最近在做项目遇到了权限管理,用户要求可以自己建立不同的角色对系统的资源进行控制, 不同的用户有不同的角色,又恰恰框架中用到了struts+spring+hibernate,要求在web层调用 业务逻辑层 时不考虑权限,web层可以控制用户的显示界面,逻辑层处理用户权限问题。
想来想去好像只有spring 的aop 可以做到,在调用到 接口 中的方法时,首先检查用户的权限,如果检查通过则继续执行,否则抛出异常。但是新的问题又出现了,如何在逻辑层上来得到当前用户的id,以致用户的 角色,总不能每次都要从web中传来一个 httprequest,或者 session 这类的吧。在网上看了很多资料,发现了acegi,恰好解决了以上的难题,具体的实现原理这里就不多说了,网上有很多相关资料。
说正题,首先来看看acegi 的官方 example ,我下载的是acegi-security-1.0.0-RC1,解压缩后可以看到acegi-security-sample-contacts-filter.war,打开配置文件有这样几句
java代码:
<bean id="contactManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="businessAccessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
<property name="objectDefinitionSource">
<value>
sample.contact.ContactManager.create=ROLE_USER
sample.contact.ContactManager.getAllRecipients=ROLE_USER
sample.contact.ContactManager.getAll=ROLE_USER,AFTER_ACL_COLLECTION_READ
sample.contact.ContactManager.getById=ROLE_USER,AFTER_ACL_READ
sample.contact.ContactManager.delete=ACL_CONTACT_DELETE
sample.contact.ContactManager.deletePermission=ACL_CONTACT_ADMIN
sample.contact.ContactManager.addPermission=ACL_CONTACT_ADMIN
</value>
</property>
</bean>
可以看到它是通过读配置文件来判断执行某个方法所需要的角色的,再看这几句
java代码:
<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/index.jsp=ROLE_ANONYMOUS,ROLE_USER
/hello.htm=ROLE_ANONYMOUS,ROLE_USER
/logoff.jsp=ROLE_ANONYMOUS,ROLE_USER
/switchuser.jsp=ROLE_SUPERVISOR
/j_acegi_switch_user=ROLE_SUPERVISOR
/acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER
/**=ROLE_USER
</value>
</property>
</bean>
同样是将页面的访问权限写死在配置文件中,再来看看它的tag是如何处理的
java代码:
<auth:authorize ifAnyGranted="ROLE_DELETE">
<a href="">删除</a>
</auth:authorize>
可见它是要求我们对链接或者其他资源的保护时提供 用户角色,可是既然角色是用户自己添加的我们又如何来写死在这里呢?
还有就是它对用户验证默认使用的是jdbc,即 JdbcDaoImpl
java代码:
<bean id="transactionManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
<property name="dataSource"><ref local="dataSource"/></property>
</bean>
而我们希望基于Hibernate的Dao来实现。
可见仅仅使用现有的acegi 是 无法满足我们项目开发的需求的。
解决方法:
1: 开发基于数据库的保护资源。
看过acegi的源代码就会知道,对保护资源的定义是通过实现ObjectDefinitionSource这个接口来实现的,而且acegi为我们提供了默认实现的抽象类
java代码:
public abstract class AbstractMethodDefinitionSource
implements MethodDefinitionSource {
//~ Static fields/initializers =============================================
private static final Log logger = LogFactory.getLog(AbstractMethodDefinitionSource.class);
//~ Methods ================================================================
public ConfigAttributeDefinition getAttributes(Object object)
throws IllegalArgumentException {
Assert.notNull(object, "Object cannot be null");
if (object instanceof MethodInvocation) {
return this.lookupAttributes(((MethodInvocation) object).getMethod());
}
if (object instanceof JoinPoint) {
JoinPoint jp = (JoinPoint) object;
Class targetClazz = jp.getTarget().getClass();
String targetMethodName = jp.getStaticPart().getSignature().getName();
Class[] types = ((CodeSignature) jp.getStaticPart().getSignature())
.getParameterTypes();
if (logger.isDebugEnabled()) {
logger.debug("Target Class: " + targetClazz);
logger.debug("Target Method Name: " + targetMethodName);
for (int i = 0; i < types.length; i++) {
if (logger.isDebugEnabled()) {
logger.debug("Target Method Arg #" + i + ": "
+ types[i]);
}
}
}
try {
return this.lookupAttributes(targetClazz.getMethod(targetMethodName, types));
} catch (NoSuchMethodException nsme) {
throw new IllegalArgumentException("Could not obtain target method from JoinPoint: " + jp);
}
}
throw new IllegalArgumentException("Object must be a MethodInvocation or JoinPoint");
}
public boolean supports(Class clazz) {
return (MethodInvocation.class.isAssignableFrom(clazz)
|| JoinPoint.class.isAssignableFrom(clazz));
}
protected abstract ConfigAttributeDefinition lookupAttributes(Method method);
}
我们要做的就是实现它的
protected abstract ConfigAttributeDefinition lookupAttributes(Method method);方法,
以下是我的实现方法,大致思路是这样,通过由抽象类传来的Method 对象得到
调 用这个方法的 包名,类名,方法名 也就是secureObjectName, 查询数据库并将结果映射为Function 也就是secureObject ,由于Function 与 Role 的多对多关系 可以得到 Function所对应的 Roles ,在将role 包装成GrantedAuthority (也就是acegi中的角色)。其中由于频繁的对数据库的查询 所以使用Ehcache 来作为缓存。
java代码:
package sample.auth;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.ConfigAttributeEditor;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.intercept.method.AbstractMethodDefinitionSource;
import org.springframework.util.Assert;
import sample.auth.cache.AuthorityBasedFunctionCache;
import sample.auth.cache.info.FunctionByNameCache;
import sample.dao.IBaseDao;
import sample.mappings.function.Function;
import sample.mappings.role.Role;
public class DatabaseDrivenMethodDefinitionSourcew extends
AbstractMethodDefinitionSource {
// baseDao 提供通过HIbenate对数据库操作的实现
private IBaseDao baseDao;
// AuthorityBasedFunctionCache 通过Function 查 Role 时缓存
private AuthorityBasedFunctionCache cache;
// FunctionByNameCache 由反射到的方法名查找 数据库对应的Function 时的缓存
private FunctionByNameCache functionCache;
