配置文件网上一大堆,随下一个都问题不大,但结合自己的配置有几个点要注意:
1.这里控制文件访问权限:
<bean id="filterInvocationInterceptor"
class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager"
ref="authenticationManager"/>
<property name="accessDecisionManager">
<ref local="accessDecisionManager"/>
</property>
<!-- property name="objectDefinitionSource"
ref="filterDefinitionSource"/-->
<!--
filterInvocationInterceptor在执行转向url前检查objectDefinitionSource中设定的用户权限信息
过程:
首先,objectDefinitionSource中定义了访问URL需要的属性信息(这里的属性信息仅仅是标志,告诉accessDecisionManager要用哪些voter来投票)
然后,authenticationManager掉用自己的provider来对用户的认证信息进行校验。
最后,有投票者根据用户持有认证和访问url需要的属性,调用自己的voter来投票,决定是否允许访问。
-->
<property name="objectDefinitionSource">
<value>
[color=red]CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/admin/**=ROLE_ADMIN,ROLE_USER
/users/**=ROLE_USER,ROLE_ADMINISTRATOR
/web-inf/users/**=ROLE_ADMINISTRATOR[/color] </value>
</property>
</bean>
其中ROLE_ADMIN,ROLE_USER是你数据库表里存的角色名,随便你改吧.
2.此处可以把sql语句写在这,也可以自己写UserDetailsService 实现.
目的是返回这个user给它
org.acegisecurity.userdetails.User(username, user.getPassword(),
true, true, true, true, this.grantedAuthArray);
如是:
<bean id="daoAuthenticationProvider"
class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
<!-- 此处可以自己写DAO实现userDetailsService -->
<property name="userDetailsService" ref="userDetailsService"/>
<property name="userCache" ref="userCache"/>
<!-- <property name="passwordEncoder" ref="passwordEncoder"/> -->
</bean>
<bean id="userDetailsService"
[color=red]class="com.lottery.service.AcegiUserDeitailsService">
<property name="dbManager" ref="dbManager" />
</bean>[/color]
如我的:
public class AcegiUserDeitailsService implements UserDetailsService {
private final Log LOG = LogFactory.getLog(AcegiUserDeitailsService.class);
/* 依赖注入 */
private DBManager dbManager;
/* 用户所有的权限 */
//private final List<GrantedAuthority> grantedAuthList = new ArrayList<GrantedAuthority>(6);
private GrantedAuthority[] grantedAuthArray;
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException, DataAccessException {
if(LOG.isDebugEnabled()) {
LOG.debug("Loading UserDetails of userName: " + username);
}
/* 取得用户信息 */
List<LotteryUsers> userList = findAllByUsername(username);
LotteryUsers user = null;
if(userList!=null&&!userList.isEmpty()){
user = (LotteryUsers)userList.get(0);
}
if(user == null) {
LOG.warn("UserDetails load failed: No such UserRole with userName: " + username);
throw new UsernameNotFoundException("User name is not found.");
}
/* 取得所有用户权限 */
List<String> userRoleList = findGroupNameByUsername(username);
if(userRoleList == null || userRoleList.size() == 0) {
LOG.warn("UserRole load failed: No such UserRole with userName: " + username);
throw new UsernameNotFoundException("UserRole is not found.");
}
/* 取得用户的所有角色 */
int size = userRoleList.size();
grantedAuthArray = new GrantedAuthority[size];
int j = 0;
for(int i = 0; i < size; i++) {
String userRole = userRoleList.get(i);
if(userRole != null) {
this.grantedAuthArray[j++] = new GrantedAuthorityImpl(userRole.toUpperCase());
}
}
LOG.info("UserName: " + username + " loaded successfully.");
return new org.acegisecurity.userdetails.User(username, user.getPassword(),
true, true, true, true, this.grantedAuthArray);
}
//按用户名查找user
public List<LotteryUsers> findAllByUsername(String username) {
List<LotteryUsers> list = new ArrayList<LotteryUsers>();
LotteryUsers user = new LotteryUsers();
String sql = "SELECT * FROM "+Constants.DATABASEPRE_KEY+"users u WHERE u.username='"+username+"' and u.enable=1";
ResultSet rs = dbManager.execute(sql);
try {
while(rs.next()){
user.setUsername(rs.getString("username"));
user.setPassword(rs.getString("password"));
user.setEnable(rs.getShort("enabled"));
list.add(user);
}
} catch (SQLException e) {
// TODO Auto-generated catch block
System.out.println("class LotteryUsersDAOImpl's method findAllByUsername() error");
e.printStackTrace();
}finally{
try {
rs.close();
dbManager.close();
} catch (SQLException e) {
System.out.println(" class lotteryUsersDAOImpl's method findAllByUsername() close dbManager accoure error");
e.printStackTrace();
}
}
return list;
}
public List<String> findGroupNameByUsername(String username) {
List<String> list = new ArrayList<String>();
