuthenticationProvider"/>
    </list>
  </property>
</bean>

The authorization manager is configured in essentially the same way as the authentication manager and is not discussed further here.

3.4 Configuring the Security Request Interceptor

After the above configuration is complete, the security interceptors need to be configured. Different secured objects require different security interceptors: method-level security uses MethodSecurityInterceptor, while URL resources use FilterSecurityInterceptor. MethodSecurityInterceptor is implemented with Spring AOP, and FilterSecurityInterceptor with a Servlet filter. This paper uses the security interceptor for URL resource requests as the configuration example.

Since security interception of URL resource requests is carried out by filters, the Acegi Servlet filter must be configured first. Filters are similar to AOP around advice, performing operations before and after a web resource is invoked. There are six filters, which together form the Servlet filter chain and process client requests in turn. Note that the order of the filters cannot be changed; when a filter is not needed, it can simply be deleted or commented out. The filters are configured in web.xml as follows:

<filter>
  <filter-name>Acegi HTTP Request Security Filter</filter-name>
  <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
  <init-param>
    <param-name>targetClass</param-name>
    <param-value>
      org.acegisecurity.intercept.web.SecurityEnforcementFilter
    </param-value>
  </init-param>
</filter>
<filter-mapping>
  <!-- the filter-name must match the <filter> declaration exactly -->
  <filter-name>Acegi HTTP Request Security Filter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

The configuration in the Spring applicationContext.xml file is:

<bean id="securityEnforcementFilter"
      class="org.acegisecurity.intercept.web.SecurityEnforcementFilter">
  <property name="filterSecurityInterceptor">
    <ref bean="filterInvocationInterceptor"/>
  </property>
  <property name="authenticationEntryPoint">
    <ref bean="authenticationProcessingFilterEntryPoint"/>
  </property>
</bean>

The code above is the configuration of SecurityEnforcementFilter, the filter that makes the final decision on whether a user is allowed to access a web resource. The other filters are configured in the same way.
After the filters have been configured, the FilterSecurityInterceptor must be configured:

<bean id="filterInvocationInterceptor"
      class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager">
    <ref bean="authenticationManager"/>
  </property>
  <property name="accessDecisionManager">
    <!-- the authorization manager configured as described in section 3.3 (bean id assumed) -->
    <ref bean="accessDecisionManager"/>
  </property>
  <property name="objectDefinitionSource">
    <ref local="filterObjectDefinitionSource"/>
  </property>
</bean>
<bean id="filterObjectDefinitionSource"
      class="org.xiaohongli.acegi.db.DBFilterObjectDefinitionSource">
  <constructor-arg><ref bean="jdbcTemplate"/></constructor-arg>
</bean>

The objectDefinitionSource property defines the protected URL resources; it references a local object, filterObjectDefinitionSource. The filterObjectDefinitionSource class reads the security information of the URLs to be protected from the database; it extends the PathBasedFilterInvocationDefinitionMap class.

Similarly, another class, methodObjectDefinitionSource, is implemented to read the FUNCTION resources to be protected from the database; it extends the MethodDefinitionMap class. Owing to space limitations, the source code of the concrete implementation is not listed here.

<bean id="methodObjectDefinitionSource"
      class="org.xiaohongli.acegi.db.DBMethodObjectDefinitionSource">
  <constructor-arg><ref bean="jdbcTemplate"/></constructor-arg>
</bean>
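As an added illustration (not the paper's own source, which it omits), here is one way the DBFilterObjectDefinitionSource referenced above could be implemented against the Acegi 1.0.x API, using PathBasedFilterInvocationDefinitionMap.addSecureUrl and a Spring JdbcTemplate. The table and column names (resources, resource_permission, role_permission, roles) are an assumed reading of the design in section 3.2, and the class is assumed to live in the org.xiaohongli.acegi.db package named in the bean definition.

```java
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.SecurityConfig;
import org.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowCallbackHandler;

/**
 * Reads the protected URL resources, and the roles allowed to access them, from the
 * permission database so that the interceptor's objectDefinitionSource is no longer
 * hard-coded in XML. Illustrative code, not the paper's source; schema names are assumed.
 */
public class DBFilterObjectDefinitionSource extends PathBasedFilterInvocationDefinitionMap {
    // One row per (URL pattern, role) pair. Assumed tables: resources(id, type, value),
    // resource_permission(resource_id, permission_id), role_permission(role_id, permission_id)
    // and roles(id, name); roles.name holds the ROLE_* authority that RoleVoter compares.
    private static final String SQL =
          "SELECT r.value AS url, ro.name AS role FROM resources r"
        + " JOIN resource_permission rp ON rp.resource_id = r.id"
        + " JOIN role_permission rlp ON rlp.permission_id = rp.permission_id"
        + " JOIN roles ro ON ro.id = rlp.role_id"
        + " WHERE r.type = 'URL' ORDER BY r.id";

    public DBFilterObjectDefinitionSource(JdbcTemplate jdbcTemplate) {
        // Group the roles of each URL first: addSecureUrl takes one definition per pattern,
        // and the first matching pattern wins, so the database order (r.id) is preserved.
        final Map byUrl = new LinkedHashMap();
        jdbcTemplate.query(SQL, new RowCallbackHandler() {
            public void processRow(ResultSet rs) throws SQLException {
                String url = rs.getString("url");
                ConfigAttributeDefinition attrs = (ConfigAttributeDefinition) byUrl.get(url);
                if (attrs == null) {
                    attrs = new ConfigAttributeDefinition();
                    byUrl.put(url, attrs);
                }
                attrs.addConfigAttribute(new SecurityConfig(rs.getString("role")));
            }
        });
        // Ant paths are compared in lower case, as is usual for Acegi URL definitions.
        setConvertUrlToLowercaseBeforeComparison(true);
        for (Iterator it = byUrl.entrySet().iterator(); it.hasNext();) {
            Map.Entry e = (Map.Entry) it.next();
            addSecureUrl((String) e.getKey(), (ConfigAttributeDefinition) e.getValue());
        }
    }
}
```

A URL with no role rows is not registered at all, which in Acegi means the interceptor leaves it unprotected; if every URL must be denied by default, a catch-all pattern should be stored as the last resource row.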

IV. Conclusion

As Spring is used in more and more projects, research on security control systems for Spring-based applications has become very important. Acegi provides security support for Spring applications, but the examples Acegi itself provides cannot meet large-scale, complex permission requirements; this paper meets such requirements by extending Acegi's database design. How to apply Acegi to non-Spring systems, however, still awaits further research.

Origin www.cnblogs.com/Java-no-1/p/11312011.html