没事就来了解下spring security.网上找了很多资料。有过时的,也有不是很全面的。各种问题也算是让我碰了个遍。这样吧。我先把整个流程写下来,之后在各个易混点分析吧。

1.建立几个必要的页面。

login.jsp   index.jsp    user.jsp     admin.jsp    error.jsp 后面几个只是用来做跳转的,里面没什么要注意的,就贴出login里面的吧

<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<title>login</title>

</head>

<body>

    <form action="/mavenTest/j_spring_security_check" method="post">

        账户:<input type="text" name="j_username" id="username"/>

        密码:<input type="text" name="j_password" id="password"/>

        <input type="submit" value="登陆"/>

    </form>

</body>

</html>

2.配置web.xml  没有用的就没有粘贴了

<filter>

        <filter-name>springSecurityFilterChain</filter-name>

        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>

    </filter>

    <filter-mapping>

        <filter-name>springSecurityFilterChain</filter-name>

        <url-pattern>/*</url-pattern>

    </filter-mapping>

3.忘记吧pom.xml文件给出来了  版本为<org.springframework-version>3.2.3.RELEASE</org.springframework-version>

<!-- spring security -->

          <dependency>

            <groupId>org.springframework.security</groupId>

            <artifactId>spring-security-core</artifactId>

            <version>${org.springframework-version}</version>

          </dependency>

          <dependency>

            <groupId>org.springframework.security</groupId>

            <artifactId>spring-security-web</artifactId>

            <version>${org.springframework-version}</version>

          </dependency>

          <dependency>

            <groupId>org.springframework.security</groupId>

            <artifactId>spring-security-config</artifactId>

            <version>${org.springframework-version}</version>

          </dependency>

4.配置spring security .xml文件

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"

    xmlns:beans="http://www.springframework.org/schema/beans"

    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

    xsi:schemaLocation="http://www.springframework.org/schema/beans

           http://www.springframework.org/schema/beans/spring-beans-3.2.xsd

           http://www.springframework.org/schema/security

           http://www.springframework.org/schema/security/spring-security.xsd">

     <!-- 不需要进行安全认证的资源 -->

    <http pattern="/resources/**" security="none" />

    <http pattern="/login.jsp" security="none"/>

    <!-- 资源所需要的权限 -->

    <http auto-config='true'>

        <form-login login-page="/login.jsp"

            default-target-url="/index.jsp"

            authentication-failure-url="/login.jsp?error=true" />

        <logout logout-success-url="/index.jsp"/>

        <!-- 尝试访问没有权限的页面时跳转的页面 -->

        <access-denied-handler error-page="/error-noauth.jsp"/>

        <custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR"/>

    </http>

    <!-- 自定义一个filter,必须包含authenticationManager,accessDecisionManager,

    securityMetadataSource三个属性 所有的功能都在这三个类中实现-->

    <beans:bean id="myFilter" class="com.demo.im.model.security.MyFilterSecurotyInterceptor">

        <beans:property name="authenticationManager"

        ref="authenticationManager" />

        <beans:property name="accessDecisionManager"

        ref ="myAccessDecisionManagerBean"/>

        <beans:property name="securityMetadataSource"

        ref="securityMetadaSource"/>

    </beans:bean>

    <!-- 认证管理器,实现用户认证的入口,主要实现userdetailsservice -->

    <authentication-manager alias="authenticationManager">

        <authentication-provider

            user-service-ref="myUserDetailService">

        </authentication-provider>

    </authentication-manager>

    <beans:bean id="myUserDetailService"

        class="com.demo.im.model.security.DefaultUserDetailsService">

    </beans:bean>

    <!-- 访问决策,决定某个用户具有的角色,是否有足够的权限去访问某个资源 -->

    <beans:bean id="myAccessDecisionManagerBean"

        class="com.demo.im.model.security.MyAccessDecisionManager" />

    <beans:bean id="securityMetadaSource"

        class="com.demo.im.model.security.MyInvocationSecurityMetadaSource"/>

</beans:beans>

5.MyFilterSecurotyInterceptor   自定义filter的代码如下。

其中最核心的代码是  invoke() 方法中的

InterceptorStatusToken token = super.beforeInvocation(fi);
这一句在dofilter之前进行权限验证,而具体的实现交给了accessDecisionManager,下面将继续讨论

