/main/common.action:
具有 common 角色的用户可以访问。
/main/admin.action:
具有 admin 角色的用户可以访问。
/main/share.action:
具有 common 或 admin 角色的用户均可访问,但两种角色的用户看到的内容不一样。
spring security相关配置和实现过程如下所示。
1. 配置web.xml,加入spring security特性。
<!-- Load every applicationContext*.xml found on the classpath into the root
     WebApplicationContext; the wildcard is what pulls in
     applicationContext-security.xml alongside the main context file. -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext*.xml</param-value>
</context-param>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<!-- DelegatingFilterProxy looks up a bean with the same name as this filter
     ("springSecurityFilterChain", the FilterChainProxy registered by the <http>
     element) and delegates every request to it. The filter-name must match
     that bean name exactly. -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<!-- NOTE(review): this mapping declares no <dispatcher> children, so by the
     servlet default it is applied to REQUEST dispatches only. FORWARD, INCLUDE
     and ERROR dispatches (e.g. a container error page) do not pass through the
     security chain; add <dispatcher>ERROR</dispatcher> (and FORWARD/INCLUDE as
     needed) if resources reached that way must be protected. -->
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
2. 配置spring security(applicationContext-security.xml)
加入http资源配置(无权访问拒绝页面、form认证页面、退出,以及保护http资源的核心filter)。
<!-- Core HTTP security element: access-denied requests go to /auth/denied,
     form login is served from /auth/login, logout is triggered by /auth/logout. -->
<http access-denied-page="/auth/denied" >
<!-- filters="none" removes /index.jsp from the security filter chain altogether
     (no SecurityContext, no session handling on that URL); use it only for pages
     that are genuinely public. -->
<intercept-url pattern="/index.jsp" filters="none" />
<form-login login-page="/auth/login"
authentication-failure-url="/auth/login?error=true"
default-target-url="/main/common" />
<logout logout-success-url="/auth/login" logout-url="/auth/logout"/>
<!-- myFilter (a second FilterSecurityInterceptor, defined below) is inserted
     ahead of the namespace's own FilterSecurityInterceptor. NOTE(review): no
     <intercept-url ... access="..."> rules are declared here, so the default
     interceptor appears to carry no rules of its own; every authorisation
     decision therefore rests on myFilter's securityMetadataSource returning
     attributes for each URL that must be protected. -->
<custom-filter before="FILTER_SECURITY_INTERCEPTOR"
ref="myFilter" />
</http>
<!-- A custom FilterSecurityInterceptor. It must be wired with three collaborators:
     authenticationManager, accessDecisionManager and securityMetadataSource. All of
     the project's access control is implemented in those three beans; see the
     comment on each bean below. -->
<!-- NOTE(review): AbstractSecurityInterceptor.rejectPublicInvocations defaults to
     false, so a request whose URL has no entry in securityMetadataSource is treated
     as public and passed through without any authentication check (fail-open).
     Either have the metadata source return a catch-all rule for unknown URLs or
     add <beans:property name="rejectPublicInvocations" value="true"/> here — the
     latter also requires entries for /auth/login and /auth/denied. -->
<beans:bean id="myFilter" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<beans:property name="authenticationManager"
ref="authenticationManager" />
<beans:property name="accessDecisionManager"
ref="myAccessDecisionManagerBean" />
<beans:property name="securityMetadataSource"
ref="securityMetadataSource" />
</beans:bean>
<!-- Authentication manager: the entry point for authenticating users. The project
     only has to implement UserDetailsService (myUserDetailService below). -->
<authentication-manager alias="authenticationManager">
<authentication-provider
user-service-ref="myUserDetailService">
<!-- NOTE(review): hash="md5" is an unsalted single MD5 of the password. It is fast to
     brute-force and directly matched by precomputed tables. Prefer an adaptive hash
     (BCryptPasswordEncoder, Spring Security 3.1+) or, at minimum, add
     <salt-source user-property="username"/>. Either change requires re-hashing the
     passwords already stored, so it is flagged here rather than applied. -->
<password-encoder hash="md5" />
</authentication-provider>
</authentication-manager>
<!-- UserDetailsService implementation that the authentication provider above
     calls to load a user (and the stored password hash) by username. -->
<beans:bean id="myUserDetailService"
class="org.chenwd.security.MyUserDetailService" />
<!-- Access decision manager: given the roles a user holds, decides whether they are
     sufficient to reach the requested resource. -->
<!-- NOTE(review): a custom AccessDecisionManager grants access simply by returning
     from decide(); the implementation (not shown here) must throw
     AccessDeniedException on every non-matching path, including the case where the
     attribute collection is empty or null, or the check silently passes. -->
<beans:bean id="myAccessDecisionManagerBean"
class="org.chenwd.security.MyAccessDecisionManager">
</beans:bean>
<!-- Resource metadata definition: declares which roles may access each resource.
     Populated from the database by MyInvocationSecurityMetadataSource (below). -->
<beans:bean id="securityMetadataSource"
class="org.chenwd.security.MyInvocationSecurityMetadataSource" />
3. 资源元数据实现类,用于加载所有角色与资源的对应关系。
package org.chenwd.security;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.annotation.Resource;
import org.hibernate.SessionFactory;
import org.hibernate.classic.Session;
import org.springframework.context.ApplicationContext;
import org.springframework.context.support.ClassPathXmlApplicationContext;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.AntUrlPathMatcher;
import org.springframework.security.web.util.UrlMatcher;
import org.springframework.stereotype.Service;
public class MyInvocationSecurityMetadataSource
implements FilterInvocationSecurityMetadataSource {
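/** Ant-style path matcher used to compare request URLs against the patterns loaded into resourceMap. */
private UrlMatcher urlMatcher = new AntUrlPathMatcher();
/**
 * URL pattern -> roles allowed to reach it, populated by loadResourceDefine().
 * NOTE(review): static and mutable, shared by every instance, and assigned from an
 * instance constructor; it is a plain HashMap, so it is not safe to (re)build
 * concurrently with lookups.
 */
private static Map<String, Collection<ConfigAttribute>> resourceMap = null;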
/**
 * Eagerly populates resourceMap when the bean is created, so the interceptor never
 * consults an unloaded source.
 * NOTE(review): loadResourceDefine() builds its own ClassPathXmlApplicationContext
 * and opens a Hibernate Session from it (see below). Bootstrapping a second Spring
 * context from inside a bean of the main context is expensive and duplicates the
 * SessionFactory; injecting the SessionFactory into this bean would be the usual fix.
 */
public MyInvocationSecurityMetadataSource() {
    this.loadResourceDefine();
}
private void loadResourceDefine() {
resourceMap = new HashMap<String, Collection<ConfigAttribute>>();
ApplicationContext context = new ClassPathXmlApplicationContext(
"classpath:applicationContext.xml");
SessionFactory sessionFactory = (SessionFactory) context
.getBean("sessionFactory");
Session session = sessionFactory.openSession();
String sql = "from Resource";
List list = session.createQuery(sql).list();
if(list != null && list.size() > 0){
Collection<ConfigAttribute> atts = null;
org.chenwd.entity.Resource resource = null;
Iterator iterator = list.iterator();
while(iterator.hasNext()){
resource = (org.chenwd.entity.Resource)iterator.next();
sql = "select r.rolename from t_role r,t_role_resource ros" +
" where ros.resourceid = '" + resource.getId() + "' and ros.roleid = r.id";
List list2 = session.createSQLQuery(sql).list();