spring security 三中使用自定义数据库来设置权限

spring security 3 中使用自定义数据库来设置权限

分类： spring security2010-07-05 15:29 28199人阅读评论(42) 收藏举报

securityspring数据库authenticationobjectfilter

参考文档： http://wenku.baidu.com/view/4ec7e324ccbff121dd368364.html

在spring security3中使用自己定义的数据结构来实现权限设置。

数据库
- 用户表
- 角色表
- action表，即资源表
- 角色-用户关联表
- actiion-角色关联表
配置过程
- web.xml中加入过滤器
  [xhtml] view plaincopy
  1. 
  2. <filter>
  3. <filter-name>springSecurityFilterChain</filter-name>
  4. <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  5. </filter>
  6. <filter-mapping>
  7. <filter-name>springSecurityFilterChain</filter-name>
  8. <url-pattern>/*</url-pattern>
  9. </filter-mapping>
  10. 
- 在applicationContext.xml中import spring security部分的配置
  [c-sharp] view plaincopy
  1. <import resource="security3.0_JPA.xml"/>
- 配置import resource="security3.0_JPA.xml
  [c-sharp] view plaincopy
  1. <?xml version="1.0" encoding="UTF-8"?>
  2. <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans
  3. http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
  4. http://www.springframework.org/schema/security
  5. http://www.springframework.org/schema/security/spring-security-3.0.xsd">
  6. <http auto-config="true" access-denied-page="/jsp/accessDenied.jsp">
  7. <intercept-url pattern="/css/**" filters="none" />
  8. <intercept-url pattern="/images/**" filters="none" />
  9. <intercept-url pattern="/js/**" filters="none" />
  10. 
  12. <custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR" />
  13. </http>
  14. 
  16. <beans:bean id="myFilter" class="com.softvan.spring.security.FilterSecurityInterceptor">
  17. <beans:property name="authenticationManager" ref="MyAuthenticationManager" />
  18. 
  19. <beans:property name="accessDecisionManager" ref="AccessDecisionManager" />
  20. <beans:property name="securityMetadataSource" ref="MySecurityMetadataSource" />
  21. </beans:bean>
  22. 
  23. <beans:bean id="MySecurityMetadataSource" init-method="loadResourceDefine" class="com.softvan.spring.security.InvocationSecurityMetadataSourceService">
  24. <beans:property name="roleService" ref="RoleService" />
  25. <beans:property name="actionService" ref="ActionService" />
  26. </beans:bean>
  28. 
  29. <authentication-manager alias="MyAuthenticationManager">
  30. <authentication-provider user-service-ref="UserDetailService">
  31. 
  34. </authentication-provider>
  35. </authentication-manager>
  36. </beans:beans>
相关java代码
- AccessDecisionManager.java
  [java] view plaincopy
  1. /**
  2. *
  3. */
  4. package com.softvan.spring.security;
  5. import org.apache.log4j.Logger;
  6. /**
  7. * @author 徐泽宇(roamer)
  8. *
  9. * 2010-7-4
  10. */
  11. import java.util.Collection;
  12. import java.util.Iterator;
  13. import org.springframework.security.access.AccessDeniedException;
  14. import org.springframework.security.access.ConfigAttribute;
  15. import org.springframework.security.access.SecurityConfig;
  16. import org.springframework.security.authentication.InsufficientAuthenticationException;
  17. import org.springframework.security.core.Authentication;
  18. import org.springframework.security.core.GrantedAuthority;
  19. import org.springframework.stereotype.Service;
  20. @Service("AccessDecisionManager")
  21. public class AccessDecisionManager implements org.springframework.security.access.AccessDecisionManager {
  22. /**
  23. * Logger for this class
  24. */
  25. private static final Logger logger = Logger.getLogger(AccessDecisionManager.class);
  26. // In this method, need to compare authentication with configAttributes.
  27. // 1, A object is a URL, a filter was find permission configuration by this
  28. // URL, and pass to here.
  29. // 2, Check authentication has attribute in permission configuration
