Acegi配置总结
1、 在web.xml中配置contextConfigLocation,并且配置Acegi filter chain即过滤器链
例如:
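<filter>
  <!-- Servlet filter that delegates every call to the Spring-managed
       FilterChainProxy bean (see applicationContext-auth.xml). -->
  <filter-name>Acegi Filter Chain Proxy</filter-name>
  <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
  <init-param>
    <param-name>targetClass</param-name>
    <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
  </init-param>
</filter>
<!-- Scope of the filter chain: every request reaches the proxy; which Acegi
     filters actually run for a URL is decided by the filterChainProxy bean's
     filterInvocationDefinitionSource, not by this mapping.
     (The original comment opener here was an em dash "<!—", which is not a
     valid XML comment start and would make web.xml unparseable.) -->
<filter-mapping>
  <filter-name>Acegi Filter Chain Proxy</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Publishes HttpSession lifecycle events to the web ApplicationContext. -->
<listener>
  <listener-class>org.acegisecurity.ui.session.HttpSessionEventPublisher</listener-class>
</listener>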
2、 在applicationContext-auth.xml中配置
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<beans default-lazy-init="true">
<description></description>
<!-- Permission check: Authenticator delegates all lookups to authService. -->
<bean id="authenticator" class="com.hywebchina.budget.service.auth.impl.Authenticator">
  <property name="authService" ref="authService"/>
  <!-- Dead configuration carried over from the original: an inline
       DataReportDecisionVoter wired with rolePermissionService. It is commented
       out and therefore not part of the context. -->
  <!--
  <property name="voters">
    <list>
      <bean class="com.hywebchina.budget.service.auth.impl.DataReportDecisionVoter">
        <property name="rolePermissionService" ref="rolePermissionService"/>
      </bean>
    </list>
  </property>
  -->
</bean>
<!-- Project AccessDecisionVoter; it is one of the voters consulted by the
     UnanimousBased manager inside filterInvocationInterceptor. -->
<bean id="accessDecisionVoterService"
      class="com.hywebchina.budget.service.auth.impl.AccessDecisionVoterService">
  <property name="authService" ref="authService"/>
  <!-- local ref: the authenticator bean must be declared in this same file -->
  <property name="authenticator">
    <ref local="authenticator"/>
  </property>
</bean>
<!-- Role / permission lookup service shared by authenticator and
     accessDecisionVoterService. The DAOs and parsers referenced below
     (roleDAO, permissionDefinesDAO, defaultRoleUserParser,
     defaultRolePermissionParser, employeeDAOJdbc, inbuiltRoleUserParser)
     are not defined in this file. -->
<bean id="authService" class="com.hywebchina.budget.service.auth.impl.AuthService">
  <property name="roleDAO" ref="roleDAO"/>
  <property name="permissionDefinesDAO" ref="permissionDefinesDAO"/>
  <property name="defaultRoleUserParser" ref="defaultRoleUserParser"/>
  <property name="defaultRolePermissionParser" ref="defaultRolePermissionParser"/>
  <!-- the property is named employeeDAO but the JDBC-flavoured bean is wired in -->
  <property name="employeeDAO" ref="employeeDAOJdbc"/>
  <!-- parser map keyed by the string "0" -->
  <property name="roleUserParsers">
    <map>
      <entry key="0">
        <ref bean="inbuiltRoleUserParser"/>
      </entry>
    </map>
  </property>
</bean>
<!--
FilterChainProxy invokes the listed filters, in the order written, for each URL
pattern it matches, so the filters can be ordinary Spring-managed beans.
Directives: PATTERN_TYPE_APACHE_ANT selects Apache Ant path matching;
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON (commented out inside the value
below) would lower-case the request URL before it is compared.

NOTE(review): only *.html* requests and /j_acegi_** are routed through a chain.
Any other path (a .jsp, .do or static resource, for example) receives no Acegi
filtering at all even though web.xml maps the proxy to /*, and the
filterInvocationInterceptor rules are never consulted for it. With the
lower-case directive disabled the comparison is case-sensitive, so a request
whose extension differs in case from ".html" would also bypass the chain if the
container still serves it - confirm how the container treats such URLs.
NOTE(review): the /j_acegi_** entry lists securityContextHolderAwareRequestFilter
before authenticationProcessingFilter, unlike the two .html entries; presumably
harmless, but the ordering should be made consistent across entries.
-->
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
<!-- CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON-->
PATTERN_TYPE_APACHE_ANT
/**.html*=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
/**/**.html*=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
/j_acegi_**=httpSessionContextIntegrationFilter,logoutFilter,securityContextHolderAwareRequestFilter,authenticationProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
</value>
</property>
</bean>
<!--
Must be the first filter of every chain: it provides the SecurityContext.
Before each request it loads the Authentication object from the HttpSession
into the context, and after the request it stores the object back into the
session so that authentication carries across requests. The other Acegi
filters rely on it having run first.
-->
<bean id="httpSessionContextIntegrationFilter"
      class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"></bean>
<!-- Logout filter: on the logout URL it runs the handler list and then
     redirects to /login.jsp. -->
<bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
  <!-- first constructor argument: URL redirected to after logout -->
  <constructor-arg>
    <value>/login.jsp</value>
  </constructor-arg>
  <!-- second constructor argument: the LogoutHandler list; the stock handler
       clears the security context -->
  <constructor-arg>
    <list>
      <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"></bean>
    </list>
  </constructor-arg>
</bean>
<!--
Login-processing filter (project subclass ProcessingFilter). Much like the
servlet-spec form login: it handles the login request and, when
authentication succeeds, stores an Authentication object in the session and
redirects to the success page.
-->
<bean id="authenticationProcessingFilter" class="com.hywebchina.budget.web.filter.ProcessingFilter">
  <!-- authentication manager -->
  <property name="authenticationManager">
    <ref bean="authenticationManager"/>
  </property>
  <!-- page the user is sent to when login fails -->
  <property name="authenticationFailureUrl"><value>/login.jsp?login_error=1</value></property>
  <!-- page the user is sent to after a successful login; with
       alwaysUseDefaultTargetUrl=true the originally requested URL is ignored -->
  <property name="defaultTargetUrl"><value>/homepage.html</value></property>
  <!-- URL that triggers login processing; matched by the /j_acegi_** chain entry -->
  <property name="filterProcessesUrl"><value>/j_acegi_security_check</value></property>
  <property name="accountServiceImpl">
    <ref bean="accountServiceImpl"/>
  </property>
  <property name="alwaysUseDefaultTargetUrl"><value>true</value></property>
  <!-- same encoder as daoAuthenticationProvider; how ProcessingFilter uses it
       is defined in that class, not in this file -->
  <property name="passwordEncoder" ref="passwordEncoder"/>
</bean>
<!-- Wraps the HttpServletRequest so that servlet-API security calls are
     answered from the SecurityContext (per the Acegi class name). The original
     note credited this bean with saving the request to SavedRequest and
     forwarding to the login page; in Acegi that behaviour belongs to
     ExceptionTranslationFilter - verify against the Acegi documentation. -->
<bean id="securityContextHolderAwareRequestFilter"
      class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"></bean>
<!--
When no Authentication is present, this filter (project subclass
AnonymousFilter) populates the context with the anonymous principal and the
authorities listed in userAttribute.
NOTE(review): "changeThis" is the sample-configuration placeholder key. It must
be a deployment-specific secret and must stay identical to the key of the
AnonymousAuthenticationProvider declared in authenticationManager, so the two
values have to be changed together.
-->
<bean id="anonymousProcessingFilter" class="com.hywebchina.budget.web.filter.AnonymousFilter">
  <property name="key"><value>changeThis</value></property>
  <property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property>
</bean>
<!-- Translates the exceptions raised further down the chain: an
     unauthenticated caller is sent to the authentication entry point (login
     form), an authenticated but unauthorised caller to the access-denied page. -->
<bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint">
    <!-- project entry point with Ajax awareness; serverSideRedirect=true selects
         a server-side forward to the login form rather than an HTTP redirect
         (per the Acegi property name) -->
    <bean class="com.hywebchina.budget.web.filter.AjaxAuthenticationProcessingFilterEntryPoint">
      <property name="loginFormUrl"><value>/login.jsp</value></property>
      <!-- NOTE(review): with forceHttps=false the login form, and the
           credentials posted from it, use whatever scheme the request arrived
           on; if the deployment expects the login to be protected by TLS,
           enforce it here or at the container. -->
      <property name="forceHttps"><value>false</value></property>
      <property name="serverSideRedirect"><value>true</value></property>
    </bean>
  </property>
  <property name="accessDeniedHandler">
    <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
      <!-- forward target under WEB-INF, so it is not directly requestable -->
      <property name="errorPage"><value>/WEB-INF/403.jsp</value></property>
    </bean>
  </property>
</bean>
<!--
Authorisation interceptor. It first asks authenticationManager whether the
caller is authenticated (an unauthenticated caller ends up at the login page
through exceptionTranslationFilter), reads the caller's authorities from the
Authentication, looks up the attributes required for the requested URL in
objectDefinitionSource, and lets accessDecisionManager compare the two. A
negative decision results in the 403 page; a positive one lets the request
through to the protected resource.
NOTE(review): allowIfAllAbstainDecisions=true makes the UnanimousBased manager
grant access when every voter abstains, i.e. fail-open for any attribute that
neither accessDecisionVoterService nor AuthenticatedVoter recognises; false is
the safer setting.
NOTE(review): these URL rules apply only to requests that filterChainProxy
routes through this interceptor (*.html* and /j_acegi_** as configured above),
so the /login.jsp rule is never consulted and the /** rule protects .html
resources only.
-->
<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager">
    <ref bean="authenticationManager"/>
  </property>
  <property name="accessDecisionManager">
    <!-- every voter that does not abstain must grant -->
    <bean class="org.acegisecurity.vote.UnanimousBased">
      <property name="allowIfAllAbstainDecisions"><value>true</value></property>
      <property name="decisionVoters">
        <list>
          <ref local="accessDecisionVoterService"/>
          <bean class="org.acegisecurity.vote.AuthenticatedVoter"></bean>
        </list>
      </property>
    </bean>
  </property>
  <!-- URL-to-attribute rules, evaluated in order; first match wins -->
  <property name="objectDefinitionSource">
<value>
<!-- CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON-->
PATTERN_TYPE_APACHE_ANT
/login.jsp=IS_AUTHENTICATED_ANONYMOUSLY
/**=IS_AUTHENTICATED_REMEMBERED
</value>
  </property>
</bean>
<!--
ProviderManager is the AuthenticationManager implementation used here; it
delegates the actual work to one or more AuthenticationProviders. Every
provider implements authenticate(), which returns an Authentication on success
and throws AuthenticationException otherwise, and supports(), which only says
whether the provider can handle the given Authentication type (not that it has
passed). Provider implementations include daoAuthenticationProvider,
AnonymousAuthenticationProvider and RememberMeAuthenticationProvider.
NOTE(review): the anonymous provider's key must equal the key of
anonymousProcessingFilter, and "changeThis" is the sample placeholder; both
should be set to the same deployment-specific secret.
-->
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list>
      <!-- consulted in order: the DAO provider, then the anonymous provider -->
      <ref local="daoAuthenticationProvider"/>
      <bean class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
        <property name="key"><value>changeThis</value></property>
      </bean>
    </list>
  </property>
</bean>
<!--
Project subclass of DaoAuthenticationProvider. User name and password are
obtained through userDetailsService (the authUserDetailService bean, defined
outside this file) and compared with passwordEncoder. Acegi's stock
UserDetailsService implementations are JdbcDaoImpl (reads users from a
database) and InMemoryDaoImpl (users declared in XML). The original note also
mentions a userCache that cuts database round-trips, but no userCache property
is configured on this bean.
NOTE(review): no saltSource is configured on this provider, so the MD5
comparison performed by passwordEncoder is unsalted - confirm against the
format of the stored credentials.
-->
<bean id="daoAuthenticationProvider"
      class="com.hywebchina.budget.service.auth.impl.AccountExDaoAuthenticationProvider">
  <property name="userDetailsService" ref="authUserDetailService"/>
  <property name="passwordEncoder">
    <ref bean="passwordEncoder"/>
  </property>
</bean>
<!-- NOTE(review): the id says "invalid" but the class is
     AlwaysValidPasswordEncoder, which by its name presumably accepts any
     password. Nothing in this file references it; it should not be present in
     a production context, or at least be renamed so the mismatch cannot
     mislead a future wiring. -->
<bean id="alwaysInvalidPasswordEncoder"
      class="com.hywebchina.budget.service.auth.impl.AlwaysValidPasswordEncoder"></bean>
<!-- Password encoder shared by daoAuthenticationProvider and the login filter.
     NOTE(review): Md5PasswordEncoder is a fast hash, and it is unsalted unless
     the provider supplies a saltSource (none is configured in this file); a
     salted, slow password hash is preferable once stored credentials can be
     migrated. -->
<bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.Md5PasswordEncoder"></bean>
<!-- Optional: listens for authentication events and logs them; no other bean
     refers to it. Keeping it gives an audit trail of login attempts. -->
<bean id="loggerListener" class="org.acegisecurity.event.authentication.LoggerListener"></bean>
</beans>