spring security 登录、权限管理配置
2024-09-29 05:16:34
登录流程
1)容器启动(MySecurityMetadataSource:loadResourceDefine加载系统资源与权限列表)
2)用户发出请求
3)过滤器拦截(MySecurityFilter:doFilter)
4)取得请求资源所需权限(MySecurityMetadataSource:getAttributes)
5)匹配用户拥有权限和请求权限(MyAccessDecisionManager:decide),如果用户没有相应的权限,
执行第6步,否则执行第7步。
6)登录
7)验证并授权(MyUserDetailServiceImpl:loadUserByUsername)
1、web.xml中加入过滤器
- <!-- SpringSecurity 核心过滤器配置 -->
- <filter>
- <filter-name>springSecurityFilterChain</filter-name>
- <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
- </filter>
- <filter-mapping>
- <filter-name>springSecurityFilterChain</filter-name>
- <url-pattern>/*</url-pattern>
- </filter-mapping>
<!-- SpringSecurity 核心过滤器配置 -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
2、新建spring-security.xml文件
- <?xml version="1.0" encoding="UTF-8"?>
- <beans:beans xmlns="http://www.springframework.org/schema/security"
- xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans.xsd
- http://www.springframework.org/schema/security
- http://www.springframework.org/schema/security/spring-security.xsd">
- <!-- entry-point-ref 配置自定义登录 -->
- <http use-expressions="true" entry-point-ref="authenticationProcessingFilterEntryPoint">
- <!-- 登出配置 -->
- <logout logout-url="/j_spring_security_logout" logout-success-url="/login" />
- <access-denied-handler error-page="/noPower" />
- <!-- 过滤不被拦截的请求 -->
- <intercept-url pattern="/login*" access="permitAll" />
- <intercept-url pattern="/resources/**" access="permitAll" />
- <!-- 只有权限才能访问的请求 -->
- <intercept-url pattern="/admin/**" access="isAuthenticated()" />
- <custom-filter ref="loginFilter" position="FORM_LOGIN_FILTER" />
- <custom-filter ref="securityFilter" before="FILTER_SECURITY_INTERCEPTOR" />
- </http>
- <beans:bean id="loginFilter"
- class="cn.com.abel.test.service.security.MyUsernamePasswordAuthenticationFilter">
- <!-- 登录提交处理 -->
- <beans:property name="filterProcessesUrl" value="/j_spring_security_check"></beans:property>
- <!-- 登录成功跳转 -->
- <beans:property name="authenticationSuccessHandler"
- ref="loginLogAuthenticationSuccessHandler"></beans:property>
- <!-- 设置登录失败的网址 -->
- <beans:property name="authenticationFailureHandler"
- ref="simpleUrlAuthenticationFailureHandler"></beans:property>
- <!-- 用户拥有权限 -->
- <beans:property name="authenticationManager" ref="myAuthenticationManager"></beans:property>
- </beans:bean>
- <beans:bean id="loginLogAuthenticationSuccessHandler"
- class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
- <beans:property name="defaultTargetUrl" value="/admin/index"></beans:property>
- </beans:bean>
- <beans:bean id="simpleUrlAuthenticationFailureHandler"
- class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
- <beans:property name="defaultFailureUrl" value="/login"></beans:property>
- </beans:bean>
- <authentication-manager alias="myAuthenticationManager">
- <authentication-provider user-service-ref="myUserDetailServiceImpl">
- <password-encoder ref="encoder" />
- </authentication-provider>
- </authentication-manager>
- <beans:bean id="myUserDetailServiceImpl"
- class="cn.com.abel.test.service.security.AdminUserDetailServiceImpl">
- </beans:bean>
- <beans:bean id="authenticationProcessingFilterEntryPoint"
- class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
- <beans:property name="loginFormUrl" value="/login"></beans:property>
- </beans:bean>
- <!-- 认证过滤器 -->
- <beans:bean id="securityFilter"
- class="cn.com.abel.test.service.security.MySecurityFilter">
- <!-- 用户拥有的角色 -->
- <beans:property name="authenticationManager" ref="myAuthenticationManager" />
- <!-- 用户是否拥有所请求资源的权限 -->
- <beans:property name="accessDecisionManager" ref="myAccessDecisionManager" />
- <!-- 资源与角色的对应关系 -->
- <beans:property name="securityMetadataSource" ref="mySecurityMetadataSource" />
