相关的代码如下(包含5个关键类):
/*
 * @(#) MyFilterSecurityInterceptor.java 2011-3-23 上午07:53:03
 *
 * Copyright 2011 by Sparta
 */
package avatar.base.security;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
/**
 * 该过滤器的主要作用就是通过spring著名的IoC生成securityMetadataSource。
 * securityMetadataSource相当于本包中自定义的MyInvocationSecurityMetadataSourceService。
 * 该MyInvocationSecurityMetadataSourceService的作用是从数据库提取权限和资源,装配到HashMap中,
 * 供Spring Security使用,用于权限校验。
 * @author sparta 11/3/29
 *
 */
public class MyFilterSecurityInterceptor
        extends AbstractSecurityInterceptor
        implements Filter {

    /** Source of the per-URL ConfigAttributes; set through the bean property below. */
    private FilterInvocationSecurityMetadataSource securityMetadataSource;

    /**
     * Servlet-filter entry point: wraps the request/response/chain triple in a
     * {@link FilterInvocation} and hands it to {@link #invoke(FilterInvocation)}.
     *
     * @param request  current request
     * @param response current response
     * @param chain    remainder of the filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        FilterInvocation invocation = new FilterInvocation(request, response, chain);
        this.invoke(invocation);
    }

    /** @return the metadata source configured on this bean */
    public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
        return this.securityMetadataSource;
    }

    /** Secure-object type this interceptor protects: the servlet {@link FilterInvocation}. */
    @Override
    public Class<? extends Object> getSecureObjectClass() {
        return FilterInvocation.class;
    }

    /**
     * Runs the authorization decision (super.beforeInvocation) before the rest of the chain
     * and the after-invocation handling once the chain returns, even on exception.
     * Unlike Spring's stock FilterSecurityInterceptor this does not mark the request as
     * already filtered, so a forward/include that re-enters the chain is authorized again;
     * that is the pre-existing behaviour and is left unchanged here.
     *
     * @param fi the wrapped request
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    public void invoke(FilterInvocation fi) throws IOException, ServletException {
        InterceptorStatusToken statusToken = super.beforeInvocation(fi);
        try {
            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
        } finally {
            super.afterInvocation(statusToken, null);
        }
    }

    /** Hook used by AbstractSecurityInterceptor to look up the ConfigAttributes of a request. */
    @Override
    public SecurityMetadataSource obtainSecurityMetadataSource() {
        return this.securityMetadataSource;
    }

    /** Bean property setter wired from the Spring context. */
    public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) {
        this.securityMetadataSource = securityMetadataSource;
    }

    /** Nothing to release: all state is managed by the Spring container. */
    @Override
    public void destroy() {
    }

    /** Nothing to initialise here: configuration arrives through Spring, not web.xml. */
    @Override
    public void init(FilterConfig filterconfig) throws ServletException {
    }
}
/*
 * @(#) MyInvocationSecurityMetadataSourceService.java 2011-3-23 下午02:58:29
 *
 * Copyright 2011 by Sparta
 */
package avatar.base.security;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.ApplicationContext;
import org.springframework.context.support.ClassPathXmlApplicationContext;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.AntUrlPathMatcher;
import org.springframework.security.web.util.UrlMatcher;
import org.springframework.stereotype.Service;
import avatar.base.security.dao.PubAuthoritiesResourcesHome;
/**
 * 最核心的地方,就是提供某个资源对应的权限定义,即getAttributes方法返回的结果。
 * 此类在初始化时,应该取到所有资源及其对应角色的定义。
 *
 */
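@Service
public class MyInvocationSecurityMetadataSourceService implements
        FilterInvocationSecurityMetadataSource {

    /** Injected but not used by this class; kept because the bean definition references it. */
    @Autowired
    private PubAuthoritiesResourcesHome pubAuthoritiesResourcesHome;

    /** Ant-style matcher; its compile()/requiresLowerCaseUrl() drive the lookup in getAttributes. */
    private UrlMatcher urlMatcher = new AntUrlPathMatcher();

    /**
     * resource pattern (RESOURCE_STRING) -> authorities that may access it.
     * Static, so every constructed instance rebuilds the shared table; not synchronised,
     * which is acceptable only because it is written once at construction time.
     */
    private static Map<String, Collection<ConfigAttribute>> resourceMap = null;

    /** Loads the whole resource/authority table from the database on construction. */
    public MyInvocationSecurityMetadataSourceService() {
        loadResourceDefine();
    }

    /**
     * Opens a Hibernate session, builds the resource table and releases both the session
     * and the context again.
     * NOTE(review): bootstrapping a second ApplicationContext from a constructor is expensive
     * and, if applicationContext.xml component-scans this package, would construct this
     * service again recursively; injecting the SessionFactory would be the usual fix. The
     * wiring is left as it was so the bean definition keeps working, but the session and the
     * context are now closed instead of leaking.
     */
    private void loadResourceDefine() {
        ClassPathXmlApplicationContext context = new ClassPathXmlApplicationContext(
                "classpath:applicationContext.xml");
        try {
            SessionFactory sessionFactory = (SessionFactory) context.getBean("sessionFactory");
            Session session = sessionFactory.openSession();
            try {
                resourceMap = buildResourceMap(session);
            } finally {
                session.close();
            }
        } finally {
            context.close();
        }
    }

    /**
     * Queries every authority and, per authority, the resource strings it unlocks.
     * NOTE(review): the table names used here (pub_*) differ from the DDL published with
     * this code (SYS_*); confirm against the deployed schema.
     * NOTE(review): neither query looks at the ENABLED columns, so a disabled authority,
     * resource or mapping still grants access; verify whether that is intended.
     *
     * @param session open Hibernate session
     * @return insertion-ordered map of resource pattern -> required authorities
     */
    private static Map<String, Collection<ConfigAttribute>> buildResourceMap(Session session) {
        // 在Web服务器启动时,提取系统中的所有权限。
        @SuppressWarnings("unchecked")
        List<String> authorityNames = session
                .createSQLQuery("select authority_name from pub_authorities").list();

        // LinkedHashMap: getAttributes returns the FIRST pattern that matches, so the iteration
        // order decides precedence between overlapping patterns (e.g. /** vs /admin/**). Hash
        // order made that choice arbitrary; query order is at least stable per load. A real
        // fix would order by the (currently unused) PRIORITY column.
        Map<String, Collection<ConfigAttribute>> map =
                new java.util.LinkedHashMap<String, Collection<ConfigAttribute>>();
        for (String auth : authorityNames) {
            if (auth == null || auth.trim().length() == 0) {
                continue; // AUTHORITY_NAME is nullable; SecurityConfig rejects empty names
            }
            ConfigAttribute ca = new SecurityConfig(auth);
            // Bound parameter instead of string concatenation: authority names are operator-entered
            // data and must not be spliced into the SQL text.
            @SuppressWarnings("unchecked")
            List<String> resourceStrings = session
                    .createSQLQuery(
                            "select b.resource_string "
                            + "from Pub_Authorities_Resources a, Pub_Resources b, "
                            + "Pub_authorities c where a.resource_id = b.resource_id "
                            + "and a.authority_id=c.authority_id and c.Authority_name = :auth")
                    .setString("auth", auth)
                    .list();
            for (String url : resourceStrings) {
                if (url == null) {
                    continue; // RESOURCE_STRING is nullable; a null key could never match a request
                }
                // One resource may be reachable through several authorities: append to the
                // existing list rather than replacing it.
                Collection<ConfigAttribute> atts = map.get(url);
                if (atts == null) {
                    atts = new ArrayList<ConfigAttribute>();
                    map.put(url, atts);
                }
                atts.add(ca);
            }
        }
        return map;
    }

    /**
     * All attributes known to this source, so AbstractSecurityInterceptor can validate them
     * against the AccessDecisionManager at startup.
     *
     * @return every ConfigAttribute loaded, or null when the table has not been loaded
     */
    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        if (resourceMap == null) {
            return null;
        }
        Collection<ConfigAttribute> all = new ArrayList<ConfigAttribute>();
        for (Collection<ConfigAttribute> atts : resourceMap.values()) {
            all.addAll(atts);
        }
        return all;
    }

    /**
     * 根据URL,找到相关的权限配置。
     * Strips the query string, normalises case the way the matcher expects, and returns the
     * authorities of the first stored pattern that matches.
     *
     * @param object a {@link FilterInvocation}
     * @return the required authorities, or null when no pattern matches. A null result is
     *         treated by AbstractSecurityInterceptor as a public resource unless
     *         rejectPublicInvocations is set, i.e. URLs absent from the table are NOT protected
     *         by this source.
     * @throws IllegalArgumentException when {@code object} is not a FilterInvocation
     */
    @Override
    public Collection<ConfigAttribute> getAttributes(Object object)
            throws IllegalArgumentException {
        if (!(object instanceof FilterInvocation)) {
            throw new IllegalArgumentException("Object must be a FilterInvocation");
        }
        // object 是一个URL,被用户请求的url。
        String url = ((FilterInvocation) object).getRequestUrl();
        int firstQuestionMarkIndex = url.indexOf('?');
        if (firstQuestionMarkIndex != -1) {
            url = url.substring(0, firstQuestionMarkIndex);
        }
        // AntUrlPathMatcher compiles patterns to lower case; the URL must be normalised the same
        // way (same default-locale toLowerCase as compile()) or mixed-case requests never match.
        if (urlMatcher.requiresLowerCaseUrl()) {
            url = url.toLowerCase();
        }
        if (resourceMap == null) {
            return null;
        }
        for (Map.Entry<String, Collection<ConfigAttribute>> entry : resourceMap.entrySet()) {
            // pathMatchesUrl takes (compiledPattern, url). The previous call passed the request
            // URL as the pattern, which made Ant wildcards such as /*/*/Tree.jsp never match.
            Object compiledPattern = urlMatcher.compile(entry.getKey());
            if (urlMatcher.pathMatchesUrl(compiledPattern, url)) {
                return entry.getValue();
            }
        }
        return null;
    }

    /**
     * getAttributes casts its argument to FilterInvocation, so that is the only type supported.
     *
     * @param clazz secure-object class offered by the interceptor
     */
    @Override
    public boolean supports(Class<?> clazz) {
        return clazz != null && FilterInvocation.class.isAssignableFrom(clazz);
    }
}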
/*
 * @(#) MyUserDetailsService.java 2011-3-23 上午09:04:31
 *
 * Copyright 2011 by Sparta
 */
package avatar.base.security;
import java.util.ArrayList;
import java.util.Collection;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.DataAccessException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserCache;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import avatar.base.security.dao.PubAuthoritiesResourcesHome;
import avatar.base.security.dao.PubUsersHome;
/**
 * 该类的主要作用是为Spring Security提供一个经过用户认证后的UserDetails。
 * 该UserDetails包括用户名、密码、是否可用、是否过期等信息。
 * sparta 11/3/29
 */
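@Service
public class MyUserDetailsService implements UserDetailsService {

    /** DAO that supplies the stored password and the granted authorities. */
    @Autowired
    private PubUsersHome pubUsersHome;
    /** Injected but not used by this class; kept for the existing bean wiring. */
    @Autowired
    private PubAuthoritiesResourcesHome pubAuthoritiesResourcesHome;
    /** Injected but not used by this class; kept for the existing bean wiring. */
    @Autowired
    private DataSource dataSource;
    /** Injected but not used by this class; kept for the existing bean wiring. */
    @Autowired
    private UserCache userCache;

    /**
     * Builds the UserDetails that Spring Security compares the submitted credentials against.
     * The stored password is whatever the DAO returns; the configured PasswordEncoder is
     * expected to do the hashing/comparison.
     * NOTE(review): enabled / accountNonExpired / credentialsNonExpired / accountNonLocked are
     * hard-coded to true although SYS_USERS has an ENABLED column, so a disabled account can
     * still authenticate unless the DAO already filters it out -- TODO confirm with pubUsersHome.
     *
     * @param username login name as submitted
     * @return user with password and authorities loaded
     * @throws UsernameNotFoundException when the name is blank or no password is stored for it;
     *         previously a missing user surfaced as IllegalArgumentException from the User
     *         constructor instead of the exception this contract names
     * @throws DataAccessException propagated from the DAO
     */
    @Override
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        if (username == null || username.trim().length() == 0) {
            throw new UsernameNotFoundException("Username must not be empty");
        }
        //取得用户的密码
        String password = pubUsersHome.getPasswordByUsername(username);
        if (password == null) {
            throw new UsernameNotFoundException("User not found: " + username);
        }
        //得到用户的权限
        Collection<GrantedAuthority> auths = pubUsersHome.loadUserAuthoritiesByName(username);
        if (auths == null) {
            auths = new ArrayList<GrantedAuthority>(); // User rejects a null authority collection
        }
        // 7-argument constructor: (username, password, enabled, accountNonExpired,
        // credentialsNonExpired, accountNonLocked, authorities); the stray "" argument of the
        // original call matched no User constructor.
        return new User(username, password, true, true, true, true, auths);
    }

    //set PubUsersHome
    public void setPubUsersHome(PubUsersHome pubUsersHome) {
        this.pubUsersHome = pubUsersHome;
    }

    public PubUsersHome getPubUsersHome() {
        return pubUsersHome;
    }

    //set PubAuthoritiesResourcesHome
    public void setPubAuthoritiesResourcesHome(PubAuthoritiesResourcesHome pubAuthoritiesResourcesHome) {
        this.pubAuthoritiesResourcesHome = pubAuthoritiesResourcesHome;
    }

    public PubAuthoritiesResourcesHome getPubAuthoritiesResourcesHome() {
        return pubAuthoritiesResourcesHome;
    }

    //set DataSource
    public void setDataSource(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    public DataSource getDataSource() {
        return dataSource;
    }

    //设置用户缓存功能。 (the cache is stored but never consulted in this class)
    public void setUserCache(UserCache userCache) {
        this.userCache = userCache;
    }

    public UserCache getUserCache() {
        return this.userCache;
    }
}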
/*
 * @(#) MyAccessDecisionManager.java 2011-3-23 下午04:41:12
 *
 * Copyright 2011 by Sparta
 */
package avatar.base.security;
import java.util.Collection;
import java.util.Iterator;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
/**
 * AccessDecisionManager在Spring Security中是很重要的。
 *
 * 在验证部分简略提过了,所有的Authentication实现需要保存在一个GrantedAuthority对象数组中。
 * 这就是赋予给主体的权限。 GrantedAuthority对象通过AuthenticationManager
 * 保存到 Authentication对象里,然后从AccessDecisionManager读出来,进行授权判断。
 *
 * Spring Security提供了一些拦截器,来控制对安全对象的访问权限,例如方法调用或web请求。
 * 一个是否允许执行调用的预调用决定,是由AccessDecisionManager实现的。
 * 这个 AccessDecisionManager 被AbstractSecurityInterceptor调用,
 * 它用来作最终访问控制的决定。 这个AccessDecisionManager接口包含三个方法:
 *
 * void decide(Authentication authentication, Object secureObject,
 *     List<ConfigAttributeDefinition> config) throws AccessDeniedException;
 * boolean supports(ConfigAttribute attribute);
 * boolean supports(Class clazz);
 *
 * 从第一个方法可以看出来,AccessDecisionManager使用方法参数传递所有信息,这好像在认证评估时进行决定。
 * 特别是,在真实的安全方法期望调用的时候,传递安全Object启用那些参数。
 * 比如,让我们假设安全对象是一个MethodInvocation。
 * 很容易为任何Customer参数查询MethodInvocation,
 * 然后在AccessDecisionManager里实现一些有序的安全逻辑,来确认主体是否允许在那个客户上操作。
 * 如果访问被拒绝,实现将抛出一个AccessDeniedException异常。
 * 这个 supports(ConfigAttribute) 方法在启动的时候被
 * AbstractSecurityInterceptor调用,来决定AccessDecisionManager
 * 是否可以执行传递ConfigAttribute。
 * supports(Class)方法被安全拦截器实现调用,
 * 包含安全拦截器将显示的AccessDecisionManager支持安全对象的类型。
 */
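public class MyAccessDecisionManager implements AccessDecisionManager {

    /**
     * Grants access when the caller holds at least one authority whose name equals one of the
     * attributes required for the secure object; denies otherwise.
     *
     * @param authentication the caller; its authorities are compared by name (trimmed)
     * @param object the secure object (unused: the decision depends only on the attributes)
     * @param configAttributes authorities that unlock the object. {@code null} means the object
     *        carries no definition; AbstractSecurityInterceptor normally does not call decide()
     *        in that case and the permissive handling of null is kept as it was. An EMPTY
     *        collection, by contrast, denies access.
     * @throws AccessDeniedException when no required authority is held
     * @throws InsufficientAuthenticationException when no Authentication is available
     */
    @Override
    public void decide(Authentication authentication, Object object,
            Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {
        if (configAttributes == null) {
            return;
        }
        if (authentication == null) {
            // Previously an NPE; the contract names this exception for the case.
            throw new InsufficientAuthenticationException("No Authentication object available");
        }
        for (ConfigAttribute ca : configAttributes) {
            // getAttribute() is on the interface; the cast to SecurityConfig was unnecessary and
            // would throw for any other ConfigAttribute implementation.
            String needRole = ca.getAttribute();
            if (needRole == null) {
                continue; // attribute has no String form, so it cannot be matched by name
            }
            //ga 为用户所被赋予的权限。 needRole 为访问相应的资源应该具有的权限。
            for (GrantedAuthority ga : authentication.getAuthorities()) {
                String held = ga.getAuthority();
                // getAuthority() may legitimately return null for authorities that cannot be
                // represented as a String.
                if (held != null && needRole.trim().equals(held.trim())) {
                    return;
                }
            }
        }
        // Generic message on purpose: the name of the missing authority belongs in the server
        // log, not in a message that an AccessDeniedHandler may render to the client.
        throw new AccessDeniedException("Access is denied");
    }

    /**
     * Only attributes with a String representation can be matched by {@link #decide}.
     *
     * @param attribute attribute offered for startup validation
     */
    @Override
    public boolean supports(ConfigAttribute attribute) {
        return attribute != null && attribute.getAttribute() != null;
    }

    /** decide() never inspects the secure object, so every secure-object type is accepted. */
    @Override
    public boolean supports(Class<?> clazz) {
        return true;
    }
}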
数据库的SQL及预置数据:
-- Schema for the Spring Security tables used by the Java classes above (Oracle / SQL*Plus dump).
-- NOTE(review): the tables are created as SYS_* while their constraints are named PK_PUB_* / FK_PUB_*
-- and the Java loader on this page queries pub_authorities / Pub_Resources / Pub_Authorities_Resources;
-- confirm which naming the deployed schema actually uses.
prompt Created on 2011年6月1日 by Administrator
set feedback off
set define off
-- Authorities: the names that MyInvocationSecurityMetadataSourceService turns into ConfigAttributes
-- and that MyAccessDecisionManager compares against GrantedAuthority names.
-- NOTE(review): AUTHORITY_NAME is nullable and carries no unique constraint; ENABLED is not consulted
-- by the Java loader.
prompt Creating SYS_AUTHORITIES
create table SYS_AUTHORITIES
(
AUTHORITY_ID VARCHAR2 ( 32 ) not null ,
AUTHORITY_NAME VARCHAR2 ( 40 ),
AUTHORITY_DESC VARCHAR2 ( 100 ),
ENABLED NUMBER ( 1 ),
ISSYS NUMBER ( 1 ),
MODULE VARCHAR2 ( 4 )
)
tablespace SCJD
pctfree 10
initrans 1
maxtrans 255
storage
(
initial 64K
minextents 1
maxextents unlimited
);
comment on table SYS_AUTHORITIES
is ' 权限表 ' ;
comment on column SYS_AUTHORITIES.MODULE
is ' 所属的子系统,比如平台里面包括10个系统,分别为成本、作业、集输等。 ' ;
alter table SYS_AUTHORITIES
add constraint PK_PUB_AUTHORITIES primary key (AUTHORITY_ID)
using index
tablespace SCJD
pctfree 10
initrans 2
maxtrans 255
storage
(
initial 64K
minextents 1
maxextents unlimited
);
-- Resources: RESOURCE_STRING is the Ant-style URL pattern matched in getAttributes.
-- PRIORITY is documented as reserved, so overlapping patterns have no defined precedence in the
-- database; the loader's map order decides.
prompt Creating SYS_RESOURCES
create table SYS_RESOURCES
(
RESOURCE_ID VARCHAR2 ( 32 ) not null ,
RESOURCE_NAME VARCHAR2 ( 100 ),
RESOURCE_DESC VARCHAR2 ( 100 ),
RESOURCE_TYPE VARCHAR2 ( 40 ),
RESOURCE_STRING VARCHAR2 ( 200 ),
PRIORITY NUMBER ( 1 ),
ENABLED NUMBER ( 1 ),
ISSYS NUMBER ( 1 ),
MODULE VARCHAR2 ( 4 )
)
tablespace SCJD
pctfree 10
initrans 1
maxtrans 255
storage
(
initial 64K
minextents 1
maxextents unlimited
);
comment on table SYS_RESOURCES
is ' 资源表 ' ;
comment on column SYS_RESOURCES.PRIORITY
is ' (暂不用,保留) ' ;
comment on column SYS_RESOURCES.MODULE
is ' 所属的子系统,比如平台里面包括10个系统,分别为成本、作业、集输等。 (暂不用,保留) ' ;
alter table SYS_RESOURCES
add constraint PK_PUB_RESOURCES primary key (RESOURCE_ID)
using index
tablespace SCJD
pctfree 10
initrans 2
maxtrans 255
storage
(
initial 64K
minextents 1
maxextents unlimited
);
-- authority -> resource grants. AUTHORITY_ID / RESOURCE_ID are nullable; the FK constraints below
-- are disabled again in the load section of this script.
prompt Creating SYS_AUTHORITIES_RESOURCES
create table SYS_AUTHORITIES_RESOURCES
(
ID NUMBER ( 13 ) not null ,
AUTHORITY_ID VARCHAR2 ( 32 ),
RESOURCE_ID VARCHAR2 ( 32 ),
ENABLED NUMBER ( 1 )
)
tablespace SCJD
pctfree 10
initrans 1
maxtrans 255
storage
(
initial 64K
minextents 1
maxextents unlimited
);
comment on table SYS_AUTHORITIES_RESOURCES
is ' 权限资源表 ' ;
alter table SYS_AUTHORITIES_RESOURCES
add constraint PK_PUB_AUTHORITIES_RE primary key (ID)
using index
tablespace SCJD
pctfree 10
initrans 2
maxtrans 255
storage
(
initial 64K
minextents 1
maxextents unlimited
);
alter table SYS_AUTHORITIES_RESOURCES
add constraint FK_PUB_AUTHORITIES_RE_AU foreign key (AUTHORITY_ID)
references SYS_AUTHORITIES (AUTHORITY_ID);
alter table SYS_AUTHORITIES_RESOURCES
add constraint FK_PUB_AUTHORITIES_RE_RE foreign key (RESOURCE_ID)
references SYS_RESOURCES (RESOURCE_ID);
-- Roles are assigned to users (SYS_USERS_ROLES) and expanded to authorities (SYS_ROLES_AUTHORITIES).
-- NOTE(review): the Java side compares resource authorities with whatever the user DAO returns;
-- presumably that is the expanded AUTH_* names rather than the ROLE_* names -- verify in PubUsersHome.
prompt Creating SYS_ROLES
create table SYS_ROLES
(
ROLE_ID VARCHAR2 ( 32 ) not null ,
ROLE_NAME VARCHAR2 ( 40 ),
ROLE_DESC VARCHAR2 ( 100 ),
ENABLED NUMBER ( 1 ),
ISSYS NUMBER ( 1 ),
MODULE VARCHAR2 ( 4 )
)
tablespace SCJD
pctfree 10
initrans 1
maxtrans 255
storage
(
initial 64K
minextents 1
maxextents unlimited
);
comment on table SYS_ROLES
is ' 角色表 ' ;
comment on column SYS_ROLES.MODULE
is ' 所属的子系统,比如平台里面包括10个系统,分别为成本、作业、集输等。 ' ;
alter table SYS_ROLES
add constraint PK_PUB_ROLES primary key (ROLE_ID)
using index
tablespace SCJD
pctfree 10
initrans 2
maxtrans 255
storage
(
initial 64K
minextents 1
maxextents unlimited
);
prompt Creating SYS_ROLES_AUTHORITIES
create table SYS_ROLES_AUTHORITIES
(
ID NUMBER ( 13 ) not null ,
ROLE_ID VARCHAR2 ( 32 ),
AUTHORITY_ID VARCHAR2 ( 32 ),
ENABLED NUMBER ( 1 )
)
tablespace SCJD
pctfree 10
initrans 1
maxtrans 255
storage
(
initial 64K
minextents 1
maxextents unlimited
);
comment on table SYS_ROLES_AUTHORITIES
is ' 角色权限表 ' ;
alter table SYS_ROLES_AUTHORITIES
add constraint PK_PUB_ROLES_AUTHORITY primary key (ID)
using index
tablespace SCJD
pctfree 10
initrans 2
maxtrans 255
storage
(
initial 64K
minextents 1
maxextents unlimited
);
alter table SYS_ROLES_AUTHORITIES
add constraint FK_PUB_ROLES_AUTHORITIES_AU foreign key (AUTHORITY_ID)
references SYS_AUTHORITIES (AUTHORITY_ID);
alter table SYS_ROLES_AUTHORITIES
add constraint FK_PUB_ROLES_AUTHORITIES_ROLES foreign key (ROLE_ID)
references SYS_ROLES (ROLE_ID);
-- Accounts. USER_ACCOUNT has no unique constraint, so a login name can map to several rows;
-- ENABLED exists here but MyUserDetailsService builds every account as enabled.
prompt Creating SYS_USERS
create table SYS_USERS
(
USER_ID VARCHAR2 ( 32 ) not null ,
USER_ACCOUNT VARCHAR2 ( 30 ),
USER_NAME VARCHAR2 ( 40 ),
USER_PASSWORD VARCHAR2 ( 100 ),
USER_DESC VARCHAR2 ( 100 ),
ENABLED NUMBER ( 1 ),
ISSYS NUMBER ( 1 ),
USER_DEPT VARCHAR2 ( 20 ),
USER_DUTY VARCHAR2 ( 10 ),
SUB_SYSTEM VARCHAR2 ( 30 )
)
tablespace SCJD
pctfree 10
initrans 1
maxtrans 255
storage
(
initial 64K
minextents 1
maxextents unlimited
);
comment on table SYS_USERS
is ' 用户表 ' ;
-- NOTE(review): the column comment below documents a salted MD5 (salt = username). MD5 is a fast
-- digest, not a password hash; a slow, per-user-salted scheme (bcrypt / scrypt / argon2, or at least
-- a per-user random salt) is the expected storage format for credentials. The 100-character width
-- leaves room for such encodings.
comment on column SYS_USERS.USER_PASSWORD
is ' 该密码是经加盐值加密的,格式为password{username}。 比如用户的密码为user,用户名为user,那么通过MD5进行加密的串为: user{user} ' ;
comment on column SYS_USERS.ISSYS
is ' 是否是超级用户 ' ;
comment on column SYS_USERS.USER_DEPT
is ' 所在单位 ' ;
comment on column SYS_USERS.USER_DUTY
is ' 经理或主任 ' ;
comment on column SYS_USERS.SUB_SYSTEM
is ' 该用户所负责的各子系统,可多个,中间用逗号分隔。(目前暂未用,作为保留字段) ' ;
alter table SYS_USERS
add constraint PK_PUB_USERS primary key ( USER_ID )
using index
tablespace SCJD
pctfree 10
initrans 2
maxtrans 255
storage
(
initial 64K
minextents 1
maxextents unlimited
);
prompt Creating SYS_USERS_ROLES
create table SYS_USERS_ROLES
(
ID NUMBER ( 13 ) not null ,
USER_ID VARCHAR2 ( 32 ),
ROLE_ID VARCHAR2 ( 32 ),
ENABLED NUMBER ( 1 )
)
tablespace SCJD
pctfree 10
initrans 1
maxtrans 255
storage
(
initial 64K
minextents 1
maxextents unlimited
);
comment on table SYS_USERS_ROLES
is ' 用户角色表 ' ;
alter table SYS_USERS_ROLES
add constraint PK_PUB_USERS_ROLES primary key (ID)
using index
tablespace SCJD
pctfree 10
initrans 2
maxtrans 255
storage
(
initial 64K
minextents 1
maxextents unlimited
);
alter table SYS_USERS_ROLES
add constraint FK_USERS_ROLES_ROLES foreign key (ROLE_ID)
references SYS_ROLES (ROLE_ID);
alter table SYS_USERS_ROLES
add constraint FK_USERS_ROLES_USERS foreign key ( USER_ID )
references SYS_USERS ( USER_ID );
prompt Disabling triggers for SYS_AUTHORITIES
alter table SYS_AUTHORITIES disable all triggers;
prompt Disabling triggers for SYS_RESOURCES
alter table SYS_RESOURCES disable all triggers;
prompt Disabling triggers for SYS_AUTHORITIES_RESOURCES
alter table SYS_AUTHORITIES_RESOURCES disable all triggers;
prompt Disabling triggers for SYS_ROLES
alter table SYS_ROLES disable all triggers;
prompt Disabling triggers for SYS_ROLES_AUTHORITIES
alter table SYS_ROLES_AUTHORITIES disable all triggers;
prompt Disabling triggers for SYS_USERS
alter table SYS_USERS disable all triggers;
prompt Disabling triggers for SYS_USERS_ROLES
alter table SYS_USERS_ROLES disable all triggers;
prompt Disabling foreign key constraints for SYS_AUTHORITIES_RESOURCES
alter table SYS_AUTHORITIES_RESOURCES disable constraint FK_PUB_AUTHORITIES_RE_AU;
alter table SYS_AUTHORITIES_RESOURCES disable constraint FK_PUB_AUTHORITIES_RE_RE;
prompt Disabling foreign key constraints for SYS_ROLES_AUTHORITIES
alter table SYS_ROLES_AUTHORITIES disable constraint FK_PUB_ROLES_AUTHORITIES_AU;
alter table SYS_ROLES_AUTHORITIES disable constraint FK_PUB_ROLES_AUTHORITIES_ROLES;
prompt Disabling foreign key constraints for SYS_USERS_ROLES
alter table SYS_USERS_ROLES disable constraint FK_USERS_ROLES_ROLES;
alter table SYS_USERS_ROLES disable constraint FK_USERS_ROLES_USERS;
prompt Deleting SYS_USERS_ROLES
delete from SYS_USERS_ROLES;
commit ;
prompt Deleting SYS_USERS
delete from SYS_USERS;
commit ;
prompt Deleting SYS_ROLES_AUTHORITIES
delete from SYS_ROLES_AUTHORITIES;
commit ;
prompt Deleting SYS_ROLES
delete from SYS_ROLES;
commit ;
prompt Deleting SYS_AUTHORITIES_RESOURCES
delete from SYS_AUTHORITIES_RESOURCES;
commit ;
prompt Deleting SYS_RESOURCES
delete from SYS_RESOURCES;
commit ;
prompt Deleting SYS_AUTHORITIES
delete from SYS_AUTHORITIES;
commit ;
prompt Loading SYS_AUTHORITIES
insert into SYS_AUTHORITIES (AUTHORITY_ID, AUTHORITY_NAME, AUTHORITY_DESC, ENABLED, ISSYS, MODULE)
values ( ' 1303910437484 ' , ' AUTH_xxx ' , ' xxx ' , null , null , ' 01 ' );
insert into SYS_AUTHORITIES (AUTHORITY_ID, AUTHORITY_NAME, AUTHORITY_DESC, ENABLED, ISSYS, MODULE)
values ( ' AUTH_LOGIN4 ' , ' AUTH_LOGIN ' , ' 登录 ' , 1 , 0 , ' 01 ' );
insert into SYS_AUTHORITIES (AUTHORITY_ID, AUTHORITY_NAME, AUTHORITY_DESC, ENABLED, ISSYS, MODULE)
values ( ' AUTH_AFTERLOGINWELCOME5 ' , ' AUTH_AFTERLOGINWELCOME ' , ' 登录后欢迎界面 ' , 1 , 0 , ' 01 ' );
insert into SYS_AUTHORITIES (AUTHORITY_ID, AUTHORITY_NAME, AUTHORITY_DESC, ENABLED, ISSYS, MODULE)
values ( ' AUTH_XTSZ_DEPT1 ' , ' AUTH_XTSZ_DEPT ' , ' 单位设置 ' , 1 , 0 , ' 01 ' );
insert into SYS_AUTHORITIES (AUTHORITY_ID, AUTHORITY_NAME, AUTHORITY_DESC, ENABLED, ISSYS, MODULE)
values ( ' AUTH_XTSZ_USER2 ' , ' AUTH_XTSZ_USER ' , ' 用户设置、横向查询 ' , 1 , 0 , ' 01 ' );
insert into SYS_AUTHORITIES (AUTHORITY_ID, AUTHORITY_NAME, AUTHORITY_DESC, ENABLED, ISSYS, MODULE)
values ( ' AUTH_NODE_MGR3 ' , ' AUTH_NODE_MGR ' , ' 节点管理、纵向查询 ' , 1 , 0 , ' 01 ' );
commit ;
prompt 6 records loaded
prompt Loading SYS_RESOURCES
insert into SYS_RESOURCES (RESOURCE_ID, RESOURCE_NAME, RESOURCE_DESC, RESOURCE_TYPE, RESOURCE_STRING, PRIORITY, ENABLED, ISSYS, MODULE)
values ( ' 1303909883031 ' , ' ff ' , ' ff ' , ' action ' , ' b.jsp ' , null , 1 , 0 , null );
insert into SYS_RESOURCES (RESOURCE_ID, RESOURCE_NAME, RESOURCE_DESC, RESOURCE_TYPE, RESOURCE_STRING, PRIORITY, ENABLED, ISSYS, MODULE)
values ( ' 1303909847687 ' , ' ff1 ' , ' ff1 ' , ' action ' , ' b.jsp ' , null , 1 , 0 , null );
insert into SYS_RESOURCES (RESOURCE_ID, RESOURCE_NAME, RESOURCE_DESC, RESOURCE_TYPE, RESOURCE_STRING, PRIORITY, ENABLED, ISSYS, MODULE)
values ( ' node_mgr3 ' , ' node_mgr ' , ' 节点管理 ' , ' url ' , ' /*/*/Tree.jsp ' , null , 1 , 0 , null );
insert into SYS_RESOURCES (RESOURCE_ID, RESOURCE_NAME, RESOURCE_DESC, RESOURCE_TYPE, RESOURCE_STRING, PRIORITY, ENABLED, ISSYS, MODULE)
values ( ' login4 ' , ' login ' , ' 登录 ' , ' url ' , ' /login.jsp ' , null , 1 , 0 , null );
insert into SYS_RESOURCES (RESOURCE_ID, RESOURCE_NAME, RESOURCE_DESC, RESOURCE_TYPE, RESOURCE_STRING, PRIORITY, ENABLED, ISSYS, MODULE)
values ( ' index5 ' , ' index ' , ' 登录后欢迎页面 ' , ' url ' , ' /index.jsp ' , null , 1 , 0 , null );
insert into SYS_RESOURCES (RESOURCE_ID, RESOURCE_NAME, RESOURCE_DESC, RESOURCE_TYPE, RESOURCE_STRING, PRIORITY, ENABLED, ISSYS, MODULE)
values ( ' resources_mgr ' , ' resources_mgr ' , ' 资源管理 ' , ' action ' , ' /managerResource ' , null , 1 , 0 , null );
insert into SYS_RESOURCES (RESOURCE_ID, RESOURCE_NAME, RESOURCE_DESC, RESOURCE_TYPE, RESOURCE_STRING, PRIORITY, ENABLED, ISSYS, MODULE)
values ( ' horizontal_qry6 ' , ' horizontal_qry ' , ' 横向查询 ' , ' action ' , ' /horizontalQuery ' , null , 1 , 0 , null );
insert into SYS_RESOURCES (RESOURCE_ID, RESOURCE_NAME, RESOURCE_DESC, RESOURCE_TYPE, RESOURCE_STRING, PRIORITY, ENABLED, ISSYS, MODULE)
values ( ' vertical_qry7 ' , ' vertical_qry ' , ' 纵向查询 ' , ' action ' , ' /verticalQuery ' , null , 1 , 0 , null );
insert into SYS_RESOURCES (RESOURCE_ID, RESOURCE_NAME, RESOURCE_DESC, RESOURCE_TYPE, RESOURCE_STRING, PRIORITY, ENABLED, ISSYS, MODULE)
values ( ' dep_mgr1 ' , ' dep_mgr ' , ' 单位管理 ' , ' action ' , ' /UnitsManager ' , null , 1 , 0 , null );
insert into SYS_RESOURCES (RESOURCE_ID, RESOURCE_NAME, RESOURCE_DESC, RESOURCE_TYPE, RESOURCE_STRING, PRIORITY, ENABLED, ISSYS, MODULE)
values ( ' user_mgr2 ' , ' user_mgr ' , ' 用户管理 ' , ' action ' , ' /managerUser ' , null , 1 , 0 , null );
insert into SYS_RESOURCES (RESOURCE_ID, RESOURCE_NAME, RESOURCE_DESC, RESOURCE_TYPE, RESOURCE_STRING, PRIORITY, ENABLED, ISSYS, MODULE)
values ( ' authority_mgr ' , ' authority_mgr ' , ' 权限管理 ' , ' action ' , ' /managerAuthority ' , null , 1 , 0 , null );
insert into SYS_RESOURCES (RESOURCE_ID, RESOURCE_NAME, RESOURCE_DESC, RESOURCE_TYPE, RESOURCE_STRING, PRIORITY, ENABLED, ISSYS, MODULE)
values ( ' role_mgr ' , ' role_mgr ' , ' 角色管理 ' , ' action ' , ' /managerRole ' , null , null , null , null );
commit ;
prompt 12 records loaded
prompt Loading SYS_AUTHORITIES_RESOURCES
insert into SYS_AUTHORITIES_RESOURCES (ID, AUTHORITY_ID, RESOURCE_ID, ENABLED)
values ( 1 , ' AUTH_AFTERLOGINWELCOME5 ' , ' index5 ' , 1 );
insert into SYS_AUTHORITIES_RESOURCES (ID, AUTHORITY_ID, RESOURCE_ID, ENABLED)
values ( 2 , ' AUTH_LOGIN4 ' , ' login4 ' , 1 );
insert into SYS_AUTHORITIES_RESOURCES (ID, AUTHORITY_ID, RESOURCE_ID, ENABLED)
values ( 3 , ' AUTH_NODE_MGR3 ' , ' node_mgr3 ' , 1 );
insert into SYS_AUTHORITIES_RESOURCES (ID, AUTHORITY_ID, RESOURCE_ID, ENABLED)
values ( 4 , ' AUTH_XTSZ_DEPT1 ' , ' dep_mgr1 ' , 1 );
insert into SYS_AUTHORITIES_RESOURCES (ID, AUTHORITY_ID, RESOURCE_ID, ENABLED)
values ( 5 , ' AUTH_XTSZ_USER2 ' , ' user_mgr2 ' , 1 );
insert into SYS_AUTHORITIES_RESOURCES (ID, AUTHORITY_ID, RESOURCE_ID, ENABLED)
values ( 7 , ' AUTH_XTSZ_USER2 ' , ' horizontal_qry6 ' , 1 );
insert into SYS_AUTHORITIES_RESOURCES (ID, AUTHORITY_ID, RESOURCE_ID, ENABLED)
values ( 8 , ' AUTH_XTSZ_DEPT1 ' , ' vertical_qry7 ' , 1 );
insert into SYS_AUTHORITIES_RESOURCES (ID, AUTHORITY_ID, RESOURCE_ID, ENABLED)
values ( 12 , ' AUTH_XTSZ_USER2 ' , ' role_mgr ' , 1 );
insert into SYS_AUTHORITIES_RESOURCES (ID, AUTHORITY_ID, RESOURCE_ID, ENABLED)
values ( 10 , ' AUTH_XTSZ_USER2 ' , ' resources_mgr ' , 1 );
insert into SYS_AUTHORITIES_RESOURCES (ID, AUTHORITY_ID, RESOURCE_ID, ENABLED)
values ( 11 , ' AUTH_XTSZ_USER2 ' , ' authority_mgr ' , 1 );
commit ;
prompt 10 records loaded
prompt Loading SYS_ROLES
insert into SYS_ROLES (ROLE_ID, ROLE_NAME, ROLE_DESC, ENABLED, ISSYS, MODULE)
values ( ' 1303463518765 ' , ' ROLE_dd1 ' , ' dd1 ' , 1 , 0 , ' 01 ' );
insert into SYS_ROLES (ROLE_ID, ROLE_NAME, ROLE_DESC, ENABLED, ISSYS, MODULE)
values ( ' 1303463949640 ' , ' ROLE_rr1 ' , ' rr1 ' , 1 , 0 , ' 02 ' );
insert into SYS_ROLES (ROLE_ID, ROLE_NAME, ROLE_DESC, ENABLED, ISSYS, MODULE)
values ( ' ROLE_PLATFORMADMIN1 ' , ' ROLE_PLATFORMADMIN ' , ' 可管理整个平台的用户、单位设置。 ' , 1 , 1 , ' 01 ' );
insert into SYS_ROLES (ROLE_ID, ROLE_NAME, ROLE_DESC, ENABLED, ISSYS, MODULE)
values ( ' ROLE_USER2 ' , ' ROLE_USER ' , ' 普通用户 ' , 1 , 0 , ' 01 ' );
insert into SYS_ROLES (ROLE_ID, ROLE_NAME, ROLE_DESC, ENABLED, ISSYS, MODULE)
values ( ' ROLE_LOGINTOWELCOME4 ' , ' ROLE_LOGINTOWELCOME ' , ' 仅登录到欢迎界面! ' , 1 , 0 , ' 01 ' );
insert into SYS_ROLES (ROLE_ID, ROLE_NAME, ROLE_DESC, ENABLED, ISSYS, MODULE)
values ( ' ROLE_SYSADMIN3 ' , ' ROLE_SYSADMIN ' , ' 可管理本系统的用户、单位设置。 ' , 1 , 0 , ' 01 ' );
insert into SYS_ROLES (ROLE_ID, ROLE_NAME, ROLE_DESC, ENABLED, ISSYS, MODULE)
values ( ' ROLE_WORK ' , ' ROLE_WORK ' , ' 作业子系统的角色(试验) ' , 1 , 0 , ' 02 ' );
insert into SYS_ROLES (ROLE_ID, ROLE_NAME, ROLE_DESC, ENABLED, ISSYS, MODULE)
values ( ' ROLE_LOGIN ' , ' ROLE_LOGIN ' , ' 系统登录 ' , 1 , 0 , ' 01 ' );
commit ;
prompt 8 records loaded
prompt Loading SYS_ROLES_AUTHORITIES
-- Role-to-authority grants. ROLE_ID and AUTHORITY_ID are foreign keys (the
-- constraints are re-enabled at the end of the script). ENABLED is a 0/1 flag.
-- NOTE(review): ROLE_WORK (described in SYS_ROLES as an experimental role for
-- the work sub-system, MODULE 02) is granted exactly the same five authorities
-- as ROLE_PLATFORMADMIN1, including AUTH_XTSZ_DEPT1, AUTH_XTSZ_USER2 and
-- AUTH_NODE_MGR3. That is platform-administrator scope for a trial role and
-- should be cut back to what the work sub-system actually needs. No seed user
-- is mapped to ROLE_WORK in SYS_USERS_ROLES below, so the exposure is latent.
-- NOTE(review): ROLE_SYSADMIN3 holds no AUTH_LOGIN4 or AUTH_AFTERLOGINWELCOME5
-- row. If those authorities gate the login and welcome resources (the
-- authority-to-resource mapping is outside this view), the sysUser account
-- cannot reach them. Confirm.
insert into SYS_ROLES_AUTHORITIES (ID, ROLE_ID, AUTHORITY_ID, ENABLED)
values ( 1 , ' ROLE_LOGINTOWELCOME4 ' , ' AUTH_AFTERLOGINWELCOME5 ' , 1 );
insert into SYS_ROLES_AUTHORITIES (ID, ROLE_ID, AUTHORITY_ID, ENABLED)
values ( 2 , ' ROLE_PLATFORMADMIN1 ' , ' AUTH_AFTERLOGINWELCOME5 ' , 1 );
insert into SYS_ROLES_AUTHORITIES (ID, ROLE_ID, AUTHORITY_ID, ENABLED)
values ( 3 , ' ROLE_PLATFORMADMIN1 ' , ' AUTH_LOGIN4 ' , 1 );
insert into SYS_ROLES_AUTHORITIES (ID, ROLE_ID, AUTHORITY_ID, ENABLED)
values ( 4 , ' ROLE_PLATFORMADMIN1 ' , ' AUTH_NODE_MGR3 ' , 1 );
insert into SYS_ROLES_AUTHORITIES (ID, ROLE_ID, AUTHORITY_ID, ENABLED)
values ( 5 , ' ROLE_PLATFORMADMIN1 ' , ' AUTH_XTSZ_DEPT1 ' , 1 );
insert into SYS_ROLES_AUTHORITIES (ID, ROLE_ID, AUTHORITY_ID, ENABLED)
values ( 6 , ' ROLE_PLATFORMADMIN1 ' , ' AUTH_XTSZ_USER2 ' , 1 );
insert into SYS_ROLES_AUTHORITIES (ID, ROLE_ID, AUTHORITY_ID, ENABLED)
values ( 7 , ' ROLE_SYSADMIN3 ' , ' AUTH_XTSZ_DEPT1 ' , 1 );
insert into SYS_ROLES_AUTHORITIES (ID, ROLE_ID, AUTHORITY_ID, ENABLED)
values ( 8 , ' ROLE_SYSADMIN3 ' , ' AUTH_XTSZ_USER2 ' , 1 );
insert into SYS_ROLES_AUTHORITIES (ID, ROLE_ID, AUTHORITY_ID, ENABLED)
values ( 9 , ' ROLE_USER2 ' , ' AUTH_LOGIN4 ' , 1 );
insert into SYS_ROLES_AUTHORITIES (ID, ROLE_ID, AUTHORITY_ID, ENABLED)
values ( 10 , ' ROLE_LOGINTOWELCOME4 ' , ' AUTH_LOGIN4 ' , 1 );
insert into SYS_ROLES_AUTHORITIES (ID, ROLE_ID, AUTHORITY_ID, ENABLED)
values ( 11 , ' ROLE_USER2 ' , ' AUTH_AFTERLOGINWELCOME5 ' , 1 );
-- The rows below use timestamp-style IDs, presumably generated by the
-- management UI rather than by hand.
insert into SYS_ROLES_AUTHORITIES (ID, ROLE_ID, AUTHORITY_ID, ENABLED)
values ( 1303463962718 , ' 1303463949640 ' , ' AUTH_LOGIN4 ' , 1 );
insert into SYS_ROLES_AUTHORITIES (ID, ROLE_ID, AUTHORITY_ID, ENABLED)
values ( 1303463972234 , ' ROLE_WORK ' , ' AUTH_LOGIN4 ' , 1 );
insert into SYS_ROLES_AUTHORITIES (ID, ROLE_ID, AUTHORITY_ID, ENABLED)
values ( 1303463972235 , ' ROLE_WORK ' , ' AUTH_AFTERLOGINWELCOME5 ' , 1 );
insert into SYS_ROLES_AUTHORITIES (ID, ROLE_ID, AUTHORITY_ID, ENABLED)
values ( 1303463972250 , ' ROLE_WORK ' , ' AUTH_XTSZ_DEPT1 ' , 1 );
insert into SYS_ROLES_AUTHORITIES (ID, ROLE_ID, AUTHORITY_ID, ENABLED)
values ( 1303463972251 , ' ROLE_WORK ' , ' AUTH_XTSZ_USER2 ' , 1 );
insert into SYS_ROLES_AUTHORITIES (ID, ROLE_ID, AUTHORITY_ID, ENABLED)
values ( 1303463972265 , ' ROLE_WORK ' , ' AUTH_NODE_MGR3 ' , 1 );
insert into SYS_ROLES_AUTHORITIES (ID, ROLE_ID, AUTHORITY_ID, ENABLED)
values ( 1303287600015 , ' ROLE_LOGIN ' , ' AUTH_LOGIN4 ' , 1 );
commit ;
prompt 18 records loaded
prompt Loading SYS_USERS
-- Seed accounts. USER_ID is the key referenced from SYS_USERS_ROLES and
-- USER_ACCOUNT is the login name. ENABLED and ISSYS are 0/1 flags, USER_DEPT a
-- department code and SUB_SYSTEM the module code.
-- USER_PASSWORD holds 32-hex digests, consistent with the Md5PasswordEncoder
-- and username salt configured in the Spring context files below (confirm
-- against MyUserDetailsService). MD5 with a predictable salt is not an
-- acceptable password hash, and these are development credentials: disable or
-- re-provision every account here and move to a work-factor hash before any
-- non-test deployment.
-- NOTE(review): USER_ACCOUNT lxb appears in four rows (1304494573750,
-- 1304490737406, 1304573363921 and lxb4). No unique constraint on
-- USER_ACCOUNT is visible in this listing, so a lookup by login name is
-- ambiguous and which row (and therefore which ENABLED flag and role set)
-- wins is undefined. Only lxb4 has a SYS_USERS_ROLES entry.
-- NOTE(review): the blanks inside the quoted literals look like a rendering
-- artifact of this listing and are assumed not to be part of the stored values.
insert into SYS_USERS ( USER_ID , USER_ACCOUNT, USER_NAME , USER_PASSWORD, USER_DESC, ENABLED, ISSYS, USER_DEPT, USER_DUTY, SUB_SYSTEM)
values ( ' 1304494573750 ' , ' lxb ' , ' lxb ' , ' c7d3f4c857bc8c145d6e5d40c1bf23d9 ' , null , 1 , 0 , ' 10011001 ' , null , ' 01 ' );
insert into SYS_USERS ( USER_ID , USER_ACCOUNT, USER_NAME , USER_PASSWORD, USER_DESC, ENABLED, ISSYS, USER_DEPT, USER_DUTY, SUB_SYSTEM)
values ( ' 1304490737406 ' , ' lxb ' , ' lxb ' , ' c7d3f4c857bc8c145d6e5d40c1bf23d9 ' , null , 1 , 0 , ' 10011001 ' , null , ' 01 ' );
-- ENABLED = 0: this account is seeded disabled.
insert into SYS_USERS ( USER_ID , USER_ACCOUNT, USER_NAME , USER_PASSWORD, USER_DESC, ENABLED, ISSYS, USER_DEPT, USER_DUTY, SUB_SYSTEM)
values ( ' 1304574079546 ' , ' ddd ' , ' ddd ' , ' 0a4f6a961276619f7f91356bcba5a746 ' , null , 0 , 0 , null , null , ' 01 ' );
-- ENABLED = 0: a disabled duplicate of the lxb login name.
insert into SYS_USERS ( USER_ID , USER_ACCOUNT, USER_NAME , USER_PASSWORD, USER_DESC, ENABLED, ISSYS, USER_DEPT, USER_DUTY, SUB_SYSTEM)
values ( ' 1304573363921 ' , ' lxb ' , ' 卢小兵 ' , ' 09eb37d219cfa835db40e5ab587f7082 ' , ' 普通仅登录到欢迎界面! ' , 0 , 0 , ' 1001 ' , null , ' 01 ' );
insert into SYS_USERS ( USER_ID , USER_ACCOUNT, USER_NAME , USER_PASSWORD, USER_DESC, ENABLED, ISSYS, USER_DEPT, USER_DUTY, SUB_SYSTEM)
values ( ' 1304573484515 ' , ' lll ' , ' lll ' , ' 47acedc22cef8c3762c21a435e262d67 ' , null , 1 , 0 , ' 1001 ' , null , ' 01 ' );
-- ISSYS = 1: the built-in platform administrator (mapped to
-- ROLE_PLATFORMADMIN1 in SYS_USERS_ROLES).
insert into SYS_USERS ( USER_ID , USER_ACCOUNT, USER_NAME , USER_PASSWORD, USER_DESC, ENABLED, ISSYS, USER_DEPT, USER_DUTY, SUB_SYSTEM)
values ( ' admin1 ' , ' admin ' , ' 系统管理员 ' , ' ceb4f32325eda6142bd65215f4c0f371 ' , ' 超级系统管理员 ' , 1 , 1 , ' 1001 ' , null , ' 01 ' );
insert into SYS_USERS ( USER_ID , USER_ACCOUNT, USER_NAME , USER_PASSWORD, USER_DESC, ENABLED, ISSYS, USER_DEPT, USER_DUTY, SUB_SYSTEM)
values ( ' user2 ' , ' user ' , ' 普通用户 ' , ' 47a733d60998c719cf3526ae7d106d13 ' , ' 普通用户 ' , 1 , 0 , ' 1001 ' , null , ' 01 ' );
insert into SYS_USERS ( USER_ID , USER_ACCOUNT, USER_NAME , USER_PASSWORD, USER_DESC, ENABLED, ISSYS, USER_DEPT, USER_DUTY, SUB_SYSTEM)
values ( ' sysUser3 ' , ' sysUser ' , ' 系统设置维护 ' , ' 8f0295328c34f8eedc2362e9f4a10b7e ' , ' 系统设置用户 ' , 1 , 0 , ' 1001 ' , null , ' 01 ' );
insert into SYS_USERS ( USER_ID , USER_ACCOUNT, USER_NAME , USER_PASSWORD, USER_DESC, ENABLED, ISSYS, USER_DEPT, USER_DUTY, SUB_SYSTEM)
values ( ' lxb4 ' , ' lxb ' , ' 卢小兵 ' , ' c7d3f4c857bc8c145d6e5d40c1bf23d9 ' , ' 普通仅登录到欢迎界面! ' , 1 , 0 , ' 1001 ' , null , ' 01 ' );
-- ENABLED = 0: this account is seeded disabled.
insert into SYS_USERS ( USER_ID , USER_ACCOUNT, USER_NAME , USER_PASSWORD, USER_DESC, ENABLED, ISSYS, USER_DEPT, USER_DUTY, SUB_SYSTEM)
values ( ' 1304566319625 ' , ' lxb5 ' , ' lx5 ' , ' 1abe40ed6d0da1c834586e8ecef61fe7 ' , null , 0 , 0 , ' 10011001 ' , null , ' 01 ' );
commit ;
prompt 10 records loaded
prompt Loading SYS_USERS_ROLES
-- User-to-role links. USER_ID and ROLE_ID are foreign keys (the constraints
-- are re-enabled at the end of the script). Only admin1, sysUser3, user2, lxb4
-- and 1304573484515 receive a role. The remaining seed users have no role row.
insert into SYS_USERS_ROLES (ID, USER_ID , ROLE_ID, ENABLED)
values ( 1 , ' admin1 ' , ' ROLE_PLATFORMADMIN1 ' , 1 );
insert into SYS_USERS_ROLES (ID, USER_ID , ROLE_ID, ENABLED)
values ( 2 , ' sysUser3 ' , ' ROLE_SYSADMIN3 ' , 1 );
insert into SYS_USERS_ROLES (ID, USER_ID , ROLE_ID, ENABLED)
values ( 3 , ' user2 ' , ' ROLE_USER2 ' , 1 );
insert into SYS_USERS_ROLES (ID, USER_ID , ROLE_ID, ENABLED)
values ( 4 , ' lxb4 ' , ' ROLE_LOGINTOWELCOME4 ' , 1 );
-- NOTE(review): this row carries ENABLED null (user lll to the test role
-- ROLE_dd1). Under SQL three-valued logic both ENABLED = 1 and ENABLED <> 0
-- exclude it, but a loader that does not filter on ENABLED treats the link
-- as active. Confirm which is intended and prefer a NOT NULL column with a
-- default.
insert into SYS_USERS_ROLES (ID, USER_ID , ROLE_ID, ENABLED)
values ( 5 , ' 1304573484515 ' , ' 1303463518765 ' , null );
commit ;
prompt 5 records loaded
prompt Enabling foreign key constraints for SYS_AUTHORITIES_RESOURCES
-- Oracle ENABLE means ENABLE VALIDATE: the rows loaded above are checked
-- against the parent tables here, so a seed row that references a missing
-- authority, resource, role or user fails the script at this point instead
-- of remaining as an orphaned grant.
alter table SYS_AUTHORITIES_RESOURCES enable constraint FK_PUB_AUTHORITIES_RE_AU;
alter table SYS_AUTHORITIES_RESOURCES enable constraint FK_PUB_AUTHORITIES_RE_RE;
prompt Enabling foreign key constraints for SYS_ROLES_AUTHORITIES
alter table SYS_ROLES_AUTHORITIES enable constraint FK_PUB_ROLES_AUTHORITIES_AU;
alter table SYS_ROLES_AUTHORITIES enable constraint FK_PUB_ROLES_AUTHORITIES_ROLES;
prompt Enabling foreign key constraints for SYS_USERS_ROLES
alter table SYS_USERS_ROLES enable constraint FK_USERS_ROLES_ROLES;
alter table SYS_USERS_ROLES enable constraint FK_USERS_ROLES_USERS;
prompt Enabling triggers for SYS_AUTHORITIES
-- Triggers were presumably disabled at the top of the script (outside this
-- view) so that the seed rows are inserted exactly as listed.
alter table SYS_AUTHORITIES enable all triggers;
prompt Enabling triggers for SYS_RESOURCES
alter table SYS_RESOURCES enable all triggers;
prompt Enabling triggers for SYS_AUTHORITIES_RESOURCES
alter table SYS_AUTHORITIES_RESOURCES enable all triggers;
prompt Enabling triggers for SYS_ROLES
alter table SYS_ROLES enable all triggers;
prompt Enabling triggers for SYS_ROLES_AUTHORITIES
alter table SYS_ROLES_AUTHORITIES enable all triggers;
prompt Enabling triggers for SYS_USERS
alter table SYS_USERS enable all triggers;
prompt Enabling triggers for SYS_USERS_ROLES
alter table SYS_USERS_ROLES enable all triggers;
-- Restore the SQL*Plus settings changed at the start of the script (not shown
-- here). With define back on, an ampersand in later input is again treated
-- as a substitution variable.
set feedback on
set define on
prompt Done.
相关配置文件:
web.xml与第一种方法同。
applicationContext-security.xml:
< b:beans xmlns ="http://www.springframework.org/schema/security"
xmlns:b ="http://www.springframework.org/schema/beans" xmlns:xsi ="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation ="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd" >
<!-- NOTE(review): auto-config="true" also registers the default http-basic and
     logout support, not only form-login. No intercept-url below carries an
     access attribute, so the built-in FILTER_SECURITY_INTERCEPTOR has nothing
     to enforce and all authorization rests on the myFilter bean declared
     further down. Spring Security 3.0 ships no CSRF protection, so
     state-changing requests need a separate defence. -->
< http auto-config ="true" access-denied-page ="/accessDenied.jsp" >
<!-- Do not run the filter chain for images and other static resources.
     NOTE(review): filters="none" removes the entire security chain for a
     matching URL (no security context, no session handling). Keep these to
     genuine static suffixes: anything dynamic served under one of them is
     unprotected. -->
< intercept-url pattern ="/**/*.jpg" filters ="none" />
< intercept-url pattern ="/**/*.png" filters ="none" />
<!-- NOTE(review): the pattern value of this entry is missing from the listing;
     the file does not load as shown. Restore it from the original source. -->
< intercept-url pattern filters ="none" />
< intercept-url pattern ="/**/*.css" filters ="none" />
< intercept-url pattern ="/**/*.js" filters ="none" />
<!-- The login page and the forgotten-password page are not filtered. -->
< intercept-url pattern ="/login.jsp" filters ="none" />
< intercept-url pattern ="/jsp/forgotpassword.jsp"
filters ="none" />
<!-- Form login: a failed attempt returns to the login page with error=true,
     a successful one lands on /index.jsp. -->
< form-login login-page ="/login.jsp"
authentication-failure-url ="/login.jsp?error=true"
default-target-url ="/index.jsp" />
<!-- "Remember me" with the persistent-token strategy (login tokens are kept
     in a database table). NOTE(review): this uses the JDBC token repository,
     which expects the persistent_logins table; it is not among the tables
     loaded by the SQL script above. -->
< remember-me data-source-ref ="dataSource" />
<!-- Detect an invalid (timed-out) session id and redirect to another URL.
     The session-fixation-protection attribute is not set, so the 3.0
     default (migrateSession) presumably applies. -->
< session-management invalid-session-url ="/sessionTimeout.jsp" />
<!-- Add a custom filter placed before FILTER_SECURITY_INTERCEPTOR that
     implements database-managed users, roles, authorities and resources.
     NOTE(review): since the default interceptor enforces nothing here, a
     defect in this filter or its metadata source is an authorization
     bypass, and the filters="none" URLs above never reach it at all. -->
< custom-filter ref ="myFilter" before ="FILTER_SECURITY_INTERCEPTOR" />
</ http >
<!-- A custom filter must carry the three properties authenticationManager,
     accessDecisionManager and securityMetadataSource. -->
< b:bean id ="myFilter"
class ="avatar.base.security.MyFilterSecurityInterceptor" >
< b:property name ="authenticationManager"
ref ="authenticationManager" />
< b:property name ="accessDecisionManager"
ref ="myAccessDecisionManager" />
< b:property name ="securityMetadataSource"
ref ="mySecurityMetadataSource" />
</ b:bean >
<!-- Note that authentication-manager can be given an alias.
     NOTE(review): the encoder referenced here is the Md5PasswordEncoder from
     applicationContext-service.xml, salted with the username. A fast digest
     with a predictable salt gives little protection if SYS_USERS leaks; plan
     a migration to a work-factor hash (BCryptPasswordEncoder is available
     from Spring Security 3.1). -->
< authentication-manager alias ="authenticationManager" >
< authentication-provider user-service-ref ="userDetailsManager" >
< password-encoder ref ="passwordEncoder" >
< salt-source user-property ="username" />
</ password-encoder >
</ authentication-provider >
</ authentication-manager >
<!-- Access decision manager: decides whether the roles a user holds are
     sufficient to access a given resource. -->
< b:bean id ="myAccessDecisionManager"
class ="avatar.base.security.MyAccessDecisionManager" >
</ b:bean >
<!-- Resource metadata: builds the resource-to-authority mapping, i.e. which
     roles may access a given resource. -->
< b:bean id ="mySecurityMetadataSource"
class ="avatar.base.security.MyInvocationSecurityMetadataSourceService" >
</ b:bean >
</ b:beans >
applicationContext-service.xml:
< beans xmlns ="http://www.springframework.org/schema/beans"
xmlns:xsi ="http://www.w3.org/2001/XMLSchema-instance"
xmlns:util ="http://www.springframework.org/schema/util"
xmlns:jee ="http://www.springframework.org/schema/jee"
xmlns:aop ="http://www.springframework.org/schema/aop"
xmlns:tx ="http://www.springframework.org/schema/tx"
xmlns:context ="http://www.springframework.org/schema/context"
xsi:schemaLocation ="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/aop
http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
http://www.springframework.org/schema/tx
http://www.springframework.org/schema/tx/spring-tx-3.0.xsd
http://www.springframework.org/schema/jee
http://www.springframework.org/schema/jee/spring-jee-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.0.xsd" >
<!-- Localised (zh_CN) messages returned by the security context. -->
< bean id ="messageSource"
class ="org.springframework.context.support.ReloadableResourceBundleMessageSource" >
< property name ="basename"
value ="classpath:org/springframework/security/messages_zh_CN" />
</ bean >
<!--
Event listener: implements the ApplicationListener interface.
NOTE(review): the class configured below is the authentication-event
listener, which logs login success and failure events. The four events the
original comment names (AuthenticationCredentialsNotFoundEvent,
AuthorizationFailureEvent, AuthorizedEvent, PublicInvocationEvent) are
authorization events handled by the separate
org.springframework.security.access.event.LoggerListener; register that one
too if those are wanted. The log lines typically include the principal name
and the authentication details object, which for web logins carries the
remote address and session id, so treat this log as audit data and restrict
access to it. -->
< bean
class ="org.springframework.security.authentication.event.LoggerListener" />
<!-- One-way MD5 digest of user passwords (there is no decryption).
     NOTE(review): see the password-encoder note in
     applicationContext-security.xml; migrate to a work-factor hash. -->
< bean id ="passwordEncoder"
class ="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />
<!-- User details service: data source plus user cache (users, roles,
     authorities and resources are managed in the database). The
     pubUsersHome, pubAuthoritiesResourcesHome and dataSource beans are
     defined elsewhere, not in this listing.
     NOTE(review): with a cache in front of the user lookup, a change to the
     ENABLED flag or to a role assignment is not seen until the cached entry
     expires or is evicted, unless the service removes the user from the cache
     on update. Confirm the TTL in the ehcache configuration. -->
< bean id ="userDetailsManager" class ="avatar.base.security.MyUserDetailsService" >
< property name ="pubUsersHome" ref ="pubUsersHome" />
< property name ="pubAuthoritiesResourcesHome" ref ="pubAuthoritiesResourcesHome" />
< property name ="dataSource" ref ="dataSource" />
< property name ="userCache" ref ="userCache" />
</ bean >
<!-- Enable caching of UserDetails, backed by Ehcache. -->
< bean id ="userCache"
class ="org.springframework.security.core.userdetails.cache.EhCacheBasedUserCache" >
< property name ="cache" ref ="userEhCache" />
</ bean >
< bean id ="userEhCache" class ="org.springframework.cache.ehcache.EhCacheFactoryBean" >
< property name ="cacheName" value ="userCache" />
< property name ="cacheManager" ref ="cacheManager" />
</ bean >
< bean id ="cacheManager"
class ="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" />
<!-- JDBC template used for the Spring Security related tables. -->
< bean id ="jdbcTemplate" class ="org.springframework.jdbc.core.JdbcTemplate" >
< property name ="dataSource" ref ="dataSource" />
</ bean >
</ beans >
第三种方法扩展后Spring Security3.0.2的验证和授权方法
为了叙述的严谨性,这里说的是Spring Security3.0.2,而非其他版本,这是因为我只读过Spring Security3.0.2的代码,并且在该版本上面扩展自定义的
动态管理用户、角色、权限和资源成功。 估计其他版本的验证和授权方法是差不太多的,因为没有接触过,也不敢大胆猜测。
在扩展后的Spring Security3.0.2中,验证及授权的过程如下:
1、当Web服务器启动时,通过Web.xml中对于Spring Security的配置,加载过滤器链,那么在加载MyFilterSecurityInterceptor类时,会注入MyInvocationSecurityMetadataSourceService、MyUserDetailsService、MyAccessDecisionManager类。
2、该MyInvocationSecurityMetadataSourceService类在执行时会提取数据库中所有的用户权限,形成权限列表;
并循环该权限列表,通过每个权限再从数据库中提取出该权限所对应的资源列表,并将资源(URL)作为key,权限列表作为value,形成Map结构的数据。
3、当用户登录时,AuthenticationManager进行响应,通过用户输入的用户名和密码,然后再根据用户定义的密码算法和盐值等进行计算并和数据库比对,
当正确时通过验证。此时MyUserDetailsService进行响应,根据用户名从数据库中提取该用户的权限列表,组合成UserDetails供Spring Security使用。
4、当用户点击某个功能时,触发MyAccessDecisionManager类,该类通过decide方法对用户的资源访问进行拦截。
用户点击某个功能时,实际上是请求某个URL或Action, 无论.jsp也好,.action或.do也好,在请求时无一例外的表现为URL。
还记得第2步时那个Map结构的数据吗? 若用户点击了"login.action"这个URL之后,那么这个URL就跟那个Map结构的数据中的key对比,若两者相同,
则根据该url提取出Map结构的数据中的value来,这说明:若要请求这个URL,必须具有跟这个URL相对应的权限值。这个权限有可能是一个单独的权限,
也有可能是一个权限列表,也就是说,一个URL有可能被多种权限访问。
那好,我们在MyAccessDecisionManager类的decide这个方法里,将通过URL取得的权限列表进行循环,然后跟第3步中登录的用户所具有的权限进行比对,若相同,则表明该用户具有访问该资源的权利。 不大明白吧? 简单地说, 在数据库中我们定义了访问“LOGIN”这个URL必须是具有ROLE_ADMIN权限的人来访问,那么,登录用户恰恰具有该ROLE_ADMIN权限,两者的比对过程中,就能够返回TRUE,可以允许该用户进行访问。就这么简单!
不过在第2步的时候,一定要注意,MyInvocationSecurityMetadataSourceService类的loadResourceDefine()方法中,形成以URL为key,权限列表为value的Map时,
要注意key和Value的对应性,避免Value的不正确对应形成重复,这样会导致没有权限的人也能访问到不该访问到的资源。
还有getAttributes()方法,要有 url.indexOf("?")这样的判断,要通过判断对URL特别是Action问号之前的部分进行匹配,防止用户请求的带参数的URL与你数据库中定义的URL不匹配,造成访问拒绝!
第三种方法BTW
当然,你在设计了7张表之后,那么对于这些之间相互关联的关系内容及信息内容,就得由你来进行维护了,大约有用户、角色、权限、资源的增删改查,并还需要设置用户和角色、角色和权限、权限和资源之间的关系。可考虑分为三个菜单进行维护,用户设置、角色设置、资源设置。 在用户设置里分别管理用户、用户与角色的关系;在角色设置里管理角色、角色与权限的关系; 在资源设置里分别管理权限、权限与资源的关系等。
第四种方法
第四种方法就是直接修改源码以达到第三种方法的效果。
本来准备是直接从源码修改来的, 但是始终认为修改源码并非终极解决之道,有违OO的精神本质,再者由于时间关系,只是对代码进行了研究,但并没有进行实现或验证。只待以后时间稍稍宽松时再作为兴趣进行研究,在此不过多讲解。但据我从代码上来看,一是将从配置文件中获取用户及权限的功能修改为从数据库中提取出来;二是将从配置文件中获取权限和资源的对应关系修改为从数据库中提取;三是修改User增加相关信息等。
始终还是围绕着JdbcDaoImpl和DefaultFilterInvocationSecurityMetadataSource还有User这3个类进行修改。
以实现从数据库提取用户、角色、权限和资源信息。
有兴趣的就先试试吧,等试好了告诉我一声哈。
Spring Security的优缺点
不可否认,Spring Security依赖于Spring的Ioc、AOP等机制,横切开系统的业务组件,将通用的权限功能注入到业务组件内部,实现了通用功能和业务功能的无缝整合,但又保证了通用功能和业务功能的实现上的分离,省却了一部分工作量,这是其存在的最重要意义。
但又不可否认,Spring Security所具有的缺乏动态资源管理的硬伤(若是能够提供用户、角色、权限和资源的数据库管理,并且提供管理界面那实在是太完美了,可惜这两样一样都不能实现),又令国人用户爱恨交加。
该何去何从,就请自己做个选择吧!