有段时间没更新puma代码了,最近看到群里有很多朋友都在问关于3.1+版本spring security的问题,所以干脆我做了个3.1的demo,把常用配置用法列举在里面,供有需要的人参考一下,毕竟,没有很多人能耐心看完spring security那么so long的文档。
在进入正题前,我要强烈介绍一个网站:http://www.mossle.com/,作者很讲究,把官方文档都翻译了一遍,而且自己还写了个权限管理手册,并且带demo,应该能出书了,强烈建议大家看看这个网站里面的内容,能更好的理解spring security。
我需要用spring security实现下面的功能:
演示系统有两个界面:
1. /login GET 不拦截
2. /main GET 拦截,需要权限
实现功能:
1. 自定义登录请求的url为:/login
2. 一个url同时支持支持ajax认证请求和普通表单认证
3. 无权限用户访问main.html,自动跳转至login.html。登录成功后,返回跳转前页面:main.html
4. 实现Remember me功能。
5 .实现将Remember Me Token存在数据库
6. 实现权限自定义,而不是在配置文件中直接access="ROLE_*****"。
7. 实现对restful url的拦截。
由于内容较多,估计分次编写,首先贴出security配置文件,详细内容慢慢再写:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- <security:global-method-security secured-annotations="enabled" pre-post-annotations="enabled" proxy-target-class = "true"/> -->
<security:http pattern="/resources/**" security="none" />
<security:http pattern="/**/login.html" security="none" />
<security:http auto-config="false" entry-point-ref="pumaLoginUrlEntryPoint" >
<security:anonymous enabled='false'/>
<security:access-denied-handler ref="pumaAccessDeniedHandler" />
<security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="pumaFilter"/>
<security:custom-filter position="FORM_LOGIN_FILTER" ref="pumaLoginFilter" />
<security:custom-filter position="LOGOUT_FILTER" ref="pumaLogoutFilter"/>
<security:remember-me key="PUMA_REMEMBER_ME_KEY" services-ref="rememberMeServices" />
<security:session-management>
<security:concurrency-control expired-url="/login.html?status=123" session-registry-ref="sessionRegistry" max-sessions="1"/>
</security:session-management>
</security:http>
<bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
</bean>
<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<security:authentication-manager alias="pumaAuthenticationManager">
<security:authentication-provider user-service-ref="security.memberdetailsservice">
<security:password-encoder hash="sha">
<security:salt-source user-property="id" />
</security:password-encoder>
</security:authentication-provider>
</security:authentication-manager>
<bean id="pumaFilter" class="com.puma.core.security.PumaFilterSecurityInterceptor">
<property name="authenticationManager" ref="pumaAuthenticationManager" />
<property name="accessDecisionManager" ref="pumaAccessDecisionManagerBean" />
<property name="securityMetadataSource" ref="pumaSecurityMetadataSource" />
</bean>
<!-- 访问决策器,决定某个用户具有的角色,是否有足够的权限去访问某个资源 -->
<bean id="pumaAccessDecisionManagerBean" class="com.puma.core.security.PumaAccessDecisionManager" />
<!-- 资源源数据定义,将所有的资源和权限对应关系建立起来,即定义某一资源可以被哪些角色访问 -->
<bean id="pumaSecurityMetadataSource" class="com.puma.core.security.PumaInvocationSecurityMetadataSourceService"/>
<bean id="pumaAccessDeniedHandler" class="com.puma.core.security.PumaAccessDeniedHandler">
<property name="accessDeniedUrl" value="/login.html?status=403" />
</bean>
<bean id="pumaLoginUrlEntryPoint" class="com.puma.core.security.PumaLoginUrlEntryPoint">
<property name="loginFormUrl" value="/login.html" />
</bean>
<bean id="pumaLoginFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<property name="rememberMeServices" ref="rememberMeServices"/>
<property name="sessionAuthenticationStrategy" ref="sas" />
<property name="authenticationManager" ref="pumaAuthenticationManager"/>
<property name="authenticationFailureHandler" ref="pumaLoginFailureHandler"/>
<property name="authenticationSuccessHandler" ref="pumaLoginSuccessHandler"/>
<property name="filterProcessesUrl" value="/login"/>
<property name="usernameParameter" value="username"/>
<property name="passwordParameter" value="password"/>
</bean>
<bean id="pumaLoginFailureHandler" class="com.puma.core.security.PumaLoginFailureHandler">
<property name="defaultFailureUrl" value="/loginfailed.html"/>
</bean>
<bean id="pumaLoginSuccessHandler" class="com.puma.core.security.PumaLoginSuccessHandler">
<property name="useReferer" value="true"/>
</bean>
<bean id="securityContextLogoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
<bean id="pumaLogoutSuccessHandler" class="com.puma.core.security.PumaLogoutSuccessHandler">
<property name="useReferer" value="true"/>
</bean>
<bean id="pumaLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<property name="filterProcessesUrl" value="/logout"/>
<constructor-arg index="0" ref="pumaLogoutSuccessHandler"/>
<constructor-arg index="1">
<list>
<ref bean="securityContextLogoutHandler"/>
<ref bean="rememberMeServices"/>
</list>
</constructor-arg>
</bean>
<!-- <bean id="rememberMeServices"
class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
<constructor-arg value="PUMA_REMEMBER_ME_KEY"/>
<constructor-arg ref="security.memberdetailsservice"/>
<property name="cookieName" value="PUMA_REMEMBER_ME_COOKIE" />
<property name="alwaysRemember" value="false"/>
<property name="tokenValiditySeconds" value="300"/>
<property name="parameter" value="rememberme"/>
</bean> -->
<bean id="rememberMeServices"
class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
<constructor-arg value="PUMA_REMEMBER_ME_KEY"/>
<constructor-arg ref="security.memberdetailsservice"/>
<constructor-arg ref="jdbcTokenRepositoryImpl"/>
<property name="cookieName" value="PUMA_REMEMBER_ME_COOKIE" />
<property name="alwaysRemember" value="false"/>
<property name="tokenValiditySeconds" value="30"/>
<property name="parameter" value="rememberme"/>
</bean>
<bean id="jdbcTokenRepositoryImpl" class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
<property name="createTableOnStartup" value="false"/>
<property name="dataSource" ref="dataSource"/>
</bean>
</beans>