- <!-- <beans:property name="rejectPublicInvocations" value="true"/> -->
- </beans:bean>
- <beans:bean id="myAccessDecisionManager" class="myAccessDecisionManager"></beans:bean>
- <beans:bean id="mySecurityMetadataSource"
- class="cn.com.abel.test.service.security.MySecurityMetadataSource">
- <beans:constructor-arg>
- <beans:ref bean="resourceService" />
- </beans:constructor-arg>
- </beans:bean>
- <beans:bean id="encoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"></beans:bean>
- </beans:beans>
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd"><!-- entry-point-ref 配置自定义登录 -->
<http use-expressions="true" entry-point-ref="authenticationProcessingFilterEntryPoint"> <!-- 登出配置 -->
<logout logout-url="/j_spring_security_logout" logout-success-url="/login" /> <access-denied-handler error-page="/noPower" /> <!-- 过滤不被拦截的请求 -->
<intercept-url pattern="/login*" access="permitAll" />
<intercept-url pattern="/resources/**" access="permitAll" /> <!-- 只有权限才能访问的请求 -->
<intercept-url pattern="/admin/**" access="isAuthenticated()" /> <custom-filter ref="loginFilter" position="FORM_LOGIN_FILTER" />
<custom-filter ref="securityFilter" before="FILTER_SECURITY_INTERCEPTOR" /> </http> <beans:bean id="loginFilter"
class="cn.com.abel.test.service.security.MyUsernamePasswordAuthenticationFilter"> <!-- 登录提交处理 -->
<beans:property name="filterProcessesUrl" value="/j_spring_security_check"></beans:property> <!-- 登录成功跳转 -->
<beans:property name="authenticationSuccessHandler"
ref="loginLogAuthenticationSuccessHandler"></beans:property> <!-- 设置登录失败的网址 -->
<beans:property name="authenticationFailureHandler"
ref="simpleUrlAuthenticationFailureHandler"></beans:property> <!-- 用户拥有权限 -->
<beans:property name="authenticationManager" ref="myAuthenticationManager"></beans:property>
</beans:bean> <beans:bean id="loginLogAuthenticationSuccessHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/admin/index"></beans:property>
</beans:bean>
<beans:bean id="simpleUrlAuthenticationFailureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login"></beans:property>
</beans:bean> <authentication-manager alias="myAuthenticationManager">
<authentication-provider user-service-ref="myUserDetailServiceImpl">
<password-encoder ref="encoder" />
</authentication-provider>
</authentication-manager> <beans:bean id="myUserDetailServiceImpl"
class="cn.com.abel.test.service.security.AdminUserDetailServiceImpl">
</beans:bean> <beans:bean id="authenticationProcessingFilterEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/login"></beans:property>
</beans:bean> <!-- 认证过滤器 -->
<beans:bean id="securityFilter"
class="cn.com.abel.test.service.security.MySecurityFilter">
<!-- 用户拥有的角色 -->
<beans:property name="authenticationManager" ref="myAuthenticationManager" />
<!-- 用户是否拥有所请求资源的权限 -->
<beans:property name="accessDecisionManager" ref="myAccessDecisionManager" />
<!-- 资源与角色的对应关系 -->
<beans:property name="securityMetadataSource" ref="mySecurityMetadataSource" />
<!-- <beans:property name="rejectPublicInvocations" value="true"/> --> </beans:bean> <beans:bean id="myAccessDecisionManager" class="myAccessDecisionManager"></beans:bean> <beans:bean id="mySecurityMetadataSource"
class="cn.com.abel.test.service.security.MySecurityMetadataSource">
<beans:constructor-arg>
<beans:ref bean="resourceService" />
</beans:constructor-arg>
</beans:bean> <beans:bean id="encoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder"></beans:bean>
</beans:beans>
3、MyUsernamePasswordAuthenticationFilter.java
- package cn.com.abel.test.service.security;
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletResponse;
- import org.springframework.security.authentication.AuthenticationServiceException;