public FunctionByNameCache getFunctionCache() {
return functionCache;
}
public void setFunctionCache(FunctionByNameCache functionCache) {
this.functionCache = functionCache;
}
protected ConfigAttributeDefinition lookupAttributes(Method mi) {
Assert.notNull(mi,"lookupAttrubutes in the DatabaseDrivenMethodDefinitionSourcew is null");
String secureObjectName=mi.getDeclaringClass().getName() +"."+ mi.getName();
//Function 为数据库中保护资源的映射
Function secureObject=functionCache.getFunctionByCache(secureObjectName);
if(secureObject==null)//if secure object not exist in database
{
secureObject=(Function)baseDao.loadByKey(Function.class, "protectfunction", secureObjectName);
functionCache.putFunctionInCache(secureObject);
}
if(secureObject==null)
Assert.notNull(secureObject,"secureObject(Function) not found in db");
//retrieving roles associated with this secure object
Collection roles = null;
GrantedAuthority[] grantedAuthoritys = cache.getAuthorityFromCache(secureObject.getName());
// 如果是第一次 cache 为空
if(grantedAuthoritys == null){
Set rolesSet = secureObject.getRoles();
Iterator it = rolesSet.iterator();
List list = new ArrayList();
while(it.hasNext()){
Role role = (Role)it.next();
GrantedAuthority g = new GrantedAuthorityImpl(role.getName());
list.add(g);
}
grantedAuthoritys = (GrantedAuthority[])list.toArray(new GrantedAuthority[0]);
cache.putAuthorityInCache(secureObject.getName(),grantedAuthoritys);
roles = Arrays.asList(grantedAuthoritys);
}else{
roles = Arrays.asList(grantedAuthoritys);
}
if(!roles.isEmpty()){
ConfigAttributeEditor configAttrEditor=new ConfigAttributeEditor();
StringBuffer rolesStr=new StringBuffer();
for(Iterator it = roles.iterator();it.hasNext();){
GrantedAuthority role=(GrantedAuthority)it.next();
rolesStr.append(role.getAuthority()).append(",");
}
configAttrEditor.setAsText( rolesStr.toString().substring(0,rolesStr.length()-1) );
ConfigAttributeDefinition configAttrDef=(ConfigAttributeDefinition)configAttrEditor.getValue();
return configAttrDef;
}
Assert.notEmpty(roles,"collection of roles is null or empty");
return null;
}
public Iterator getConfigAttributeDefinitions() {
return null;
}
public IBaseDao getBaseDao() {
return baseDao;
}
public void setBaseDao(IBaseDao baseDao) {
this.baseDao = baseDao;
}
public AuthorityBasedFunctionCache getCache() {
return cache;
}
public void setCache(AuthorityBasedFunctionCache cache) {
this.cache = cache;
}
}
2:定义 基于方法的 自定义标志
通过以上的分析 , 要想使用acegi 做页面的显示控制仅仅靠角色(Role)是不行的,因为用户可能随时定义出新的角色,所以只能 基于方法(Function)的控制。可是acegi 只是提供了基于 角色的 接口GrantedAuthority ,怎么办? ,如法炮制。 首先定义出我们自己的GrantedFunction,实现也雷同 GrantedAuthorityImpl
java代码:
package sample.auth;
import java.io.Serializable;
public class GrantedFunctionImpl implements GrantedFunction , Serializable{
private String function;
//~ Constructors ===========================================================
public GrantedFunctionImpl(String function) {
super();
this.function = function;
}
protected GrantedFunctionImpl() {
throw new IllegalArgumentException("Cannot use default constructor");
}
//~ Methods ================================================================
public String getFunction() {
return this.function;
}
public boolean equals(Object obj) {
if (obj instanceof String) {
return obj.equals(this.function);
}
if (obj instanceof GrantedFunction) {
GrantedFunction attr = (GrantedFunction) obj;
return this.function.equals(attr.getFunction());
}
return false;
}
public int hashCode() {
return this.function.hashCode();
}
public String toString() {
return this.function;
}
}
以 下是我的标志实现,大致思路是 根据 页面 的传来的 方法名(即 FunctionName)查询出对应的Functions,并且包装成grantedFunctions ,然后根据用户的角色查询出用户对应的Functions ,再取这两个集合的交集,最后再根据这个集合是否为空判断是否显示标志体的内容。
java代码:
package sample.auth;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.Tag;
import javax.servlet.jsp.tagext.TagSupport;
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.springframework.util.StringUtils;
import org.springframework.web.util.ExpressionEvaluationUtils;
import sample.web.action.AppContext;
/**
*
* @author limq
*
*/
public class AuthorizeActionTag extends TagSupport{
private String ifAllGranted = "";
private String ifAnyGranted = "";
private String ifNotGranted = "";
public void setIfAllGranted(String ifAllGranted) throws JspException {
this.ifAllGranted = ifAllGranted;
}
public String getIfAllGranted() {
return ifAllGranted;
}
public void setIfAnyGranted(String ifAnyGranted) throws JspException {
this.ifAnyGranted = ifAnyGranted;
}
public String getIfAnyGranted() {
return ifAnyGranted;
}
public void setIfNotGranted(String ifNotGranted) throws JspException {
this.ifNotGranted = ifNotGranted;
}
public String getIfNotGranted() {
return ifNotGranted;
}
public int doStartTag() throws JspException {
if (((null == ifAllGranted) || "".equals(ifAllGranted))
&& ((null == ifAnyGranted) || "".equals(ifAnyGranted))
&& ((null == ifNotGranted) || "".equals(ifNotGranted))) {