String sql = "SELECT g.name name FROM "+Constants.DATABASEPRE_KEY+"users u,"+Constants.DATABASEPRE_KEY+"groups g"+
" WHERE g.id=u.group_id and u.username='"+username+"' and u.enable=1";
ResultSet rs = dbManager.execute(sql);
try {
while(rs.next()){
list.add(rs.getString("name"));
}
} catch (SQLException e) {
System.out.println(this.getClass().getName()+"dbManager execute error");
e.printStackTrace();
}finally{
try {
rs.close();
dbManager.close();
} catch (SQLException e) {
System.out.println(" class lotteryUsersDAOImpl's method findGroupNameByUsername() close dbManager accoure error");
e.printStackTrace();
}
}
return list;
}
public DBManager getDbManager() {
return dbManager;
}
public void setDbManager(DBManager dbManager) {
this.dbManager = dbManager;
}
}
也可以:
<bean id="jdbcDaoImpl" class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
<property name="dataSource" ref="dataSource"/>
<property name="usersByUsernameQuery">
<value>select username, password, enabled from user where username = ? and enabled = 1</value>
</property>
<property name="authoritiesByUsernameQuery">
<value>
select u.username, a.authority
from user u, authorities a, user_auth ua
where u.id=ua.user_id and a.id=ua.auth_id and u.username=?
</value>
</property>
</bean>
3.类,方法的权限控制(两种):
<bean id="methodSecurityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="validateConfigAttributes" value="false" />
<property name="authenticationManager" ref="authenticationManager" />
<property name="accessDecisionManager" ref="accessDecisionManager" />
<property name="objectDefinitionSource">
<bean class="org.acegisecurity.intercept.method.MethodDefinitionAttributes">
<property name="attributes">
<!-- 利用1.5Annotation的設定方式 -->
<bean class="org.acegisecurity.annotation.SecurityAnnotationAttributes" />
</property>
</bean>
</property>
</bean>
<!-- 利用Spring的自动代理功能实现AOP代理 -->
<bean id="autoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
<property name="interceptorNames">
<list>
<value>methodSecurityInterceptor</value>
</list>
</property>
<property name="beanNames">
<list>
<!-- 需要保护的方法,在方法中用注释@Transactional(readOnly=true)
@Secured({"ROLE_MANAGER"})
-->
<value>lotteryOddsImpl</value>
<value>lotteryUsersDAOImpl</value>
</list>
</property>
<!--property name="proxyTargetClass" value="true"/-->
</bean>
然后在相应的接口方法中用注释:
@Secured({"ROLE_ADMIN"})
public void update(Users Users);
也可以:
<!-- 过滤拦截器 -->
<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
<property name="objectDefinitionSource">
<value>
PATTERN_TYPE_APACHE_ANT
<!-- 所有用户的权限 -->
/searchUser.do=AUTH_USER,AUTH_ROOT,AUTH_RELEASER,AUTH_AUDITOR
/updateInformation.do=AUTH_USER,AUTH_ROOT,AUTH_RELEASER,AUTH_AUDITOR
<!-- 普通用户的权限 -->
/preOrderAd.do=AUTH_USER
/orderAd.do=AUTH_USER
/myAdList.do=AUTH_USER
/findReOrderAd.do=AUTH_USER
/ReOrder.do=AUTH_USER
<!--==== 超级管理员的权限 ====-->
<!-- 审核员的权限 -->
/noaudit.do=AUTH_AUDITOR,AUTH_ROOT
/allAuditAdNoPass.do=AUTH_AUDITOR,AUTH_ROOT
/auditedAd.do=AUTH_AUDITOR
/audited.do=AUTH_AUDITOR,AUTH_ROOT
/notify.do=AUTH_AUDITOR,AUTH_ROOT
/editAuditedEmail.do=AUTH_AUDITOR,AUTH_ROOT
<!-- 发布员的权限 -->
/unpaymentOrderList.do=AUTH_RELEASER,AUTH_ROOT
/paymentOrderList.do=AUTH_RELEASER,AUTH_ROOT
<!-- 超级管理员的权限 -->
/manageAdpos.do=AUTH_ROOT
/manageUser.do=AUTH_ROOT
/addNewAdpos.do=AUTH_ROOT
</value>
</property>
</bean>
1.这里控制文件访问权限:
<bean id="filterInvocationInterceptor"
class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager"
ref="authenticationManager"/>
<property name="accessDecisionManager">
<ref local="accessDecisionManager"/>
</property>
<!-- property name="objectDefinitionSource"
ref="filterDefinitionSource"/-->
<!--
filterInvocationInterceptor在执行转向url前检查objectDefinitionSource中设定的用户权限信息
过程:
首先,objectDefinitionSource中定义了访问URL需要的属性信息(这里的属性信息仅仅是标志,告诉accessDecisionManager要用哪些voter来投票)
然后,authenticationManager掉用自己的provider来对用户的认证信息进行校验。
最后,有投票者根据用户持有认证和访问url需要的属性,调用自己的voter来投票,决定是否允许访问。
-->
<property name="objectDefinitionSource">
<value>
[color=red]CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/admin/**=ROLE_ADMIN,ROLE_USER
/users/**=ROLE_USER,ROLE_ADMINISTRATOR
/web-inf/users/**=ROLE_ADMINISTRATOR[/color] </value>
</property>
</bean>
其中ROLE_ADMIN,ROLE_USER是你数据库表里存的角色名,随便你改吧.