- import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
- import org.springframework.security.core.Authentication;
- import org.springframework.security.core.AuthenticationException;
- import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
- public class MyUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter{
- @Override
- public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
- if (!request.getMethod().equals("POST")) {
- throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
- }
- String username = obtainUsername(request);
- String password = obtainPassword(request);
- if (username == null) {
- username = "";
- }
- if (password == null) {
- password = "";
- }
- username = username.trim();
- UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
- // Allow subclasses to set the "details" property
- setDetails(request, authRequest);
- // //登录验证码,如需要开启把下面注释去掉则可
- // String authCode = StringUtils.defaultString(request.getParameter("authCode"));
- // if(!AdwImageCaptchaServlet.validateResponse(request, authCode)){
- // throw new AuthenticationServiceException("validCode.auth.fail");
- // }
- return this.getAuthenticationManager().authenticate(authRequest);
- }
- }
package cn.com.abel.test.service.security; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; public class MyUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter{@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException { if (!request.getMethod().equals("POST")) {
throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
} String username = obtainUsername(request);
String password = obtainPassword(request); if (username == null) {
username = "";
} if (password == null) {
password = "";
} username = username.trim(); UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password); // Allow subclasses to set the "details" property
setDetails(request, authRequest);
// //登录验证码,如需要开启把下面注释去掉则可
// String authCode = StringUtils.defaultString(request.getParameter("authCode"));
// if(!AdwImageCaptchaServlet.validateResponse(request, authCode)){
// throw new AuthenticationServiceException("validCode.auth.fail");
// }return this.getAuthenticationManager().authenticate(authRequest);
}
}
4、MySecurityFilter.java
- package cn.com.abel.test.service.security;
- import java.io.IOException;
- import javax.servlet.Filter;
- import javax.servlet.FilterChain;
- import javax.servlet.FilterConfig;
- import javax.servlet.ServletException;
- import javax.servlet.ServletRequest;
- import javax.servlet.ServletResponse;
- import org.springframework.security.access.SecurityMetadataSource;
- import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
- import org.springframework.security.access.intercept.InterceptorStatusToken;
- import org.springframework.security.web.FilterInvocation;
- import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
- public class MySecurityFilter extends AbstractSecurityInterceptor implements Filter {
- //与applicationContext-security.xml里的myFilter的属性securityMetadataSource对应,
- //其他的两个组件,已经在AbstractSecurityInterceptor定义
- private FilterInvocationSecurityMetadataSource securityMetadataSource;
- @Override
- public SecurityMetadataSource obtainSecurityMetadataSource() {
- return this.securityMetadataSource;
- }
- public void doFilter(ServletRequest request, ServletResponse response,
- FilterChain chain) throws IOException, ServletException {
- FilterInvocation fi = new FilterInvocation(request, response, chain);
- invoke(fi);
- }
- private void invoke(FilterInvocation fi) throws IOException, ServletException {
- // object为FilterInvocation对象
- //1.获取请求资源的权限
- //执行Collection<ConfigAttribute> attributes = SecurityMetadataSource.getAttributes(object);
- //2.是否拥有权限
- //获取安全主体,可以强制转换为UserDetails的实例