return Tag.SKIP_BODY;
}
final Collection granted = getPrincipalFunctionByAuthorities();
final String evaledIfNotGranted = ExpressionEvaluationUtils
.evaluateString("ifNotGranted", ifNotGranted, pageContext);
if ((null != evaledIfNotGranted) && !"".equals(evaledIfNotGranted)) {
Set grantedCopy = retainAll(granted,
parseSecurityString(evaledIfNotGranted));
if (!grantedCopy.isEmpty()) {
return Tag.SKIP_BODY;
}
}
final String evaledIfAllGranted = ExpressionEvaluationUtils
.evaluateString("ifAllGranted", ifAllGranted, pageContext);
if ((null != evaledIfAllGranted) && !"".equals(evaledIfAllGranted)) {
if (!granted.containsAll(parseSecurityString(evaledIfAllGranted))) {
return Tag.SKIP_BODY;
}
}
final String evaledIfAnyGranted = ExpressionEvaluationUtils
.evaluateString("ifAnyGranted", ifAnyGranted, pageContext);
if ((null != evaledIfAnyGranted) && !"".equals(evaledIfAnyGranted)) {
Set grantedCopy = retainAll(granted,
parseSecurityString(evaledIfAnyGranted));
if (grantedCopy.isEmpty()) {
return Tag.SKIP_BODY;
}
}
return Tag.EVAL_BODY_INCLUDE;
}
/**
* 得到用户的Authentication,并且从Authentication中获得 Authorities,进而得到 授予用户的 Function
* @return
*/
private Collection getPrincipalFunctionByAuthorities() {
Authentication currentUser = SecurityContextHolder.getContext()
.getAuthentication();
if (null == currentUser) {
return Collections.EMPTY_LIST;
}
if ((null == currentUser.getAuthorities())
|| (currentUser.getAuthorities().length < 1)) {
return Collections.EMPTY_LIST;
}
// currentUser.getAuthorities() 返回的是 GrantedAuthority[]
List granted = Arrays.asList(currentUser.getAuthorities());
AuthDao authDao =(AuthDao) AppContext.getInstance().getAppContext().getBean("authDao");
Collection grantedFunctions = authDao.getFunctionsByRoles(granted);
return grantedFunctions;
}
/**
* 得到用户功能(Function)的集合,并且验证是否合法
* @param c Collection 类型
* @return Set类型
*/
private Set SecurityObjectToFunctions(Collection c) {
Set target = new HashSet();
for (Iterator iterator = c.iterator(); iterator.hasNext();) {
GrantedFunction function = (GrantedFunction) iterator.next();
if (null == function.getFunction()) {
throw new IllegalArgumentException(
"Cannot process GrantedFunction objects which return null from getFunction() - attempting to process "
+ function.toString());
}
target.add(function.getFunction());
}
return target;
}
/**
* 处理页面标志属性 ,用' ,'区分
*/
private Set parseSecurityString(String functionsString) {
final Set requiredFunctions = new HashSet();
final String[] functions = StringUtils
.commaDelimitedListToStringArray(functionsString);
for (int i = 0; i < functions.length; i++) {
String authority = functions[i];
// Remove the role's whitespace characters without depending on JDK 1.4+
// Includes space, tab, new line, carriage return and form feed.
String function = StringUtils.replace(authority, " ", "");
function = StringUtils.replace(function, "\t", "");
function = StringUtils.replace(function, "\r", "");
function = StringUtils.replace(function, "\n", "");
function = StringUtils.replace(function, "\f", "");
requiredFunctions.add(new GrantedFunctionImpl(function));
}
return requiredFunctions;
}
/**
* 获得用户所拥有的Function 和 要求的 Function 的交集
* @param granted 用户已经获得的Function
* @param required 所需要的Function
* @return
*/
private Set retainAll(final Collection granted, final Set required) {
Set grantedFunction = SecurityObjectToFunctions(granted);
Set requiredFunction = SecurityObjectToFunctions(required);
// retailAll() 获得 grantedFunction 和 requiredFunction 的交集
// 即删除 grantedFunction 中 除了 requiredFunction 的项
grantedFunction.retainAll(requiredFunction);
return rolesToAuthorities(grantedFunction, granted);
}
/**
*
* @param grantedFunctions 已经被过滤过的Function
* @param granted 未被过滤过的,即用户所拥有的Function
* @return
*/
private Set rolesToAuthorities(Set grantedFunctions, Collection granted) {
Set target = new HashSet();
for (Iterator iterator = grantedFunctions.iterator(); iterator.hasNext();) {
String function = (String) iterator.next();
for (Iterator grantedIterator = granted.iterator();
grantedIterator.hasNext();) {
GrantedFunction grantedFunction = (GrantedFunction) grantedIterator
.next();
if (grantedFunction.getFunction().equals(function)) {
target.add(grantedFunction);
break;
}
}
}
return target;
}
}
再说明一下吧,通过 AppContext 获得了Spring的上下文,以及AuthDao(实际意义上讲以不再是单纯的Dao,应该是Service)
java代码:
package sample.auth;
import java.util.Collection;
public interface AuthDao {
/**
* 根据用户的角色集合 得到 用户的 操作权限
* @param granted 已授予用户的角色集合
* @return 操作权限的集合
*/
public Collection getFunctionsByRoles(Collection granted);
}
以下是AuthDao 的实现
java代码:
package sample.auth;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.acegisecurity.GrantedAuthority;
import sample.auth.cache.FunctionCache;
import sample.auth.cache.info.RoleByNameCache;
import sample.dao.IBaseDao;
import sample.mappings.function.Function;
import sample.mappings.role.Role;
