我们已经经历了对认证和授权源码的探索,现在是时候把两者结合起来了!
- 配置过滤器(在web.xml加入以下代码)
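<!-- Spring Security bootstrap entries for web.xml -->
<listener>
  <!-- Publishes HttpSession created/destroyed events into the Spring context.
       On its own this only reports session lifecycle; a per-user login limit
       additionally needs concurrency-control declared under <security:http>,
       which the security-spring.xml below does not do. -->
  <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
</listener>
<filter>
  <!-- The filter name is significant: DelegatingFilterProxy looks up a Spring
       bean with this name, and the security namespace registers its
       auto-created filter chain as "springSecurityFilterChain". -->
  <filter-name>springSecurityFilterChain</filter-name>
  <!-- Keep the class name on one line: whitespace wrapped around the text of
       <filter-class> is not guaranteed to be trimmed by every container. -->
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <!-- Every request enters the security filter chain; the chain itself decides
       which paths are exempt (security="none" in security-spring.xml). -->
  <url-pattern>/*</url-pattern>
</filter-mapping>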
- 配置security-spring.xml
<!-- Resources exempt from the security filter chain entirely: no security
     filter runs for them, so no SecurityContext is available on these requests. -->
<!-- NOTE(review): the form-login element further down names /login.jsp as the
     login page, while only /login.html is exempted here. If /login.jsp is the
     real login page it is still matched by the "/**" requires ROLE_USER rule, and
     the redirect to it will loop; keep the two paths in step. -->
<security:http pattern="/login.html" security="none"></security:http>
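<security:http auto-config="true">
  <!-- Form login with a custom login page. XML comments are not allowed inside a
       start tag, so the notes for this element live here.
       login-processing-url should be an absolute path ("/login") and must agree
       with the filterProcessesUrl of the myProcessingFilter bean below.
       authentication-success-handler-ref overrides default-target-url and
       always-use-default-target; a failure handler can be added the same way via
       authentication-failure-handler-ref. -->
  <!-- NOTE(review): only /login.html is exempted from security above; unless
       /login.jsp is permitted elsewhere, the login page itself requires ROLE_USER
       and the redirect to it will loop. -->
  <security:form-login login-page="/login.jsp"
                       login-processing-url="/login"
                       username-parameter="username"
                       password-parameter="password"
                       authentication-success-handler-ref="authSuccess"/>
  <!-- Coarse rule enforced by the namespace-created FilterSecurityInterceptor.
       The custom myInterceptor runs before it; since FilterSecurityInterceptor
       observes once per request by default, this rule is presumably not
       re-evaluated afterwards, so the effective policy comes from
       mySecurityMetadataSource. -->
  <security:intercept-url pattern="/**" access="ROLE_USER"/>
  <!-- Authentication filter (UsernamePasswordAuthenticationFilter). With
       auto-config="true" the namespace also creates its own form-login filter, so
       two login filters listen on /login; this one runs first. -->
  <security:custom-filter ref="myProcessingFilter" before="FORM_LOGIN_FILTER"/>
  <!-- Authorization filter (FilterSecurityInterceptor). -->
  <security:custom-filter ref="myInterceptor" before="FILTER_SECURITY_INTERCEPTOR"/>
  <!-- Handler invoked when authorization fails. -->
  <security:access-denied-handler ref="accessDeniedHandler"/>
  <!-- NOTE(review): the HttpSessionEventPublisher listener in web.xml only
       publishes session events. To actually limit logins per user, add
       <security:session-management> with a nested
       <security:concurrency-control max-sessions="1"/> here. -->
</security:http>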
<!-- Login-success handler. The class name is a placeholder for the project's
     own AuthenticationSuccessHandler implementation. -->
<bean id="authSuccess" class="com.xxx.AuthenticationSuccessHandlerImpl"></bean>
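<!-- Login filter. The form-login attributes in <security:http> configure the
     namespace-created filter only; this bean needs its own collaborators. -->
<bean id="myProcessingFilter"
      class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
  <property name="usernameParameter" value="username"/>
  <property name="passwordParameter" value="password"/>
  <!-- Absolute path; must agree with login-processing-url of form-login. -->
  <property name="filterProcessesUrl" value="/login"/>
  <!-- Authentication manager that validates the submitted credentials. -->
  <property name="authenticationManager" ref="myAuthenticationManager"/>
  <!-- Without this the filter falls back to its default success handler, and the
       authSuccess bean referenced by form-login never runs for logins that this
       filter handles. -->
  <property name="authenticationSuccessHandler" ref="authSuccess"/>
  <!-- NOTE(review): no authenticationFailureHandler is set, so a failed login
       gets the default failure response rather than a redirect to the login page.
       No sessionAuthenticationStrategy is set either; as I recall the filter's
       default strategy is a no-op, so session-fixation protection and
       concurrency control would not apply to logins processed here. -->
</bean>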
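<!-- Why these three collaborators? Recall the authorization flow: the interceptor
     looks up the attributes a resource requires (securityMetadataSource), makes
     sure the caller is authenticated (authenticationManager), and asks the
     decision manager to vote (accessDecisionManager). -->
<bean id="myInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  <!-- Authentication manager. -->
  <property name="authenticationManager" ref="myAuthenticationManager"/>
  <!-- Decision manager. The bean declared further down has the id
       "myAccessDecisionManagerBean"; the earlier ref "myAccessDecisionManager"
       pointed at no bean and would fail at context startup. -->
  <property name="accessDecisionManager" ref="myAccessDecisionManagerBean"/>
  <!-- Supplies the required authorities for each resource. -->
  <property name="securityMetadataSource" ref="mySecurityMetadataSource"/>
</bean>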
<!-- Handler for failed authorization. -->
<bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
  <!-- Page shown on access denied. Without errorPage the handler just responds
       with the access-denied error and does not forward anywhere. -->
  <property name="errorPage">
    <value>/index.html</value>
  </property>
</bean>
<!-- Authentication manager; the alias lets plain beans reference it by name. -->
<security:authentication-manager alias="myAuthenticationManager">
  <!-- UserDetailsService: users are stored in a database, hence JdbcDaoImpl. -->
  <security:authentication-provider user-service-ref="myUserDetailsService">
    <!-- Encoder used to compare stored and submitted passwords. No salt-source is
         declared, so the encoder is called without a salt. -->
    <security:password-encoder ref="passwordEncoder"></security:password-encoder>
  </security:authentication-provider>
</security:authentication-manager>
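<!-- UserDetailsService backed by the database. -->
<bean id="myUserDetailsService"
      class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
  <!-- JdbcDaoImpl requires a DataSource and fails at startup without one.
       The ref below is a placeholder: point it at the application's DataSource bean. -->
  <property name="dataSource" ref="dataSource"/>
  <!-- If the schema differs from the default users/authorities tables, also set
       usersByUsernameQuery and authoritiesByUsernameQuery. -->
</bean>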
<!-- Password encoder (a hash, not encryption). ShaPasswordEncoder applies plain
     SHA (SHA-1 by default) and, with no salt-source on the provider, no salt;
     that is weak for stored passwords. Migrating to BCryptPasswordEncoder
     (org.springframework.security.crypto.bcrypt, spring-security-crypto 3.1+)
     is recommended, noting that existing stored hashes then need re-encoding. -->
<bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"/>
<!-- Access decision manager. If there is no role inheritance, only the first
     voter is needed; the rest can stay at their defaults. This id must match the
     accessDecisionManager ref used by myInterceptor. -->
<bean id="myAccessDecisionManagerBean" class="com.hhit.core.authorization.security.CustomAccessDecisionManager">
  <property name="decisionVoters">
    <list>
      <!-- Evaluates web-security expressions; the webSecurityExpressionHandler
           bean is presumably declared elsewhere. -->
      <bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
        <property name="expressionHandler">
          <ref bean="webSecurityExpressionHandler"/>
        </property>
      </bean>
      <!-- Role voter that honours the inheritance declared in roleHierarchy. -->
      <bean class="org.springframework.security.access.vote.RoleHierarchyVoter">
        <constructor-arg>
          <ref bean="roleHierarchy"/>
        </constructor-arg>
      </bean>
      <!-- Votes on IS_AUTHENTICATED_* attributes. -->
      <bean class="org.springframework.security.access.vote.AuthenticatedVoter"></bean>
    </list>
  </property>
</bean>
<!-- Role inheritance: the role left of ">" implies the role to its right. -->
<bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
  <!-- One relation per line; the text is consumed as-is, so it is left unindented. -->
  <property name="hierarchy">
    <value>
ROLE_ADMIN > ROLE_USER
ROLE_A > ROLE_B
ROLE_B > ROLE_C
ROLE_C > ROLE_D
</value>
  </property>
</bean>
<!-- Maps each resource (request) to the authorities it requires; myInterceptor
     consults it on every request. -->
<!-- NOTE(review): as I recall DefaultFilterInvocationSecurityMetadataSource has no
     no-arg constructor (it takes a LinkedHashMap from RequestMatcher to a collection
     of ConfigAttribute), so this definition as written would fail to instantiate.
     Either supply that map as a constructor-arg, or point this id at a custom
     FilterInvocationSecurityMetadataSource that loads the resource/authority
     mapping (e.g. from the database). -->
<bean id="mySecurityMetadataSource"
      class="org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource"/>