- //1) UserDetails
- // Authentication authenticated = authenticateIfRequired();
- //this.accessDecisionManager.decide(authenticated, object, attributes);
- //用户拥有的权限
- //2) GrantedAuthority
- //Collection<GrantedAuthority> authenticated.getAuthorities()
- //System.out.println("用户发送请求! ");
- InterceptorStatusToken token = null;
- token = super.beforeInvocation(fi);
- try {
- fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
- } finally {
- super.afterInvocation(token, null);
- }
- }
- public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
- return securityMetadataSource;
- }
- public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) {
- this.securityMetadataSource = securityMetadataSource;
- }
- public void init(FilterConfig arg0) throws ServletException {
- // TODO Auto-generated method stub
- }
- public void destroy() {
- // TODO Auto-generated method stub
- }
- @Override
- public Class<? extends Object> getSecureObjectClass() {
- //下面的MyAccessDecisionManager的supports方面必须放回true,否则会提醒类型错误
- return FilterInvocation.class;
- }
- }
package cn.com.abel.test.service.security; import java.io.IOException; import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse; import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource; public class MySecurityFilter extends AbstractSecurityInterceptor implements Filter {
//与applicationContext-security.xml里的myFilter的属性securityMetadataSource对应,
//其他的两个组件,已经在AbstractSecurityInterceptor定义
private FilterInvocationSecurityMetadataSource securityMetadataSource;@Override
public SecurityMetadataSource obtainSecurityMetadataSource() {
return this.securityMetadataSource;
} public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
FilterInvocation fi = new FilterInvocation(request, response, chain);
invoke(fi);
} private void invoke(FilterInvocation fi) throws IOException, ServletException {
// object为FilterInvocation对象
//1.获取请求资源的权限
//执行Collection<ConfigAttribute> attributes = SecurityMetadataSource.getAttributes(object);
//2.是否拥有权限
//获取安全主体,可以强制转换为UserDetails的实例
//1) UserDetails
// Authentication authenticated = authenticateIfRequired();
//this.accessDecisionManager.decide(authenticated, object, attributes);
//用户拥有的权限
//2) GrantedAuthority
//Collection<GrantedAuthority> authenticated.getAuthorities()
//System.out.println("用户发送请求! ");
InterceptorStatusToken token = null; token = super.beforeInvocation(fi); try {
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
} finally {
super.afterInvocation(token, null);
}
} public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
return securityMetadataSource;
} public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) {
this.securityMetadataSource = securityMetadataSource;
} public void init(FilterConfig arg0) throws ServletException {
// TODO Auto-generated method stub
} public void destroy() {
// TODO Auto-generated method stub } @Override
public Class<? extends Object> getSecureObjectClass() {
//下面的MyAccessDecisionManager的supports方面必须放回true,否则会提醒类型错误
return FilterInvocation.class;
}
}
5、AdminUserDetailServiceImpl.java
- package cn.com.abel.test.service.security;
- import java.util.HashSet;
- import java.util.List;
- import java.util.Set;
- import org.springframework.beans.factory.annotation.Autowired;
- import org.springframework.security.core.GrantedAuthority;
- import org.springframework.security.core.authority.SimpleGrantedAuthority;
- import org.springframework.security.core.userdetails.UserDetails;
- import org.springframework.security.core.userdetails.UserDetailsService;
- import org.springframework.security.core.userdetails.UsernameNotFoundException;
- import cn.com.abel.test.model.RoleModel;
- import cn.com.abel.test.model.MemberModel;