public class AuthDaoImpl implements AuthDao {
private IBaseDao baseDao;
private FunctionCache cache;
private RoleByNameCache roleCache;
public RoleByNameCache getRoleCache() {
return roleCache;
}
public void setRoleCache(RoleByNameCache roleCache) {
this.roleCache = roleCache;
}
public FunctionCache getCache() {
return cache;
}
public void setCache(FunctionCache cache) {
this.cache = cache;
}
public IBaseDao getBaseDao() {
return baseDao;
}
public void setBaseDao(IBaseDao baseDao) {
this.baseDao = baseDao;
}
public Collection getFunctionsByRoles(Collection granted) {
Set set = new HashSet();
if(null == granted) throw new IllegalArgumentException("Granted Roles cannot be null");
for(Iterator it = granted.iterator();it.hasNext();){
GrantedAuthority grantedAuthority = (GrantedAuthority)it.next();
Role role = roleCache.getRoleByRoleNameCache(grantedAuthority.getAuthority()); //
if(role == null){
role = (Role)baseDao.loadByKey(Role.class, "name", grantedAuthority.getAuthority());
roleCache.putRoleInCache(role);
}
GrantedFunction[] grantedFunctions = cache.getFunctionFromCache(role.getName());
if(grantedFunctions == null){
Set functions = role.getFunctions();
for(Iterator it2 = functions.iterator();it2.hasNext();){
Function function = (Function)it2.next();
GrantedFunction grantedFunction = new GrantedFunctionImpl(function.getName());
set.add( grantedFunction );
}
grantedFunctions = (GrantedFunction[]) set.toArray(new GrantedFunction[0]);
cache.putFuncitonInCache(role.getName(),grantedFunctions);
}
for(int i = 0 ; i < grantedFunctions.length; i++){
GrantedFunction grantedFunction = grantedFunctions[i];
set.add(grantedFunction);
}
}
return set;
}
}
3 基于hibernate的用户验证
acegi 默认的 的 用户验证是 通过UserDetailsService 接口 实现的 也就是说我们只要实现了 它的loadUserByUsername 方法。
java代码:
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException, DataAccessException;
以下是我的实现
java代码:
package sample.auth;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.springframework.dao.DataAccessException;
import sample.auth.cache.AuthorityBasedUserCache;
import sample.dao.IBaseDao;
import sample.mappings.role.Role;
import sample.utils.MisUtils;
public class HibernateDaoImpl implements UserDetailsService{
private String rolePrefix = "";
private boolean usernameBasedPrimaryKey = false;
private AuthorityBasedUserCache cache;
private IBaseDao baseDao;
public String getRolePrefix() {
return rolePrefix;
}
public void setRolePrefix(String rolePrefix) {
this.rolePrefix = rolePrefix;
}
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
UserDetails user = getUsersByUsernameQuery(username);
if(user == null) return null;
GrantedAuthority[] arrayAuths =getAuthoritiesByUsernameQuery(username);
if (arrayAuths.length == 0) {
throw new UsernameNotFoundException("User has no GrantedAuthority");
}
return new User(username, user.getPassword(), user.isEnabled(),
true, true, true, arrayAuths);
}
/**
* 根据用户名查找用户
* @param username
* @return
* @throws DataAccessException
*/
public UserDetails getUsersByUsernameQuery(String username)throws DataAccessException {
sample.mappings.user.User misUser = (sample.mappings.user.User)baseDao.loadByKey(sample.mappings.user.User.class,"name",username);
if(misUser != null)
{
org.acegisecurity.userdetails.UserDetails user =
new User(misUser.getName(),misUser.getPassword(),MisUtils.parseBoolean(misUser.getEnable()),true,true,true,getAuthoritiesByUsernameQuery(username));
return user;
}else
return null;
}
/**
* 根据用户名查找角色
* @param username
* @return GrantedAuthority[] 用户角色
* @throws DataAccessException
*/
public GrantedAuthority[] getAuthoritiesByUsernameQuery(String username)
throws DataAccessException {
sample.mappings.user.User misUser
= (sample.mappings.user.User)baseDao.loadByKey(sample.mappings.user.User.class,"name",username);
if(misUser != null){
GrantedAuthority[] grantedAuthoritys = cache.getAuthorityFromCache(misUser.getName());
if(grantedAuthoritys == null){
Set roles = misUser.getRoles();
Iterator it = roles.iterator();
List list = new ArrayList();
while(it.hasNext() ){
GrantedAuthorityImpl gai = new GrantedAuthorityImpl( ((Role)it.next()).getName() );
list.add(gai);
}
grantedAuthoritys =(GrantedAuthority[]) list.toArray(new GrantedAuthority[0]);
cache.putAuthorityInCache(misUser.getName(),grantedAuthoritys);
return grantedAuthoritys;
}
return grantedAuthoritys;
}
return null;
}
public IBaseDao getBaseDao() {
return baseDao;
}
public void setBaseDao(IBaseDao baseDao) {
this.baseDao = baseDao;
}
public AuthorityBasedUserCache getCache() {
return cache;
}
public void setCache(AuthorityBasedUserCache cache) {
this.cache = cache;
}
}
通过以上对acegi 的 处理,足以满足我们目前在spring下基于RBAC的动态权限管理。同时在对频繁的数据库查询上使用了Ehcache作为缓存,在性能上有了很大的改善。
想来想去好像只有spring 的aop 可以做到,在调用到 接口 中的方法时,首先检查用户的权限,如果检查通过则继续执行,否则抛出异常。但是新的问题又出现了,如何在逻辑层上来得到当前用户的id,以致用户的 角色,总不能每次都要从web中传来一个 httprequest,或者 session 这类的吧。在网上看了很多资料,发现了acegi,恰好解决了以上的难题,具体的实现原理这里就不多说了,网上有很多相关资料。