package com.demo.im.model.security;

import java.io.IOException;

import javax.servlet.Filter;

import javax.servlet.FilterChain;

import javax.servlet.FilterConfig;

import javax.servlet.ServletException;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import org.springframework.security.access.SecurityMetadataSource;

import org.springframework.security.access.intercept.AbstractSecurityInterceptor;

import org.springframework.security.access.intercept.InterceptorStatusToken;

import org.springframework.security.web.FilterInvocation;

import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

public class MyFilterSecurotyInterceptor extends AbstractSecurityInterceptor implements Filter {

    private FilterInvocationSecurityMetadataSource securityMetadataSource;

    @Override

    public void init(FilterConfig filterConfig) throws ServletException {

        // TODO Auto-generated method stub

    }

    @Override

    public void doFilter(ServletRequest request, ServletResponse response,

            FilterChain chain) throws IOException, ServletException {

        FilterInvocation fi = new FilterInvocation(request, response,chain);

        invoke(fi);

    }

    @Override

    public void destroy() {

        // TODO Auto-generated method stub

    }

    @Override

    public Class<?> getSecureObjectClass() {

        // TODO Auto-generated method stub

        return FilterInvocation.class;

    }

    @Override

    public SecurityMetadataSource obtainSecurityMetadataSource() {

        // TODO Auto-generated method stub

        return this.securityMetadataSource;

    }

    public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {

        return securityMetadataSource;

    }

    public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) {

        this.securityMetadataSource = securityMetadataSource;

    }

    public void invoke(FilterInvocation fi) throws IOException

        ,ServletException{

        InterceptorStatusToken token = super.beforeInvocation(fi);

        try {

            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());

        } catch (Exception e) {

            // TODO: handle exception

        }finally{

            super.afterInvocation(token, null);

        }

    }

}

6.DefaultUserDetailsService的实现

在这个类中你可以通过读取数据库来进行权限赋值,下面的代码未注解的是我写的静态的

package com.demo.im.model.security;

import java.util.ArrayList;

import java.util.Collection;

import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.security.core.GrantedAuthority;

import org.springframework.security.core.authority.GrantedAuthorityImpl;

import org.springframework.security.core.userdetails.User;

import org.springframework.security.core.userdetails.UserDetails;

import org.springframework.security.core.userdetails.UserDetailsService;

import org.springframework.security.core.userdetails.UsernameNotFoundException;

import org.springframework.stereotype.Service;

import com.demo.im.entity.Role;

import com.demo.im.entity.TUser;

import com.demo.im.model.dao.TUserMapper;

@Service

public class DefaultUserDetailsService implements UserDetailsService {

    @Autowired

    TUserMapper userDao;

    @Override

    public UserDetails loadUserByUsername(String username)

            throws UsernameNotFoundException {

        // TODO Auto-generated method stub

        System.out.println("userDetail********");

        Collection <GrantedAuthority> auths = new ArrayList<GrantedAuthority>();

        GrantedAuthority auth2 = new GrantedAuthorityImpl("ROLE_ADMIN");

        auths.add(auth2);

        User user = new User(username,"1111",true,true,true,true,auths);

        return user;

//        TUser paramU = new TUser();

//        paramU.setUsername(username);

//        List<TUser> userList = userDao.selectByUserParam(paramU);

//        TUser user = new TUser();

//        if(userList==null || userList.size()<=0){

//            throw new UsernameNotFoundException("username");

//        }

//        //得到用户权限

//        if(user.getRoles()!=null && user.getRoles().size()>0){

//

//            for(Role role : user.getRoles()){

//                GrantedAuthority grantedAuthority = new GrantedAuthorityImpl(

//                        role.getRolecode().toUpperCase());

//                auths.add(grantedAuthority);

//            }

//

//        }

//        user.setAuthorities(auths);

//        return user;

