The main content of this article:
Spring Security: protecting the execution of business code
Preparation
1. Create the HelloService interface
package zyk.service;

//import org.springframework.security.access.annotation.Secured;

public interface HelloService {
    //@Secured({ "ROLE_USER", "ROLE_ADMIN" })
    public String sayHi(String userName);

    //@Secured({"ROLE_ADMIN"})
    public String sayBye(String userName);
}
2. The implementation class HelloServiceImpl
package zyk.service.impl;

import zyk.service.HelloService;

public class HelloServiceImpl implements HelloService {

    public String sayHi(String userName) {
        return "大家好!我是:" + userName;
    }

    public String sayBye(String userName) {
        return userName + " 跟大家说再见!";
    }
}
3. Configure applicationContext.xml so that HelloService is managed by Spring.
<bean id="helloService" class="zyk.service.impl.HelloServiceImpl" />
4. Create HelloServlet
package zyk.servlet;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.ApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

import zyk.service.HelloService;

public class HelloServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    /**
     * Constructor of the object.
     */
    public HelloServlet() {
        super();
    }

    /**
     * Destruction of the servlet. <br>
     */
    public void destroy() {
        super.destroy(); // Just puts "destroy" string in log
        // Put your code here
    }

    /**
     * The doGet method of the servlet. <br>
     *
     * This method is called when a form has its method attribute set to get.
     *
     * @param request
     *            the request sent by the client to the server
     * @param response
     *            the response sent by the server to the client
     * @throws ServletException
     *             if an error occurred
     * @throws IOException
     *             if an error occurred
     */
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        response.setCharacterEncoding("UTF-8");
        String userName = request.getParameter("userName");
        String method = request.getParameter("method");
        // Look up the Spring-managed HelloService from the web application
        // context. Calling the bean obtained from the container (rather than a
        // HelloServiceImpl created with "new") is what allows the method
        // security rules configured later in this article to be enforced.
        ApplicationContext ctx = WebApplicationContextUtils
                .getWebApplicationContext(this.getServletContext());
        HelloService helloService = ctx.getBean("helloService",
                HelloService.class);
        PrintWriter out = response.getWriter();
        out.println("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">");
        out.println("<HTML>");
        out.println("  <HEAD><TITLE></TITLE></HEAD>");
        out.println("  <BODY>");
        // Compare constant-first so that a missing "method" parameter does not
        // cause a NullPointerException. Note that userName is taken straight
        // from the query string and written into the page as-is.
        if ("sayHi".equals(method)) {
            out.println(helloService.sayHi(userName));
        } else {
            out.println(helloService.sayBye(userName));
        }
        out.println("  </BODY>");
        out.println("</HTML>");
        out.flush();
        out.close();
    }

    /**
     * The doPost method of the servlet. <br>
     *
     * This method is called when a form has its method attribute set to post.
     *
     * @param request
     *            the request sent by the client to the server
     * @param response
     *            the response sent by the server to the client
     * @throws ServletException
     *             if an error occurred
     * @throws IOException
     *             if an error occurred
     */
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }

    /**
     * Initialization of the servlet. <br>
     *
     * @throws ServletException
     *             if an error occurs
     */
    public void init() throws ServletException {
        // Put your code here
    }
}
5. Configure the mapping path for HelloServlet in web.xml.
<servlet>
    <description>This is the description of my J2EE component</description>
    <display-name>This is the display name of my J2EE component</display-name>
    <servlet-name>HelloServlet</servlet-name>
    <servlet-class>zyk.servlet.HelloServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>HelloServlet</servlet-name>
    <url-pattern>/hello.action</url-pattern>
</servlet-mapping>
6. Add the links to index.jsp.
<a href="${pageContext.request.contextPath}/hello.action?method=sayHi&userName=<sec:authentication property="name" />">SayHi!</a>
<br />
<a href="${pageContext.request.contextPath}/hello.action?method=sayBye&userName=<sec:authentication property="name" />">SayBye!</a>
First test: both user and admin can call the sayHi and sayBye methods.
What we implement next:
admin can call both sayHi and sayBye;
user can call only sayHi.
A) The XML approach
1. Add the following configuration to applicationContext.xml
<!-- XML approach -->
<security:global-method-security>
    <!-- Users holding ROLE_USER or ROLE_ADMIN may call any method named sayHi,
         with any return type, on any class in package zyk.service -->
    <security:protect-pointcut access="ROLE_USER,ROLE_ADMIN"
        expression="execution(* zyk.service.*.sayHi(..))"/>
    <!-- First *: any return type. Second *: any class. Third *: any method
         whose name begins with "say". This means: users holding ROLE_ADMIN
         may call any method whose name begins with "say" (e.g. sayHi and
         sayBye), with any return type, on any class in package zyk.service -->
    <security:protect-pointcut access="ROLE_ADMIN"
        expression="execution(* zyk.service.*.say*(..))"/>
</security:global-method-security>
Note that sayHi matches both expressions. The fact that the second test passes (user can still call sayHi) shows that the first matching pointcut is the one applied, so keep the more specific pointcut ahead of the broader one.
Second test: OK. Now comment out the configuration above and switch to the annotation approach.
B) The annotation approach
1. Enable annotations in applicationContext.xml
<!-- enable annotations -->
<security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />
2. Add the Spring Security annotations to the methods of the HelloService interface. The usage is self-evident.
package zyk.service;

import org.springframework.security.access.annotation.Secured;

public interface HelloService {
    @Secured({ "ROLE_USER", "ROLE_ADMIN" })
    public String sayHi(String userName);

    @Secured({"ROLE_ADMIN"})
    public String sayBye(String userName);
}
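To check the rules without clicking through index.jsp, here is an added JUnit 4 test that drives HelloService directly under a test identity. It is not part of the original post or of the attachment it is based on. It serves both variant A (XML pointcuts) and variant B (annotations), because the expected outcome is identical for both. Assumptions: the applicationContext.xml built in the steps above (with the helloService bean and one of the two global-method-security configurations) is on the test classpath, and the class name HelloServiceSecurityTest is chosen here.

```java
package zyk.service;

import static org.junit.Assert.assertEquals;

import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.springframework.context.support.ClassPathXmlApplicationContext;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Added example (not from the original post): verifies the method-level
 * access rules of HelloService for each role without going through the
 * servlet. Assumption: applicationContext.xml from the article is on the
 * test classpath.
 */
public class HelloServiceSecurityTest {

    private static final ClassPathXmlApplicationContext CTX =
            new ClassPathXmlApplicationContext("applicationContext.xml");

    private HelloService helloService;

    @Before
    public void setUp() {
        // Always obtain the bean from the container: only the Spring proxy
        // around HelloServiceImpl enforces the rules; a direct
        // "new HelloServiceImpl()" would bypass them.
        helloService = CTX.getBean("helloService", HelloService.class);
    }

    @After
    public void tearDown() {
        // The security context is stored per thread; clear it so that a test
        // identity never leaks into the next test.
        SecurityContextHolder.clearContext();
    }

    /** Installs a pre-authenticated test identity holding the given roles. */
    private static void loginAs(String name, String... roles) {
        Authentication auth = new TestingAuthenticationToken(name, "n/a", roles);
        SecurityContextHolder.getContext().setAuthentication(auth);
    }

    @Test
    public void userMayCallSayHi() {
        loginAs("user", "ROLE_USER");
        assertEquals("大家好!我是:user", helloService.sayHi("user"));
    }

    @Test(expected = AccessDeniedException.class)
    public void userMayNotCallSayBye() {
        loginAs("user", "ROLE_USER");
        helloService.sayBye("user"); // requires ROLE_ADMIN
    }

    @Test
    public void adminMayCallBoth() {
        loginAs("admin", "ROLE_ADMIN");
        assertEquals("大家好!我是:admin", helloService.sayHi("admin"));
        assertEquals("admin 跟大家说再见!", helloService.sayBye("admin"));
    }

    @Test(expected = AuthenticationCredentialsNotFoundException.class)
    public void callerWithoutAuthenticationIsRejected() {
        // No Authentication in the context at all: the interceptor refuses
        // the call before any role check takes place.
        SecurityContextHolder.clearContext();
        helloService.sayHi("nobody");
    }
}
```

Run the test once with variant A active and once with variant B; the results must be identical. Keep in mind that the rules are applied by the Spring AOP proxy wrapped around the bean, so a call on an instance created with new, or a call from one method of HelloServiceImpl to another inside the same object, is not intercepted. Fetch the bean from the container, as both the servlet and this test do.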
Test again: OK.
All of the study material up to this point comes from the attachment to the first article, 《一步一步教你使用SpringSecurity》 (Step-by-step guide to using Spring Security).