说正题,首先来看看acegi 的官方 example ,我下载的是acegi-security-1.0.0-RC1,解压缩后可以看到acegi-security-sample-contacts-filter.war,打开配置文件有这样几句
java代码:
<bean id="contactManagerSecurity" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="businessAccessDecisionManager"/></property>
<property name="afterInvocationManager"><ref local="afterInvocationManager"/></property>
<property name="objectDefinitionSource">
<value>
sample.contact.ContactManager.create=ROLE_USER
sample.contact.ContactManager.getAllRecipients=ROLE_USER
sample.contact.ContactManager.getAll=ROLE_USER,AFTER_ACL_COLLECTION_READ
sample.contact.ContactManager.getById=ROLE_USER,AFTER_ACL_READ
sample.contact.ContactManager.delete=ACL_CONTACT_DELETE
sample.contact.ContactManager.deletePermission=ACL_CONTACT_ADMIN
sample.contact.ContactManager.addPermission=ACL_CONTACT_ADMIN
</value>
</property>
</bean>
可以看到它是通过读配置文件来判断执行某个方法所需要的角色的,再看这几句
java代码:
<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/index.jsp=ROLE_ANONYMOUS,ROLE_USER
/hello.htm=ROLE_ANONYMOUS,ROLE_USER
/logoff.jsp=ROLE_ANONYMOUS,ROLE_USER
/switchuser.jsp=ROLE_SUPERVISOR
/j_acegi_switch_user=ROLE_SUPERVISOR
/acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER
/**=ROLE_USER
</value>
</property>
</bean>
同样是将页面的访问权限写死在配置文件中,再来看看它的tag是如何处理的
java代码:
<auth:authorize ifAnyGranted="ROLE_DELETE">
<a href="">删除</a>
</auth:authorize>
可见它是要求我们对链接或者其他资源的保护时提供 用户角色,可是既然角色是用户自己添加的我们又如何来写死在这里呢?
还有就是它对用户验证默认使用的是jdbc,即 JdbcDaoImpl
java代码:
<bean id="transactionManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
<property name="dataSource"><ref local="dataSource"/></property>
</bean>
而我们希望基于Hibernate的Dao来实现。
可见仅仅使用现有的acegi 是 无法满足我们项目开发的需求的。
解决方法:
1: 开发基于数据库的保护资源。
看过acegi的源代码就会知道,对保护资源的定义是通过实现ObjectDefinitionSource这个接口来实现的,而且acegi为我们提供了默认实现的抽象类
java代码:
public abstract class AbstractMethodDefinitionSource
implements MethodDefinitionSource {
//~ Static fields/initializers =============================================
private static final Log logger = LogFactory.getLog(AbstractMethodDefinitionSource.class);
//~ Methods ================================================================
public ConfigAttributeDefinition getAttributes(Object object)
throws IllegalArgumentException {
Assert.notNull(object, "Object cannot be null");
if (object instanceof MethodInvocation) {
return this.lookupAttributes(((MethodInvocation) object).getMethod());
}
if (object instanceof JoinPoint) {
JoinPoint jp = (JoinPoint) object;
Class targetClazz = jp.getTarget().getClass();
String targetMethodName = jp.getStaticPart().getSignature().getName();
Class[] types = ((CodeSignature) jp.getStaticPart().getSignature())
.getParameterTypes();
if (logger.isDebugEnabled()) {
logger.debug("Target Class: " + targetClazz);
logger.debug("Target Method Name: " + targetMethodName);
for (int i = 0; i < types.length; i++) {
if (logger.isDebugEnabled()) {
logger.debug("Target Method Arg #" + i + ": "
+ types[i]);
}
}
}
try {
return this.lookupAttributes(targetClazz.getMethod(targetMethodName, types));
} catch (NoSuchMethodException nsme) {
throw new IllegalArgumentException("Could not obtain target method from JoinPoint: " + jp);
}
}
throw new IllegalArgumentException("Object must be a MethodInvocation or JoinPoint");
}
public boolean supports(Class clazz) {
return (MethodInvocation.class.isAssignableFrom(clazz)
|| JoinPoint.class.isAssignableFrom(clazz));
}
protected abstract ConfigAttributeDefinition lookupAttributes(Method method);
}
我们要做的就是实现它的
protected abstract ConfigAttributeDefinition lookupAttributes(Method method);方法,
以下是我的实现方法,大致思路是这样,通过由抽象类传来的Method 对象得到
调 用这个方法的 包名,类名,方法名 也就是secureObjectName, 查询数据库并将结果映射为Function 也就是secureObject ,由于Function 与 Role 的多对多关系 可以得到 Function所对应的 Roles ,在将role 包装成GrantedAuthority (也就是acegi中的角色)。其中由于频繁的对数据库的查询 所以使用Ehcache 来作为缓存。
java代码:
package sample.auth;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.acegisecurity.ConfigAttributeDefinition;
import org.acegisecurity.ConfigAttributeEditor;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.intercept.method.AbstractMethodDefinitionSource;
import org.springframework.util.Assert;
import sample.auth.cache.AuthorityBasedFunctionCache;
import sample.auth.cache.info.FunctionByNameCache;
import sample.dao.IBaseDao;
import sample.mappings.function.Function;
import sample.mappings.role.Role;
public class DatabaseDrivenMethodDefinitionSourcew extends
AbstractMethodDefinitionSource {
// baseDao 提供通过HIbenate对数据库操作的实现
private IBaseDao baseDao;
// AuthorityBasedFunctionCache 通过Function 查 Role 时缓存
private AuthorityBasedFunctionCache cache;
// FunctionByNameCache 由反射到的方法名查找 数据库对应的Function 时的缓存
private FunctionByNameCache functionCache;
public FunctionByNameCache getFunctionCache() {
return functionCache;
}
public void setFunctionCache(FunctionByNameCache functionCache) {
this.functionCache = functionCache;
}
