spring security

最新推荐文章于 2024-04-20 16:32:09 发布
最新推荐文章于 2024-04-20 16:32:09 发布
阅读量95 收藏
点赞数
分类专栏: spring 文章标签: Security Spring Hibernate Myeclipse Bean

    关于web中的权限管理,一直是很麻烦的事,有人说struts2提供的拦截器的功能可以轻松实现权限的控制,我这边实现了一下,发现不是很完美,例如,页面的访问就控制不了,但是网上也提供了解决的方案,可以用过虑器来控制页面,也就是struts2的拦截器控制action的权限,过虑器来控制页面访问权限,貌似不错,但是代价太高了,另一种方案是采用spring security,反正是SSH的项目,spring security的应用还是相对成熟一些,做了一个实现,发现不少问题,记录下来。

表结构:

采用传统的 用户,角色,权限(资源),角色权限,用户角色 的模式,本来都是多对多的,为了简便都改成一对多和多对一了。

User表 写道
User的mapping.

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE hibernate-mapping PUBLIC "-//Hibernate/Hibernate Mapping DTD 3.0//EN"
"http://hibernate.sourceforge.net/hibernate-mapping-3.0.dtd">
<!--
Mapping file autogenerated by MyEclipse Persistence Tools
-->
<hibernate-mapping>
<class name="com.coc.model.User" table="user">
<meta attribute="implement-equals">true</meta>
<cache usage="read-write"/>
<id name="id" type="java.lang.Integer">
<column name="userid" />
<generator class="assigned" />
</id>
<property name="username" type="java.lang.String">
<column name="username" length="40" not-null="true" />
</property>
<property name="nickname" type="java.lang.String">
<column name="nickname" length="40" not-null="true" />
</property>
<property name="password" type="java.lang.String">
<column name="password" length="40" not-null="true" />
</property>
<property name="email" type="java.lang.String">
<column name="email" length="100" not-null="true" />
</property>
<!-- <property name="deptid" type="java.lang.Integer">
<column name="deptid" not-null="true" />
</property>
-->
<property name="mobilepin" type="java.lang.String">
<column name="mobilepin" length="50" not-null="true" />
</property>
<property name="islockout" type="java.lang.Integer">
<column name="islockout" not-null="true" />
</property>
<property name="dtcreate" type="java.util.Date">
<column name="dtcreate" length="19" not-null="true" />
</property>
<property name="failtry" type="java.lang.Integer">
<column name="failtry" not-null="true" />
</property>
<property name="picurl" type="java.lang.String">
<column name="picurl" not-null="true" />
</property>
<property name="sex" type="java.lang.Integer">
<column name="sex" not-null="true" />
</property>
<property name="zip" type="java.lang.String">
<column name="zip" length="20" not-null="true" />
</property>
<property name="age" type="java.lang.Integer">
<column name="age" not-null="true" />
</property>
<property name="birthday" type="java.util.Date">
<column name="birthday" length="19" not-null="true" />
</property>
<property name="ismarry" type="java.lang.Integer">
<column name="ismarry" not-null="true" />
</property>
<property name="address" type="java.lang.String">
<column name="address" not-null="true" />
</property>
<property name="identity" type="java.lang.String">
<column name="identity" length="20" not-null="true" />
</property>
<property name="description" type="java.lang.String">
<column name="description" length="65535" not-null="true" />
</property>
<property name="issuper" type="java.lang.Integer">
<column name="issuper" not-null="true" />
</property>
<set name="useroles" cascade="all" inverse="true">
<key>
<column name="userid"/>
</key>
<one-to-many class="com.coc.model.Userole"/>
</set>
<many-to-one name="department" column="deptid" class="com.coc.model.Department"/>
</class>
</hibernate-mapping>

User Pojo:
import java.util.ArrayList;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.userdetails.UserDetails;

/**
* User entity.
*
* @author MyEclipse Persistence Tools
*/

public class User implements java.io.Serializable, UserDetails {

// Fields

/**
*
*/
private static final long serialVersionUID = 1L;
private Integer id;
private String username;
private String nickname;
private String password;
private String email;
private Integer deptid;
private String mobilepin;
private Integer islockout;
private Date dtcreate;
private Integer failtry;
private String picurl;
private Integer sex;
private String zip;
private Integer age;
private Date birthday;
private Integer ismarry;
private String address;
private String identity;
private String description;
private Integer issuper;
private Set <Userole> useroles =new HashSet<Userole>();
private Department department;
// Constructors