    }

}

7.MyInvocationSecurityMetadaSource类的内容

这个类说白了就是从数据库中取出资源对应的权限,我这里也是写的静态的,修改为动态的方法也很简单,执行一个查询就行了

package com.demo.im.model.security;

import java.util.ArrayList;

import java.util.Collection;

import java.util.HashMap;

import java.util.Iterator;

import java.util.Map;

import org.springframework.security.access.ConfigAttribute;

import org.springframework.security.access.SecurityConfig;

import org.springframework.security.web.FilterInvocation;

import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

public class MyInvocationSecurityMetadaSource

    implements FilterInvocationSecurityMetadataSource{

//    private UrlMatcher urlMatcher = new AntUrlPathMatcher();

    private static Map<String,Collection<ConfigAttribute>> resourceMap = null;

    public MyInvocationSecurityMetadaSource(){

        loadResourceDefine();

    }

    private void loadResourceDefine(){

        resourceMap = new HashMap<String, Collection<ConfigAttribute>>();

        Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>();

        ConfigAttribute ca = new SecurityConfig("ROLE_ADMIN");

        atts.add(ca);

        resourceMap.put("/user.jsp", atts);

        resourceMap.put("/admin.jsp", atts);

        resourceMap.put("/index.jsp",atts);

    }

    @Override

    public Collection<ConfigAttribute> getAttributes(Object object)

            throws IllegalArgumentException {

        // TODO Auto-generated method stub

        String url = ((FilterInvocation)object).getRequestUrl();

        Iterator<String> ite = resourceMap.keySet().iterator();

        while(ite.hasNext()){

            String resURL = ite.next();

            if(url.equalsIgnoreCase(resURL)){

                return resourceMap.get(resURL);

            }

        }

        return null;

    }

    @Override

    public Collection<ConfigAttribute> getAllConfigAttributes() {

        // TODO Auto-generated method stub

        return null;

    }

    @Override

    public boolean supports(Class<?> clazz) {

        // TODO Auto-generated method stub

        return true;

    }

}

8.最后就是决策类了MyAccessDecisionManager

这个类就更好理解了,我们知道了用户的角色,我们也知道资源的角色,对比一下,也就是decide()一致就返回,不行就抛异常

package com.demo.im.model.security;

import java.util.Collection;

import java.util.Iterator;

import org.springframework.security.access.AccessDecisionManager;

import org.springframework.security.access.AccessDeniedException;

import org.springframework.security.access.ConfigAttribute;

import org.springframework.security.access.SecurityConfig;

import org.springframework.security.authentication.InsufficientAuthenticationException;

import org.springframework.security.core.Authentication;

import org.springframework.security.core.GrantedAuthority;

public class MyAccessDecisionManager implements AccessDecisionManager{

    @Override

    public void decide(Authentication authentication, Object object,

            Collection<ConfigAttribute> configAttributes) throws AccessDeniedException,

            InsufficientAuthenticationException {

        if(configAttributes  == null){

            return ;

        }

        System.out.println(object.toString());

        Iterator<ConfigAttribute> ite = configAttributes.iterator();

        while(ite.hasNext()){

            ConfigAttribute ca = ite.next();

            String needRole = ((SecurityConfig)ca).getAttribute();

            for(GrantedAuthority ga : authentication.getAuthorities()){

                if(needRole.equals(ga.getAuthority())){

                    return ;

                }

            }

        }

        throw new AccessDeniedException("no right");

    }

    @Override

    public boolean supports(ConfigAttribute arg0) {

        // TODO Auto-generated method stub

        return true;

    }

    @Override

    public boolean supports(Class<?> arg0) {

        // TODO Auto-generated method stub

        return true;

    }

}

9总结:

到这里一个基本的spring  security算是搭建完了。过会在来说说我遇到的坑。方便以后大家找自己的坑。

spring security 3.2 配置详解(结合数据库)的更多相关文章

  1. Spring 入门 web.xml配置详解

    Spring 入门 web.xml配置详解 https://www.cnblogs.com/cczz_11/p/4363314.html https://blog.csdn.net/hellolove ...

  2. Spring学习 6- Spring MVC (Spring MVC原理及配置详解)

    百度的面试官问:Web容器,Servlet容器,SpringMVC容器的区别: 我还写了个文章,说明web容器与servlet容器的联系,参考:servlet单实例多线程模式 这个文章有web容器与s ...