protected ConfigAttributeDefinition lookupAttributes(Method mi) {
Assert.notNull(mi,"lookupAttrubutes in the DatabaseDrivenMethodDefinitionSourcew is null");
String secureObjectName=mi.getDeclaringClass().getName() +"."+ mi.getName();
//Function 为数据库中保护资源的映射
Function secureObject=functionCache.getFunctionByCache(secureObjectName);
if(secureObject==null)//if secure object not exist in database
{
secureObject=(Function)baseDao.loadByKey(Function.class, "protectfunction", secureObjectName);
functionCache.putFunctionInCache(secureObject);
}
if(secureObject==null)
Assert.notNull(secureObject,"secureObject(Function) not found in db");
//retrieving roles associated with this secure object
Collection roles = null;
GrantedAuthority[] grantedAuthoritys = cache.getAuthorityFromCache(secureObject.getName());
// 如果是第一次 cache 为空
if(grantedAuthoritys == null){
Set rolesSet = secureObject.getRoles();
Iterator it = rolesSet.iterator();
List list = new ArrayList();
while(it.hasNext()){
Role role = (Role)it.next();
GrantedAuthority g = new GrantedAuthorityImpl(role.getName());
list.add(g);
}
grantedAuthoritys = (GrantedAuthority[])list.toArray(new GrantedAuthority[0]);
cache.putAuthorityInCache(secureObject.getName(),grantedAuthoritys);
roles = Arrays.asList(grantedAuthoritys);
}else{
roles = Arrays.asList(grantedAuthoritys);
}
if(!roles.isEmpty()){
ConfigAttributeEditor configAttrEditor=new ConfigAttributeEditor();
StringBuffer rolesStr=new StringBuffer();
for(Iterator it = roles.iterator();it.hasNext();){
GrantedAuthority role=(GrantedAuthority)it.next();
rolesStr.append(role.getAuthority()).append(",");
}
configAttrEditor.setAsText( rolesStr.toString().substring(0,rolesStr.length()-1) );
ConfigAttributeDefinition configAttrDef=(ConfigAttributeDefinition)configAttrEditor.getValue();
return configAttrDef;
}
Assert.notEmpty(roles,"collection of roles is null or empty");
return null;
}
public Iterator getConfigAttributeDefinitions() {
return null;
}
public IBaseDao getBaseDao() {
return baseDao;
}
public void setBaseDao(IBaseDao baseDao) {
this.baseDao = baseDao;
}
public AuthorityBasedFunctionCache getCache() {
return cache;
}
public void setCache(AuthorityBasedFunctionCache cache) {
this.cache = cache;
}
}
2:定义 基于方法的 自定义标志
通过以上的分析 , 要想使用acegi 做页面的显示控制仅仅靠角色(Role)是不行的,因为用户可能随时定义出新的角色,所以只能 基于方法(Function)的控制。可是acegi 只是提供了基于 角色的 接口GrantedAuthority ,怎么办? ,如法炮制。 首先定义出我们自己的GrantedFunction,实现也雷同 GrantedAuthorityImpl
java代码:
package sample.auth;
import java.io.Serializable;
public class GrantedFunctionImpl implements GrantedFunction , Serializable{
private String function;
//~ Constructors ===========================================================
public GrantedFunctionImpl(String function) {
super();
this.function = function;
}
protected GrantedFunctionImpl() {
throw new IllegalArgumentException("Cannot use default constructor");
}
//~ Methods ================================================================
public String getFunction() {
return this.function;
}
public boolean equals(Object obj) {
if (obj instanceof String) {
return obj.equals(this.function);
}
if (obj instanceof GrantedFunction) {
GrantedFunction attr = (GrantedFunction) obj;
return this.function.equals(attr.getFunction());
}
return false;
}
public int hashCode() {
return this.function.hashCode();
}
public String toString() {
return this.function;
}
}
以 下是我的标志实现,大致思路是 根据 页面 的传来的 方法名(即 FunctionName)查询出对应的Functions,并且包装成grantedFunctions ,然后根据用户的角色查询出用户对应的Functions ,再取这两个集合的交集,最后再根据这个集合是否为空判断是否显示标志体的内容。
java代码:
package sample.auth;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.Tag;
import javax.servlet.jsp.tagext.TagSupport;
import org.acegisecurity.Authentication;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContextHolder;
import org.springframework.util.StringUtils;
import org.springframework.web.util.ExpressionEvaluationUtils;
import sample.web.action.AppContext;
/**
*
* @author limq
*
*/
public class AuthorizeActionTag extends TagSupport{
private String ifAllGranted = "";
private String ifAnyGranted = "";
private String ifNotGranted = "";
public void setIfAllGranted(String ifAllGranted) throws JspException {
this.ifAllGranted = ifAllGranted;
}
public String getIfAllGranted() {
return ifAllGranted;
}
public void setIfAnyGranted(String ifAnyGranted) throws JspException {
this.ifAnyGranted = ifAnyGranted;
}
public String getIfAnyGranted() {
return ifAnyGranted;
}
public void setIfNotGranted(String ifNotGranted) throws JspException {
this.ifNotGranted = ifNotGranted;
}
public String getIfNotGranted() {
return ifNotGranted;
}
public int doStartTag() throws JspException {
if (((null == ifAllGranted) || "".equals(ifAllGranted))
&& ((null == ifAnyGranted) || "".equals(ifAnyGranted))
&& ((null == ifNotGranted) || "".equals(ifNotGranted))) {
return Tag.SKIP_BODY;
}
final Collection granted = getPrincipalFunctionByAuthorities();
