【转】Spring security3 sec:authorize url 无效的问题

原贴地址：http://my.oschina.net/u/2259804/blog/476044

转载注：在需要用SS控制界面元素的显示隐藏，而又无法为sec:authorize标签提供一个确定的Role列表（这通常出现在系统的角色有增、减需求的场合），则可以使用下面的方法解决问题。

如果项目里SS的权限控制已经完备，那么只需要做第1步就好了。记住将ref指向的过滤器改成自己的。

Spring security3 sec:authorize url 无效的问题

发表于2个月前(2015-07-08 10:44)   阅读（ 85） | 评论（ 1）  0人收藏此文章, 我要收藏

赞 0

9月19日成都 OSC 源创会正在报名，送机械键盘和开源无码内裤  

sexurity的xml文件里

1、在<http auto-config="true">上面加上如下代码

?

1 2 3

< beans:bean  id = "customWebInvocationPrivilegeEvaluator"  class = "org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator" >            < beans:constructor-arg  name = "securityInterceptor"  ref = "filterSecurityInterceptor"  />        </ beans:bean >

2、ref="filterSecurityInterceptor" 这里是自定义的过滤器

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

< beans:bean  id = "filterSecurityInterceptor"      class = "org.springframework.security.web.access.intercept.FilterSecurityInterceptor"  autowire = "byType" >      < beans:property  name = "securityMetadataSource"  ref = "filterInvocationSecurityMetadataSource"  />      < beans:property  name = "authenticationManager"  ref = "org.springframework.security.authenticationManager" /> </ beans:bean >   < beans:bean  id = "filterInvocationSecurityMetadataSource"      class = "com.iqilu.security.JdbcFilterInvocationDefinitionSourceFactoryBean" >      < beans:property  name = "dataSource"  ref = "dataSource" />      < beans:property  name = "resourceQuery"  value="              select re.c_res_string,r.c_name               from t_role r               join t_resc_role rr on  r.C_ID = rr .C_ROLE_ID               join t_resc re on  re.C_ID = rr .C_RESC_ID               order by re.c_priority      "/> </ beans:bean >

完整的配置：

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64

<? xml  version = "1.0"  encoding = "UTF-8" ?>   < beans:beans  xmlns = "http://www.springframework.org/schema/security"         xmlns:beans = "http://www.springframework.org/schema/beans"         xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance"         xsi:schemaLocation="http://www.springframework.org/schema/beans             http://www.springframework.org/schema/beans/spring-beans-3.0.xsd             http://www.springframework.org/schema/security             http://www.springframework.org/schema/security/spring-security-3.1.xsd">                  < beans:bean  id = "customWebInvocationPrivilegeEvaluator"  class = "org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator" >            < beans:constructor-arg  name = "securityInterceptor"  ref = "filterSecurityInterceptor"  />        </ beans:bean >                  <!-- 对于一些css、js、图片等文件不进行过滤 -->      < http  pattern = "/css/**"  security = "none"  />      < http  pattern = "/js/**"  security = "none"  />      < http  pattern = "/images/**"  security = "none"  />      < http  pattern = "/themes/**"  security = "none"  />      < http  auto-config = "true"  access-denied-page = "/accessDenied.jsp" >          < intercept-url  pattern = "/login.jsp"  access = "IS_AUTHENTICATED_ANONYMOUSLY"  />          < intercept-url  pattern = "/upload.jsp"  access = "ROLE_ADMIN"  />          < intercept-url  pattern = "/**"  access = "ROLE_USER,ROLE_ADMIN"  />          < form-login  login-page = "/login.jsp"              authentication-failure-url = "/login.jsp?error=true"              default-target-url = "/index.jsp"  />          < logout  invalidate-session = "true"               logout-success-url = "/login.jsp"               logout-url = "/j_spring_security_logout" />          < custom-filter  ref = "filterSecurityInterceptor"  before = "FILTER_SECURITY_INTERCEPTOR"  />      </ http >              <!-- 认证管理器 -->      < authentication-manager >          < authentication-provider >              < jdbc-user-service  data-source-ref = "dataSource"                  users-by-username-query = "select C_ACCOUNT as username,C_PASSWORD as password, 1  as enabled from t_user where C_ACCOUNT=?"                  authorities-by-username-query="select u.C_ACCOUNT as username,r.c_name as authority                       from t_user u                      join t_user_role ur                      on  u.C_BH = ur .c_user_id                      join t_role r                      on  r.c_id = ur .c_role_id                      where u.C_ACCOUNT=?"/>          </ authentication-provider >      </ authentication-manager >            < beans:bean  id = "filterSecurityInterceptor"          class = "org.springframework.security.web.access.intercept.FilterSecurityInterceptor"  autowire = "byType" >          < beans:property  name = "securityMetadataSource"  ref = "filterInvocationSecurityMetadataSource"  />          < beans:property  name = "authenticationManager"  ref = "org.springframework.security.authenticationManager" />      </ beans:bean >        < beans:bean  id = "filterInvocationSecurityMetadataSource"          class = "com.iqilu.security.JdbcFilterInvocationDefinitionSourceFactoryBean" >          < beans:property  name = "dataSource"  ref = "dataSource" />          < beans:property  name = "resourceQuery"  value="              select re.c_res_string,r.c_name               from t_role r               join t_resc_role rr on  r.C_ID = rr .C_ROLE_ID               join t_resc re on  re.C_ID = rr .C_RESC_ID               order by re.c_priority          "/>      </ beans:bean > </ beans:beans >

