用acegi作权限管理

经过几天的努力终于将acegi成功配好了。我使用的是acegisecurity-1.0.7，可以到http://acegisecurity.org下载最新版。

 

首先在Web.xml中添加

 

<context-param> <param-name>contextConfigLocation</param-name> <param-value>classpath:/applicationContext.xml,classpath:/applicationContext-acegi.xml</param-value> </context-param> <!--acegi 的filter链代理--> <filter> <filter-name>Acegi Filter Chain Proxy</filter-name> <filter-class> org.acegisecurity.util.FilterToBeanProxy </filter-class> <init-param> <param-name>targetClass</param-name> <param-value> org.acegisecurity.util.FilterChainProxy </param-value> </init-param> </filter> <filter-mapping> <filter-name>Acegi Filter Chain Proxy</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <servlet>

 

applicationContext-acegi.xml

 

      如果concurrentSessionController的exceptionIfMaximumExceeded属性设置为true，么一旦并发HttpSession数量超过限额，将会重定向到expiredUrl指定的路径。exceptionIfMaximumExceeded一般设置为false. 为true时, 如果已有一个该用户登录了,那么在另一个地方登录该用户将抛出异常 如果设置为false, 那么, 如果已有一个该用户登录了系统, 那么在另一个地方也可以登录,登录后前者会被逼退出系统。

 

<bean id="concurrentSessionFilter" class="org.acegisecurity.concurrent.ConcurrentSessionFilter"> <property name="sessionRegistry" ref="sessionRegistry"></property> <property name="expiredUrl"> <value>/userlogin/concurrentError.jsp</value> </property> </bean> <bean id="sessionRegistry" class="org.acegisecurity.concurrent.SessionRegistryImpl"> </bean> <bean id="concurrentSessionController" class="org.acegisecurity.concurrent.ConcurrentSessionControllerImpl"> <property name="maximumSessions" value="1"></property> <property name="sessionRegistry" ref="sessionRegistry"></property> <property name="exceptionIfMaximumExceeded" value="false"></property> </bean>   

 

      设置一个安全上下文。其中HttpSessionIntegrationFilter适用于大多数情形。它将Authentication对象保存在HTTP会话中，使之能够跨越多个请求。

 

<bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter"/>

 

在做认证时可以从数据库中读取帐号密码，关键在<bean id="SecurityUserDetailService" class="com.jlcatvum.web.dao.SecurityUserDetailService">
     <property name="usersByUsernameQuery">
      <value>?</value>
     </property>
    </bean>这个SecurityUserDetailService就是读取自己数据库的bean。

 

<!-- 表单认证处理filter --> <bean id="authenticationProcessingFilter" class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter"> <property name="authenticationManager" ref="authenticationManager" /> <property name="authenticationFailureUrl" value="/userlogin/userLogin.jsp?login_error=1" /><!-- 认证失败后转向的页面 --> <property name="defaultTargetUrl" value="/form/Frameset.jsp" /> <!-- 认证成功后转向的页面 --> <property name="filterProcessesUrl" value="/j_acegi_security_check" /> <property name="rememberMeServices" ref="rememberMeServices"/> </bean> <!-- 认证管理器 --> <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager"> <property name="providers"><!-- 可有多个认证提供器,其中一个证通过就可以了 --> <list> <ref local="daoAuthenticationProvider" /> <ref local="anonymousAuthenticationProvider" /> <ref local="rememberMeAuthenticationProvider" /> </list> </property> <property name="sessionController" ref="concurrentSessionController"> </property> </bean> <!-- 定义用户资料读取方式--> <bean id="daoAuthenticationProvider" class="org.acegisecurity.providers.dao.DaoAuthenticationProvider"> <property name="userDetailsService" ref="SecurityUserDetailService" /> </bean> <!-- 自定义用户资料，从数据库中读取--> <bean id="SecurityUserDetailService" class="com.jlcatvum.web.dao.SecurityUserDetailService"> <property name="usersByUsernameQuery"> <value>?</value> </property> </bean> <bean id="securityContextHolderAwareRequestFilter" class="org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter"/> <!-- ======================== 匿名用户验证 ======================= --> <!-- 匿名用户登录 --> <bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter"> <property name="key" value="changeThis"/> <property name="userAttribute" value="anonymousUser,ROLE_ANONYMOUS"/> </bean> <!-- 匿名验证Provider --> <bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider"> <property name="key" value="javargb" /> </bean>

 