/** default constructor */
public User() {
}
// Property accessors

public String getUsername() {
return this.username;
}

public void setUsername(String username) {
this.username = username;
}

public String getNickname() {
return this.nickname;
}

public void setNickname(String nickname) {
this.nickname = nickname;
}

public String getPassword() {
return this.password;
}

public void setPassword(String password) {
this.password = password;
}

public String getEmail() {
return this.email;
}

public void setEmail(String email) {
this.email = email;
}

public Integer getDeptid() {
return this.deptid;
}

public void setDeptid(Integer deptid) {
this.deptid = deptid;
}

public String getMobilepin() {
return this.mobilepin;
}

public void setMobilepin(String mobilepin) {
this.mobilepin = mobilepin;
}

public Integer getIslockout() {
return this.islockout;
}

public void setIslockout(Integer islockout) {
this.islockout = islockout;
}

public Date getDtcreate() {
return this.dtcreate;
}

public void setDtcreate(Date dtcreate) {
this.dtcreate = dtcreate;
}

public Integer getFailtry() {
return this.failtry;
}

public void setFailtry(Integer failtry) {
this.failtry = failtry;
}

public String getPicurl() {
return this.picurl;
}

public void setPicurl(String picurl) {
this.picurl = picurl;
}

public Integer getSex() {
return this.sex;
}

public void setSex(Integer sex) {
this.sex = sex;
}

public String getZip() {
return this.zip;
}

public void setZip(String zip) {
this.zip = zip;
}

public Integer getAge() {
return this.age;
}

public void setAge(Integer age) {
this.age = age;
}

public Date getBirthday() {
return this.birthday;
}

public void setBirthday(Date birthday) {
this.birthday = birthday;
}

public Integer getIsmarry() {
return this.ismarry;
}

public void setIsmarry(Integer ismarry) {
this.ismarry = ismarry;
}

public String getAddress() {
return this.address;
}

public void setAddress(String address) {
this.address = address;
}

public String getIdentity() {
return this.identity;
}

public void setIdentity(String identity) {
this.identity = identity;
}

public String getDescription() {
return this.description;
}

public void setDescription(String description) {
this.description = description;
}

public Integer getIssuper() {
return this.issuper;
}

public void setIssuper(Integer issuper) {
this.issuper = issuper;
}

public Set<Userole> getUseroles() {
return useroles;
}

public void setUseroles(Set<Userole> useroles) {
this.useroles = useroles;
}

public GrantedAuthority[] getAuthorities() {
List<GrantedAuthorityImpl> authoritis =new ArrayList<GrantedAuthorityImpl>();
Iterator<Userole> iter =useroles.iterator();
while(iter.hasNext())
{
Userole userole =(Userole)iter.next();
authoritis.add(new GrantedAuthorityImpl(userole.getRole().getRolename()));
}
return authoritis.toArray(new GrantedAuthorityImpl[authoritis.size()]);
}

public boolean isAccountNonExpired() {

return true;
}

public boolean isAccountNonLocked() {

return true;
}

public boolean isCredentialsNonExpired() {

return true;
}

public boolean isEnabled() {

return true;
}

public Integer getId() {
return id;
}

public void setId(Integer id) {
this.id = id;
}

public Department getDepartment() {
return department;
}

public void setDepartment(Department department) {
this.department = department;
}

}

 Userole表:

Userole表的mapping&pojo 写道
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE hibernate-mapping PUBLIC "-//Hibernate/Hibernate Mapping DTD 3.0//EN"
"http://hibernate.sourceforge.net/hibernate-mapping-3.0.dtd">
<!--
Mapping file autogenerated by MyEclipse Persistence Tools
-->
<hibernate-mapping>
<class name="com.coc.model.Userole" table="userole" >
<meta attribute="implement-equals">true</meta>
<cache usage="read-write"/>
<id name="id" type="java.lang.Integer">
<column name="id" />
<generator class="assigned" />
</id>
<!--
<property name="userid" type="java.lang.Integer">
<column name="userid" not-null="true" />
</property>
<property name="roleid" type="java.lang.Integer">
<column name="roleid" not-null="true" />
</property>
-->
<many-to-one name="user" column="userid" class="com.coc.model.User" not-null="true"/>
<many-to-one name="role" column="roleid" class="com.coc.model.Role" not-null="true"/>
</class>
</hibernate-mapping>

Userole的pojo
public class Userole implements java.io.Serializable {

// Fields

private Integer id;
private Integer userid;
private Integer roleid;
private Role role;
private User user;

