Recently, with some free time on my hands, I had a look at Spring Acegi and wrote down a few notes along the way.
Acegi is a security framework built on Spring; its technical hallmarks are Spring's dependency injection, AOP interception and programming against interfaces.
Its design is a role-based access control system, which is what makes the security framework configurable.
Acegi configuration boils down to three main parts: the authentication manager, the access decision manager and the filter chain.
Access to any protected resource goes through: authentication manager => access decision manager => filter chain.
1. Configure the corresponding Listener and Filter in web.xml.
First add security.xml:
<context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>
    /WEB-INF/security.xml,
  </param-value>
</context-param>
Configure the filter:
The targetClass parameter means that, when the web application initializes, acegiFilterChain looks up the bean of type org.acegisecurity.util.FilterChainProxy in the Spring container and delegates its work to that bean.
<filter>
  <filter-name>acegiFilterChain</filter-name>
  <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
  <init-param>
    <param-name>targetClass</param-name>
    <param-value>org.acegisecurity.util.FilterChainProxy</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>acegiFilterChain</filter-name>
  <url-pattern>*.action</url-pattern>
</filter-mapping>
2. Configure the AuthenticationManager
The AuthenticationManager decides whether a user has passed authentication; it delegates the actual verification to one or more AuthenticationProviders.
Acegi ships with several AuthenticationProviders: AuthByAdapterProvider (authenticates the user via the web container), CasAuthenticationProvider (via CAS), DaoAuthenticationProvider (via a username and password held in the database; the most commonly used), JaasAuthenticationProvider (via JAAS), PasswordDaoAuthenticationProvider (via the database), RememberMeAuthenticationProvider (via a cookie) and RemoteAuthenticationProvider (via a remote server).
Two AuthenticationProviders are configured here:
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref bean="daoAuthenticationProvider" />
      <ref bean="rememberMeAuthenticationProvider" />
    </list>
  </property>
</bean>
<!-- AuthenticationProvider based on DAO authentication -->
<bean id="daoAuthenticationProvider"
  class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
  <property name="userDetailsService" ref="userDetailsService" />
</bean>
<!-- userDetailsService is the only component in the Acegi configuration that has to be written by hand -->
<bean id="userDetailsService"
  class="com.gzpost.lantou.security.JdbcUserDetailsService">
  <property name="dataSource" ref="dataSource" />
</bean>
<!-- AuthenticationProvider based on RememberMe authentication -->
<bean id="rememberMeAuthenticationProvider"
  class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
  <property name="key" value="RememberMeAtLiveBookstore" />
</bean>
<bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices">
  <property name="userDetailsService" ref="userDetailsService" />
  <property name="parameter" value="j_remember_me" />
  <property name="key" value="RememberMeAtLiveBookstore" />
</bean>
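The post says userDetailsService is the only piece that has to be written by hand, but does not show it. As an added example (not the author's class), here is one way com.gzpost.lantou.security.JdbcUserDetailsService could be implemented against Acegi's UserDetailsService interface; the users/authorities tables and their columns are assumptions, and the package declaration is omitted.

```java
import java.sql.*;
import java.util.List;
import javax.sql.DataSource;
import org.acegisecurity.*;
import org.acegisecurity.userdetails.*;
import org.springframework.jdbc.core.*;

/** Loads a user and its roles from the database; DaoAuthenticationProvider then checks the password. */
public class JdbcUserDetailsService implements UserDetailsService {
    // Assumed schema: users(username, password, enabled) and authorities(username, authority).
    private static final String USER_SQL =
        "SELECT username, password, enabled FROM users WHERE username = ?";
    private static final String ROLES_SQL =
        "SELECT authority FROM authorities WHERE username = ?";

    private JdbcTemplate jdbcTemplate;

    /** Wired by <property name="dataSource" ref="dataSource" /> in security.xml. */
    public void setDataSource(DataSource dataSource) {
        this.jdbcTemplate = new JdbcTemplate(dataSource);
    }

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        final GrantedAuthority[] authorities = loadAuthorities(username);
        // The username is bound as a parameter, never concatenated into the SQL text.
        List users = jdbcTemplate.query(USER_SQL, new Object[] { username }, new RowMapper() {
            public Object mapRow(ResultSet rs, int rowNum) throws SQLException {
                // accountNonExpired, credentialsNonExpired and accountNonLocked are not tracked here
                return new User(rs.getString("username"), rs.getString("password"),
                    rs.getBoolean("enabled"), true, true, true, authorities);
            }
        });
        if (users.isEmpty()) {
            // DaoAuthenticationProvider rewraps this as BadCredentialsException by default,
            // so a failed login does not reveal whether the account exists.
            throw new UsernameNotFoundException("No such user: " + username);
        }
        return (UserDetails) users.get(0);
    }

    private GrantedAuthority[] loadAuthorities(String username) {
        List roles = jdbcTemplate.queryForList(ROLES_SQL, new Object[] { username }, String.class);
        GrantedAuthority[] authorities = new GrantedAuthority[roles.size()];
        for (int i = 0; i < authorities.length; i++) {
            // RoleVoter only votes on attributes that start with ROLE_, so rows hold e.g. ROLE_USER
            authorities[i] = new GrantedAuthorityImpl((String) roles.get(i));
        }
        return authorities;
    }
}
```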
3. Configure the AccessDecisionManager
The AccessDecisionManager decides whether a user is allowed to access a given protected resource.
It works by voting.
<bean id="accessDecisionManager"
  class="org.acegisecurity.vote.AffirmativeBased">
  <property name="decisionVoters">
    <list>
      <bean class="org.acegisecurity.vote.RoleVoter" />
    </list>
  </property>
  <property name="allowIfAllAbstainDecisions" value="false" />
</bean>
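To make the voting rules concrete, this added example (not from the original post) drives the same AffirmativeBased/RoleVoter wiring from plain Java and checks a few attribute sets, including one that no configured voter understands; it assumes Acegi 1.0.x and Java 5 on the classpath.

```java
import java.util.Arrays;
import org.acegisecurity.*;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.vote.AffirmativeBased;
import org.acegisecurity.vote.RoleVoter;

public class VotingDemo {
    /** Same wiring as the accessDecisionManager bean in security.xml. */
    static AffirmativeBased buildDecisionManager() {
        AffirmativeBased manager = new AffirmativeBased();
        manager.setDecisionVoters(Arrays.asList(new RoleVoter()));
        manager.setAllowIfAllAbstainDecisions(false);
        return manager;
    }

    /** Builds the attributes one objectDefinitionSource line yields, e.g. "ROLE_ADMIN,ROLE_USER". */
    static ConfigAttributeDefinition attributes(String commaSeparated) {
        ConfigAttributeDefinition def = new ConfigAttributeDefinition();
        for (String attr : commaSeparated.split(",")) {
            def.addConfigAttribute(new SecurityConfig(attr.trim()));
        }
        return def;
    }

    /** True when the manager grants access; false when it throws AccessDeniedException. */
    static boolean isGranted(AffirmativeBased manager, Authentication user, String attrs) {
        try {
            manager.decide(user, null, attributes(attrs));
            return true;
        } catch (AccessDeniedException denied) {
            return false;
        }
    }

    public static void main(String[] args) {
        AffirmativeBased manager = buildDecisionManager();
        // A constructed, already-authenticated principal holding only ROLE_USER.
        Authentication user = new UsernamePasswordAuthenticationToken("alice", "n/a",
            new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_USER") });
        // RoleVoter grants because the user holds the required role.
        System.out.println("ROLE_USER -> " + isGranted(manager, user, "ROLE_USER"));
        // RoleVoter denies because ROLE_ADMIN is required and not held.
        System.out.println("ROLE_ADMIN -> " + isGranted(manager, user, "ROLE_ADMIN"));
        // AffirmativeBased needs only one ACCESS_GRANTED vote, so holding either role suffices.
        System.out.println("ROLE_ADMIN,ROLE_USER -> " + isGranted(manager, user, "ROLE_ADMIN,ROLE_USER"));
        // No configured voter supports an attribute without the ROLE_ prefix, so every voter abstains;
        // allowIfAllAbstainDecisions=false turns that into a denial instead of a silent allow.
        System.out.println("IS_AUTHENTICATED_FULLY -> " + isGranted(manager, user, "IS_AUTHENTICATED_FULLY"));
    }
}
```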
4. Configure the FilterChain
The FilterChain is what ultimately carries out authentication and authorization.
Acegi already provides a whole series of very useful Filters for us to use; they are not listed one by one here.
Note that LogoutFilter and AuthenticationProcessingFilter implement user logout and login respectively; they only filter their own specific URLs.
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy">
  <property name="filterInvocationDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /**=sessionIntegrationFilter,logoutFilter,authenticationFilter,rememberMeFilter,exceptionFilter,securityInterceptor
    </value>
  </property>
</bean>
<bean id="sessionIntegrationFilter"
  class="org.acegisecurity.context.HttpSessionContextIntegrationFilter" />
<bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter">
  <!-- URL redirected to after logout -->
  <constructor-arg value="/" />
  <constructor-arg>
    <list>
      <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler" />
      <ref bean="rememberMeServices" />
    </list>
  </constructor-arg>
  <property name="filterProcessesUrl" value="/logout.action" />
</bean>
<bean id="authenticationFilter"
  class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
  <property name="authenticationManager" ref="authenticationManager" />
  <property name="authenticationFailureUrl" value="/login.jsp?login_error=Login%20failed." />
  <property name="defaultTargetUrl" value="/main.jsp" />
  <property name="filterProcessesUrl" value="/login.action" />
  <property name="rememberMeServices" ref="rememberMeServices" />
</bean>
<bean id="rememberMeFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter">
  <property name="authenticationManager" ref="authenticationManager" />
  <property name="rememberMeServices" ref="rememberMeServices" />
</bean>
<!-- Filter that handles authentication and access-denied exceptions -->
<bean id="exceptionFilter" class="org.acegisecurity.ui.ExceptionTranslationFilter">
  <!-- Login entry point used when an AuthenticationException occurs -->
  <property name="authenticationEntryPoint">
    <bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
      <property name="loginFormUrl" value="/login.action" />
      <property name="forceHttps" value="false" />
    </bean>
  </property>
  <!-- Handler used when an AccessDeniedException occurs -->
  <property name="accessDeniedHandler">
    <bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl" />
  </property>
</bean>
<!-- URL-based security interceptor -->
<bean id="securityInterceptor"
  class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager" />
  <property name="accessDecisionManager" ref="accessDecisionManager" />
  <property name="objectDefinitionSource">
    <value>
      CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
      PATTERN_TYPE_APACHE_ANT
      /admin*=ROLE_ADMIN
      /user*=ROLE_USER
    </value>
  </property>
</bean>
In addition, to protect business-logic components, the key is to declare a MethodSecurityInterceptor so that it intercepts the component's method calls and then decides, based on the user's roles, whether the call is allowed.
<bean id="serviceSecurityInterceptor"
  class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
  <property name="validateConfigAttributes" value="true" />
  <property name="authenticationManager" ref="authenticationManager" />
  <property name="accessDecisionManager" ref="accessDecisionManager" />
  <property name="objectDefinitionSource">
    <bean class="org.acegisecurity.intercept.method.MethodDefinitionAttributes">
      <property name="attributes">
        <bean class="org.acegisecurity.annotation.SecurityAnnotationAttributes" />
      </property>
    </bean>
  </property>
</bean>
<!-- Use Spring's auto-proxy support to create the AOP proxy -->
<bean id="autoProxyCreator"
  class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">
  <property name="interceptorNames">
    <list>
      <value>serviceSecurityInterceptor</value>
    </list>
  </property>
  <property name="beanNames">
    <list>
      <value>businessService</value>
    </list>
  </property>
</bean>
Then, in the corresponding service, implement method-level protection with annotations, e.g. @Secured({"ROLE_USER"})
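As an added illustration (not the post's own code) of the bean named businessService that the autoProxyCreator above wraps, here is a service class whose @Secured attributes match the roles in the configuration; the class and method names are assumptions, and because it implements no interface Spring proxies it with CGLIB.

```java
import java.util.ArrayList;
import java.util.List;
import org.acegisecurity.annotation.Secured;
import org.acegisecurity.context.SecurityContextHolder;

/**
 * Bean "businessService": BeanNameAutoProxyCreator wraps it with serviceSecurityInterceptor,
 * which reads the @Secured attributes below and lets accessDecisionManager (RoleVoter) vote.
 * With validateConfigAttributes=true, an attribute no voter supports (e.g. "ADMIN" without
 * the ROLE_ prefix) is rejected at startup instead of silently abstaining at runtime.
 */
public class BusinessService {
    private final List<String> orders = new ArrayList<String>();
    private final List<String> catalog = new ArrayList<String>();

    /** Any caller holding ROLE_USER may order; the principal comes from the filter chain's SecurityContext. */
    @Secured({ "ROLE_USER" })
    public void placeOrder(String isbn, int quantity) {
        String who = SecurityContextHolder.getContext().getAuthentication().getName();
        orders.add(who + ":" + isbn + "x" + quantity);
    }

    /** Either role suffices: AffirmativeBased grants on the first ACCESS_GRANTED vote. */
    @Secured({ "ROLE_ADMIN", "ROLE_USER" })
    public int countOrders() {
        return orders.size();
    }

    /** Administrators only. */
    @Secured({ "ROLE_ADMIN" })
    public void deleteBook(String isbn) {
        catalog.remove(isbn);
    }

    /** No annotation: the interceptor finds no attributes and lets every caller through. */
    public int catalogSize() {
        return catalog.size();
    }

    /**
     * Pitfall: deleteBook() is invoked here through "this", not through the proxy, so its
     * ROLE_ADMIN check is skipped for anyone allowed to call retireBook() (which is everyone here).
     */
    public void retireBook(String isbn) {
        deleteBook(isbn);
    }
}
```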