spring security 2.05的配置
参考:http://blog.csdn.net/superboo/article/details/5025435
xml配置中多处出现以“/”开头的值(如login-page="/userLoginAction_init"),前导“/”用于区分该值是一个引用的名字还是要跳转到的某个方法(请求路径)
1.导入jar
2.在web.xml中引入spring security 3.0
<!-- web.xml: registers the Spring Security filter chain. DelegatingFilterProxy
     forwards every request to the Spring bean whose name equals this filter-name,
     so "springSecurityFilterChain" must match the bean created by the security
     namespace configuration exactly. -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<!-- "/*" routes every request through the chain; only paths marked
     filters="none" in the security config bypass it. -->
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
3.在classpath下建一个applicationContext-security.xml
3.1.导入
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
3.2哪些资源需要过滤
<!-- auto-config="true" is shorthand that also enables the default form-login,
     http-basic and logout support; the explicit <form-login> and <logout>
     elements further down override the defaults. access-denied-page is the
     page rendered on an AccessDeniedException. -->
<http auto-config="true" access-denied-page="/jsp/accessDenied.jsp">
<!-- filters="none" removes these paths from the security filter chain entirely:
     nothing under /css, /images or /js is authenticated or authorized, so keep
     only genuinely public static content there. -->
<intercept-url pattern="/css/**" filters="none" />
<intercept-url pattern="/images/**" filters="none" />
<intercept-url pattern="/js/**" filters="none" />
<!-- Adds a filter. Unlike Acegi, the default filters cannot be modified here.
     This filter is placed before FILTER_SECURITY_INTERCEPTOR, i.e. it runs ahead
     of the built-in FilterSecurityInterceptor that <http> creates from the
     intercept-url rules; presumably both interceptors then run, so the two rule
     sets should not contradict each other. -->
<custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR" />
配置需要特定角色访问的资源
<!-- Role-based URL rules: only a user holding the named authority may reach these
     paths. Rules are matched top to bottom, so specific patterns must precede any
     catch-all such as /**; no catch-all is shown here, so unlisted URLs carry no
     rule from this fragment. Note the prefix: these lines use "security:" while
     the sibling elements above are unprefixed; pick one namespace form per file. -->
<security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
<security:intercept-url pattern="/space/**" access="ROLE_USER" />
3.2.1登录(注销)页面设置
<!-- Login and logout. authentication-failure-url receives failed logins;
     default-target-url is where a successful login lands when no saved
     request is pending. -->
<form-login login-page="/login.jsp" authentication-failure-url="/common/403.jsp" default-target-url="/admin.jsp" />
<!-- invalidate-session is left at its default here; the "advanced" logout
     element further down sets it explicitly. -->
<logout logout-success-url="/login.jsp"/>
</http>
3.3认证管理方面(如何自定义一个filter: 必须包含authenticationManager、accessDecisionManager、securityMetadataSource三个属性,然后写三个类分别实现相应的接口)
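<!-- Custom FilterSecurityInterceptor (the "myFilter" referenced from <custom-filter>).
     It must be wired with exactly three collaborators: authenticationManager,
     accessDecisionManager and securityMetadataSource. -->
<bean id="myFilter" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<!-- Authentication manager: the entry point for authenticating the user -->
<property name="authenticationManager" ref="authenticationManager" />
<!-- Access decision manager: decides whether the roles a user holds are
     sufficient to access a given resource -->
<property name="accessDecisionManager" ref="accessDecisionManager" />
<!-- Resource metadata source: defines which roles may access each resource.
     The ref points at the bean declared in section 3.3.3 (id MySecurityMetadataSource).
     The previous value "secureResourceFilterInvocationDefinitionSource" is not
     declared anywhere on this page and would fail at context startup with an
     unresolved bean reference. -->
<property name="securityMetadataSource" ref="MySecurityMetadataSource" />
</bean>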
3.3.1认证管理器
<!-- Authentication manager. alias="authenticationManager" exposes the
     namespace-created manager under that bean name so myFilter can reference it. -->
<security:authentication-manager alias="authenticationManager">
<!-- Authentication provider. The original note describes a [user-service-ref]
     pointing at a service component that authenticates users through a
     securityManager; this snippet instead wires the provider bean directly via
     ref (the securityManager bean is not shown on this page). -->
<security:authentication-provider ref="authenticationProvider">
</security:authentication-provider>
</security:authentication-manager>
3.3.1.1认证管理器提供者
<!-- DaoAuthenticationProvider: loads the user via the UserDetailsService and
     verifies the submitted password with the configured PasswordEncoder. -->
<bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService"/>
<!-- Set to false so that myAuthenticationfailureHandler receives the
     UsernameNotFoundException and can respond with a different page per failure type.
     Security trade-off: the response then distinguishes "unknown user" from
     "wrong password", which enables username enumeration. Keep the default (true)
     unless distinct pages are really needed, or make the two user-facing pages
     indistinguishable. -->
<property name="hideUserNotFoundExceptions" value="false"/>
<!-- Custom password hashing and verification. The bean name suggests MD5/SHA
     digests; these are fast hashes that are weak for password storage, so confirm
     a per-user salt is applied, or prefer an adaptive hash where the platform allows. -->
<property name="passwordEncoder" ref="md5ShaPasswordEncoder"/>
</bean>
3.3.2访问决策器
<!-- AffirmativeBased: access is granted as soon as one voter votes ACCESS_GRANTED.
     allowIfAllAbstainDecisions=false is the safe setting: when no voter has an
     opinion (e.g. a config attribute none of them understands) the request is
     denied instead of allowed. -->
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<property name="allowIfAllAbstainDecisions" value="false" />
<property name="decisionVoters">
<list>
<!-- RoleVoter votes on ROLE_* attributes; AuthenticatedVoter on IS_AUTHENTICATED_* ones. -->
<bean class="org.springframework.security.access.vote.RoleVoter" />
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</property>
</bean>
3.3.3资源源数据定义(将所有的资源和权限对应关系建立起来,即定义某一资源可以被哪些角色访问)
<!-- Resource metadata source: builds the resource-to-role mapping (which roles
     may access which resource) from roleService and actionService.
     init-method="loadResourceDefine" runs once after the bean is wired, so a
     mapping changed later is not picked up until the context is refreshed
     (unless the class reloads on its own, which is not visible here).
     Note the "beans:" prefix, unlike the unprefixed <bean> elements above. -->
<beans:bean id="MySecurityMetadataSource" init-method="loadResourceDefine" class="com.softvan.spring.security.InvocationSecurityMetadataSourceService">
<beans:property name="roleService" ref="RoleService" />
<beans:property name="actionService" ref="ActionService" />
</beans:bean>
高级配置
3.2的另外一种配置
建立一个资源表和一个资源角色中间表用于存放角色所能访问的url。
然后再写一个自定义过滤器,用于读取表中角色所能访问的url。
这样需要先导入这个自定义过滤器,
<!-- Spring Security 2.0.x style fragment: the package
     org.springframework.security.intercept.web and the property
     objectDefinitionSource are the 2.0 names (section 3.3 above uses the 3.0
     equivalents org.springframework.security.web.access.intercept and
     securityMetadataSource), and a <custom-filter> nested inside the bean is
     likewise 2.0 syntax. Do not mix this fragment with the 3.0 fragments in one file.
     autowire="byType" presumably fills authenticationManager and
     accessDecisionManager from the context, which requires exactly one bean of
     each type to exist. -->
<beans:bean id="filterSecurityInterceptor"
class="org.springframework.security.intercept.web.FilterSecurityInterceptor" autowire="byType">
<custom-filter before="FILTER_SECURITY_INTERCEPTOR"/>
<beans:property name="objectDefinitionSource" ref="filterInvocationDefinitionSource" />
</beans:bean>
<!-- Custom factory bean (see the note above) that builds the URL-to-role
     definition source from the database. resourceQuery is a fixed statement with
     no parameters, so no request input reaches it; presumably m.address is the URL
     pattern and r.descn the role name. The trailing ";" inside the value may be
     rejected by some JDBC drivers; drop it if the query fails at startup. -->
<beans:bean id="filterInvocationDefinitionSource" class="com.lovo.JdbcFilterInvocationDefinitionSourceFactoryBean">
<beans:property name="dataSource" ref="dataSource"/>
<beans:property name="resourceQuery" value="select m.address,r.descn from t_module_role mr join t_module m on mr.m_id=m.id join t_role r on mr.r_id=r.id; "/>
</beans:bean>
再写对应的com.lovo.JdbcFilterInvocationDefinitionSourceFactoryBean类
3.2.1的高级配置
<!-- Advanced login configuration. Success and failure handling are delegated to
     the two handler beans defined below. always-use-default-target="true" here
     conflicts with alwaysUseDefaultTargetUrl=false on myAuthenticationSuccessHandler;
     when a success-handler ref is supplied the handler bean's own properties are
     what take effect (verify against the namespace parser for this version), so
     decide on one value and keep both places consistent. -->
<security:form-login login-page="/userLoginAction_init" authentication-failure-handler-ref="myAuthenticationfailureHandler" authentication-success-handler-ref="myAuthenticationSuccessHandler" always-use-default-target="true" />
<security:access-denied-handler error-page="/accessDenied.jsp" />
<!-- token-validity-seconds="123456789" keeps a remember-me cookie valid for
     roughly 3.9 years; a stolen cookie remains usable for that whole period.
     Use a validity of days or weeks. No key attribute is given; if the key is
     generated at startup (confirm for this version), tokens are silently
     invalidated on every restart, so set an explicit key deliberately. -->
<security:remember-me user-service-ref="userDetailsService" token-validity-seconds="123456789" />
<!-- invalidate-session="true" drops the server-side session on logout;
     logout-url is the request path that triggers the logout. -->
<security:logout invalidate-session="true" logout-success-url="/" logout-url="/j_spring_security_logout" />
然后再配置两个filter
<!--自定义认证成功-->
<!-- Custom authentication success handler (class not shown on this page).
     alwaysUseDefaultTargetUrl=false lets a saved request take precedence over
     defaultTargetUrl; this contradicts always-use-default-target="true" on the
     <form-login> element above, so align the two. -->
<bean id="myAuthenticationSuccessHandler" class="com.miaopu.core.security.MyAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/userLoginAction_entry" />
<property name="alwaysUseDefaultTargetUrl" value="false" />
<property name="userLoginService" ref="userLoginService"/>
</bean>
<!-- 认证失败 -->
<!-- Custom authentication failure handler. defaultFailureUrl is the page the
     client is sent to after a failed login. allowSessionCreation=false presumably
     stops the handler from creating a session just to carry the failure exception
     for an unauthenticated client, which limits server-side session growth under
     repeated failed logins. With hideUserNotFoundExceptions=false on the provider,
     this handler receives a distinct exception type per failure cause. -->
<bean id="myAuthenticationfailureHandler" class="com.miaopu.core.security.MyAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/userLoginAction_loginFailure" />
<property name="allowSessionCreation" value="false"/>
</bean>