// Constructors

/** default constructor */
public Userole() {
}

// Property accessors

public Integer getId() {
return this.id;
}

public void setId(Integer id) {
this.id = id;
}

public Integer getUserid() {
return this.userid;
}

public void setUserid(Integer userid) {
this.userid = userid;
}

public Integer getRoleid() {
return this.roleid;
}

public void setRoleid(Integer roleid) {
this.roleid = roleid;
}

public Role getRole() {
return role;
}

public void setRole(Role role) {
this.role = role;
}

public User getUser() {
return user;
}

public void setUser(User user) {
this.user = user;
}

}

 

Role 表的mapping&pojo

Role表的mapping 

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE hibernate-mapping PUBLIC "-//Hibernate/Hibernate Mapping DTD 3.0//EN"
"http://hibernate.sourceforge.net/hibernate-mapping-3.0.dtd">
<!-- 
    Mapping file autogenerated by MyEclipse Persistence Tools
-->
<hibernate-mapping>
    <class name="com.coc.model.Role" table="role">
       <meta attribute="implement-equals">true</meta>    
  		<cache usage="read-write"/>
        <id name="roleid" type="java.lang.Integer">
            <column name="roleid" />
            <generator class="assigned" />
        </id>
        <property name="rolename" type="java.lang.String">
            <column name="rolename" length="50" not-null="true" />
        </property>
        <property name="issysrole" type="java.lang.Integer">
            <column name="issysrole" not-null="true" />
        </property>
        <property name="islockout" type="java.lang.Integer">
            <column name="islockout" not-null="true" />
        </property>
        <property name="description" type="java.lang.String">
            <column name="description" not-null="true" />
        </property>
        
        <set name="useroles" cascade="all" inverse="true">
        <key>
          <column name="roleid"/>
        </key>
          <one-to-many class="com.coc.model.Userole"/>
        </set>
        
        <set name="rolePermissions" cascade="all" inverse="true">
        <key>
        <column name="roleid"/>
        </key>
        <one-to-many class="com.coc.model.Rolepermission"/>
        </set>
    </class>
</hibernate-mapping>

Role表的pojo
public class Role implements java.io.Serializable {

	// Fields

	private Integer roleid;
	private String rolename;
	private Integer issysrole;
	private Integer islockout;
	private String description;
    private Set<Userole> useroles =new HashSet<Userole>();
    private Set<Rolepermission> rolePermissions =new HashSet<Rolepermission>();
	// Constructors

	/** default constructor */
	public Role() {
	}

	// Property accessors

	public Integer getRoleid() {
		return this.roleid;
	}

	public void setRoleid(Integer roleid) {
		this.roleid = roleid;
	}

	public String getRolename() {
		return this.rolename;
	}

	public void setRolename(String rolename) {
		this.rolename = rolename;
	}

	public Integer getIssysrole() {
		return this.issysrole;
	}

	public void setIssysrole(Integer issysrole) {
		this.issysrole = issysrole;
	}

	public Integer getIslockout() {
		return this.islockout;
	}

	public void setIslockout(Integer islockout) {
		this.islockout = islockout;
	}

	public String getDescription() {
		return this.description;
	}

	public void setDescription(String description) {
		this.description = description;
	}

	

	public void setUseroles(HashSet<Userole> useroles) {
		this.useroles = useroles;
	}



	public void setRolePermissions(HashSet<Rolepermission> rolePermissions) {
		this.rolePermissions = rolePermissions;
	}

	public Set<Userole> getUseroles() {
		return useroles;
	}

	public void setUseroles(Set<Userole> useroles) {
		this.useroles = useroles;
	}

	public Set<Rolepermission> getRolePermissions() {
		return rolePermissions;
	}

	public void setRolePermissions(Set<Rolepermission> rolePermissions) {
		this.rolePermissions = rolePermissions;
	}

}

 

Permission表的mapping及pojo

Permission 表的mapping

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE hibernate-mapping PUBLIC "-//Hibernate/Hibernate Mapping DTD 3.0//EN"
"http://hibernate.sourceforge.net/hibernate-mapping-3.0.dtd">
<!-- 
    Mapping file autogenerated by MyEclipse Persistence Tools
-->
<hibernate-mapping>
    <class name="com.coc.model.Permission" table="permission">
        <meta attribute="implement-equals">true</meta>    
  		<cache usage="read-write"/>
        <id name="permitid" type="java.lang.Integer">
            <column name="permitid" />
            <generator class="assigned" />
        </id>
        <property name="permitname" type="java.lang.String">
            <column name="permitname" length="50" not-null="true" />
        </property>
        <property name="module" type="java.lang.String">
            <column name="module" length="100" not-null="true" />
        </property>
        <property name="action" type="java.lang.String">
            <column name="action" length="100" not-null="true" />
        </property>
        <property name="permitvalue" type="java.lang.String">
            <column name="permitvalue" not-null="true" />
        </property>
        <property name="parentid" type="java.lang.Integer">
            <column name="parentid" not-null="true" />
        </property>
        <property name="type" type="java.lang.Integer">
            <column name="type" not-null="true" />
        </property>
        <property name="description" type="java.lang.String">
            <column name="description" not-null="true" />
        </property>
        <set name="rolePermissions" cascade="all" inverse="true">
        <key>
           <column name="permitid"/>
        </key>
           <one-to-many class="com.coc.model.Rolepermission"/>
        </set>
    </class>
</hibernate-mapping>