  30. // (configAttributes)
  31. // 3, If not match corresponding authentication, throw a
  32. // AccessDeniedException.
  33. public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
  34. if (logger.isDebugEnabled()) {
  35. logger.debug("decide(Authentication, Object, Collection<ConfigAttribute>) - start"); //$NON-NLS-1$
  36. }
  37. if (configAttributes == null) {
  38. if (logger.isDebugEnabled()) {
  39. logger.debug("decide(Authentication, Object, Collection<ConfigAttribute>) - end"); //$NON-NLS-1$
  40. }
  41. return;
  42. }
  43. if (logger.isDebugEnabled()){
  44. logger.debug("正在访问的url是："+object.toString());
  45. }
  46. Iterator<ConfigAttribute> ite = configAttributes.iterator();
  47. while (ite.hasNext()) {
  48. ConfigAttribute ca = ite.next();
  49. logger.debug("needRole is："+ca.getAttribute());
  50. String needRole = ((SecurityConfig) ca).getAttribute();
  51. for (GrantedAuthority ga : authentication.getAuthorities()) {
  52. logger.debug("/t授权信息是："+ga.getAuthority());
  53. if (needRole.equals(ga.getAuthority())) { // ga is user's role.
  54. if (logger.isDebugEnabled()) {
  55. logger.debug("判断到，needRole 是"+needRole+",用户的角色是:"+ga.getAuthority()+"，授权数据相匹配");
  56. logger.debug("decide(Authentication, Object, Collection<ConfigAttribute>) - end"); //$NON-NLS-1$
  57. }
  58. return;
  59. }
  60. }
  61. }
  62. throw new AccessDeniedException("没有权限");
  63. }
  64. public boolean supports(ConfigAttribute attribute) {
  65. // TODO Auto-generated method stub
  66. return true;
  67. }
  68. public boolean supports(Class<?> clazz) {
  69. return true;
  70. }
  71. }
- FilterSecurityInterceptor.java
  [java] view plaincopy
  1. /**
  2. *
  3. */
  4. package com.softvan.spring.security;
  5. import org.apache.log4j.Logger;
  6. /**
  7. * @author 徐泽宇(roamer)
  8. *
  9. * 2010-7-4
  10. */
  11. import java.io.IOException;
  12. import javax.servlet.Filter;
  13. import javax.servlet.FilterChain;
  14. import javax.servlet.FilterConfig;
  15. import javax.servlet.ServletException;
  16. import javax.servlet.ServletRequest;
  17. import javax.servlet.ServletResponse;
  18. import org.springframework.security.access.SecurityMetadataSource;
  19. import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
  20. import org.springframework.security.access.intercept.InterceptorStatusToken;
  21. import org.springframework.security.web.FilterInvocation;
  22. import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
  23. public class FilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
  24. /**
  25. * Logger for this class
  26. */
  27. private static final Logger logger = Logger.getLogger(FilterSecurityInterceptor.class);
  28. private FilterInvocationSecurityMetadataSource securityMetadataSource;
  29. public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
  30. if (logger.isDebugEnabled()) {
  31. logger.debug("doFilter(ServletRequest, ServletResponse, FilterChain) - start"); //$NON-NLS-1$
  32. }
  33. FilterInvocation fi = new FilterInvocation(request, response, chain);
  34. invoke(fi);
  35. if (logger.isDebugEnabled()) {
  36. logger.debug("doFilter(ServletRequest, ServletResponse, FilterChain) - end"); //$NON-NLS-1$
  37. }
  38. }
  39. public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
  40. return this.securityMetadataSource;
  41. }
  42. public Class<? extends Object> getSecureObjectClass() {
  43. return FilterInvocation.class;
  44. }
  45. public void invoke(FilterInvocation fi) throws IOException, ServletException {
  46. InterceptorStatusToken token = super.beforeInvocation(fi);
  47. try {
  48. fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
  49. } finally {