这是SecurityUserDetailService的代码

 

package com.jlcatvum.web.dao; import org.acegisecurity.userdetails.User; import org.acegisecurity.userdetails.UserDetails; import org.acegisecurity.userdetails.UserDetailsService; import org.acegisecurity.userdetails.UsernameNotFoundException; import org.acegisecurity.userdetails.memory.UserAttribute; import org.acegisecurity.userdetails.memory.UserAttributeEditor; import org.springframework.dao.DataAccessException; import com.jlcatvum.db.table.Users; public class SecurityUserDetailService implements UserDetailsService { private String usersByUsernameQuery; public UserDetails loadUserByUsername(String arg0) throws UsernameNotFoundException, DataAccessException { // TODO Auto-generated method stub Users user = getUser(arg0); // --- if (user == null) return null; UserAttributeEditor configAttribEd = new UserAttributeEditor(); String userInfo = user.getPassword() + "," + user.getEnable(); //logger.info("userInfo:" + userInfo); configAttribEd.setAsText(userInfo); UserAttribute attr = (UserAttribute) configAttribEd.getValue(); if (attr != null) { org.acegisecurity.userdetails.UserDetails userDetails = new User( arg0, attr.getPassword(), attr.isEnabled(), true, true, true, attr.getAuthorities()); //logger.info("userDetails:" + userDetails); return userDetails; } return null; } private Users getUser(String name) { Users list = new Users(); UserDAO userdao = new UserDAO(name); userdao.findByName(); list = userdao.getList(); if (list != null) return list; else return null; } public void setUsersByUsernameQuery(String usersByUsernameQuery) { this.usersByUsernameQuery = usersByUsernameQuery; } public String getUsersByUsernameQuery() { return usersByUsernameQuery; } }

 

在filterInvocationInterceptor过滤器里设好资源的权限后，就能够在没有登录的情况下访问资源时跳转到登录界面。当然在后面异常处理的过滤器中要指定跳转的页面。

 

<!-- ======================== 授权 ======================= --> <!-- 授权管理器--> <bean id="accessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased"> <property name="allowIfAllAbstainDecisions"><!-- 是否让全部弃权的通过 --> <value>false</value> </property> <property name="decisionVoters"><!-- 投票者们 --> <ref bean="roleVoter"/> </property> </bean> <!-- 投票者的类--> <bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter"> <property name="rolePrefix"> <value>ROLE_</value><!-- 可以改成别的 --> </property> </bean> <!-- ======================== 资源权限管理 ======================= --> <!-- 资源权限管理 --> <bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"> <property name="authenticationManager" ref="authenticationManager"/> <property name="accessDecisionManager"> <bean class="org.acegisecurity.vote.AffirmativeBased"> <property name="allowIfAllAbstainDecisions" value="false"/> <property name="decisionVoters"> <list> <bean class="org.acegisecurity.vote.RoleVoter"/> <bean class="org.acegisecurity.vote.AuthenticatedVoter"/> </list> </property> </bean> </property> <property name="objectDefinitionSource"> <value><!--[CDATA[ CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /admin/**=ROLE_SUPERVISOR /form/**=IS_AUTHENTICATED_REMEMBERED /system/**=ROLE_SUPERVISOR /userlogin/**=IS_AUTHENTICATED_ANONYMOUSLY /**=IS_AUTHENTICATED_ANONYMOUSLY ]]--></value> </property> </bean>

 

最后就是异常处理和注销处理，没什么特别照例子做就行。只是要指定出现异常时要制定的页面。

 

<!--利用cookie自动登陆--> <bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter"> <property name="authenticationManager" ref="authenticationManager"/> <property name="rememberMeServices" ref="rememberMeServices"/> </bean> <bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices"> <property name="userDetailsService" ref="SecurityUserDetailService"/> <property name="key" value="javargb"/> </bean> <bean id="rememberMeAuthenticationProvider" class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider"> <property name="key" value="javargb"/> </bean> <!-- ======================== 注销处理filter ======================= --> <bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter"> <constructor-arg value="/userlogin/userLogin.jsp"/> <!-- 注销后转向页面 --> <constructor-arg> <list> <ref bean="rememberMeServices"/> <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/> </list> </constructor-arg> </bean> <!-- ======================== 异常处理filter ======================= --> <bean id="exceptionTranslationFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter"> <property name="authenticationEntryPoint"> <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint"> <property name="loginFormUrl" value="/userlogin/userLogin.jsp" /> <property name="forceHttps" value="false" /> </bean> </property> <property name="accessDeniedHandler"> <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl"> <property name="errorPage" value="/userlogin/accessDenied.faces" /> </bean> </property> </bean>