Permission 表的pojo
public class Permission implements java.io.Serializable {

	// Fields

	/**
	 * 
	 */
	private static final long serialVersionUID = 1L;
	private Integer permitid;
	private String permitname;
	private String module;
	private String action;
	private String permitvalue;
	private Integer parentid;
	private Integer type;
	private String description;
    private Set<Rolepermission> rolePermissions =new HashSet<Rolepermission>();
	// Constructors

	/** default constructor */
	public Permission() {
	}

	// Property accessors

	public Integer getPermitid() {
		return this.permitid;
	}

	public void setPermitid(Integer permitid) {
		this.permitid = permitid;
	}

	public String getPermitname() {
		return this.permitname;
	}

	public void setPermitname(String permitname) {
		this.permitname = permitname;
	}

	public String getModule() {
		return this.module;
	}

	public void setModule(String module) {
		this.module = module;
	}

	public String getAction() {
		return this.action;
	}

	public void setAction(String action) {
		this.action = action;
	}

	public String getPermitvalue() {
		return this.permitvalue;
	}

	public void setPermitvalue(String permitvalue) {
		this.permitvalue = permitvalue;
	}

	public Integer getParentid() {
		return this.parentid;
	}

	public void setParentid(Integer parentid) {
		this.parentid = parentid;
	}

	public Integer getType() {
		return this.type;
	}

	public void setType(Integer type) {
		this.type = type;
	}

	public String getDescription() {
		return this.description;
	}

	public void setDescription(String description) {
		this.description = description;
	}

	public Set<Rolepermission> getRolePermissions() {
		return rolePermissions;
	}

	public void setRolePermissions(Set<Rolepermission> rolePermissions) {
		this.rolePermissions = rolePermissions;
	}
}

 

最后是RolePermission的

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE hibernate-mapping PUBLIC "-//Hibernate/Hibernate Mapping DTD 3.0//EN"
"http://hibernate.sourceforge.net/hibernate-mapping-3.0.dtd">
<!-- 
    Mapping file autogenerated by MyEclipse Persistence Tools
-->
<hibernate-mapping>
    <class name="com.coc.model.Rolepermission" table="rolepermission">
        <meta attribute="implement-equals">true</meta>    
  		<cache usage="read-write"/>
        <id name="id" type="java.lang.Integer">
            <column name="id" />
            <generator class="assigned" />
        </id>
        <!--  
        <property name="roleid" type="java.lang.Integer">
            <column name="roleid" not-null="true" />
        </property>
        <property name="permitid" type="java.lang.Integer">
            <column name="permitid" not-null="true" />
        </property>
        -->
        <many-to-one name="role" column="roleid" class="com.coc.model.Role" not-null="true" />
        <many-to-one name="permission" column="permitid" class="com.coc.model.Permission" not-null="true"/>
    </class>
</hibernate-mapping>


public class Rolepermission implements java.io.Serializable {

	// Fields

	private Integer id;
	private Integer roleid;
	private Integer permitid;
	private Role role;
	private Permission permission;

	// Constructors

	/** default constructor */
	public Rolepermission() {
	}

	// Property accessors

	public Integer getId() {
		return this.id;
	}

	public void setId(Integer id) {
		this.id = id;
	}

	public Integer getRoleid() {
		return this.roleid;
	}

	public void setRoleid(Integer roleid) {
		this.roleid = roleid;
	}

	public Integer getPermitid() {
		return this.permitid;
	}

	public void setPermitid(Integer permitid) {
		this.permitid = permitid;
	}

	public Role getRole() {
		return role;
	}

	public void setRole(Role role) {
		this.role = role;
	}

	public Permission getPermission() {
		return permission;
	}

	public void setPermission(Permission permission) {
		this.permission = permission;
	}
}

 以上代码没得什么特别的,除了User实现了UserDetails的接口外,没有什么,可以看到这个接口是spring security提供的,其实现的具体方法是getAuthorities()通俗地说也就是把这个user所有角色的角色名提取出来.