- import cn.com.abel.test.service.RoleService;
- import cn.com.abel.test.service.MemberService;
- public class AdminUserDetailServiceImpl implements UserDetailsService {
- @Autowired
- private MemberService memberService;
- @Autowired
- RoleService roleService;
- //登录验证
- public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
- MemberModel member = memberService.getUserDetailsByUserName(username);
- if(member==null){
- throw new UsernameNotFoundException("member "+username +" not found.");
- }
- Set<GrantedAuthority> grantedAuths = obtionGrantedAuthorities(member);
- //封装成spring security的user
- User userdetail = new User(user.getUserName(), user.getPassword(),
- true, // 账号状态 0 表示停用 1表示启用
- true, true, true, grantedAuths // 用户的权限
- );
- return userdetail;
- }
- //取得用户的权限
- private Set<GrantedAuthority> obtionGrantedAuthorities(MemberModel member) {
- Set<GrantedAuthority> authSet = new HashSet<GrantedAuthority>();
- List<RoleModel> roles = roleService.getRoleByUser(member)<span style="font-family:Arial, Helvetica, sans-serif;">;</span>
- if(roles!=null){
- for(RoleModel role : roles) {
- authSet.add(new SimpleGrantedAuthority(role.getRoleCode().trim()));
- }
- }
- return authSet;
- }
- }
package cn.com.abel.test.service.security; import java.util.HashSet;
import java.util.List;
import java.util.Set; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException; import cn.com.abel.test.model.RoleModel;
import cn.com.abel.test.model.MemberModel;
import cn.com.abel.test.service.RoleService;
import cn.com.abel.test.service.MemberService; public class AdminUserDetailServiceImpl implements UserDetailsService {
@Autowired
private MemberService memberService;
@Autowired
RoleService roleService;//登录验证
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { MemberModel member = memberService.getUserDetailsByUserName(username); if(member==null){
throw new UsernameNotFoundException("member "+username +" not found.");
}
Set<GrantedAuthority> grantedAuths = obtionGrantedAuthorities(member); //封装成spring security的user
User userdetail = new User(user.getUserName(), user.getPassword(),
true, // 账号状态 0 表示停用 1表示启用
true, true, true, grantedAuths // 用户的权限
);
return userdetail;
} //取得用户的权限
private Set<GrantedAuthority> obtionGrantedAuthorities(MemberModel member) { Set<GrantedAuthority> authSet = new HashSet<GrantedAuthority>(); List<RoleModel> roles = roleService.getRoleByUser(member)<span style="font-family:Arial, Helvetica, sans-serif;">;</span>
if(roles!=null){
for(RoleModel role : roles) {
authSet.add(new SimpleGrantedAuthority(role.getRoleCode().trim()));
}
} return authSet;
}
}
6、MyAccessDecisionManager.java
- package cn.com.abel.test.service.security;
- import java.util.Collection;
- import java.util.Iterator;
- import org.springframework.security.access.AccessDecisionManager;
- import org.springframework.security.access.AccessDeniedException;
- import org.springframework.security.access.ConfigAttribute;
- import org.springframework.security.authentication.InsufficientAuthenticationException;
- import org.springframework.security.core.Authentication;
- import org.springframework.security.core.GrantedAuthority;
- public class MyAccessDecisionManager implements AccessDecisionManager {
- public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
- if(configAttributes == null) {
- return;
- }
- //所请求的资源拥有的权限(一个资源对多个权限)
- Iterator<ConfigAttribute> iterator = configAttributes.iterator();
- while(iterator.hasNext()) {
- ConfigAttribute configAttribute = iterator.next();
- //访问所请求资源所需要的权限
- String needPermission = configAttribute.getAttribute();
- System.out.println("needPermission is " + needPermission);
- //用户所拥有的权限authentication
- for(GrantedAuthority ga : authentication.getAuthorities()) {