2.此处可以把sql语句写在这,也可以自己写UserDetailsService 实现.
目的是返回这个user给它
org.acegisecurity.userdetails.User(username, user.getPassword(),
true, true, true, true, this.grantedAuthArray);
如是:
<bean id="daoAuthenticationProvider"
class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
<!-- 此处可以自己写DAO实现userDetailsService -->
<property name="userDetailsService" ref="userDetailsService"/>
<property name="userCache" ref="userCache"/>
<!-- <property name="passwordEncoder" ref="passwordEncoder"/> -->
</bean>
<bean id="userDetailsService"
[color=red]class="com.lottery.service.AcegiUserDeitailsService">
<property name="dbManager" ref="dbManager" />
</bean>[/color]
如我的:
public class AcegiUserDeitailsService implements UserDetailsService {
private final Log LOG = LogFactory.getLog(AcegiUserDeitailsService.class);
/* 依赖注入 */
private DBManager dbManager;
/* 用户所有的权限 */
//private final List<GrantedAuthority> grantedAuthList = new ArrayList<GrantedAuthority>(6);
private GrantedAuthority[] grantedAuthArray;
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException, DataAccessException {
if(LOG.isDebugEnabled()) {
LOG.debug("Loading UserDetails of userName: " + username);
}
/* 取得用户信息 */
List<LotteryUsers> userList = findAllByUsername(username);
LotteryUsers user = null;
if(userList!=null&&!userList.isEmpty()){
user = (LotteryUsers)userList.get(0);
}
if(user == null) {
LOG.warn("UserDetails load failed: No such UserRole with userName: " + username);
throw new UsernameNotFoundException("User name is not found.");
}
/* 取得所有用户权限 */
List<String> userRoleList = findGroupNameByUsername(username);
if(userRoleList == null || userRoleList.size() == 0) {
LOG.warn("UserRole load failed: No such UserRole with userName: " + username);
throw new UsernameNotFoundException("UserRole is not found.");
}
/* 取得用户的所有角色 */
int size = userRoleList.size();
grantedAuthArray = new GrantedAuthority[size];
int j = 0;
for(int i = 0; i < size; i++) {
String userRole = userRoleList.get(i);
if(userRole != null) {
this.grantedAuthArray[j++] = new GrantedAuthorityImpl(userRole.toUpperCase());
}
}
LOG.info("UserName: " + username + " loaded successfully.");
return new org.acegisecurity.userdetails.User(username, user.getPassword(),
true, true, true, true, this.grantedAuthArray);
}
//按用户名查找user
public List<LotteryUsers> findAllByUsername(String username) {
List<LotteryUsers> list = new ArrayList<LotteryUsers>();
LotteryUsers user = new LotteryUsers();
String sql = "SELECT * FROM "+Constants.DATABASEPRE_KEY+"users u WHERE u.username='"+username+"' and u.enable=1";
ResultSet rs = dbManager.execute(sql);
try {
while(rs.next()){
user.setUsername(rs.getString("username"));
user.setPassword(rs.getString("password"));
user.setEnable(rs.getShort("enabled"));
list.add(user);
}
} catch (SQLException e) {
// TODO Auto-generated catch block
System.out.println("class LotteryUsersDAOImpl's method findAllByUsername() error");
e.printStackTrace();
}finally{
try {
rs.close();
dbManager.close();
} catch (SQLException e) {
System.out.println(" class lotteryUsersDAOImpl's method findAllByUsername() close dbManager accoure error");
e.printStackTrace();
}
}
return list;
}
public List<String> findGroupNameByUsername(String username) {
List<String> list = new ArrayList<String>();
String sql = "SELECT g.name name FROM "+Constants.DATABASEPRE_KEY+"users u,"+Constants.DATABASEPRE_KEY+"groups g"+
