spring security已经成为企业软件中应用最为广泛的Java安全框架之一,它可以在Spring应用上下文中配置的Bean,充分利用了Spring IoC(依赖注入,也称控制反转)和AOP(面向切面编程)功能,为应用系统提供声明式的安全访问控制功能,减少了为企业系统安全控制编写大量重复代码的工作。它提供了全面的认证、授权、基于实例的访问控制、channel安全及人类用户检验能力。
Spring Security 2.0构建在Acegi Security坚实的基础之上,并在此基础上增加了许多新特性,现在本文的重点是要讲spring security简化的基于命名空间的配置,旧式配置可能需要上百行的XML.
通过下面的例子,你会了解到基于命名空间的配置是如何的简单。
spring security 2.0 例子:
开发环境:MyEclipse 6.0
服务器 :tomcat 6.x
开发架构:struts 1.2 + spring 2.5
spring security 版本:2.0
1.首先要搭好应用的款架,struts和spring(省略)
2.在web.xml里把spring-security 的配置文件路径添加进来
3.在web.xml中添加过spring的过滤器代理
4.添加相关的监听器,以便spring的监听管理
具体web.xml文件如下:
5.创建spring-security-ns.xml配置文件(具体看配置文件):
6.创建相关的jsp页面和action,见附件.
有兴趣的可以下载附件运行看看!
附件中还包含了spring-security 的jar包
Spring Security 2.0构建在Acegi Security坚实的基础之上,并在此基础上增加了许多新特性,现在本文的重点是要讲spring security简化的基于命名空间的配置,旧式配置可能需要上百行的XML.
通过下面的例子,你会了解到基于命名空间的配置是如何的简单。
spring security 2.0 例子:
开发环境:MyEclipse 6.0
服务器 :tomcat 6.x
开发架构:struts 1.2 + spring 2.5
spring security 版本:2.0
1.首先要搭好应用的款架,struts和spring(省略)
2.在web.xml里把spring-security 的配置文件路径添加进来
3.在web.xml中添加过spring的过滤器代理
4.添加相关的监听器,以便spring的监听管理
具体web.xml文件如下:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<!-- 装载spring配置文件 -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring-security-ns.xml
/WEB-INF/applicationContext.xml
</param-value>
</context-param>
<context-param>
<param-name>log4jConfigLocation</param-name>
<param-value>/WEB-INF/classes/log4j.properties</param-value>
</context-param>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<!--bean的名字是springSecurityFilterChain,这是由命名空间创建的用于处理web安全的一个内部机制 -->
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!--
- Loads the root application context of this web app at startup.
- The application context is then available via
- WebApplicationContextUtils.getWebApplicationContext(servletContext).
-->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!--
- Publishes events for session creation and destruction through the application
- context. Optional unless concurrent session control is being used.
-->
<listener>
<listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
</listener>
<servlet>
<servlet-name>action</servlet-name>
<servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
<init-param>
<param-name>config</param-name>
<param-value>/WEB-INF/struts-config.xml</param-value>
</init-param>
<init-param>
<param-name>debug</param-name>
<param-value>3</param-value>
</init-param>
<init-param>
<param-name>detail</param-name>
<param-value>3</param-value>
</init-param>
<load-on-startup>0</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>action</servlet-name>
<url-pattern>*.do</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>login.jsp</welcome-file>
</welcome-file-list>
<error-page>
<error-code>403</error-code>
<location>/error.html</location>
</error-page>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
</web-app>
5.创建spring-security-ns.xml配置文件(具体看配置文件):
<?xml version="1.0" encoding="UTF-8"?>
<!--
- 基于名称空间配置
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
<global-method-security secured-annotations="enabled" >
<!-- AspectJ pointcut expression that locates our "post" method and applies security that way
<protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
-->
</global-method-security>
<http access-denied-page="/error.jsp" access-decision-manager-ref="accessDecisionManager"
session-fixation-protection="newSession" auto-config="true" path-type="ant" ><!--session-fixation-protection属性可以防止session固定攻击 -->
<!-- 权限入口的顺序十分重要,注意必须把特殊的URL权限写在一般的URL权限之前。 -->
<intercept-url pattern="/acegiTest.do" access="ROLE_SUPERVISOR"/>
<intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_REMEMBERED" />
<intercept-url pattern="/roleA/**.jsp" access="ROLE_A"/>
<intercept-url pattern="/roleB/**.jsp" access="ROLE_B"/>
<intercept-url pattern="/roleC/**.jsp" access="ROLE_C"/>
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<!--
x509认证
<x509 />
-->
<!-- All of this is unnecessary if auto-config="true"
<form-login />
<anonymous />
<http-basic />
<logout />
<remember-me />
-->
<form-login login-page="/login.jsp" default-target-url="/index.jsp" authentication-failure-url="/login.jsp?login_error=1" />
<anonymous key="cookie_key" username="ananoymous" granted-authority="IS_AUTHENTICATED_ANONYMOUSLY"/>
<logout invalidate-session="true" />
<!-- session并发控制 -->
<concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true" /><!-- exception-if-maximum-exceeded="true" 第二次登入失效 -->
</http>
<!-- 访问决策管理 -->
<beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
<beans:property name="allowIfAllAbstainDecisions" value="true"/>
<beans:property name="decisionVoters"><!-- 投票者列表 -->
<beans:list>
<beans:bean class="org.springframework.security.vote.RoleVoter"/>
<beans:bean class="org.springframework.security.vote.AuthenticatedVoter"/>
</beans:list>
</beans:property>
</beans:bean>
<authentication-provider><!-- user-service-ref="userDetailsService" -->
<!-- 基于内存存储用户 -->
<user-service>
<user name="admin" password="202cb962ac59075b964b07152d234b70" authorities="ROLE_A, ROLE_B, ROLE_C, ROLE_SUPERVISOR"/>
<user name="userab" password="202cb962ac59075b964b07152d234b70" authorities="ROLE_A, ROLE_B"/>
<user name="usera" password="202cb962ac59075b964b07152d234b70" authorities="ROLE_A"/>
<user name="userb" password="202cb962ac59075b964b07152d234b70" authorities="ROLE_B"/>
</user-service>
<!--密码md5加密-->
<password-encoder hash="md5"/>
<!--
<jdbc-user-service data-source-ref="f3CenterDS"
users-by-username-query="select name as 'username',password`,'true' as 'enabled' from users where name = ?"
authorities-by-username-query="select name as 'username',authorities as 'authority' from authentication where name = ?"
/>
-->
</authentication-provider>
<!--用户信息存在在数据库的验证-->
<!--
<beans:bean id="userDetailsService"
class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
<beans:property name="dataSource" ref="f3CenterDS" />
<beans:property name="usersByUsernameQuery">
<beans:value>
select name as 'username',password,'true' as 'enabled' from users where name = ?
</beans:value>
</beans:property>
<beans:property name="authoritiesByUsernameQuery">
<beans:value>
select name as 'username',authorities as 'authority' from authentication where name = ?
</beans:value>
</beans:property>
</beans:bean>
-->
</beans:beans>
6.创建相关的jsp页面和action,见附件.
有兴趣的可以下载附件运行看看!
附件中还包含了spring-security 的jar包
1469
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
