权限管理:
角色
用户
资源
某个用户拥有多个角色,一个角色也可以被多个用户拥有
一个角色对应访问多个资源,一个资源也可以被多个角色访问
spring security的具体应用如下。
版本:3.0.5
1)web.xml配置
<!-- Tells ContextLoaderListener (below) where the Spring context that holds the
     <http> security configuration lives. -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:com/applicationContext.xml</param-value>
</context-param>
<!-- Container-level entry point: DelegatingFilterProxy forwards every request to the
     Spring bean whose id equals this filter-name ("springSecurityFilterChain"), which
     the <http> namespace element creates. The name must not be changed independently. -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<!-- NOTE(review): this filter is declared but has no <filter-mapping> in the visible
     configuration, so the container never invokes it; in this version the session
     context handling it provides is already part of the springSecurityFilterChain.
     Confirm whether the declaration can be dropped. -->
<filter>
<filter-name>httpSessionContextIntegrationFilter</filter-name>
<filter-class>
org.springframework.security.web.context.HttpSessionContextIntegrationFilter
</filter-class>
</filter>
<!-- Every path goes through the chain, for direct requests and for server-side
     includes/forwards. ERROR dispatches are not listed, so container error pages are
     rendered outside the chain and see no SecurityContext; add
     <dispatcher>ERROR</dispatcher> if they need one. -->
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
<!-- Builds the root application context from contextConfigLocation at startup. -->
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<!-- Exposes the current request to Spring so request- and session-scoped beans work
     outside of DispatcherServlet. -->
<listener>
<listener-class>
org.springframework.web.context.request.RequestContextListener
</listener-class>
</listener>
2)页面改造
如果要加验证码功能,可以在此filter前加验证
<!-- Login form consumed by Spring Security's form-login filter. The action must equal
     the login-processing-url configured on <form-login>, and j_username / j_password
     are the request parameter names that filter reads in this version. The credentials
     travel exactly as typed, so this page and its POST target should be served over
     HTTPS. -->
<form action="${pageContext.request.contextPath}/j_spring_security_check" name="logonActionForm" method="post">
<input type="text" name="j_username" value=""/>
<input type="password" name="j_password" value="" />
</form>
3)spring security 配置
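<!-- intercept-url rules are evaluated top-down and the first matching pattern wins,
     so the specific public entries must stay above the catch-all "/**". -->
<http auto-config="true" >
<!-- filters="none" takes these paths out of the security filter chain entirely: no
     SecurityContext is available to them. Acceptable for the login page and static
     assets; anything that needs to know who the user is must not be listed here. -->
<intercept-url pattern="/logon.jsp" filters="none" />
<intercept-url pattern="/logonAction.do" filters="none" />
<intercept-url pattern="/public/logoutSuccess.jsp" filters="none"/>
<!-- NOTE(review): no access attribute and not filters="none" — confirm whether /public/**
     is meant to be reachable by everyone or should carry an explicit role list. -->
<intercept-url pattern="/public/**"/>
<intercept-url pattern="/js/**" filters="none" />
<intercept-url pattern="/css/**" filters="none" />
<intercept-url pattern="/images/**" filters="none" />
<intercept-url pattern="/theme/**" filters="none" />
<!-- Everything else requires one of these roles. requires-channel="any" accepts plain
     HTTP as well as HTTPS; "https" would force the secure channel for the whole site. -->
<intercept-url pattern="/**" access="ROLE_AA,ROLE_BB,ROLE_BROWSER" requires-channel="any" />
<!-- ${url.*} placeholders are resolved by a property placeholder declared elsewhere (not
     shown here). login-processing-url must match the login form's action. -->
<form-login login-page="${url.login}"
default-target-url="/logonAction.do"
authentication-failure-url="${url.login}"
login-processing-url="/j_spring_security_check"
/>
<!-- invalidate-session="true" discards the HTTP session, and with it the stored
     SecurityContext, on logout. -->
<logout invalidate-session="true" logout-url="${url.logoutUrl}" logout-success-url="${url.logoutSuccess}" />
<anonymous />
<session-management invalid-session-url="${url.logoutUrl}" />
</http>
<!-- The original left this element unclosed; with no nested configuration it is
     self-closing. The bean is referenced by the first provider below. -->
<beans:bean id="userCheckServiceImpl" class="com.sample.UserCheckServiceImpl"/>
<authentication-manager>
<!-- Provider 1: user details resolved programmatically. No password-encoder is declared
     on this provider, so the password returned by loadUserByUsername is compared as
     plaintext with the submitted one. -->
<authentication-provider user-service-ref='userCheckServiceImpl'/>
<!-- Provider 2: fixed in-memory users. -->
<authentication-provider>
<!-- With an encoder configured, each password attribute below must already hold the
     encoded value — here the MD5 digest of "password{username}", since the username is
     the salt. The plaintext values as written can never match a submitted password.
     MD5 is also a poor choice for password storage; hash="sha-256" is accepted by the
     same attribute. -->
<password-encoder hash="md5">
<salt-source user-property="username"/>
</password-encoder>
<user-service>
<user name="aatest" password="aatest" authorities="ROLE_AA" />
<user name="admin" password="admin" authorities="ROLE_BROWSER,ROLE_BB,ROLE_AA" />
</user-service>
</authentication-provider>
</authentication-manager>
<!-- Method-level rules. NOTE(review): "com.sample.exec(..)" names a method exec on a type
     called com.sample; if the intent is any class in package com.sample, the pattern
     would read "* com.sample.*.exec(..)". Confirm against the actual service classes. -->
<global-method-security>
<protect-pointcut expression="execution(* com.sample.exec(..))" access="ROLE_PA" />
<protect-pointcut expression="execution(* com.sample.read(..))" access="ROLE_CA,ROLE_PA,ROLE_BROWSER" />
</global-method-security>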
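//Programmatic user lookup: the UserDetailsService referenced by the first authentication-provider.
/**
 * Resolves login names to {@link UserDetails} for Spring Security's DAO provider.
 *
 * <p>This is a mock: the only account it knows is {@code aatest}. A real implementation
 * would load the persisted (hashed) password and the user's roles from a store and the
 * provider would be given a matching password-encoder.</p>
 */
public class UserCheckServiceImpl implements UserDetailsService {

    /** The single account the mock DAO recognises. */
    private static final String MOCK_USERNAME = "aatest";

    /**
     * Looks up a user by login name.
     *
     * @param userName the name submitted on the login form ({@code j_username}); may be null
     * @return the user's details, never {@code null}
     * @throws UsernameNotFoundException when the name is unknown. The interface contract
     *         requires this exception rather than a {@code null} return: the provider treats
     *         {@code null} as an internal error instead of a failed login attempt
     */
    public UserDetails loadUserByUsername(String userName)
            throws UsernameNotFoundException, DataAccessException {
        // MockDao. Constant-first equals() tolerates a null userName.
        if (!MOCK_USERNAME.equals(userName)) {
            throw new UsernameNotFoundException("User not found: " + userName);
        }
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        authorities.add(new GrantedAuthorityImpl("ROLE_AA"));
        // The password returned here is what the provider compares against the submitted
        // one; with no password-encoder declared on this provider that comparison is
        // plaintext. Boolean flags: enabled, accountNonExpired, credentialsNonExpired,
        // accountNonLocked.
        return new User(MOCK_USERNAME, "aatest", true, true, true, true, authorities);
    }
}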
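//After authentication: obtain the logged-in user's details.
// The filter chain binds the SecurityContext to the current thread, and that is the
// supported way to read it. The original also read the raw session attribute, which
// duplicates what the chain's persistence filter already did and throws a
// NullPointerException when nothing has been stored yet. The session lookup is kept
// only as a fallback for code running on a path the chain does not cover (for example
// one mapped with filters="none"), and every step is null-checked.
SecurityContext ctx = SecurityContextHolder.getContext();
if (ctx.getAuthentication() == null) {
    // Session key under which the chain persists the context between requests.
    Object stored = request.getSession().getAttribute("SPRING_SECURITY_CONTEXT");
    if (stored instanceof SecurityContext) {
        ctx = (SecurityContext) stored;
    }
}
Authentication auth = ctx.getAuthentication();
UserDetails user = null;
// The principal is a UserDetails for form login; other authentication types may put a
// plain String here, so user stays null in that case.
if (auth != null && auth.getPrincipal() instanceof UserDetails) {
    user = (UserDetails) auth.getPrincipal();
}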