- if(needPermission.equals(ga.getAuthority())) {
- return;
- }
- }
- }
- //没有权限让我们去捕捉
- throw new AccessDeniedException(" 没有权限访问!");
- }
- public boolean supports(ConfigAttribute attribute) {
- // TODO Auto-generated method stub
- return true;
- }
- public boolean supports(Class<?> clazz) {
- // TODO Auto-generated method stub
- return true;
- }
- }
package cn.com.abel.test.service.security; import java.util.Collection;
import java.util.Iterator; import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority; public class MyAccessDecisionManager implements AccessDecisionManager {public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
if(configAttributes == null) {
return;
}
//所请求的资源拥有的权限(一个资源对多个权限)
Iterator<ConfigAttribute> iterator = configAttributes.iterator();
while(iterator.hasNext()) {
ConfigAttribute configAttribute = iterator.next();
//访问所请求资源所需要的权限
String needPermission = configAttribute.getAttribute();
System.out.println("needPermission is " + needPermission);
//用户所拥有的权限authentication
for(GrantedAuthority ga : authentication.getAuthorities()) {
if(needPermission.equals(ga.getAuthority())) {
return;
}
}
}
//没有权限让我们去捕捉
throw new AccessDeniedException(" 没有权限访问!");
} public boolean supports(ConfigAttribute attribute) {
// TODO Auto-generated method stub
return true;
} public boolean supports(Class<?> clazz) {
// TODO Auto-generated method stub
return true;
}
}
7、MySecurityMetadataSource.java
- package cn.com.abel.test.service.security;
- import java.util.ArrayList;
- import java.util.Collection;
- import java.util.HashSet;
- import java.util.Iterator;
- import java.util.List;
- import java.util.Map;
- import java.util.Map.Entry;
- import java.util.TreeMap;
- import java.util.concurrent.ConcurrentHashMap;
- import javax.servlet.http.HttpServletRequest;
- import org.apache.commons.lang.StringUtils;
- import org.springframework.beans.factory.InitializingBean;
- import org.springframework.security.access.ConfigAttribute;
- import org.springframework.security.access.SecurityConfig;
- import org.springframework.security.web.FilterInvocation;
- import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
- import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
- import org.springframework.security.web.util.matcher.RequestMatcher;
- import cn.com.abel.test.model.RoleModel;
- import cn.com.abel.test.service.ResourceService;
- public class MySecurityMetadataSource implements FilterInvocationSecurityMetadataSource,InitializingBean {
- private static final String AUTH_NO_ROLE =" __AUTH_NO_ROLE__";
- private ResourceService resourceService;
- public MySecurityMetadataSource(ResourceService resourceService) {
- this.resourceService = resourceService;
- }
- private static Map<String, Collection<ConfigAttribute>> resourceMap = null;
- public Collection<ConfigAttribute> getAllConfigAttributes() {
- return null;
- }
- public boolean supports(Class<?> clazz) {
- return true;
- }
- private void loadResourceDefine() {
- if(resourceMap == null) {
- resourceMap = new ConcurrentHashMap<String, Collection<ConfigAttribute>>();
- }else{
- resourceMap.clear();
- }
- Map<String,List<RoleModel>> resourceRoleMap = resourceService.getAllResourceRole();
- for (Entry<String,List<RoleModel>> entry : resourceRoleMap.entrySet()) {
- String url = entry.getKey();
- List<RoleModel> values = entry.getValue();
- Collection<ConfigAttribute> configAttributes = new ArrayList<ConfigAttribute>();
- for(RoleModel secRoleModel : values){
- ConfigAttribute configAttribute = new SecurityConfig(StringUtils.defaultString(secRoleModel.getRoleCode(),AUTH_NO_ROLE));
- configAttributes.add(configAttribute);
- }
- resourceMap.put(url, configAttributes);
- }
- }
- public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