 

另外在User的service的实现层也实现了spring security的一个接口,代码如下.

import java.util.List;

import org.springframework.dao.DataAccessException;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;
import org.springframework.security.userdetails.UsernameNotFoundException;

import com.coc.hibernate.dao.UserDao;
import com.coc.model.User;
import com.coc.service.UserManager;

public class UserManagerImpl implements UserManager,UserDetailsService {

	private UserDao userDao;

	public User getUserByName(String userName) {
		return userDao.findUserByName(userName);

	}

	public UserDao getUserDao() {
		return userDao;
	}

	public void setUserDao(UserDao userDao) {
		this.userDao = userDao;
	}

	public UserDetails loadUserByUsername(String userName)
			throws UsernameNotFoundException, DataAccessException {
		
		User user = this.getUserByName(userName);
		if(user==null)
		{
			throw new UsernameNotFoundException("User not found!");
		}
		return user;
	}

	public List<User> findAllUser(int start, int limit, String sortName,String order) {
		
		return userDao.findAllUser(start, limit,sortName,order);
	}

	public Object getPageCount() {
		
		return userDao.getPageCount();
	}

	public User loadUserById(Integer userId) {
		
		return userDao.loadUserById(userId);
	}
	
	public void updateUser(User user)
	{
		userDao.saveorupdate(user);
	}

}

 到此为止,可以看出spring security通过实现这两个接口,拥有了用户及其角色的信息。

 

接下来要实现一个interceptor,spring security通过这个interceptor来判断用户的各个角色是否拥有相应的权限,如果有则放行,如果没有就拦截了,具体代码如下.

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletContext;

import org.apache.commons.lang.StringUtils;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.ConfigAttributeDefinition;
import org.springframework.security.ConfigAttributeEditor;
import org.springframework.security.intercept.web.FilterInvocation;
import org.springframework.security.intercept.web.FilterInvocationDefinitionSource;
import org.springframework.security.util.AntUrlPathMatcher;
import org.springframework.security.util.RegexUrlPathMatcher;
import org.springframework.security.util.UrlMatcher;
import org.springframework.web.context.support.WebApplicationContextUtils;

import com.coc.model.Permission;
import com.coc.model.Rolepermission;
import com.coc.service.PermissionManager;

public class SecureResourceFilterInvocationDefinitionSource implements
		FilterInvocationDefinitionSource, InitializingBean {

	private UrlMatcher urlMatcher;

	private boolean useAntPath = true;

	private boolean lowercaseComparisons = true;
    private PermissionManager permissionManager;
	/**
	 * @param useAntPath
	 *            the useAntPath to set
	 */
	public void setUseAntPath(boolean useAntPath) {
		this.useAntPath = useAntPath;
	}

	/**
	 * @param lowercaseComparisons
	 */
	public void setLowercaseComparisons(boolean lowercaseComparisons) {
		this.lowercaseComparisons = lowercaseComparisons;
	}

	/*
	 * (non-Javadoc)
	 * 
	 * @see org.springframework.beans.factory.InitializingBean#afterPropertiesSet()
	 */
	public void afterPropertiesSet() throws Exception {

		//System.out.println("=========afterPropertiesSet()==========");
		// default url matcher will be RegexUrlPathMatcher
		this.urlMatcher = new RegexUrlPathMatcher();

		if (useAntPath) { // change the implementation if required
			this.urlMatcher = new AntUrlPathMatcher();
		}

		// Only change from the defaults if the attribute has been set
		if ("true".equals(lowercaseComparisons)) {
			if (!this.useAntPath) {
				((RegexUrlPathMatcher) this.urlMatcher)
						.setRequiresLowerCaseUrl(true);
			}
		} else if ("false".equals(lowercaseComparisons)) {
			if (this.useAntPath) {
				((AntUrlPathMatcher) this.urlMatcher)
						.setRequiresLowerCaseUrl(false);
			}
		}

	}

	/*
	 * (non-Javadoc)
	 * 
	 * @see org.springframework.security.intercept.ObjectDefinitionSource#getAttributes(java.lang.Object)
	 */
	public ConfigAttributeDefinition getAttributes(Object filter)
			throws IllegalArgumentException {
		//System.out.println("=========getAttributes==========");
		FilterInvocation filterInvocation = (FilterInvocation) filter;
		String requestURI = filterInvocation.getRequestUrl();
		requestURI=StringUtils.removeStart(requestURI, "/");
		Map<String, String> urlAuthorities = this
				.getUrlAuthorities(filterInvocation);

