security的xml文件里
1、在<http auto-config="true">上面加上如下代码
<!-- Privilege evaluator bound to the custom interceptor below, so any URL access check made
     outside the filter chain (presumably the security taglib's url checks - confirm) applies the
     same database-driven rules as the chain itself -->
<beans:bean id="customWebInvocationPrivilegeEvaluator" class="org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator">
<beans:constructor-arg name="securityInterceptor" ref="filterSecurityInterceptor" />
</beans:bean>
2、ref="filterSecurityInterceptor" 这里是自定义的过滤器
<!-- Custom FilterSecurityInterceptor: decisions come from the JDBC-backed metadata source below
     rather than from <intercept-url> entries. "org.springframework.security.authenticationManager"
     is the bean name the security namespace registers for <authentication-manager> -->
<beans:bean id="filterSecurityInterceptor"
class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor" autowire="byType">
<beans:property name="securityMetadataSource" ref="filterInvocationSecurityMetadataSource" />
<beans:property name="authenticationManager" ref="org.springframework.security.authenticationManager"/>
</beans:bean>
<!-- resourceQuery is a fixed configuration string (no user input reaches it). Column 1 is an
     Ant-style URL pattern, column 2 a role name; rows with the same pattern are merged. The
     ORDER BY decides matcher precedence - first matching pattern wins - so a broad pattern such
     as /** with a low c_priority would shadow every more specific one after it -->
<beans:bean id="filterInvocationSecurityMetadataSource"
class="com.iqilu.security.JdbcFilterInvocationDefinitionSourceFactoryBean">
<beans:property name="dataSource" ref="dataSource"/>
<beans:property name="resourceQuery" value="
select re.c_res_string,r.c_name
from t_role r
join t_resc_role rr on r.C_ID=rr.C_ROLE_ID
join t_resc re on re.C_ID=rr.C_RESC_ID
order by re.c_priority
"/>
</beans:bean>
完整的配置:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!-- Privilege evaluator bound to the custom interceptor declared below, so URL access checks
     made outside the filter chain (presumably the security taglib's url checks - confirm) use
     the same database-driven rules as the chain -->
<beans:bean id="customWebInvocationPrivilegeEvaluator" class="org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator">
<beans:constructor-arg name="securityInterceptor" ref="filterSecurityInterceptor" />
</beans:bean>
<!-- Static resources (css, js, images, themes) bypass the security filter chain entirely:
     nothing under these prefixes is protected and no security context is available there -->
<http pattern="/css/**" security="none" />
<http pattern="/js/**" security="none" />
<http pattern="/images/**" security="none" />
<http pattern="/themes/**" security="none" />
<http auto-config="true" access-denied-page="/accessDenied.jsp">
<!-- intercept-url entries are evaluated top-down, first match wins; /** must stay last as the
     catch-all. "ROLE_USER,ROLE_ADMIN" grants access to either role -->
<intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/upload.jsp" access="ROLE_ADMIN" />
<intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
<form-login login-page="/login.jsp"
authentication-failure-url="/login.jsp?error=true"
default-target-url="/index.jsp" />
<logout invalidate-session="true"
logout-success-url="/login.jsp"
logout-url="/j_spring_security_logout"/>
<!-- The database-driven interceptor runs before the namespace's own FILTER_SECURITY_INTERCEPTOR,
     so table rules are enforced first and the intercept-url rules above apply afterwards -->
<custom-filter ref="filterSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR" />
</http>
<!-- Authentication manager -->
<authentication-manager>
<authentication-provider>
<!-- "1 as enabled" hard-codes every account as enabled: the t_user table cannot disable a user.
     No <password-encoder> is declared in this file, so the value of C_PASSWORD is compared as
     stored - confirm it is persisted hashed rather than in clear text -->
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="select C_ACCOUNT as username,C_PASSWORD as password, 1 as enabled from t_user where C_ACCOUNT=?"
authorities-by-username-query="select u.C_ACCOUNT as username,r.c_name as authority
from t_user u
join t_user_role ur
on u.C_BH=ur.c_user_id
join t_role r
on r.c_id=ur.c_role_id
where u.C_ACCOUNT=?"/>
</authentication-provider>
</authentication-manager>
<!-- Custom FilterSecurityInterceptor fed by the JDBC metadata source below.
     "org.springframework.security.authenticationManager" is the bean name the security
     namespace registers for the <authentication-manager> element above -->
<beans:bean id="filterSecurityInterceptor"
class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor" autowire="byType">
<beans:property name="securityMetadataSource" ref="filterInvocationSecurityMetadataSource" />
<beans:property name="authenticationManager" ref="org.springframework.security.authenticationManager"/>
</beans:bean>
<!-- resourceQuery is a fixed configuration string (no user input reaches it). Column 1 is an
     Ant-style URL pattern, column 2 a role name; rows with the same pattern are merged into one
     attribute list. The ORDER BY decides matcher precedence (first matching pattern wins), so a
     broad pattern such as /** with a low c_priority would shadow the more specific ones after it -->
<beans:bean id="filterInvocationSecurityMetadataSource"
class="com.iqilu.security.JdbcFilterInvocationDefinitionSourceFactoryBean">
<beans:property name="dataSource" ref="dataSource"/>
<beans:property name="resourceQuery" value="
select re.c_res_string,r.c_name
from t_role r
join t_resc_role rr on r.C_ID=rr.C_ROLE_ID
join t_resc re on re.C_ID=rr.C_RESC_ID
order by re.c_priority
"/>
</beans:bean>
</beans:beans>
4、过滤器代码:
package com.iqilu.security;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.sql.DataSource;
import org.springframework.beans.factory.FactoryBean;
import org.springframework.jdbc.core.support.JdbcDaoSupport;
import org.springframework.jdbc.object.MappingSqlQuery;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.ConfigAttributeEditor;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.AntPathRequestMatcher;
import org.springframework.security.web.util.RequestMatcher;
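/**
 * Builds a {@link FilterInvocationSecurityMetadataSource} from URL/role rows read from the
 * database, so that the {@code FilterSecurityInterceptor} declared in the security XML is driven
 * by table data instead of static {@code <intercept-url>} entries.
 *
 * <p>{@code resourceQuery} must return two columns per row: an Ant-style URL pattern and one
 * role (attribute) name. Rows sharing a pattern are merged into a single comma-separated
 * attribute list. Row order is preserved, and the resulting metadata source evaluates matchers
 * in that order using the first match, so the query's {@code ORDER BY} decides precedence: a
 * broad pattern ordered before a narrower one shadows it.
 *
 * <p>Malformed rows (empty pattern or empty role) abort bean creation instead of being skipped.
 * A pattern that ended up with no attributes would be treated by the security interceptor as a
 * publicly accessible URL, and a {@code null} role would previously have been concatenated into
 * the attribute list as the literal text {@code "null"}; failing at startup keeps the
 * configuration closed rather than silently open.
 *
 * <p>The {@code dataSource} property inherited from {@link JdbcDaoSupport} must be set before
 * the bean is used.
 */
public class JdbcFilterInvocationDefinitionSourceFactoryBean extends JdbcDaoSupport
        implements FactoryBean<FilterInvocationSecurityMetadataSource> {

    /** SQL returning (url pattern, role name) rows; see the class comment for ordering. */
    private String resourceQuery;

    /** The metadata source is built once and shared; Spring caches the singleton product. */
    @Override
    public boolean isSingleton() {
        return true;
    }

    @Override
    public Class<?> getObjectType() {
        return FilterInvocationSecurityMetadataSource.class;
    }

    /**
     * Creates the metadata source from the current database contents.
     *
     * @return a metadata source whose matchers follow the row order of {@code resourceQuery}
     * @throws IllegalStateException if a row has an empty URL pattern or an empty role
     */
    @Override
    public FilterInvocationSecurityMetadataSource getObject() {
        return new DefaultFilterInvocationSecurityMetadataSource(buildRequestMap());
    }

    /**
     * Runs {@code resourceQuery} and groups the roles of each URL pattern.
     *
     * @return pattern to comma-separated role list, in query row order
     * @throws IllegalStateException if a row has an empty URL pattern or an empty role
     */
    protected Map<String, String> findResources() {
        ResourceMapping mapping = new ResourceMapping(getDataSource(), resourceQuery);
        // LinkedHashMap keeps the query's row order, which becomes matcher precedence.
        Map<String, String> resourceMap = new LinkedHashMap<String, String>();
        for (Resource resource : mapping.execute()) {
            String url = resource.getUrl();
            String role = resource.getRole();
            if (url == null || url.trim().isEmpty()) {
                throw new IllegalStateException(
                        "resourceQuery returned a row with an empty URL pattern (role=" + role + ")");
            }
            if (role == null || role.trim().isEmpty()) {
                throw new IllegalStateException(
                        "resourceQuery returned a row with an empty role for pattern " + url);
            }
            String existing = resourceMap.get(url);
            resourceMap.put(url, existing == null ? role : existing + "," + role);
        }
        return resourceMap;
    }

    /**
     * Converts the grouped rows into the matcher map expected by
     * {@link DefaultFilterInvocationSecurityMetadataSource}.
     *
     * @return ordered map of Ant path matcher to its required attributes; never contains an
     *     entry with an empty attribute collection
     * @throws IllegalStateException if a pattern would end up with no attributes
     */
    protected LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> buildRequestMap() {
        LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> requestMap =
                new LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>>();
        for (Map.Entry<String, String> entry : findResources().entrySet()) {
            String pattern = entry.getKey();
            Collection<ConfigAttribute> attributes = parseAttributes(entry.getValue());
            // An empty attribute set is the interceptor's signal for a public URL; refuse it.
            if (attributes.isEmpty()) {
                throw new IllegalStateException("no attributes resolved for pattern " + pattern);
            }
            requestMap.put(new AntPathRequestMatcher(pattern), attributes);
        }
        return requestMap;
    }

    /**
     * Splits a comma-separated attribute list into {@link SecurityConfig} instances, trimming
     * each token and dropping blank ones (the same shape the deprecated
     * {@code ConfigAttributeEditor} produced).
     */
    private static List<ConfigAttribute> parseAttributes(String commaDelimited) {
        List<ConfigAttribute> attributes = new ArrayList<ConfigAttribute>();
        for (String token : commaDelimited.split(",")) {
            String name = token.trim();
            if (!name.isEmpty()) {
                attributes.add(new SecurityConfig(name));
            }
        }
        return attributes;
    }

    /** @param resourceQuery SQL returning (url pattern, role name) rows */
    public void setResourceQuery(String resourceQuery) {
        this.resourceQuery = resourceQuery;
    }

    /** One row of {@code resourceQuery}: a URL pattern and a single role name. */
    private static final class Resource {
        private final String url;
        private final String role;

        Resource(String url, String role) {
            this.url = url;
            this.role = role;
        }

        String getUrl() {
            return url;
        }

        String getRole() {
            return role;
        }
    }

    /** Executes {@code resourceQuery} and maps each row (column 1, column 2) to a {@link Resource}. */
    private static final class ResourceMapping extends MappingSqlQuery<Resource> {

        protected ResourceMapping(DataSource dataSource, String resourceQuery) {
            super(dataSource, resourceQuery);
            compile();
        }

        @Override
        protected Resource mapRow(ResultSet rs, int rowNum) throws SQLException {
            return new Resource(rs.getString(1), rs.getString(2));
        }
    }
}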