4、过滤器代码：

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121

package  com.iqilu.security;   import  java.sql.ResultSet; import  java.sql.SQLException; import  java.util.Collection; import  java.util.LinkedHashMap; import  java.util.List; import  java.util.Map;   import  javax.sql.DataSource;   import  org.springframework.beans.factory.FactoryBean; import  org.springframework.jdbc.core.support.JdbcDaoSupport; import  org.springframework.jdbc.object.MappingSqlQuery; import  org.springframework.security.access.ConfigAttribute; import  org.springframework.security.access.ConfigAttributeEditor; import  org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource; import  org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource; import  org.springframework.security.web.util.AntPathRequestMatcher; import  org.springframework.security.web.util.RequestMatcher;     @SuppressWarnings ({  "rawtypes" ,  "deprecation"  }) public  class  JdbcFilterInvocationDefinitionSourceFactoryBean      extends  JdbcDaoSupport  implements  FactoryBean {      private  String resourceQuery;        public  boolean  isSingleton() {          return  true ;      }        public  Class getObjectType() {          return  FilterInvocationSecurityMetadataSource. class ;      }        public  Object getObject() {          return  new  DefaultFilterInvocationSecurityMetadataSource( this              .buildRequestMap());      }        @SuppressWarnings ( "unchecked" )      protected  Map<String, String> findResources() {          ResourceMapping resourceMapping =  new  ResourceMapping(getDataSource(),                  resourceQuery);            Map<String, String> resourceMap =  new  LinkedHashMap<String, String>();            for  (Resource resource : (List<Resource>) resourceMapping.execute()) {              String url = resource.getUrl();              String role = resource.getRole();                if  (resourceMap.containsKey(url)) {                  String value = resourceMap.get(url);                  resourceMap.put(url, value +  ","  + role);              }  else  {                  resourceMap.put(url, role);              }          }            return  resourceMap;      }        @SuppressWarnings ({  "unchecked"  })      protected  LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> buildRequestMap() {          LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> requestMap =              null ;          requestMap =  new  LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>>();            ConfigAttributeEditor editor =  new  ConfigAttributeEditor();            Map<String, String> resourceMap =  this .findResources();            for  (Map.Entry<String, String> entry : resourceMap.entrySet()) {              String key = entry.getKey();              editor.setAsText(entry.getValue());              requestMap.put( new  AntPathRequestMatcher(key),                  (Collection<ConfigAttribute>) editor.getValue());          }            return  requestMap;      }        public  void  setResourceQuery(String resourceQuery) {          this .resourceQuery = resourceQuery;      }        private  class  Resource {          private  String url;          private  String role;            public  Resource(String url, String role) {              this .url = url;              this .role = role;          }            public  String getUrl() {              return  url;          }            public  String getRole() {              return  role;          }      }        private  class  ResourceMapping  extends  MappingSqlQuery {          protected  ResourceMapping(DataSource dataSource,              String resourceQuery) {              super (dataSource, resourceQuery);              compile();          }            protected  Object mapRow(ResultSet rs,  int  rownum)              throws  SQLException {              String url = rs.getString( 1 );              String role = rs.getString( 2 );              Resource resource =  new  Resource(url, role);                return  resource;          }      } }