		String grantedAuthorities = null;
		for (Iterator<Map.Entry<String, String>> iter = urlAuthorities
				.entrySet().iterator(); iter.hasNext();) {
			Map.Entry<String, String> entry = iter.next();
			String url = entry.getKey();
            //System.out.println("============url key is "+url+"=================\n");
            //System.out.println("============requestURI is "+requestURI+"=================\n");
			if (urlMatcher.pathMatchesUrl(url, requestURI)) {
				grantedAuthorities = entry.getValue();
				System.out.println("============\n match url is "+url+"\n requestURI is +"+requestURI+"\n=================grantedAuthorities is "+grantedAuthorities+"\n");
				break;
			}

		}

		if (grantedAuthorities != null) {
			
			ConfigAttributeEditor configAttrEditor = new ConfigAttributeEditor();
			configAttrEditor.setAsText(grantedAuthorities);
			return (ConfigAttributeDefinition) configAttrEditor.getValue();
		}

		return null;
	}

	/*
	 * (non-Javadoc)
	 * 
	 * @see org.springframework.security.intercept.ObjectDefinitionSource#getConfigAttributeDefinitions()
	 */
	@SuppressWarnings("unchecked")
	public Collection getConfigAttributeDefinitions() {
		return null;
	}

	/*
	 * (non-Javadoc)
	 * 
	 * @see org.springframework.security.intercept.ObjectDefinitionSource#supports(java.lang.Class)
	 */
	@SuppressWarnings("unchecked")
	public boolean supports(Class clazz) {
		return true;
	}

	/**
	 * 
	 * @param filterInvocation
	 * @return
	 */
	@SuppressWarnings("unchecked")
	private Map<String, String> getUrlAuthorities(
			FilterInvocation filterInvocation) {
		System.out.println("=========getUrlAuthorities==========");
		ServletContext servletContext = filterInvocation.getHttpRequest()
				.getSession().getServletContext();
		
		permissionManager=(PermissionManager)WebApplicationContextUtils.getWebApplicationContext(servletContext).getBean("permissionManager");
		List<Permission> permissionList=permissionManager.loadUrlAuthorities();
		Map<String, String> urlAuthorities =new HashMap<String, String>();   
        for(int i=0;i<permissionList.size();i++)
        {
        	Permission permission=(Permission)permissionList.get(i);
        	Set rolePermission =permission.getRolePermissions();
        	Iterator iter=rolePermission.iterator();
        	List roleName =new ArrayList();
        	while(iter.hasNext())
        	{
        		Rolepermission rp =(Rolepermission)iter.next();
        		roleName.add(rp.getRole().getRolename());
        	}
        	//System.out.println("url value "+permission.getPermitvalue()+"\nrolenames "+StringUtils.join(roleName,","));
        	urlAuthorities.put(permission.getPermitvalue(), StringUtils.join(roleName,","));
        }
		return urlAuthorities;
//		return (Map<String, String>) servletContext
//				.getAttribute("urlAuthorities");
	}

	public PermissionManager getPermissionManager() {
		return permissionManager;
	}

	public void setPermissionManager(PermissionManager permissionManager) {
		this.permissionManager = permissionManager;
	}

}

 这里再将这些代码在spring scurity的配置文件中声明一下,就可以用了.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"  
    xmlns:beans="http://www.springframework.org/schema/beans"  
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd   
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">

<beans:bean id="loggerListener"
		class="org.springframework.security.event.authentication.LoggerListener" />  
		

<http access-denied-page="/403.jsp">  
        <intercept-url pattern="/static/**" filters="none" />  
        <intercept-url pattern="/template/**" filters="none" />  
        <intercept-url pattern="/images/**" filters="none" />
        <intercept-url pattern="/css/**" filters="none" />
        <intercept-url pattern="/js/**" filters="none" />
        <intercept-url pattern="/dwr/**" filters="none" />
        <intercept-url pattern="/uploads/**" filters="none" />
        <intercept-url pattern="/" filters="none" />  
        <intercept-url pattern="/login.jsp" filters="none" />  
        <form-login login-page="/login.jsp" authentication-failure-url="/login.action" default-target-url="/login.action" />  
        <logout logout-success-url="/login.jsp"/>  
        <http-basic />  
</http>		
		
<authentication-manager alias="authenticationManager"/>	
<authentication-provider user-service-ref="userManager">  
<!-- <password-encoder hash="md5"/>-->
</authentication-provider> 

<beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">  
      <beans:property name="allowIfAllAbstainDecisions" value="false"/>  
      <beans:property name="decisionVoters">  
          <beans:list>  
              <beans:bean class="org.springframework.security.vote.RoleVoter"/>  
              <beans:bean class="org.springframework.security.vote.AuthenticatedVoter"/>  
          </beans:list>  
      </beans:property>  
</beans:bean> 

