spring-security2.0.2初步配置

使用了spring security之后,网页的显示速度明显变慢,看来spring security的使用还是需要优化配置的。



在web.xml中配置



 <!--  配置spring acegi 使用的  和com.work.core.QxglConstants.USE_ACEGI=true 配合使用

 <filter>

  <filter-name>springSecurityFilterChain</filter-name>

  <filter-class>

   org.springframework.web.filter.DelegatingFilterProxy

  </filter-class>

 </filter>



 <filter-mapping>

  <filter-name>springSecurityFilterChain</filter-name>

  <url-pattern>/*</url-pattern>

 </filter-mapping>



 <listener>

  <listener-class>

   org.springframework.web.context.ContextLoaderListener

  </listener-class>

 </listener>

 <listener>

  <listener-class>

   org.springframework.security.ui.session.HttpSessionEventPublisher

  </listener-class>

 </listener>

 -->



然后配置applicationContext-spring-security-2.0.2.xml



<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"

 xmlns:beans="http://www.springframework.org/schema/beans"

 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

 xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">

  

 <!-- Exposes the namespace-created authentication manager under a bean name so the beans below can reference it. -->

 <authentication-manager alias="authenticationManager" />

 <!-- Access decision manager: AffirmativeBased with a role voter and an authenticated voter. -->

 <beans:bean id="accessDecisionManager"

  class="org.springframework.security.vote.AffirmativeBased">

  <beans:property name="allowIfAllAbstainDecisions" value="false" /><!-- allowIfAllAbstainDecisions: whether access is granted when every voter abstains ("nobody objected, so allow"); false keeps that case denied -->

  <beans:property name="decisionVoters"><!-- voters consulted by this decision manager -->

   <beans:list>

    <beans:bean class="org.springframework.security.vote.RoleVoter" />

    <beans:bean class="org.springframework.security.vote.AuthenticatedVoter" />

   </beans:list>

  </beans:property>

 </beans:bean>

 <beans:bean id="filterInvocationInterceptor"

  class="org.springframework.security.intercept.web.FilterSecurityInterceptor">

  <!-- Original author's note: with this configured, secureResourceFilter is never executed. Has anyone else run into this, and how did you solve it? -->

  <!-- NOTE(review): this bean is only declared here; nothing in this file places it in the filter chain that the <http> element builds, which would explain why it never runs. Spring Security 2.0 registers custom filters through a nested <custom-filter> element on the bean; confirm the exact usage against the 2.0.2 reference. If it is registered, the static intercept-url rules below would still be enforced by the interceptor that <http> creates, so decide which of the two is authoritative. -->

  <beans:property name="authenticationManager" ref="authenticationManager" />

  <beans:property name="accessDecisionManager" ref="accessDecisionManager" />

  <beans:property name="objectDefinitionSource" ref="secureResourceFilter" />

 </beans:bean>

 <!-- Custom definition source that resolves the roles for a URL at request time (see MySecureResourceFilter). -->

 <beans:bean id="secureResourceFilter" class="com.work.qxgl.springsecurity.MySecureResourceFilter" />



 <!-- URL rules are matched in the order written and the first matching pattern decides, so specific patterns must stay above general ones. -->

 <!-- NOTE(review): the static resource patterns (/css, /images, /imageszhuye, /js) still pass through every security filter; the 2.0 namespace offers filters="none" on intercept-url to bypass the chain for such paths, which may help with the slowdown described in the article. TODO confirm. -->

 <http auto-config="true" access-denied-page="/commons/403.jsp">

  <intercept-url pattern="/" access="ROLE_USER"/>

  <intercept-url pattern="/css/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

  <intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

  <intercept-url pattern="/imageszhuye/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

  <intercept-url pattern="/js/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

  <intercept-url pattern="/ganjian*/**" access="ROLE_SUPERVISOR,ROLE_enterprise_manager"/>

  <intercept-url pattern="/qxgl/menutree/**" access="ROLE_SUPERVISOR,ROLE_USER"/>

  <intercept-url pattern="/qxgl*/**" access="ROLE_SUPERVISOR,ROLE_PERMITMANAGER"/>

  <!-- NOTE(review): this catch-all makes every URL not listed above reachable without logging in (allow by default). A safer layout lists the public paths explicitly, including the login page /acegilogin.jsp, and requires an authenticated role on the final catch-all. -->

  <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <!-- access="ROLE_ANONYMOUS" -->

  

  <!-- One session per user; a second login is rejected rather than expiring the first. NOTE(review): concurrent session control relies on the HttpSessionEventPublisher listener in web.xml to learn when sessions end; without it a user can stay locked out until the old session times out. -->

  <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true" />

  <form-login login-page="/acegilogin.jsp" authentication-failure-url="/acegilogin.jsp"

   default-target-url="/sysmain.action" />

   <!-- The logged-in user's details can be obtained at this point; sysmain.action can record the login information. Verified working. -->

  <logout logout-success-url="/logout.jsp" /><!-- j_spring_security_logout is the logout URL; logout.jsp can serve as a hook that calls your own logout routine. -->

 </http>

  <!-- Automatically receives AuthenticationEvent messages -->

 <beans:bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener" />

 <!-- NOTE(review): no password-encoder is configured on this provider, so the user_password column is presumably compared as stored (plain text); confirm, and prefer a salted password hash. The users query also hard-codes 'true' AS enabled, so an account cannot be disabled through this query. -->

 <authentication-provider >

  <jdbc-user-service data-source-ref="dataSource" 

   users-by-username-query="SELECT U.user_account as username, U.user_password as password, 'true' AS enabled FROM qxgl_user U where U.user_issysuser=1 and  U.user_account=?"

   authorities-by-username-query="select a.user_account as username,c.role_name as authority from qxgl_user a ,qxgl_user_role b,qxgl_role c where a.user_id=b.user_id and b.role_id=c.role_id and a.user_account=?" />

   <!-- group-authorities-by-username-query is also supported -->

 </authentication-provider>

</beans:beans>


java程序MySecureResourceFilter 
package com.work.qxgl.springsecurity;



import java.util.Collection;

import java.util.List;



import org.apache.commons.logging.Log;

import org.apache.commons.logging.LogFactory;

import org.springframework.security.ConfigAttributeDefinition;

import org.springframework.security.ConfigAttributeEditor;

import org.springframework.security.intercept.web.FilterInvocation;

import org.springframework.security.intercept.web.FilterInvocationDefinitionSource;



import com.work.core.spring.MyBeanUtil;

import com.work.qxgl.model.QxglRole;

import com.work.qxgl.usermodel.UserModelServiceDao;



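/**
 * Resolves the security attributes (role names) for a request by asking
 * {@code UserModelServiceDao} which roles are assigned to the requested URL.
 *
 * <p>TODO (original author): the configuration loads without errors, but this
 * class never takes effect.
 *
 * <p>NOTE(review): every call performs a bean lookup and a role query; the
 * original author's notes suggest caching the URL-to-role mapping and
 * refreshing the cache when the database changes.
 *
 * @author wangmingjie
 */
public class MySecureResourceFilter implements FilterInvocationDefinitionSource {

	private static final Log log = LogFactory.getLog(MySecureResourceFilter.class);

	/** Role required when no role is assigned to the URL: the basic form-login role. */
	private static final String DEFAULT_ROLE = "ROLE_USER";

	/**
	 * Returns the roles that may access the URL of the given invocation.
	 *
	 * @param filter the secured object; must be a {@link FilterInvocation}
	 * @return the attribute definition built from the comma-separated role names
	 * @throws IllegalArgumentException if {@code filter} is not a
	 *         {@link FilterInvocation} (the original cast failed with a
	 *         {@code ClassCastException} instead)
	 */
	public ConfigAttributeDefinition getAttributes(Object filter)
			throws IllegalArgumentException {
		if (!(filter instanceof FilterInvocation)) {
			throw new IllegalArgumentException("Object must be a FilterInvocation");
		}
		FilterInvocation filterInvocation = (FilterInvocation) filter;

		// NOTE(review): getRequestUrl() may carry the query string; confirm that
		// getRolesByUrl() matches on a normalized path. If the lookup misses, a
		// URL that has roles assigned falls back to DEFAULT_ROLE below.
		String url = filterInvocation.getRequestUrl();
		if (log.isDebugEnabled()) {
			log.debug("UR为:" + url);
		}

		// The roles allowed for this URL are read from the database on each call.
		UserModelServiceDao userModelServiceDao = (UserModelServiceDao) MyBeanUtil
				.getBean("userModelServiceDao");
		List<QxglRole> urlRoles = userModelServiceDao.getRolesByUrl(url);

		String roles = joinRoleNames(urlRoles);
		if (log.isDebugEnabled()) {
			log.debug("URL" + url + "拥有的角色为:" + roles);
		}

		ConfigAttributeEditor configAttrEditor = new ConfigAttributeEditor();
		configAttrEditor.setAsText(roles);
		return (ConfigAttributeDefinition) configAttrEditor.getValue();
	}

	/**
	 * Joins the role names with commas, without a trailing separator.
	 *
	 * <p>The original left a trailing comma on the default branch
	 * ({@code "ROLE_USER,"}), which hands the editor an extra empty token.
	 *
	 * <p>NOTE(review): a URL with no assigned role is open to any user holding
	 * ROLE_USER; consider denying unmapped URLs instead.
	 */
	private static String joinRoleNames(List<QxglRole> urlRoles) {
		if (urlRoles == null || urlRoles.isEmpty()) {
			if (log.isDebugEnabled()) {
				log.debug("URL没有赋给任何用户,给他增加form认证的基本角色ROLE_USER。");
			}
			return DEFAULT_ROLE;
		}
		StringBuilder rolesList = new StringBuilder();
		for (QxglRole role : urlRoles) {
			if (rolesList.length() > 0) {
				rolesList.append(',');
			}
			rolesList.append(role.getRoleName());
		}
		return rolesList.toString();
	}

	/**
	 * Returns {@code null}: the attribute definitions are resolved per request
	 * and are not available as a fixed collection.
	 */
	public Collection getConfigAttributeDefinitions() {
		return null;
	}

	/**
	 * Reports support only for {@link FilterInvocation} and its subclasses,
	 * matching the type that {@link #getAttributes(Object)} accepts.
	 */
	public boolean supports(Class arg0) {
		return arg0 != null && FilterInvocation.class.isAssignableFrom(arg0);
	}

}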