" WHERE g.id=u.group_id and u.username='"+username+"' and u.enable=1";
ResultSet rs = dbManager.execute(sql);
try {
while(rs.next()){
list.add(rs.getString("name"));
}
} catch (SQLException e) {
System.out.println(this.getClass().getName()+"dbManager execute error");
e.printStackTrace();
}finally{
try {
rs.close();
dbManager.close();
} catch (SQLException e) {
System.out.println(" class lotteryUsersDAOImpl's method findGroupNameByUsername() close dbManager accoure error");
e.printStackTrace();
}
}
return list;
}
public DBManager getDbManager() {
return dbManager;
}
public void setDbManager(DBManager dbManager) {
this.dbManager = dbManager;
}
}
也可以:
<bean id="jdbcDaoImpl" class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
<property name="dataSource" ref="dataSource"/>
<property name="usersByUsernameQuery">
<value>select username, password, enabled from user where username = ? and enabled = 1</value>
</property>
<property name="authoritiesByUsernameQuery">
<value>
select u.username, a.authority
from user u, authorities a, user_auth ua
where u.id=ua.user_id and a.id=ua.auth_id and u.username=?
</value>
</property>
</bean>
3.类,方法的权限控制(两种):
<bean id="methodSecurityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
<property name="validateConfigAttributes" value="false" />
<property name="authenticationManager" ref="authenticationManager" />
<property name="accessDecisionManager" ref="accessDecisionManager" />
<property name="objectDefinitionSource">
<bean class="org.acegisecurity.intercept.method.MethodDefinitionAttributes">
<property name="attributes">
<!-- 利用1.5Annotation的設定方式 -->
<bean class="org.acegisecurity.annotation.SecurityAnnotationAttributes" />
</property>
</bean>
</property>
</bean>
<!-- 利用Spring的自动代理功能实现AOP代理 -->
<bean id="autoProxyCreator" class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
<property name="interceptorNames">
<list>
<value>methodSecurityInterceptor</value>
</list>
</property>
<property name="beanNames">
<list>
<!-- 需要保护的方法,在方法中用注释@Transactional(readOnly=true)
@Secured({"ROLE_MANAGER"})
-->
<value>lotteryOddsImpl</value>
<value>lotteryUsersDAOImpl</value>
</list>
</property>
<!--property name="proxyTargetClass" value="true"/-->
</bean>
然后在相应的接口方法中用注释:
@Secured({"ROLE_ADMIN"})
public void update(Users Users);
也可以:
<!-- 过滤拦截器 -->
<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager"><ref bean="authenticationManager"/></property>
<property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
<property name="objectDefinitionSource">
<value>
PATTERN_TYPE_APACHE_ANT
<!-- 所有用户的权限 -->
/searchUser.do=AUTH_USER,AUTH_ROOT,AUTH_RELEASER,AUTH_AUDITOR
/updateInformation.do=AUTH_USER,AUTH_ROOT,AUTH_RELEASER,AUTH_AUDITOR
<!-- 普通用户的权限 -->
/preOrderAd.do=AUTH_USER
/orderAd.do=AUTH_USER
/myAdList.do=AUTH_USER
/findReOrderAd.do=AUTH_USER
/ReOrder.do=AUTH_USER
<!--==== 超级管理员的权限 ====-->
<!-- 审核员的权限 -->
/noaudit.do=AUTH_AUDITOR,AUTH_ROOT
/allAuditAdNoPass.do=AUTH_AUDITOR,AUTH_ROOT
/auditedAd.do=AUTH_AUDITOR
/audited.do=AUTH_AUDITOR,AUTH_ROOT
/notify.do=AUTH_AUDITOR,AUTH_ROOT
/editAuditedEmail.do=AUTH_AUDITOR,AUTH_ROOT
<!-- 发布员的权限 -->
/unpaymentOrderList.do=AUTH_RELEASER,AUTH_ROOT
/paymentOrderList.do=AUTH_RELEASER,AUTH_ROOT
<!-- 超级管理员的权限 -->
/manageAdpos.do=AUTH_ROOT
/manageUser.do=AUTH_ROOT
/addNewAdpos.do=AUTH_ROOT
</value>
</property>
</bean>