Four ways to implement Spring Security
Spring Security can be implemented in roughly these ways:
1. Configuration file only: in the configuration file, specify the authority each intercepted URL requires and configure a userDetailsService that fixes the user name, password and corresponding authorities. That alone is enough.
2. Implement UserDetailsService and its loadUserByUsername(String userName) method: apply your own business logic to userName and return an implementation of UserDetails. This needs a custom User class implementing UserDetails; its most important method is getAuthorities(), which returns the authorities the user holds.
3. Override the Spring Security interceptor with a custom filter to filter user permissions dynamically.
4. Override the Spring Security interceptor with a custom filter to verify users with custom parameters, and also filter permissions.
1. Simplest configuration, spring-security.xml (implementation 1)
```xml
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:p="http://www.springframework.org/schema/p" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-4.0.xsd">
    <!-- use-expressions: configure access control with Spring Expression Language -->
    <security:http auto-config="true" use-expressions="false">
        <!-- Authority interception: every URL requires a logged-in user holding ROLE_USER -->
        <security:intercept-url pattern="/**" access="ROLE_USER" />
    </security:http>
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider>
            <!-- Default user: name admin, password 123456, authority ROLE_USER -->
            <security:user-service>
                <security:user name="admin" password="123456"
                    authorities="ROLE_USER" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
```
2. Implement UserDetailsService
First, an outline of the Spring Security authentication flow:
Login authentication in Spring Security is performed by the filter org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter. Its parent class AbstractAuthenticationProcessingFilter has a property of type AuthenticationManager, and the authentication work is done mainly through the instance behind that interface. By default the framework injects an instance of org.springframework.security.authentication.ProviderManager into that property.
The authentication process of UsernamePasswordAuthenticationFilter is as follows:
1. The filter first calls its own attemptAuthentication method and takes the authentication out of the request. This authentication is an instance of org.springframework.security.core.Authentication, generated in the org.springframework.security.web.context.SecurityContextPersistenceFilter filter by capturing the contents of the login form the user submitted.
2. With the authentication object in hand, the filter calls the authenticate method of ProviderManager, passing that object in.
3. ProviderManager.authenticate calls authenticate(Authentication authentication) on each AuthenticationProvider implementation in its List<AuthenticationProvider> providers collection. So the real verification logic is carried out by the individual AuthenticationProvider implementations. DaoAuthenticationProvider is the AuthenticationProvider implementation injected by default.
4. When the provider implementation verifies the user, it calls the loadUserByUsername method of the UserDetailsService implementation to fetch the user information.
First, the spring-security configuration file:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.3.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">
    <!-- use-expressions="true" requires the authorities to be written as expressions -->
    <http auto-config="true" use-expressions="false">
        <!-- This is Spring's http/https channel security, and it is important: your request channel is secure! -->
        <!--
            Release the login page so anyone can access it; IS_AUTHENTICATED_ANONYMOUSLY means it is not intercepted.
            Another way to leave a resource unintercepted: <http pattern="/login.jsp" security="none">
        -->
        <intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <!-- Pages the user accesses normally -->
        <intercept-url pattern="/**" access="ROLE_USER"/>
        <!-- Custom login page; default-target-url is the page shown after a successful login,
             authentication-failure-url="/login.jsp?error=true" is the page shown after a failed login -->
        <form-login login-page="/login.jsp" default-target-url="/jsp/index/main.jsp" authentication-failure-url="/login.jsp?error=true"/>
        <!-- Remember me -->
        <!-- <remember-me key="elim" user-service-ref="securityManager"/> -->
    </http>
    <authentication-manager alias="authenticationManager">
        <!--
            authentication-provider uses the user-service-ref attribute to reference a UserDetailsService implementation
            and the ref attribute to reference an AuthenticationProvider implementation. The difference:
            ref: injects the referenced bean directly into the providers collection of the ProviderManager
            user-service-ref: defines a DaoAuthenticationProvider bean, injects it into the providers collection,
            and sets the DaoAuthenticationProvider's userDetailsService field to the bean referenced by user-service-ref.
        -->
        <authentication-provider user-service-ref="msecurityManager">
            <!-- Password encoding -->
            <password-encoder ref="myPasswordEncoder"/>
        </authentication-provider>
    </authentication-manager>
    <!-- UserDetailsService implementation -->
    <beans:bean id="msecurityManager" class="com.ultrapower.me.util.security.support.SecurityManagerSupport"></beans:bean>
    <!-- Password encoding -->
    <beans:bean id="myPasswordEncoder" class="com.ultrapower.me.util.security.MyPasswordEncoder"/>
</beans:beans>
```
The UserDetailsService implementation:
```java
package com.ultrapower.me.util.security.support;

import java.util.HashSet;
import java.util.Set;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.dao.DataAccessException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

import com.ultrapower.me.util.Constants;
import com.ultrapower.me.util.security.entity.Resource;
import com.ultrapower.me.util.security.entity.Role;
import com.ultrapower.me.util.security.entity.User;
import com.ultrapower.me.util.task.PasswordUtils;

public class SecurityManagerSupport implements UserDetailsService {
    private Log log = LogFactory.getLog(this.getClass().getName());

    @Override
    public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException, DataAccessException {
        // List<User> users = getHibernateTemplate().find("FROM User user WHERE user.name = ? AND user.disabled = false", userName);
        log.info("SecurityManagerSupport.loadUserByUsername.userName:" + userName);
        User user = null;
        if ("admin".equals(userName)) {
            Set<Role> roles = new HashSet<Role>();
            Role role = new Role();
            role.setRoleid("ROLE_USER");
            role.setRoleName("ROLE_USER");
            Set<Resource> resources = new HashSet<Resource>();
            Resource res = new Resource();
            res.setResid("ME001");
            res.setResName("首页");
            res.setResUrl("/jsp/index/main.jsp");
            res.setType("ROLE_USER");
            res.setRoles(roles);
            resources.add(res);
            role.setResources(resources);
            roles.add(role);
            user = new User();
            user.setAccount("admin");
            user.setDisabled(false);
            user.setPassword(PasswordUtils.entryptPassword(Constants.securityKey));
            log.info(user.getPassword()); // writes the encoded password to the log; keep this out of production builds
            user.setRoles(roles);
        }
        if (user == null) {
            // The UserDetailsService contract requires an exception for an unknown user, not a null return
            throw new UsernameNotFoundException("User not found: " + userName);
        }
        return user; // return the UserDetails implementation; a non-null user passes this step and goes on to the password check
    }
}
```
The UserDetails implementation:
```java
package com.ultrapower.me.util.security.entity;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.apache.commons.lang.StringUtils;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

public class User implements UserDetails {
    private static final long serialVersionUID = 8026813053768023527L;

    private String account;
    private String name;
    private String password;
    private boolean disabled;
    private Set<Role> roles;
    private Map<String, List<Resource>> roleResources;

    /**
     * The default constructor
     */
    public User() {
    }

    /**
     * Returns the authorities as a comma-separated string, e.g.
     *   downpour --- ROLE_ADMIN,ROLE_USER
     *   robbin   --- ROLE_ADMIN
     */
    public String getAuthoritiesString() {
        List<String> authorities = new ArrayList<String>();
        for (GrantedAuthority authority : this.getAuthorities()) {
            authorities.add(authority.getAuthority());
        }
        return StringUtils.join(authorities, ",");
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        // Return the user's authorities according to your own logic. If they are empty, or do not match the
        // authority configured for the intercepted path, authorization fails.
        // Never return null here: Spring Security iterates over this collection.
        if (roles != null && !roles.isEmpty()) {
            List<GrantedAuthority> list = new ArrayList<GrantedAuthority>();
            GrantedAuthority au = new SimpleGrantedAuthority("ROLE_USER");
            list.add(au);
            return list;
        }
        return Collections.emptyList();
    }

    /*
     * Password
     */
    @Override
    public String getPassword() {
        return password;
    }

    /*
     * User name
     */
    @Override
    public String getUsername() {
        return name;
    }

    /*
     * Whether the account is not expired; false fails authentication
     */
    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    /*
     * Whether the account is not locked; false fails authentication
     */
    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    /*
     * Whether the credentials are not expired; false fails authentication
     */
    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    /*
     * Whether the account is enabled; false fails authentication
     */
    @Override
    public boolean isEnabled() {
        return !disabled;
    }

    /**
     * @return the name
     */
    public String getName() {
        return name;
    }

    /**
     * @return the disabled
     */
    public boolean isDisabled() {
        return disabled;
    }

    /**
     * @return the roles
     */
    public Set<Role> getRoles() {
        return roles;
    }

    /**
     * @return the roleResources, grouped by "roleName_resourceType"
     */
    public Map<String, List<Resource>> getRoleResources() {
        // init roleResources for the first time
        System.out.println("---------------------------------------------------");
        if (this.roleResources == null) {
            this.roleResources = new HashMap<String, List<Resource>>();
            for (Role role : this.roles) {
                String roleName = role.getRoleName();
                Set<Resource> resources = role.getResources();
                for (Resource resource : resources) {
                    String key = roleName + "_" + resource.getType();
                    if (!this.roleResources.containsKey(key)) {
                        this.roleResources.put(key, new ArrayList<Resource>());
                    }
                    this.roleResources.get(key).add(resource);
                }
            }
        }
        return this.roleResources;
    }

    /**
     * @param name the name to set
     */
    public void setName(String name) {
        this.name = name;
    }

    /**
     * @param password the password to set
     */
    public void setPassword(String password) {
        this.password = password;
    }

    /**
     * @param disabled the disabled to set
     */
    public void setDisabled(boolean disabled) {
        this.disabled = disabled;
    }

    /**
     * @param roles the roles to set
     */
    public void setRoles(Set<Role> roles) {
        this.roles = roles;
    }

    public String getAccount() {
        return account;
    }

    public void setAccount(String account) {
        this.account = account;
    }

    public void setRoleResources(Map<String, List<Resource>> roleResources) {
        this.roleResources = roleResources;
    }
}
```
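To see the four-step flow described at the start of this section, and the UserDetailsService/UserDetails pair, exercised outside a servlet container, here is an added, self-contained example; it is not code from the original post or from the com.ultrapower project. It assumes only spring-security-core on the classpath. RoleBackedUser, MapUserDetailsService and the two sample accounts are constructed for this demo and stand in for SecurityManagerSupport and User. It wires ProviderManager -> DaoAuthenticationProvider -> UserDetailsService exactly as the XML authentication-manager does, and drives it with a UsernamePasswordAuthenticationToken the way UsernamePasswordAuthenticationFilter.attemptAuthentication does.

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Minimal UserDetails (constructed for this demo) whose authorities are derived from role names; never null. */
class RoleBackedUser implements UserDetails {
    private final String account;
    private final String passwordHash;
    private final Set<String> roleNames;
    private final boolean disabled;

    RoleBackedUser(String account, String passwordHash, Set<String> roleNames, boolean disabled) {
        this.account = account;
        this.passwordHash = passwordHash;
        this.roleNames = new LinkedHashSet<>(roleNames);
        this.disabled = disabled;
    }

    @Override public Collection<? extends GrantedAuthority> getAuthorities() {
        // One SimpleGrantedAuthority per role; an empty role set yields an empty list, not null
        return roleNames.stream().map(SimpleGrantedAuthority::new).collect(Collectors.toList());
    }
    @Override public String getPassword() { return passwordHash; }
    @Override public String getUsername() { return account; }
    @Override public boolean isAccountNonExpired() { return true; }
    @Override public boolean isAccountNonLocked() { return true; }
    @Override public boolean isCredentialsNonExpired() { return true; }
    @Override public boolean isEnabled() { return !disabled; }
}

/** In-memory stand-in for SecurityManagerSupport: a map instead of a database (sample data is constructed). */
class MapUserDetailsService implements UserDetailsService {
    private final Map<String, RoleBackedUser> users = new HashMap<>();

    MapUserDetailsService(PasswordEncoder encoder) {
        // Only the BCrypt hash is stored; the clear-text password never leaves this constructor
        users.put("admin", new RoleBackedUser("admin", encoder.encode("123456"),
                new LinkedHashSet<>(Arrays.asList("ROLE_USER", "ROLE_ADMIN")), false));
        users.put("guest", new RoleBackedUser("guest", encoder.encode("guest"),
                Collections.singleton("ROLE_USER"), true)); // disabled account
    }

    @Override public UserDetails loadUserByUsername(String username) {
        UserDetails user = users.get(username);
        if (user == null) {
            throw new UsernameNotFoundException("no such user: " + username); // contract: throw, never return null
        }
        return user;
    }
}

public class AuthenticationFlowDemo {
    /** Same chain the XML wires up: ProviderManager -> DaoAuthenticationProvider -> UserDetailsService. */
    static AuthenticationManager buildManager() {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new MapUserDetailsService(encoder));
        provider.setPasswordEncoder(encoder);
        return new ProviderManager(Collections.<AuthenticationProvider>singletonList(provider));
    }

    /** Mirrors what UsernamePasswordAuthenticationFilter.attemptAuthentication does with the submitted form. */
    static String attempt(AuthenticationManager manager, String username, String password) {
        try {
            Authentication result = manager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
            return "authenticated=" + result.isAuthenticated() + " authorities=" + result.getAuthorities();
        } catch (AuthenticationException e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        AuthenticationManager manager = buildManager();
        System.out.println(attempt(manager, "admin", "123456"));  // authenticated=true authorities=[ROLE_USER, ROLE_ADMIN]
        System.out.println(attempt(manager, "admin", "wrong"));   // rejected: BadCredentialsException
        System.out.println(attempt(manager, "nobody", "x"));      // rejected: BadCredentialsException (user-not-found is hidden)
        System.out.println(attempt(manager, "guest", "guest"));   // rejected: DisabledException, from isEnabled()
    }
}
```

Two contract details are worth copying into any UserDetailsService: loadUserByUsername throws UsernameNotFoundException instead of returning null (DaoAuthenticationProvider treats a null return as an interface-contract violation and raises InternalAuthenticationServiceException), and getAuthorities never returns null. Note also that the unknown-user case comes back as BadCredentialsException, because DaoAuthenticationProvider hides UsernameNotFoundException by default so that the login form does not reveal which account names exist.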
3. Dynamically filtering user permissions
```xml
<!-- inside <http>: run the custom interceptor ahead of the built-in FilterSecurityInterceptor -->
<custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="securityInterceptor"/>

<!-- Custom interceptor -->
<beans:bean id="securityInterceptor" class="com.ultrapower.me.util.security.interceptor.SecurityInterceptor">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="accessDecisionManager" ref="mesecurityAccessDecisionManager"/>
    <beans:property name="securityMetadataSource" ref="secureResourceFilterInvocationDefinitionSource" />
</beans:bean>
<!-- Looks up all authorities required by the requested url -->
<beans:bean id="secureResourceFilterInvocationDefinitionSource" class="com.ultrapower.me.util.security.interceptor.SecureResourceFilterInvocationDefinitionSource" />
<!-- Checks whether the user's authorities are sufficient -->
<beans:bean id="mesecurityAccessDecisionManager" class="com.ultrapower.me.util.security.interceptor.SecurityAccessDecisionManager" />
```
```java
package com.ultrapower.me.util.security.interceptor;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

public class SecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
    // Injected from the configuration file
    private FilterInvocationSecurityMetadataSource securityMetadataSource;

    public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
        return securityMetadataSource;
    }

    public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) {
        this.securityMetadataSource = securityMetadataSource;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        FilterInvocation fi = new FilterInvocation(request, response, chain);
        // fi wraps the intercepted url.
        // beforeInvocation first calls getAttributes(Object) on the metadata source (MyInvocationSecurityMetadataSource in the
        // original notes; SecureResourceFilterInvocationDefinitionSource in this configuration) to collect every authority
        // fi requires, then calls decide on the access decision manager (MyAccessDecisionManager / SecurityAccessDecisionManager)
        // to check whether the user's authorities are sufficient.
        InterceptorStatusToken token = super.beforeInvocation(fi);
        try {
            // Run the next filter in the chain
            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
        } finally {
            super.afterInvocation(token, null);
        }
    }

    @Override
    public void init(FilterConfig arg0) throws ServletException {
    }

    @Override
    public Class<?> getSecureObjectClass() {
        return FilterInvocation.class;
    }

    @Override
    public SecurityMetadataSource obtainSecurityMetadataSource() {
        return this.securityMetadataSource;
    }

    @Override
    public void destroy() {
    }
}
```
After login, every resource access is intercepted by this interceptor and runs doFilter. That method calls the invoke method; at a breakpoint fi shows up as a url (it probably overrides toString, but it still has other methods inside). The most important call is beforeInvocation: it first calls getAttributes on the MyInvocationSecurityMetadataSource class to obtain the authorities the intercepted url requires, then calls decide on the MyAccessDecisionManager class to judge whether the user has enough authority. Once all of that is done, the next filter runs.
```java
package com.ultrapower.me.util.security.interceptor;

import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

import javax.servlet.ServletContext;

import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.PathMatcher;

public class SecureResourceFilterInvocationDefinitionSource implements FilterInvocationSecurityMetadataSource, InitializingBean {
    private PathMatcher matcher;
    private static Map<String, Collection<ConfigAttribute>> map = new HashMap<String, Collection<ConfigAttribute>>();

    /*
     * Initialise the url authorities. For simplicity they are not loaded from the database here;
     * in practice, load the authority of every resource url from the database.
     */
    @Override
    public void afterPropertiesSet() throws Exception {
        this.matcher = new AntPathMatcher(); // used to match the requested resource path
        Collection<ConfigAttribute> atts = new ArrayList<ConfigAttribute>();
        ConfigAttribute ca = new SecurityConfig("ROLE_USER");
        atts.add(ca);
        map.put("/jsp/index/main.jsp", atts);
        Collection<ConfigAttribute> attsno = new ArrayList<ConfigAttribute>();
        ConfigAttribute cano = new SecurityConfig("ROLE_NO");
        attsno.add(cano);
        map.put("/http://blog.csdn.net/u012367513/article/details/other.jsp", attsno);
    }

    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        FilterInvocation filterInvocation = (FilterInvocation) object;
        String requestURI = filterInvocation.getRequestUrl();
        // Loop over the resource paths; when the requested url matches one, return the authorities that url requires.
        // Return the matched entry's own value: map.get(requestURI) only works for an exact key, not for a pattern match.
        for (Iterator<Map.Entry<String, Collection<ConfigAttribute>>> iter = map.entrySet().iterator(); iter.hasNext();) {
            Map.Entry<String, Collection<ConfigAttribute>> entry = iter.next();
            String url = entry.getKey();
            if (matcher.match(url, requestURI)) {
                return entry.getValue();
            }
        }
        return null;
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        return null;
    }

    /* (non-Javadoc)
     * @see org.springframework.security.intercept.ObjectDefinitionSource#getConfigAttributeDefinitions()
     */
    @SuppressWarnings("rawtypes")
    public Collection getConfigAttributeDefinitions() {
        return null;
    }

    /* (non-Javadoc)
     * @see org.springframework.security.intercept.ObjectDefinitionSource#supports(java.lang.Class)
     */
    public boolean supports(@SuppressWarnings("rawtypes") Class clazz) {
        return true;
    }

    /**
     * Reads a url-to-authority map published in the servlet context (not used by getAttributes above).
     * @param filterInvocation the intercepted invocation
     * @return the "urlAuthorities" servlet-context attribute
     */
    @SuppressWarnings("unchecked")
    private Map<String, String> getUrlAuthorities(FilterInvocation filterInvocation) {
        ServletContext servletContext = filterInvocation.getHttpRequest().getSession().getServletContext();
        return (Map<String, String>) servletContext.getAttribute("urlAuthorities");
    }
}
```
The mesecurityAccessDecisionManager implementation:
```java
package com.ultrapower.me.util.security.interceptor;

import java.util.Collection;
import java.util.Iterator;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

public class SecurityAccessDecisionManager implements AccessDecisionManager {
    /**
     * Checks whether the user has enough authority to access the resource.
     * authentication comes from Spring's global SecurityContextHolder and carries the user's authorities
     * object is the url
     * configAttributes are the authorities required
     * @see org.springframework.security.access.AccessDecisionManager#decide(org.springframework.security.core.Authentication, java.lang.Object, java.util.Collection)
     */
    @Override
    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {
        // No authority configured for this url: leave the method right away
        if (configAttributes == null) {
            return;
        }
        Iterator<ConfigAttribute> ite = configAttributes.iterator();
        // Check whether the authorities the user holds match the url's authorities. With a UserDetailsService in place,
        // the user's authorities are those of the user returned by loadUserByUsername.
        while (ite.hasNext()) {
            ConfigAttribute ca = ite.next();
            String needRole = ca.getAttribute(); // works for any ConfigAttribute, not only SecurityConfig
            for (GrantedAuthority ga : authentication.getAuthorities()) {
                System.out.println(":::::::::::::" + ga.getAuthority());
                if (needRole.equals(ga.getAuthority())) {
                    return;
                }
            }
        }
        // Note: reaching this point throws an exception in the back end, but the browser is sent to the configured access-denied-page
        throw new AccessDeniedException("no right");
    }

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return true;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true;
    }
}
```
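As an added example (not the post's or the project's code), here is this section's url-to-role lookup and access decision reduced to plain classes that run without a servlet container, assuming only spring-security-core and spring-core on the classpath. UrlRoleTable, RoleDecision and the sample rules are constructed for this demo. The lookup returns the matched entry's own attributes, the same thing SecureResourceFilterInvocationDefinitionSource.getAttributes must do, and decide() applies the same any-role-matches rule as SecurityAccessDecisionManager. It goes a little beyond the page's two-entry map: rules are Ant-style patterns kept in insertion order so the most specific one is tried first, and the query string is stripped before matching, because FilterInvocation.getRequestUrl() includes it and a pattern would otherwise silently fail to match.

```java
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.PathMatcher;

/** url pattern -> required roles, first match wins, so register the most specific patterns first. */
class UrlRoleTable {
    private final PathMatcher matcher = new AntPathMatcher();
    private final Map<String, Collection<ConfigAttribute>> rules = new LinkedHashMap<>();

    UrlRoleTable require(String pattern, String... roles) {
        rules.put(pattern, SecurityConfig.createList(roles));
        return this;
    }

    /** Equivalent of getAttributes(): returns the matched entry's value, not map.get(path). */
    Collection<ConfigAttribute> attributesFor(String requestUrl) {
        int q = requestUrl.indexOf('?');
        String path = q >= 0 ? requestUrl.substring(0, q) : requestUrl; // match the path only, never the query string
        for (Map.Entry<String, Collection<ConfigAttribute>> e : rules.entrySet()) {
            if (matcher.match(e.getKey(), path)) {
                return e.getValue();
            }
        }
        return null; // no rule for this url
    }
}

/** Equivalent of decide(): grant when the user holds any one required role, otherwise deny. */
class RoleDecision {
    static void decide(Authentication authentication, Collection<ConfigAttribute> required) {
        if (required == null) {
            return; // unconfigured url, same as the page's null check
        }
        for (ConfigAttribute attr : required) {
            String needed = attr.getAttribute();
            for (GrantedAuthority ga : authentication.getAuthorities()) {
                if (needed.equals(ga.getAuthority())) {
                    return;
                }
            }
        }
        // An empty rule set also ends up here: a listed url with no matching role is denied, not allowed
        throw new AccessDeniedException("no right");
    }
}

public class DynamicUrlAuthorizationDemo {
    static String check(UrlRoleTable table, Authentication user, String url) {
        try {
            RoleDecision.decide(user, table.attributesFor(url));
            return "ALLOW " + user.getName() + " -> " + url;
        } catch (AccessDeniedException e) {
            return "DENY  " + user.getName() + " -> " + url;
        }
    }

    public static void main(String[] args) {
        // Constructed rules: admin area first, then one exact page, then a catch-all for the jsp tree
        UrlRoleTable table = new UrlRoleTable()
                .require("/jsp/admin/**", "ROLE_ADMIN")
                .require("/jsp/index/main.jsp", "ROLE_USER")
                .require("/jsp/**", "ROLE_USER", "ROLE_ADMIN");

        // TestingAuthenticationToken ships in spring-security-core and needs no session or request
        Authentication user = new TestingAuthenticationToken("admin", null, AuthorityUtils.createAuthorityList("ROLE_USER"));
        Authentication anon = new TestingAuthenticationToken("anonymousUser", null, AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));

        System.out.println(check(table, user, "/jsp/index/main.jsp"));        // ALLOW: exact rule, ROLE_USER
        System.out.println(check(table, user, "/jsp/index/main.jsp?tab=2"));  // ALLOW: query string stripped before matching
        System.out.println(check(table, user, "/jsp/report/list.jsp"));       // ALLOW: /jsp/** accepts ROLE_USER
        System.out.println(check(table, user, "/jsp/admin/users.jsp"));       // DENY:  /jsp/admin/** needs ROLE_ADMIN
        System.out.println(check(table, anon, "/jsp/index/main.jsp"));        // DENY:  ROLE_ANONYMOUS holds no required role
        System.out.println(check(table, anon, "/login.jsp"));                 // ALLOW: no rule for this url
    }
}
```

A url without any rule is allowed here, exactly as in the page's decide(). In AbstractSecurityInterceptor a null attribute set never even reaches decide() unless setRejectPublicInvocations(true) is configured on the interceptor; that is the setting to use when every protected url is meant to be listed, so a forgotten entry fails closed instead of open.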
4. Implement AuthenticationProvider with custom parameter verification
```java
/**
 * Credentials: the user's password
 */
@Override
public Object getCredentials() {
    return password;
}

/**
 * Principal: the login name / user Id
 */
@Override
public Object getPrincipal() {
    return userID;
}
```
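The page shows only the getCredentials() and getPrincipal() methods of its custom Authentication. As an added example (not code from the post or the project), here is one way to carry the idea through, assuming spring-security-core on the classpath: a token that holds the page's userID and password plus one extra parameter, a one-time code, and an AuthenticationProvider that validates both before issuing an authenticated token. The class names UserIdCodeAuthenticationToken and UserIdCodeAuthenticationProvider, the one-time-code parameter and the in-memory sample store are assumptions made for this demo.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/** Authentication carrying userID and password (as on the page) plus a constructed extra parameter, a one-time code. */
class UserIdCodeAuthenticationToken extends AbstractAuthenticationToken {
    private final String userID;
    private String password;
    private final String oneTimeCode;

    /** Unauthenticated request token, the form a login filter would build from the submitted parameters. */
    UserIdCodeAuthenticationToken(String userID, String password, String oneTimeCode) {
        super(null);
        this.userID = userID;
        this.password = password;
        this.oneTimeCode = oneTimeCode;
        setAuthenticated(false);
    }

    /** Authenticated result token: no credentials kept, authorities attached. */
    UserIdCodeAuthenticationToken(String userID, Collection<? extends GrantedAuthority> authorities) {
        super(authorities);
        this.userID = userID;
        this.password = null;
        this.oneTimeCode = null;
        super.setAuthenticated(true);
    }

    @Override public Object getCredentials() { return password; }   // credentials: the user's password
    @Override public Object getPrincipal() { return userID; }       // principal: the user id
    String getOneTimeCode() { return oneTimeCode; }

    @Override public void eraseCredentials() {
        super.eraseCredentials();
        password = null; // ProviderManager calls this on the result so the password does not linger in the session
    }
}

/** Provider that accepts only UserIdCodeAuthenticationToken and checks code and password together. */
class UserIdCodeAuthenticationProvider implements AuthenticationProvider {
    private final PasswordEncoder encoder = new BCryptPasswordEncoder();
    private final Map<String, String> passwordHashes = new HashMap<>(); // constructed stand-in for the user store
    private final Map<String, String> pendingCodes = new HashMap<>();   // constructed stand-in for the code issuer

    UserIdCodeAuthenticationProvider() {
        passwordHashes.put("u1001", encoder.encode("123456"));
        pendingCodes.put("u1001", "824913");
    }

    @Override public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        UserIdCodeAuthenticationToken token = (UserIdCodeAuthenticationToken) authentication;
        String userID = (String) token.getPrincipal();
        String hash = passwordHashes.get(userID);
        String expectedCode = pendingCodes.get(userID);
        Object rawPassword = token.getCredentials();
        // Evaluate both checks before failing, and fail with one generic message, so the response does not say which field was wrong
        boolean codeOk = expectedCode != null && expectedCode.equals(token.getOneTimeCode());
        boolean passwordOk = hash != null && rawPassword != null && encoder.matches(rawPassword.toString(), hash);
        if (!codeOk || !passwordOk) {
            throw new BadCredentialsException("bad user id, password or code");
        }
        pendingCodes.remove(userID); // one-time: a code is consumed by its first successful use
        return new UserIdCodeAuthenticationToken(userID, AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    @Override public boolean supports(Class<?> authentication) {
        // ProviderManager routes only this token type here; a UsernamePasswordAuthenticationToken goes to other providers
        return UserIdCodeAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

public class CustomParameterLoginDemo {
    static String attempt(AuthenticationManager manager, String userID, String password, String code) {
        try {
            Authentication result = manager.authenticate(new UserIdCodeAuthenticationToken(userID, password, code));
            return "ok: principal=" + result.getPrincipal() + " authorities=" + result.getAuthorities();
        } catch (AuthenticationException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        AuthenticationManager manager = new ProviderManager(
                Collections.<AuthenticationProvider>singletonList(new UserIdCodeAuthenticationProvider()));
        System.out.println(attempt(manager, "u1001", "123456", "000000")); // rejected: wrong code
        System.out.println(attempt(manager, "u1001", "wrong", "824913"));  // rejected: wrong password
        System.out.println(attempt(manager, "u1001", "123456", "824913")); // ok: principal=u1001 authorities=[ROLE_USER]
        System.out.println(attempt(manager, "u1001", "123456", "824913")); // rejected: code already consumed
    }
}
```

supports() is what lets ProviderManager hand only this token type to this provider, so if DaoAuthenticationProvider is registered as well, an ordinary UsernamePasswordAuthenticationToken still goes to it. In the XML of section 2 this provider would be registered with the ref attribute of authentication-provider rather than user-service-ref, since it is a full AuthenticationProvider and not a UserDetailsService.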