<beans:bean id="resourceSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">  
        <beans:property name="authenticationManager" ref="authenticationManager"/>  
        <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>  
        <beans:property name="objectDefinitionSource" ref="secureResourceFilterInvocationDefinitionSource" />  
        <beans:property name="observeOncePerRequest" value="false" />  
        <custom-filter after="LAST" />  
</beans:bean> 

 <beans:bean id="secureResourceFilterInvocationDefinitionSource" class="com.coc.security.interceptor.SecureResourceFilterInvocationDefinitionSource" />  


<!-- internationalization--> 
<beans:bean id="messageSource"  
        class="org.springframework.context.support.ReloadableResourceBundleMessageSource">  
        <beans:property name="basename" value="classpath:/messages"/>  
</beans:bean>  
<beans:bean id="localeResolver" class="org.springframework.web.servlet.i18n.AcceptHeaderLocaleResolver"/> 

</beans:beans>

 http的定义中定义了不需要过滤的一些资源,当用户无权访问时将转到403.jsp的页面,其中如果用户成功登陆,我这里将其转至一个login.action,做一些后续的处理,而没有直接转入一个成功页面,其中<authentication-provider user-service-ref="userManager">  的userManager就是我们user的service层.因为实现了spring security的接口所以声明,另外还有SecureResourceFilterInvocationDefinitionSource的声明,这样,程序可以运行并做出权限的判断。

 

说明一下,数据库中没有指派给任何Role的资源视为是都可以访问的资源,一旦指明了Role,就要通过权限来访问了.

 

不知如何解决的问题:

1)登陆时用户名不能为中文,这个问题困扰了很久,没得解决,不知为什么!因为登陆交给了spring scurity,所以不知如何查,不知哪位高手解决过这个问题。

 

2)由于SecureResourceFilterInvocationDefinitionSource 这个interceptor要进行Role名与资源权限的判断以此来验证用户是否具有权限,有人提出在系统启动时将资源权限一次性load进来,但是如果有更新,不是要重启系统来重新载入!不知有没有更好的办法,我的里面是每次都取,这个显然的没有效率的.

 

 

