spring security3教程系列--自定义过滤链

本文章摘编、转载需要注明来源 http://write.blog.csdn.net/postedit/8576449


spring security3 网上的教程很多,但基本都是大同小异,大部分都是用标签配置,所以找了点时间看了下源码,我用的spring security3.1版本,使用bean声明的方式配置过滤链,看本文章需要读者对spring security3 有一定程度的了解


先来配置下web.xml,HttpSessionEventPublisher是使用session管理时需要用到的


<!-- spring security -->
	<filter>
		<filter-name>securityFilterChainProxy</filter-name>
		<filter-class>
			org.springframework.web.filter.DelegatingFilterProxy
		</filter-class>
	</filter>
	<filter-mapping>
		<filter-name>securityFilterChainProxy</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>


接着我们要配置一条过滤链(值得注意的是这个bean的id要跟web.xml里配置的filter-name要一致才可以)

<!-- 自定义SPRING SECURITY过滤链 -->
	<bean id="securityFilterChainProxy"
		class="org.springframework.security.web.FilterChainProxy">
		<constructor-arg>
			<list>
				<security:filter-chain pattern="/services/**"
					filters="none" />
				<security:filter-chain pattern="/test*" filters="none" />
				<security:filter-chain pattern="/**"
					filters="concurrentSessionFilter,securityContextPersistenceFilter,logoutFilter,usernamePasswordAuthenticationFilter,rememberMeAuthenticationFilter,sessionManagementFilter,anonymousAuthFilter,exceptionTranslationFilter,filterSecurityInterceptor" />
			</list>
		</constructor-arg>
	</bean>

下面我们逐个filter来看

首先是filterSecurityInterceptor,这是资源访问第一个要过的filter,至于这里面的属性注入请看我之前的spring security3 自定义权限管理的那篇文章

<!-- 自定义UserDetailsService认证  -->
	<bean id="userDetailsService"
		class="com.shadow.security.service.UserDetailsServiceImpl" />

	<!-- 自定义资源权限关系认证 -->
	<bean id="accessDecisionManager"
		class="com.shadow.security.service.AccessDecisionManagerImpl" />

	<!-- 自定义资源权限关系集合 -->
	<bean id="securityMetadataSource"
		class="com.shadow.security.service.SecurityMetadataSourceExtendImpl">
		<property name="matcher" value="ant" />
	</bean>

	<!-- 自定义认证管理,资源,权限  -->
	<bean id="filterSecurityInterceptor"
		class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
		<property name="authenticationManager"
			ref="authenticationManager" />
		<property name="accessDecisionManager"
			ref="accessDecisionManager" />
		<property name="securityMetadataSource"
			ref="securityMetadataSource" />
	</bean>
        
        <!-- 页面标签权限功能依赖 -->
        <bean id="webInvocationFilter"
               class="org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator">
               <constructor-arg ref="filterSecurityInterceptor" />
        </bean>



然后是异常捕获的filter,里面有两个属性需要注入,authenticationEntryPoint是配置默认跳转的,accessDeniedHandler是配置当检测无权限访问跳转

<!-- 异常处理过滤器 -->
	<bean id="exceptionTranslationFilter"
		class="org.springframework.security.web.access.ExceptionTranslationFilter">
		<property name="authenticationEntryPoint"
			ref="authenticationEntryPoint" />
		<property name="accessDeniedHandler">
			<!-- 拒绝未授权访问跳转 -->
			<bean
				class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
				<property name="errorPage" value="/error/audit.jsp" />
			</bean>
		</property>
	</bean>



然后是sessionManagementFilter,这个过滤器配置是否在登录后重新生成一个session防止伪造攻击

	<!-- SESSION固化保护,以及并发控制 -->
	<bean id="sessionManagementFilter"
		class="org.springframework.security.web.session.SessionManagementFilter">
		<constructor-arg name="securityContextRepository"
			ref="securityContextRepository" />
		<property name="sessionAuthenticationStrategy"
			ref="concurrentSessionControlStrategy" />
	</bean>

	<!-- SESSION并发配置 -->
	<bean id="concurrentSessionControlStrategy"
		class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
		<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
		<property name="maximumSessions" value="1" />
		<property name="exceptionIfMaximumExceeded" value="false" />
	</bean>

	<bean id="sessionRegistry"
		class="org.springframework.security.core.session.SessionRegistryImpl" />

	<!-- SESSION并发处理 -->
	<bean id="concurrentSessionFilter"
		class="org.springframework.security.web.session.ConcurrentSessionFilter">
		<property name="sessionRegistry" ref="sessionRegistry" />
		<property name="expiredUrl" value="/error/timeout.jsp" />
		<property name="logoutHandlers">
			<list>
				<ref bean="logoutHandler" />
			</list>
		</property>
	</bean>


然后是rememberMeAuthenticationFilter,这个过滤器主要是配置记住密码功能

<!-- 记住密码功能(COOKIE方式) -->
	<bean id="rememberMeAuthenticationFilter"
		class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
		<property name="rememberMeServices" ref="rememberMeServices" />
		<property name="authenticationManager"
			ref="authenticationManager" />
	</bean>
	<bean id="rememberMeServices"
		class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
		<property name="userDetailsService" ref="userDetailsService" />
		<property name="parameter" value="rememberMe" />
		<!-- 默认时间604800秒(一个星期) -->
		<property name="tokenValiditySeconds" value="604800" />
		<property name="key" value="springRocks" />
	</bean>
	<bean id="rememberMeAuthenticationProvider"
		class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
		<property name="key" value="springRocks" />
	</bean>


然后是usernamePasswordAuthenticationFilter请参考我之前的spring security3自定义权限管理那篇文章


然后是logoutFilter,这个过滤器主要是做安全注销功能,注入rememberMeServices属性是为了安全退出的时候把记住密码的状态也删除了

<!-- 注销过滤器 -->
	<bean id="logoutFilter"
		class="org.springframework.security.web.authentication.logout.LogoutFilter">
		<constructor-arg value="/logout.jsp" />
		<constructor-arg>
			<array>
				<ref bean="logoutHandler" />
				<ref bean="rememberMeServices" />
			</array>
		</constructor-arg>
		<property name="filterProcessesUrl" value="/logout" />
	</bean>

	<!-- 注销监听器  -->
	<bean id="logoutHandler"
		class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
	</bean>


然后是securityContextPersistenceFilter,这个过滤器是为了持久化SecurityContext实例

<!-- 持久化SecurityContext过滤器 -->
	<bean id="securityContextPersistenceFilter"
		class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
		<property name="securityContextRepository"
			ref="securityContextRepository" />
	</bean>

	<!-- 生成HttpSessionSecurityContextRepository -->
	<bean id="securityContextRepository"
		class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
		<property name="allowSessionCreation" value="true" />
		<property name="disableUrlRewriting" value="false" />
	</bean>


然后是concurrentSessionFilter,这个过滤器是控制session并发问题

<!-- SESSION并发处理 -->
	<bean id="concurrentSessionFilter"
		class="org.springframework.security.web.session.ConcurrentSessionFilter">
		<property name="sessionRegistry" ref="sessionRegistry" />
		<property name="expiredUrl" value="/error/timeout.jsp" />
		<property name="logoutHandlers">
			<list>
				<ref bean="logoutHandler" />
			</list>
		</property>
	</bean>



然后大致的过滤链就配置好了,对于cas等那些有需要用到的filter就自己看看源码,放到链条里就可以了

展开阅读全文

没有更多推荐了,返回首页