- HttpServletRequest request = ((FilterInvocation) object).getHttpRequest();
- TreeMap<String, Collection<ConfigAttribute>> attrMap = new TreeMap<String, Collection<ConfigAttribute>>(resourceMap);
- Iterator<String> ite = attrMap.keySet().iterator();
- RequestMatcher urlMatcher = null;
- Collection<ConfigAttribute> attrSet = new HashSet<ConfigAttribute>();
- //match all of /admin/** a/b/**
- while (ite.hasNext()) {
- String resURL = ite.next();
- urlMatcher = new AntPathRequestMatcher(resURL);
- if (urlMatcher.matches(request)||StringUtils.equals(request.getRequestURI(),resURL)) {
- attrSet.addAll(attrMap.get(resURL));
- }
- }
- if(!attrSet.isEmpty()){
- return attrSet;
- }
- return null;
- }
- @Override
- public void afterPropertiesSet() throws Exception {
- loadResourceDefine() ;
- }
- }
package cn.com.abel.test.service.security; import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.TreeMap;
import java.util.concurrent.ConcurrentHashMap; import javax.servlet.http.HttpServletRequest; import org.apache.commons.lang.StringUtils;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher; import cn.com.abel.test.model.RoleModel;
import cn.com.abel.test.service.ResourceService; public class MySecurityMetadataSource implements FilterInvocationSecurityMetadataSource,InitializingBean {private static final String AUTH_NO_ROLE =" __AUTH_NO_ROLE__"; private ResourceService resourceService; public MySecurityMetadataSource(ResourceService resourceService) {
this.resourceService = resourceService;
} private static Map<String, Collection<ConfigAttribute>> resourceMap = null; public Collection<ConfigAttribute> getAllConfigAttributes() {
return null;
} public boolean supports(Class<?> clazz) {
return true;
}
private void loadResourceDefine() {
if(resourceMap == null) {
resourceMap = new ConcurrentHashMap<String, Collection<ConfigAttribute>>();
}else{
resourceMap.clear();
} Map<String,List<RoleModel>> resourceRoleMap = resourceService.getAllResourceRole(); for (Entry<String,List<RoleModel>> entry : resourceRoleMap.entrySet()) {
String url = entry.getKey();
List<RoleModel> values = entry.getValue(); Collection<ConfigAttribute> configAttributes = new ArrayList<ConfigAttribute>();
for(RoleModel secRoleModel : values){
ConfigAttribute configAttribute = new SecurityConfig(StringUtils.defaultString(secRoleModel.getRoleCode(),AUTH_NO_ROLE));
configAttributes.add(configAttribute);
}
resourceMap.put(url, configAttributes);
}
}
public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException { HttpServletRequest request = ((FilterInvocation) object).getHttpRequest(); TreeMap<String, Collection<ConfigAttribute>> attrMap = new TreeMap<String, Collection<ConfigAttribute>>(resourceMap); Iterator<String> ite = attrMap.keySet().iterator(); RequestMatcher urlMatcher = null; Collection<ConfigAttribute> attrSet = new HashSet<ConfigAttribute>();
//match all of /admin/** a/b/**
while (ite.hasNext()) { String resURL = ite.next();
urlMatcher = new AntPathRequestMatcher(resURL); if (urlMatcher.matches(request)||StringUtils.equals(request.getRequestURI(),resURL)) {
attrSet.addAll(attrMap.get(resURL));
}
} if(!attrSet.isEmpty()){
return attrSet;
}
return null;
} @Override
public void afterPropertiesSet() throws Exception {
loadResourceDefine() ;
}
}
8、ResourceService.java
此类是为从数据库获取系统中的资源所属的角色,根据自己的数据表自行编写。
- package cn.com.abel.test.service;
- import java.util.ArrayList;
- import java.util.HashMap;
- import java.util.HashSet;
- import java.util.List;
- import java.util.Map;
- import org.apache.commons.collections.CollectionUtils;
- import org.springframework.beans.factory.annotation.Autowired;
- import org.springframework.stereotype.Service;
- import cn.com.abel.test.mapper.ResourceModelMapper;