final String evaledIfNotGranted = ExpressionEvaluationUtils
.evaluateString("ifNotGranted", ifNotGranted, pageContext);
if ((null != evaledIfNotGranted) && !"".equals(evaledIfNotGranted)) {
Set grantedCopy = retainAll(granted,
parseSecurityString(evaledIfNotGranted));
if (!grantedCopy.isEmpty()) {
return Tag.SKIP_BODY;
}
}
final String evaledIfAllGranted = ExpressionEvaluationUtils
.evaluateString("ifAllGranted", ifAllGranted, pageContext);
if ((null != evaledIfAllGranted) && !"".equals(evaledIfAllGranted)) {
if (!granted.containsAll(parseSecurityString(evaledIfAllGranted))) {
return Tag.SKIP_BODY;
}
}
final String evaledIfAnyGranted = ExpressionEvaluationUtils
.evaluateString("ifAnyGranted", ifAnyGranted, pageContext);
if ((null != evaledIfAnyGranted) && !"".equals(evaledIfAnyGranted)) {
Set grantedCopy = retainAll(granted,
parseSecurityString(evaledIfAnyGranted));
if (grantedCopy.isEmpty()) {
return Tag.SKIP_BODY;
}
}
return Tag.EVAL_BODY_INCLUDE;
}
/**
* 得到用户的Authentication,并且从Authentication中获得 Authorities,进而得到 授予用户的 Function
* @return
*/
private Collection getPrincipalFunctionByAuthorities() {
Authentication currentUser = SecurityContextHolder.getContext()
.getAuthentication();
if (null == currentUser) {
return Collections.EMPTY_LIST;
}
if ((null == currentUser.getAuthorities())
|| (currentUser.getAuthorities().length < 1)) {
return Collections.EMPTY_LIST;
}
// currentUser.getAuthorities() 返回的是 GrantedAuthority[]
List granted = Arrays.asList(currentUser.getAuthorities());
AuthDao authDao =(AuthDao) AppContext.getInstance().getAppContext().getBean("authDao");
Collection grantedFunctions = authDao.getFunctionsByRoles(granted);
return grantedFunctions;
}
/**
* 得到用户功能(Function)的集合,并且验证是否合法
* @param c Collection 类型
* @return Set类型
*/
private Set SecurityObjectToFunctions(Collection c) {
Set target = new HashSet();
for (Iterator iterator = c.iterator(); iterator.hasNext();) {
GrantedFunction function = (GrantedFunction) iterator.next();
if (null == function.getFunction()) {
throw new IllegalArgumentException(
"Cannot process GrantedFunction objects which return null from getFunction() - attempting to process "
+ function.toString());
}
target.add(function.getFunction());
}
return target;
}
/**
* 处理页面标志属性 ,用' ,'区分
*/
private Set parseSecurityString(String functionsString) {
final Set requiredFunctions = new HashSet();
final String[] functions = StringUtils
.commaDelimitedListToStringArray(functionsString);
for (int i = 0; i < functions.length; i++) {
String authority = functions[i];
// Remove the role's whitespace characters without depending on JDK 1.4+
// Includes space, tab, new line, carriage return and form feed.
String function = StringUtils.replace(authority, " ", "");
function = StringUtils.replace(function, "\t", "");
function = StringUtils.replace(function, "\r", "");
function = StringUtils.replace(function, "\n", "");
function = StringUtils.replace(function, "\f", "");
requiredFunctions.add(new GrantedFunctionImpl(function));
}
return requiredFunctions;
}
/**
* 获得用户所拥有的Function 和 要求的 Function 的交集
* @param granted 用户已经获得的Function
* @param required 所需要的Function
* @return
*/
private Set retainAll(final Collection granted, final Set required) {
Set grantedFunction = SecurityObjectToFunctions(granted);
Set requiredFunction = SecurityObjectToFunctions(required);
// retailAll() 获得 grantedFunction 和 requiredFunction 的交集
// 即删除 grantedFunction 中 除了 requiredFunction 的项
grantedFunction.retainAll(requiredFunction);
return rolesToAuthorities(grantedFunction, granted);
}
/**
*
* @param grantedFunctions 已经被过滤过的Function
* @param granted 未被过滤过的,即用户所拥有的Function
* @return
*/
private Set rolesToAuthorities(Set grantedFunctions, Collection granted) {
Set target = new HashSet();
for (Iterator iterator = grantedFunctions.iterator(); iterator.hasNext();) {
String function = (String) iterator.next();
for (Iterator grantedIterator = granted.iterator();
grantedIterator.hasNext();) {
GrantedFunction grantedFunction = (GrantedFunction) grantedIterator
.next();
if (grantedFunction.getFunction().equals(function)) {
target.add(grantedFunction);
break;
}
}
}
return target;
}
}
再说明一下吧,通过 AppContext 获得了Spring的上下文,以及AuthDao(实际意义上讲以不再是单纯的Dao,应该是Service)
java代码:
package sample.auth;
import java.util.Collection;
public interface AuthDao {
/**
* 根据用户的角色集合 得到 用户的 操作权限
* @param granted 已授予用户的角色集合
* @return 操作权限的集合
*/
public Collection getFunctionsByRoles(Collection granted);
}
以下是AuthDao 的实现
java代码:
package sample.auth;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import org.acegisecurity.GrantedAuthority;
import sample.auth.cache.FunctionCache;
import sample.auth.cache.info.RoleByNameCache;
import sample.dao.IBaseDao;
import sample.mappings.function.Function;
import sample.mappings.role.Role;
public class AuthDaoImpl implements AuthDao {
private IBaseDao baseDao;
private FunctionCache cache;
private RoleByNameCache roleCache;
