[收藏]Spring Security中的ACL
<!-- ACL cache used by the lookup strategy and the ACL service below.
     A cached ACL stays in effect until it is evicted or expires, so a permission change made
     behind the service's back (e.g. editing the ACL tables directly) is only seen once the
     entry ages out; see the ehcache settings for the "aclCache" region. -->
<bean id="aclCache" class="org.springframework.security.acls.jdbc.EhCacheBasedAclCache">
    <constructor-arg ref="aclEhCache"/>
</bean>
<!-- Obtains the Ehcache region named "aclCache" from the cacheManager bean
     (defined elsewhere; not shown on this page). -->
<bean id="aclEhCache" class="org.springframework.cache.ehcache.EhCacheFactoryBean">
    <property name="cacheManager" ref="cacheManager"/>
    <property name="cacheName" value="aclCache"/>
</bean>
<!-- Ehcache region backing the "aclCache" bean: at most 1000 ACLs in memory, an entry is dropped
     after 10 minutes without access (timeToIdleSeconds) or 1 hour after creation
     (timeToLiveSeconds), and entries beyond the in-memory limit are written to disk.
     NOTE(review): a revoked permission can keep being honoured from this cache until the entry
     expires or is evicted; and with overflowToDisk="true" ACL data lands in the Ehcache disk
     store, so that directory should be readable only by the application account. -->
<cache name="aclCache" maxElementsInMemory="1000" eternal="false" timeToIdleSeconds="600"
       timeToLiveSeconds="3600" overflowToDisk="true" />
<!-- Default cache configuration. These will be applied to caches programmatically created through
     the CacheManager.
     The following attributes are required:
     maxElementsInMemory - Sets the maximum number of objects that will be created in memory
     eternal - Sets whether elements are eternal. If eternal, timeouts are ignored and the
     element is never expired.
     overflowToDisk - Sets whether elements can overflow to disk when the in-memory cache
     has reached the maxInMemory limit.
     The following attributes are optional:
     timeToIdleSeconds - Sets the time to idle for an element before it expires.
     i.e. The maximum amount of time between accesses before an element expires
     Is only used if the element is not eternal.
     Optional attribute. A value of 0 means that an Element can idle for infinity.
     The default value is 0.
     timeToLiveSeconds - Sets the time to live for an element before it expires.
     i.e. The maximum time between creation time and when an element expires.
     Is only used if the element is not eternal.
     Optional attribute. A value of 0 means that an Element can live for infinity.
     The default value is 0.
     diskPersistent - Whether the disk store persists between restarts of the Virtual Machine.
     The default value is false.
     diskExpiryThreadIntervalSeconds - The number of seconds between runs of the disk expiry thread. The default value
     is 120 seconds.
-->
<!-- Loads ACLs from the ACL tables via the dataSource and stores them in aclCache. -->
<bean id="lookupStrategy" class="org.springframework.security.acls.jdbc.BasicLookupStrategy">
    <constructor-arg ref="dataSource"/>
    <constructor-arg ref="aclCache"/>
    <constructor-arg>
        <!-- Which authority may administer an ACL itself. The three entries are, in order,
             the authority needed to take ownership, to change auditing settings, and to make
             general changes to an ACL; the same ROLE_ADMIN authority is used for all three here,
             so only administrators can alter ACLs they do not own. -->
        <bean class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl">
            <constructor-arg>
                <list>
                    <ref local="adminRole"/>
                    <ref local="adminRole"/>
                    <ref local="adminRole"/>
                </list>
            </constructor-arg>
        </bean>
    </constructor-arg>
    <constructor-arg>
        <!-- Audit logger written to the console; ACE grants/denials flagged for auditing
             end up on stdout rather than in the application log. -->
        <bean class="org.springframework.security.acls.domain.ConsoleAuditLogger"/>
    </constructor-arg>
</bean>
<!-- The ROLE_ADMIN authority referenced by the authorization strategy above. -->
<bean id="adminRole" class="org.springframework.security.GrantedAuthorityImpl">
    <constructor-arg value="ROLE_ADMIN"/>
</bean>
<!-- JDBC-backed ACL service used both for reads (by the voter and after-invocation
     providers) and for the create/update/delete calls in the service code below. -->
<bean id="aclService" class="org.springframework.security.acls.jdbc.JdbcMutableAclService">
    <constructor-arg ref="dataSource"/>
    <constructor-arg ref="lookupStrategy"/>
    <constructor-arg ref="aclCache"/>
</bean>
// Create the ACL for a message (presumably right after the message is stored) and grant:
//   owner      -> ADMINISTRATION (may later change the ACL itself)
//   ROLE_ADMIN -> DELETE
//   ROLE_USER  -> READ
// Every entry is a grant (last argument true); ACE order is the evaluation order.
ObjectIdentity identity = new ObjectIdentityImpl(Message.class, message.getId());
MutableAcl acl = mutableAclService.createAcl(identity);
int index = 0;
acl.insertAce(index++, BasePermission.ADMINISTRATION, new PrincipalSid(owner), true);
acl.insertAce(index++, BasePermission.DELETE, new GrantedAuthoritySid("ROLE_ADMIN"), true);
acl.insertAce(index, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER"), true);
// createAcl only persists the identity row; the entries are written by updateAcl.
mutableAclService.updateAcl(acl);
// Remove the ACL that belongs to the message with this id.
// Second argument false: do not cascade the delete to child ACLs.
mutableAclService.deleteAcl(new ObjectIdentityImpl(Message.class, id), false);
<!-- Voter for the ACL_MESSAGE_DELETE config attribute: grants when the caller holds
     ADMINISTRATION or DELETE on the Message being processed.
     NOTE(review): AclEntryVoter finds the domain object among the arguments of the secured
     method (processDomainObjectClass); a method that receives only an id and no Message
     argument does not give the voter an object to check — confirm each @Secured("ACL_MESSAGE_DELETE")
     method signature against this. -->
<bean id="aclMessageDeleteVoter" class="org.springframework.security.vote.AclEntryVoter">
    <constructor-arg ref="aclService"/>
    <constructor-arg value="ACL_MESSAGE_DELETE"/>
    <constructor-arg>
        <list>
            <util:constant static-field="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/>
            <util:constant static-field="org.springframework.security.acls.domain.BasePermission.DELETE"/>
        </list>
    </constructor-arg>
    <property name="processDomainObjectClass" value="com.family168.springsecuritybook.ch12.Message"/>
</bean>
<!-- AffirmativeBased: one granting vote is enough. RoleVoter handles ROLE_* attributes, the
     ACL voter handles ACL_MESSAGE_DELETE; if every voter abstains (an attribute neither
     voter supports) access is denied by default, which is the safe direction. -->
<bean id="aclAccessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
    <property name="decisionVoters">
        <list>
            <bean class="org.springframework.security.vote.RoleVoter"/>
            <ref local="aclMessageDeleteVoter"/>
        </list>
    </property>
</bean>
<!-- Enables @Secured on service methods and routes every such decision through
     aclAccessDecisionManager. Method security is proxy based: a call a bean makes on
     itself (this.get(...)) bypasses the proxy and therefore these checks. -->
<global-method-security secured-annotations="enabled" access-decision-manager-ref="aclAccessDecisionManager"/>
/**
 * Deletes the message with the given id together with its ACL.
 * <p>
 * ACL_MESSAGE_DELETE is decided by aclMessageDeleteVoter. NOTE(review): that voter looks for a
 * Message instance among the invocation arguments, and this method only receives a Long —
 * confirm the voter can resolve the domain object for this signature. The {@code get(id)} call
 * below is a self-invocation, so (with proxy-based method security) its AFTER_ACL_READ check
 * does not run here.
 *
 * @param id id of the message to remove
 */
@Transactional
@Secured("ACL_MESSAGE_DELETE")
public void remove(Long id) {
    Message target = get(id);
    list.remove(target);
    // false: do not cascade to child ACLs
    mutableAclService.deleteAcl(new ObjectIdentityImpl(Message.class, id), false);
}
<%-- Render the Remove link only when the current principal holds DELETE (8) or
     ADMINISTRATION (16) on this Message (BasePermission mask values; either one suffices).
     This is presentation only — the enforced check is @Secured("ACL_MESSAGE_DELETE") on the
     service's remove method.
     NOTE(review): the link performs a state change over GET; a POST form with CSRF protection
     is the usual mitigation, and the bare '&' in the href should be written as '&amp;'. --%>
<sec:accesscontrollist domainObject="${item}" hasPermission="8,16">
    | <a href="message.do?action=remove&id=${item.id}">Remove</a>
</sec:accesscontrollist>
<!-- After-invocation provider for AFTER_ACL_READ: once the secured method has returned a
     single domain object, the call fails with an access-denied error unless the caller holds
     ADMINISTRATION or READ on it. -->
<bean id="afterAclRead" class="org.springframework.security.afterinvocation.AclEntryAfterInvocationProvider">
    <sec:custom-after-invocation-provider/>
    <constructor-arg ref="aclService"/>
    <constructor-arg>
        <list>
            <util:constant static-field="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/>
            <util:constant static-field="org.springframework.security.acls.domain.BasePermission.READ"/>
        </list>
    </constructor-arg>
</bean>
<!-- After-invocation provider for AFTER_ACL_COLLECTION_READ: drops from a returned collection
     every element the caller lacks ADMINISTRATION or READ on.
     NOTE(review): in Spring Security 2.x this filtering removes elements from the returned
     collection object itself, so secured methods must return a copy, never their backing
     store — otherwise a caller without READ silently deletes messages from the store. -->
<bean id="afterAclCollectionRead" class="org.springframework.security.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider">
    <sec:custom-after-invocation-provider/>
    <constructor-arg ref="aclService"/>
    <constructor-arg>
        <list>
            <util:constant static-field="org.springframework.security.acls.domain.BasePermission.ADMINISTRATION"/>
            <util:constant static-field="org.springframework.security.acls.domain.BasePermission.READ"/>
        </list>
    </constructor-arg>
</bean>
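/**
 * Returns the message with the given id, or {@code null} when none is stored.
 * <p>
 * AFTER_ACL_READ makes the after-invocation provider reject the returned Message when the
 * caller lacks READ or ADMINISTRATION on it; that check only fires when the call comes
 * through the Spring proxy, not on a self-call from this class.
 *
 * @param id id of the message to look up
 * @return the matching message, or {@code null} if there is none
 */
@Secured({"ROLE_USER", "AFTER_ACL_READ"})
public Message get(Long id) {
    for (Message message : list) {
        if (message.getId().equals(id)) {
            return message;
        }
    }
    return null;
}

/**
 * Returns the messages the caller is allowed to read.
 * <p>
 * AFTER_ACL_COLLECTION_READ filtering (Spring Security 2.x) removes unreadable entries from
 * the returned collection object itself. A fresh copy is returned so the filter never edits
 * the backing list: handing out {@code list} directly would let any caller who lacks READ on
 * some messages delete those messages from the store as a side effect of listing.
 *
 * @return a new list holding the stored messages (filtered afterwards by the ACL provider)
 */
@Secured({"ROLE_USER", "AFTER_ACL_COLLECTION_READ"})
public List getAll() {
    return new java.util.ArrayList<Message>(list);
}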
以上就是