简介
Spring Security 是为了基于Spring的应用程序提供的声明式安全保护的安全性框架。Spring Security 提供了完整的安全性解决方案,它能够在Web请求级别和方法调用级别处理身份认证和授权。因为基于Spring框架,所以SPring Security充分使用了一览注入和面向切面技术。
Spring Security 本质上是借助一系列的 Servlet Filter来提供各种安全性功能,但这并不需要我们手动去添加或者创建多个Filter。实际上,我们仅需要配置一个Filter即可。
DelegatingFilterProxy 是一个特殊的Filter,他本身并没有做太多工作,而是将工作委托给了一个注入到Spring应用上下文的Filter实现类。
在本例中,主要讲解spring-security的配置与使用,实现方式为:
1.将用户、权限、资源(url)采用数据库存储
2.自定义过滤器,代替原有的 FilterSecurityInterceptor
3.自定义实现 UserDetailsService、Filter、AccessDecisionManager和FilterInvocationSecurityMetadataSource并在配置文件进行相应的配置
4.Spring-seculity在自定义用户验证的类加载必须早于Controller层创建
1.配置Spring-seculity.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<security:http security="none" pattern="/login.jsp"/>
<security:http security="none" pattern="/plugins
@Autowired
private LoginDao loginDao;
private static Map<String, Collection<ConfigAttribute>> resourceMap = null;
private AntPathMatcher urlMatcher = new AntPathMatcher();
public MySecurityMetadataSource() {
//loadResourcesDefine();
}
@Override
public Collection<ConfigAttribute> getAllConfigAttributes() {
return null;
}
private void loadResourcesDefine(){
resourceMap = new HashMap<String,Collection<ConfigAttribute>>();
System.out.println("MySecurityMetadataSource.loadResourcesDefine()--------------开始加载资源列表数据--------");
List<Role> roles;
try {
roles = loginDao.findByROleList();
for(Role role : roles){
List<Premission> permissions = role.getPremission();
for(Premission permission : permissions){
Collection<ConfigAttribute> configAttributes = null;
ConfigAttribute configAttribute = new SecurityConfig(role.getRolename());
if(resourceMap.containsKey(permission.getUrl())){
configAttributes = resourceMap.get(permission.getUrl());
configAttributes.add(configAttribute);
}else{
configAttributes = new ArrayList<ConfigAttribute>() ;
configAttributes.add(configAttribute);
resourceMap.put(permission.getUrl(), configAttributes);
}
}
}
System.out.println("11");
Set<String> set = resourceMap.keySet();
Iterator<String> it = set.iterator();
int i=0;
while(it.hasNext()){
String s = it.next();
System.out.println(++i+"key:"+s+"|value:"+resourceMap.get(s));
}
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
@Override
public Collection<ConfigAttribute> getAttributes(Object obj)
throws IllegalArgumentException {
if(null==resourceMap||resourceMap.size() == 0) {
loadResourcesDefine();
}
//获取请求的url地址
String url = ((FilterInvocation)obj).getRequestUrl();
System.out.println("MySecurityMetadataSource:getAttributes()---------------请求地址为:"+url);
Iterator<String> it = resourceMap.keySet().iterator();
while(it.hasNext()){
String _url = it.next();
if(url.indexOf("?")!=-1){
url = url.substring(0, url.indexOf("?"));
}
if(urlMatcher.match(_url,url)){
System.out.println("MySecurityMetadataSource:getAttributes()---------------需要的权限是:"+resourceMap.get(_url));
return resourceMap.get(_url);
}
}
Collection<ConfigAttribute> nouse = new ArrayList<ConfigAttribute>();
nouse.add(new SecurityConfig("无相应权限"));
return nouse;
}
@Override
public boolean supports(Class<?> arg0) {
System.out.println("MySecurityMetadataSource.supports()---------------------");
return true;
}
}到此这篇关于Spring-seculity权限使用的文章就介绍到这了,更多相关Spring-seculity权限使用内容请搜索编程网以前的文章或继续浏览下面的相关文章希望大家以后多多支持编程网!