public RoleByNameCache getRoleCache() {
return roleCache;
}
public void setRoleCache(RoleByNameCache roleCache) {
this.roleCache = roleCache;
}
public FunctionCache getCache() {
return cache;
}
public void setCache(FunctionCache cache) {
this.cache = cache;
}
public IBaseDao getBaseDao() {
return baseDao;
}
public void setBaseDao(IBaseDao baseDao) {
this.baseDao = baseDao;
}
public Collection getFunctionsByRoles(Collection granted) {
Set set = new HashSet();
if(null == granted) throw new IllegalArgumentException("Granted Roles cannot be null");
for(Iterator it = granted.iterator();it.hasNext();){
GrantedAuthority grantedAuthority = (GrantedAuthority)it.next();
Role role = roleCache.getRoleByRoleNameCache(grantedAuthority.getAuthority()); //
if(role == null){
role = (Role)baseDao.loadByKey(Role.class, "name", grantedAuthority.getAuthority());
roleCache.putRoleInCache(role);
}
GrantedFunction[] grantedFunctions = cache.getFunctionFromCache(role.getName());
if(grantedFunctions == null){
Set functions = role.getFunctions();
for(Iterator it2 = functions.iterator();it2.hasNext();){
Function function = (Function)it2.next();
GrantedFunction grantedFunction = new GrantedFunctionImpl(function.getName());
set.add( grantedFunction );
}
grantedFunctions = (GrantedFunction[]) set.toArray(new GrantedFunction[0]);
cache.putFuncitonInCache(role.getName(),grantedFunctions);
}
for(int i = 0 ; i < grantedFunctions.length; i++){
GrantedFunction grantedFunction = grantedFunctions[i];
set.add(grantedFunction);
}
}
return set;
}
}
3 基于hibernate的用户验证
acegi 默认的 的 用户验证是 通过UserDetailsService 接口 实现的 也就是说我们只要实现了 它的loadUserByUsername 方法。
java代码:
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException, DataAccessException;
以下是我的实现
java代码:
package sample.auth;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.GrantedAuthorityImpl;
import org.acegisecurity.userdetails.User;
import org.acegisecurity.userdetails.UserDetails;
import org.acegisecurity.userdetails.UserDetailsService;
import org.acegisecurity.userdetails.UsernameNotFoundException;
import org.springframework.dao.DataAccessException;
import sample.auth.cache.AuthorityBasedUserCache;
import sample.dao.IBaseDao;
import sample.mappings.role.Role;
import sample.utils.MisUtils;
public class HibernateDaoImpl implements UserDetailsService{
private String rolePrefix = "";
private boolean usernameBasedPrimaryKey = false;
private AuthorityBasedUserCache cache;
private IBaseDao baseDao;
public String getRolePrefix() {
return rolePrefix;
}
public void setRolePrefix(String rolePrefix) {
this.rolePrefix = rolePrefix;
}
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
UserDetails user = getUsersByUsernameQuery(username);
if(user == null) return null;
GrantedAuthority[] arrayAuths =getAuthoritiesByUsernameQuery(username);
if (arrayAuths.length == 0) {
throw new UsernameNotFoundException("User has no GrantedAuthority");
}
return new User(username, user.getPassword(), user.isEnabled(),
true, true, true, arrayAuths);
}
/**
* 根据用户名查找用户
* @param username
* @return
* @throws DataAccessException
*/
public UserDetails getUsersByUsernameQuery(String username)throws DataAccessException {
sample.mappings.user.User misUser = (sample.mappings.user.User)baseDao.loadByKey(sample.mappings.user.User.class,"name",username);
if(misUser != null)
{
org.acegisecurity.userdetails.UserDetails user =
new User(misUser.getName(),misUser.getPassword(),MisUtils.parseBoolean(misUser.getEnable()),true,true,true,getAuthoritiesByUsernameQuery(username));
return user;
}else
return null;
}
/**
* 根据用户名查找角色
* @param username
* @return GrantedAuthority[] 用户角色
* @throws DataAccessException
*/
public GrantedAuthority[] getAuthoritiesByUsernameQuery(String username)
throws DataAccessException {
sample.mappings.user.User misUser
= (sample.mappings.user.User)baseDao.loadByKey(sample.mappings.user.User.class,"name",username);
if(misUser != null){
GrantedAuthority[] grantedAuthoritys = cache.getAuthorityFromCache(misUser.getName());
if(grantedAuthoritys == null){
Set roles = misUser.getRoles();
Iterator it = roles.iterator();
List list = new ArrayList();
while(it.hasNext() ){
GrantedAuthorityImpl gai = new GrantedAuthorityImpl( ((Role)it.next()).getName() );
list.add(gai);
}
grantedAuthoritys =(GrantedAuthority[]) list.toArray(new GrantedAuthority[0]);
cache.putAuthorityInCache(misUser.getName(),grantedAuthoritys);
return grantedAuthoritys;
}
return grantedAuthoritys;
}
return null;
}
public IBaseDao getBaseDao() {
return baseDao;
}
public void setBaseDao(IBaseDao baseDao) {
this.baseDao = baseDao;
}
public AuthorityBasedUserCache getCache() {
return cache;
}
public void setCache(AuthorityBasedUserCache cache) {
this.cache = cache;
}
}
通过以上对acegi 的 处理,足以满足我们目前在spring下基于RBAC的动态权限管理。同时在对频繁的数据库查询上使用了Ehcache作为缓存,在性能上有了很大的改善。
167
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