  3. Spring Security之Remember me详解

    Remember me功能就是勾选"记住我"后,一次登录,后面在有效期内免登录. 先看具体配置: pom文件: <dependency> <groupId> ...

  4. spring boot application properties配置详解

    # =================================================================== # COMMON SPRING BOOT PROPERTIE ...

  5. 笔记:Spring Cloud Ribbon 客户端配置详解

    自动化配置 由于 Ribbon 中定义的每一个接口都有多种不同的策略实现,同时这些接口之间又有一定的依赖关系,Spring Cloud Ribbon 中的自动化配置能够很方便的自动化构建接口的具体实现 ...

  6. 电商网站开发记录(三) Spring的引入,以及配置详解

    1.web.xml配置注解<?xml version="1.0" encoding="UTF-8"?><web-app xmlns:xsi=& ...

  7. Spring Cloud Eureka 常用配置详解,建议收藏!

    前几天,栈长分享了 <Spring Cloud Eureka 注册中心集群搭建,Greenwich 最新版!>,今天来分享下 Spring Cloud Eureka 常用的一些参数配置及说 ...

  8. Spring声明式事务配置详解

    Spring支持编程式事务管理和声明式的事务管理. 编程式事务管理 将事务管理代码嵌到业务方法中来控制事务的提交和回滚 缺点:必须在每个事务操作业务逻辑中包含额外的事务管理代码 声明式事务管理 一般情 ...

  9. Spring MVC原理及配置详解

    Spring MVC概述: Spring MVC是Spring提供的一个强大而灵活的web框架.借助于注解,Spring MVC提供了几乎是POJO的开发模式,使得控制器的开发和测试更加简单.这些控制 ...

随机推荐

  1. Android Touch事件传递机制详解

    Android开发的朋友经常处理各种触摸事件,然而在触摸事件的传递过程中主要用到三个方法:dispatchTouchEvent().onInterceptTouchEvent()和onTouchEve ...

  2. 【入门】 jpa--实体管理器的基本应用

    1.新建Jpa项目 2.引入所需的jar 包 3.创建实体类 package com.watchfree.entity; import javax.persistence.Entity; import ...

  3. [转载]Difference between <context:annotation-config> vs <context:component-scan>

    在国外看到详细的说明一篇,非常浅显透彻.转给国内的筒子们:-) 原文标题: Spring中的<context:annotation-config>与<context:componen ...

  4. JQuery导航选择特效

    一.实现效果 1.初始化效果:未添加样式和特效 2.添加CSS样式 3.最终效果 二.JQuery代码 <!--编写JQuery代码--> <script type="te ...

  5. 7. ensemble learning & AdaBoost

    1. ensemble learning 集成学习 集成学习是通过构建并结合多个学习器来完成学习任务,如下图: 集成学习通过将多个学习学习器进行结合,常可以获得比单一学习器更优秀的泛化性能 从理论上来 ...

  6. 带阈值的平滑l0范数加速稀疏恢复——同名英文论文翻译

    原文链接:Thresholded Smoothed l0 Norm for Accelerated Sparse Recovery http://ieeexplore.ieee.org/documen ...

  7. iOS10配置说明

    1:如果你的App想要访问用户的相机.相册.麦克风.通讯录等等权限,都需要进行相关的配置,不然会直接crash掉. 要想解决这个问题,只需要在info.plist添加NSContactsUsageDe ...

  8. JAVASE02-Unit09: 多线程基础

    Unit09: 多线程基础 * 线程 * 线程用于并发执行多个任务.感官上像是"同时"执行 *  * 创建线程有两种方式. * 方式一: * 继承线程并重写run方法来定义线程要执 ...

  9. Ubuntu 16.04 LTS发布

    [Ubuntu 16.04 LTS发布]Ubuntu 16.04 LTS 发布日期已正式确定为 2016 年 4 月 21 日,代号为 Xenial Xerus.Ubuntu16.04 将是非常受欢迎 ...

  10. buildroot--uboot&kernel&rootfs全编译工具

    参考: http://www.crifan.com/files/doc/docbook/buildroot_intro/release/html/buildroot_intro.html https: ...