iteye_3971
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
spring security原理和机制 | Spring Boot 35
学Java,找哪吒
06-25 5万+
一、SpringSecurity 框架简介 Spring 是非常流行和成功的 Java 应用开发框架,Spring Security 正是 Spring 家族中的 成员。Spring Security 基于 Spring 框架,提供了一套 Web 应用安全性的完整解决方 案。 正如你可能知道的关于安全方面的两个主要区域是“认证”和“授权”(或者访问控 制),一般来说,Web 应用的安全性包括用户认证(Authentication)和用户授权 (Authorization)两个部分,这两点也是 Spring
Spring Security 6.x 系列(4)—— 基于过滤器链的源码分析(一)
gmHappy
11-01 2万+
`Spring Security`默认的配置是由 `SecurityAutoConfiguration` 、 `UserDetailsServiceAutoConfiguration`、`SecurityFilterAutoConfiguration`这三个自动配置类实现的。
SpringSecurity
Java 技术专栏,从入门到精通,熟悉企业级开发
04-20 1万+
一般来说,Web 应用的安全性包括用户认证(Authentication)和用户授权 (Authorization)两个部分,这两点也是 Spring Security 重要核心功能。(1)用户认证指的是:验证某个用户是否为系统中的合法主体,也就是说用户能否访问 该系统。用户认证一般要求用户提供用户名和密码。系统通过校验用户名和密码来完成认 证过程。通俗点说就是系统认为用户是否能登录。(2)用户授权指的是验证某个用户是否有权限执行某个操作。在一个系统中,不同用户 所具有的权限是不同的。
Spring Security
qq_45429856的博客
11-22 3757
Spring Security简介 Spring Security是一个高度自定义的安全框架。利用Spring IOC/DI和AOP功能,为系统提供了声明式安全访问控制功能,减少了为系统安全而编写大量重复代码的工作 spring security 的核心功能主要包括: 认证 (系统认证用户是否登录) 授权 (系统判断用户是否有权限去做某些事情) 攻击防护 (防止伪造身份) Spring Security项目搭建 一:导入依赖 <!--导入spring security依赖-->
Spring Security 6.x 系列(1)—— 初识Spring Security
gmHappy
10-05 2万+
`Spring Security`作为一个功能完善的安全框架,具有以下特性: - **认证(Authentication)**:解决 "你是谁" 的问题,验证系统中是否有这个“用户”(用户/设备/系统),也就是我们常说的“登录”。 - **授权(Authorization)**:权限控制/鉴别,解决的是系统中某个用户能够访问哪些资源,即“你能干什么”的问题。`Spring Security` 支持基于 `URL` 的请求授权、方法访问授权、对象访问授权。
SpringSecurity自定义登录界面
weixin_43472934的博客
04-18 6568
为什么需要自定义登录界面? 答:因为SpringBoot整合SpringSecurity时,只需要一个依赖,无需其他配置,就可以实现认证功能。但是它的认证登录界面是固定那样的,如下图所示,但是我们希望自己搞个好看的登录界面,所以需要自定义登录界面。 第一步:创建springboot项目 <?xml version="1.0" encoding="UTF-8"?> <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="ht
spring security CSRF防护
热门推荐
yjclsx的博客
07-31 45万+
CSRF是指跨站请求伪造(Cross-site request forgery),是web常见的攻击之一。 从Spring Security 4.0开始,默认情况下会启用CSRF保护,以防止CSRF攻击应用程序,Spring Security CSRF会针对PATCH,POST,PUT和DELETE方法进行防护。 我这边是spring boot项目,在启用了@EnableWebSecurity...
springsecurity教程
qq_35872777的博客
05-28 1万+
1、什么是springsecurity:
Spring Security详解
JAVA_KX的博客
05-15 2万+
AuthenticationManager进行认证时,将该认证管理器中的所有认证提供器遍历一遍,遍历过程中,首先检测认证提供器是否支持认证的票据类型,如果支持,则认证提供器开始进行认证。用于处理基于表单的登录请求,从表单中获取用户名和密码,默认情况下处理来自/login的请求,从表单中获取用户名和密码, 默认使用表单name值为username和password,这两个值可以通过这个过滤器的usernaemparamter个passwordParameter连个参数的值进行修改。
Spring Security 自定义授权服务器实践
分享技术干货和灵感、推荐新书和好玩的项目、分享Java面试题
08-18 4721
在之前我们已经对接过了GitHub、Gitee客户端,使用OAuth2 Client能够快速便捷的集成第三方登录,集成第三方登录一方面降低了企业的获客成本,同时为用户提供更为便捷的登录体验。但是随着企业的发展壮大,越来越有必要搭建自己的OAuth2服务器。OAuth2不仅包括前面的OAuth客户端,还包括了授权服务器,在这里我们要通过最小化配置搭建自己的授权服务器。授权服务器主要提供OAuth Client注册、用户认证、token分发、token验证、token刷新等功能。......
springsecurity
07-23
Spring Security 是一个强大的且高度可定制的身份验证和访问控制框架,专为Java应用程序设计。它为Web应用和企业级应用提供了全面的安全解决方案,包括登录、权限管理、会话管理、跨站请求伪造(CSRF)防护等核心...
Spring Security in Action
11-22
Spring Security 实践指南 Spring Security 是一个基于 Java 的安全框架,旨在提供身份验证、授权和访问控制等功能。下面是 Spring Security 的主要知识点: 一、身份验证(Authentication) 身份验证是指对用户...
SpringSecurity.zip
06-08
Spring Securityspring家族一员。是一个能够为基于Spring的企业应用系统提供声明式的安全访问控制解决方案的安全框架。它提供了一组可以在Spring应用上下文中配置的Bean,充分利用了Spring IoC,DI(控制反转...
springSecurity
10-14
springSecurity
springboot+ spring security实现登录认证
05-04
SpringBoot结合Spring Security实现登录认证是企业级应用开发中常见的安全框架组合,它们为Web应用程序提供了强大的安全性。本文将深入探讨这两个技术的核心概念、配置以及如何整合以实现用户登录认证功能。 ...
2024年公关服务行业分析报告.pptx
07-09
行业报告
惠州市建筑物矢量数据(Shp格式+带高度).txt
最新发布
07-09
因文件较多,数据存放网盘,txt文件内包含下载链接及提取码,永久有效。失效会第一时间进行补充。
Matlab语言教程及案例
07-09
项目总结 本文详细介绍了Matlab的基础知识和一个完整的数据分析与可视化案例。内容包括: 1. **基本操作**:基本算术运算和矩阵操作。 2. **绘图**:二维和三维绘图。 3. **函数和脚本**:编写和运行Matlab函数和脚本。 4. **案例分析**:生成模拟数据,进行数据预处理、绘图和统计分析。 通过这个项目,读者可以掌握Matlab的基本使用方法,并了解如何在Matlab中进行数据分析和可视化。这对于初学者入门Matlab编程、提升数据处理和分析能力非常有帮助。希望本文能为读者提供有价值的参考,提升其Matlab编程和数据分析技能。
KB8825英文数据手册
07-09
三星KB8825英文数据手册

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值