  50. super.afterInvocation(token, null);
  51. }
  52. }
  53. @Override
  54. public SecurityMetadataSource obtainSecurityMetadataSource() {
  55. return this.securityMetadataSource;
  56. }
  57. public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) {
  58. this.securityMetadataSource = securityMetadataSource;
  59. }
  60. public void destroy() {
  61. // TODO Auto-generated method stub
  62. }
  63. public void init(FilterConfig filterconfig) throws ServletException {
  64. // TODO Auto-generated method stub
  65. }
  66. }
- InvocationSecurityMetadataSourceService.java
  [java] view plaincopy
  1. /**
  2. *
  3. */
  4. package com.softvan.spring.security;
  5. import java.util.ArrayList;
  6. import java.util.Collection;
  7. import java.util.HashMap;
  8. import java.util.Iterator;
  9. import java.util.List;
  10. import java.util.Map;
  11. import org.apache.log4j.Logger;
  12. import org.springframework.security.access.ConfigAttribute;
  13. import org.springframework.security.access.SecurityConfig;
  14. import org.springframework.security.web.FilterInvocation;
  15. import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
  16. import org.springframework.security.web.util.AntUrlPathMatcher;
  17. import org.springframework.security.web.util.UrlMatcher;
  18. import org.springframework.stereotype.Service;
  19. import com.alcor.acl.domain.TAction;
  20. import com.alcor.acl.domain.TRole;
  21. import com.alcor.acl.service.ActionService;
  22. import com.alcor.acl.service.RoleService;
  23. /*
  24. *
  25. * 最核心的地方，就是提供某个资源对应的权限定义，即getAttributes方法返回的结果。
  26. * 注意，我例子中使用的是AntUrlPathMatcher这个path matcher来检查URL是否与资源定义匹配，
  27. * 事实上你还要用正则的方式来匹配，或者自己实现一个matcher。
  28. *
  29. * 此类在初始化时，应该取到所有资源及其对应角色的定义
  30. *
  31. * 说明：对于方法的spring注入，只能在方法和成员变量里注入，
  32. * 如果一个类要进行实例化的时候，不能注入对象和操作对象，
  33. * 所以在构造函数里不能进行操作注入的数据。
  34. */
  35. @Service("InvocationSecurityMetadataSourceService")
  36. public class InvocationSecurityMetadataSourceService implements FilterInvocationSecurityMetadataSource {
  37. /**
  38. * Logger for this class
  39. */
  40. private static final Logger logger = Logger.getLogger(InvocationSecurityMetadataSourceService.class);
  42. private RoleService roleService ;
  43. private ActionService actionService;
  45. private UrlMatcher urlMatcher = new AntUrlPathMatcher();
  46. private static Map<String, Collection<ConfigAttribute>> resourceMap = null;
  47. public void loadResourceDefine()throws Exception {
  48. this.resourceMap = new HashMap<String, Collection<ConfigAttribute>>();
  50. //通过数据库中的信息设置，resouce和role
  51. for (TRole item:this.roleService.getAllRoles()){
  52. Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>();
  53. ConfigAttribute ca = new SecurityConfig(item.getRoleName());
  54. atts.add(ca);
  55. List<TAction> tActionList = actionService.findByRoleID(item.getRoleId());
  56. //把资源放入到spring security的resouceMap中
  57. for(TAction tAction:tActionList){
  58. logger.debug("获得角色：["+item.getRoleName()+"]拥有的acton有："+tAction.getActionUrl());
  59. this.resourceMap.put(tAction.getActionUrl(), atts);
  60. }
  61. }
  63. /*//通过硬编码设置，resouce和role
  64. resourceMap = new HashMap<String, Collection<ConfigAttribute>>();
  65. Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>();
  66. ConfigAttribute ca = new SecurityConfig("admin");
  67. atts.add(ca);
  68. resourceMap.put("/jsp/admin.jsp", atts);
  69. resourceMap.put("/swf/zara.html", atts);*/
  71. }
  72. // According to a URL, Find out permission configuration of this URL.
  73. public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
  74. if (logger.isDebugEnabled()) {
  75. logger.debug("getAttributes(Object) - start"); //$NON-NLS-1$
  76. }
  77. // guess object is a URL.
