SpringSecurity3.X权限原理(转)

 

这里给出一个简单的安全验证的实现例子，先说一下需求：

1.通过登录页面进行登录

2.用户登录前访问被保护的地址时自动跳转到登录页面

3.用户信息存储在数据表中

4.用户权限信息存在在数据表中

5.用户登录成功后访问没有权限访问的地址时跳转到登录页面

ok，以上就是一个基本的需求了，大部分的系统都是基于该需求实现登录模块的。

给出实现之前，先简单说明一下springsecurity的原理，

1.AccessDecisionManager

和我们一般实现登录验证采用filter的方式一样，springsecurity也是一个过滤器，当请求被springsecurity拦截后，会先对用户请求的资源进行安全认证，如果用户有权访问该资源，则放行，否则将阻断用户请求或提供用户登录，

在springsecurity中，负责对用户的请求资源进行安全认证的是AccessDecisionManager，它就是一组投票器的集合，默认的策略是使用一个AffirmativeBased，既只要有一个投票器通过验证就允许用户访问，

所以如果希望实现自己的权限验证策略，实现自己的投票器是一个很好的选择。

2.UserDetailsService

如果用户没有登录就访问某一个受保护的资源，则springsecurity会提示用户登录，用户登录后，由UserDetailsService来验证用户是否合法，既验证用户名和密码是否正确，同时验证用户是否具备相应的资源权限，

即对应的access的value。

如果用户验证通过，则由AccessDecisionManager来决定是否用户可以访问该资源。

下面给出具体实现：

web.xml

基本上都是这样配置，就不废话了。

Xml代码 

1. <</span> filter >
2. <</span> filter-name > springSecurityFilterChain </</span> filter-name >
3. <</span> filter-class > org.springframework.web.filter.DelegatingFilterProxy </</span> filter-class>
4. </</span> filter >
5. <</span> filter-mapping >
6. <</span> filter-name > springSecurityFilterChain </</span> filter-name >
7. <</span> url-pattern > *.do*" access = "HODLE" />
8. <</span> logout logout-url = "/logout.do" invalidate-session = "true"
9. logout-success-url = "/logout.jsp" />
10. <</span> form-login login-page = "/index.do" default-target-url = "/frame.do"
11. always-use-default-target = "true" authentication-failure-url = "/index.do?login_error=1" />
12. <</span> session-management >
13. <</span> concurrency-control max-sessions = "1" />
14. </</span> session-management >
15. </</span> http >
16. <</span> beans:bean id = "loggerListener"
17. class = "org.springframework.security.authentication.event.LoggerListener" />
18. <</span> authentication-manager >
19. <</span> authentication-provider user-service-ref = "userService" >
20. <</span> password-encoder hash = "md5" />
21. </</span> authentication-provider >
22. </</span> authentication-manager >
23. <</span> beans:bean id = "userService" class = "com.piaoyi.common.security.UserService" />
24. <</span> beans:bean id = "accessDecisionManager"
25. class = "org.springframework.security.access.vote.AffirmativeBased" >
26. <</span> beans:property name = "decisionVoters" >
27. <</span> beans:list >
28. <</span> beans:bean class = "org.springframework.security.access.vote.RoleVoter" />
29. <</span> beans:bean
30. class = "org.springframework.security.access.vote.AuthenticatedVoter" />
31. <</span> beans:bean class = "com.piaoyi.common.security.DynamicRoleVoter" />
32. </</span> beans:list >
33. </</span> beans:property >
34. </</span> beans:bean >
35. </</span> beans:beans >

UserService.java

Java代码 

1. public class UserService  implements UserDetailsService{
2. @Autowired
3. private ISystemUserService userService;
4. @Override
5. public UserDetails loadUserByUsername(String username)
6. throws UsernameNotFoundException {
7. // TODO Auto-generated method stub
8. SystemUser user = userService.findById(username);
9. if (user ==  null )
10. throw new UsernameNotFoundException( "The user name " + username
11. + " can not be found!" );
12. List resultAuths = new ArrayList();
13. //增加access中配置的权限，实际上这里就是让所有登陆用户都具备该权限，
14. //而真正的资源权限验证留给AccessDecisionManager来决定
15. resultAuths.add(new GrantedAuthorityImpl( "HODLE" ));
16. //验证用户名和密码是否正确，以及是否权限正确
17. return new User(username, user.getPassword().toLowerCase(), user.isStatus(),  true ,
18. true ,  true , resultAuths);
19. }
20. }

DynamicRoleVoter.java

Java代码 

1. public class DynamicRoleVoter  implements
2. AccessDecisionVoter {
3. @Autowired
4. private ISystemUserService userService;
5. private PathMatcher pathMatcher =  new AntPathMatcher();
6. @SuppressWarnings ( "unchecked" )
7. public boolean supports(Class clazz) {
8. return true ;
9. }
10. public boolean supports(ConfigAttribute attribute) {
11. return true ;
12. }
13. public int vote(Authentication authentication, Object object,
14. java.util.Collection arg2) {
15. int result = ACCESS_ABSTAIN;
16. if (!(object  instanceof FilterInvocation))
17. return result;
18. FilterInvocation invo = (FilterInvocation) object;
19. String url = invo.getRequestUrl();//当前请求的URL
20. Set authorities = null ;
21. String userId = authentication.getName();
22. //获得当前用户的可访问资源，自定义的查询方法，之后和当前请求资源进行匹配，成功则放行，否则拦截
23. authorities = loadUserAuthorities(userService.findById(userId));
24. Map> urlAuths = authService.getUrlAuthorities();
25. Set keySet = urlAuths.keySet();
26. for (String key : keySet) {
27. boolean matched = pathMatcher.match(key, url);
28. if (!matched)
29. continue ;
30. Set mappedAuths = urlAuths.get(key);
31. if (contain(authorities, mappedAuths)) {
32. result = ACCESS_GRANTED;
33. break ;
34. }
35. }
36. return result;
37. }
38. protected boolean contain(Set authorities,
39. Set mappedAuths) {
40. if (CollectionUtils.isEmpty(mappedAuths)
41. || CollectionUtils.isEmpty(authorities))
42. return false ;
43. for (GrantedAuthority item : authorities) {
44. if (mappedAuths.contains(item.getAuthority()))
45. return true ;
46. }
47. return false ;
48. }
49. }