  78. String url = ((FilterInvocation) object).getRequestUrl();
  79. Iterator<String> ite = resourceMap.keySet().iterator();
  80. while (ite.hasNext()) {
  81. String resURL = ite.next();
  82. if (urlMatcher.pathMatchesUrl(url, resURL)) {
  83. Collection<ConfigAttribute> returnCollection = resourceMap.get(resURL);
  84. if (logger.isDebugEnabled()) {
  85. logger.debug("getAttributes(Object) - end"); //$NON-NLS-1$
  86. }
  87. return returnCollection;
  88. }
  89. }
  90. if (logger.isDebugEnabled()) {
  91. logger.debug("getAttributes(Object) - end"); //$NON-NLS-1$
  92. }
  93. return null;
  94. }
  95. public boolean supports(Class<?> clazz) {
  96. return true;
  97. }
  98. public Collection<ConfigAttribute> getAllConfigAttributes() {
  99. return null;
  100. }
  101. public RoleService getRoleService() {
  102. return roleService;
  103. }
  104. public void setRoleService(RoleService roleService) {
  105. this.roleService = roleService;
  106. }
  107. public ActionService getActionService() {
  108. return actionService;
  109. }
  110. public void setActionService(ActionService actionService) {
  111. this.actionService = actionService;
  112. }
  113. }
- UserDetailService.java
  [java] view plaincopy
  1. /**
  2. *
  3. */
  4. package com.softvan.spring.security;
  5. import java.util.ArrayList;
  6. import java.util.Collection;
  7. import java.util.Set;
  8. import javax.inject.Inject;
  9. import org.apache.log4j.Logger;
  10. import org.springframework.dao.DataAccessException;
  11. import org.springframework.security.core.GrantedAuthority;
  12. import org.springframework.security.core.authority.GrantedAuthorityImpl;
  13. import org.springframework.security.core.userdetails.User;
  14. import org.springframework.security.core.userdetails.UserDetails;
  15. import org.springframework.security.core.userdetails.UserDetailsService;
  16. import org.springframework.security.core.userdetails.UsernameNotFoundException;
  17. import org.springframework.stereotype.Service;
  18. import com.alcor.acl.domain.TRole;
  19. import com.alcor.acl.domain.TUser;
  20. @Service("UserDetailService")
  21. public class UserDetailService implements UserDetailsService {
  22. /**
  23. * Logger for this class
  24. */
  25. private static final Logger logger = Logger.getLogger(UserDetailService.class);
  26. @Inject
  27. com.alcor.acl.component.User user ;
  29. public UserDetails loadUserByUsername(String username)throws UsernameNotFoundException, DataAccessException {
  30. if (logger.isDebugEnabled()) {
  31. logger.debug("loadUserByUsername(String) - start"); //$NON-NLS-1$
  32. }
  34. Collection<GrantedAuthority> auths=new ArrayList<GrantedAuthority>();
  36. String password=null;
  37. //取得用户的密码
  38. TUser tUser = user.getUserByName(username);
  39. if (tUser ==null){
  40. String message = "用户"+username+"不存在";
  41. logger.error(message);
  42. throw new UsernameNotFoundException(message);
  43. }
  44. password=user.getUserByName(username).getPassword();
  46. //获得用户的角色
  47. Set<TRole> tRoles =tUser.getTRoles();
  48. for(TRole item : tRoles){
  49. GrantedAuthorityImpl grantedAuthorityImpl = new GrantedAuthorityImpl(item.getRoleName());
  50. if (logger.isDebugEnabled()){
  51. logger.debug("用户：["+tUser.getName()+"]拥有角色：["+item.getRoleName()+"],即spring security中的access");
  52. }
  53. auths.add(grantedAuthorityImpl);
  54. }
  56. User user = new User(username,password, true, true, true, true, auths);
  58. if (logger.isDebugEnabled()) {
  59. logger.debug("loadUserByUsername(String) - end"); //$NON-NLS-1$
  60. }
  61. return user;
  62. }
  63. }

spring security 三 中使用自定义数据库来设置权限

spring security 3 中使用自定义数据库来设置权限

相关推荐

spring security 三中使用自定义数据库来设置权限