- import cn.com.abel.test.mapper.RoleModelMapper;
- import cn.com.abel.test.mapper.RoleResourcetModelMapper;
- import cn.com.abel.test.model.ResourceModel;
- import cn.com.abel.test.model.ResourceModelCriteria;
- import cn.com.abel.test.model.RoleModel;
- import cn.com.abel.test.model.RoleModelCriteria;
- import cn.com.abel.test.model.RoleResourcetModel;
- import cn.com.abel.test.model.RoleResourcetModelCriteria;
- @Service
- public class ResourceService {
- @Autowired
- ResourceModelMapper resourceModelMapper;
- @Autowired
- RoleModelMapper roleMapper;
- @Autowired
- RoleResourcetModelMapper roleResMapper;
- /**
- * 获取各个资源(url)对应的角色
- * @return
- */
- public Map<String,List<RoleModel>> getAllResourceRole(){
- Map<String,List<RoleModel>> resultMap = new HashMap<String,List<RoleModel>>();
- ResourceModelCriteria secResourceModelExample = new ResourceModelCriteria();
- List<ResourceModel> resourceList = resourceModelMapper.selectByExample(secResourceModelExample);
- if(CollectionUtils.isNotEmpty(resourceList)){
- for(ResourceModel secResourceModel : resourceList){
- RoleModelCriteria roleCriteria = new RoleModelCriteria();
- roleCriteria.createCriteria().andIdIn(getRoleIdsByResourceId(secResourceModel.getId()));
- List<RoleModel> roleList = roleMapper.selectByExample(roleCriteria);
- resultMap.put(secResourceModel.getValue(), roleList);
- }
- }
- return resultMap;
- }
- public List<Integer> getRoleIdsByResourceId(Integer resourceId){
- List<Integer> roleIds = new ArrayList<Integer>();
- RoleResourcetModelCriteria criteria = new RoleResourcetModelCriteria();
- criteria.createCriteria().andResourceIdEqualTo(resourceId);
- List<RoleResourcetModel> list = roleResMapper.selectByExample(criteria);
- if(CollectionUtils.isNotEmpty(list)){
- for(RoleResourcetModel model : list){
- roleIds.add(model.getRoleId());
- }
- }
- HashSet<Integer> h = new HashSet<Integer>(roleIds);
- roleIds.clear();
- roleIds.addAll(h);
- return roleIds;
- }
- }
package cn.com.abel.test.service; import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map; import org.apache.commons.collections.CollectionUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service; import cn.com.abel.test.mapper.ResourceModelMapper;
import cn.com.abel.test.mapper.RoleModelMapper;
import cn.com.abel.test.mapper.RoleResourcetModelMapper;
import cn.com.abel.test.model.ResourceModel;
import cn.com.abel.test.model.ResourceModelCriteria;
import cn.com.abel.test.model.RoleModel;
import cn.com.abel.test.model.RoleModelCriteria;
import cn.com.abel.test.model.RoleResourcetModel;
import cn.com.abel.test.model.RoleResourcetModelCriteria; @Service
public class ResourceService {@Autowired
ResourceModelMapper resourceModelMapper; @Autowired
RoleModelMapper roleMapper; @Autowired
RoleResourcetModelMapper roleResMapper; /**
* 获取各个资源(url)对应的角色
* @return
*/
public Map<String,List<RoleModel>> getAllResourceRole(){ Map<String,List<RoleModel>> resultMap = new HashMap<String,List<RoleModel>>(); ResourceModelCriteria secResourceModelExample = new ResourceModelCriteria();
List<ResourceModel> resourceList = resourceModelMapper.selectByExample(secResourceModelExample); if(CollectionUtils.isNotEmpty(resourceList)){
for(ResourceModel secResourceModel : resourceList){
RoleModelCriteria roleCriteria = new RoleModelCriteria();
roleCriteria.createCriteria().andIdIn(getRoleIdsByResourceId(secResourceModel.getId()));
List<RoleModel> roleList = roleMapper.selectByExample(roleCriteria);
resultMap.put(secResourceModel.getValue(), roleList); }
} return resultMap;
} public List<Integer> getRoleIdsByResourceId(Integer resourceId){
List<Integer> roleIds = new ArrayList<Integer>(); RoleResourcetModelCriteria criteria = new RoleResourcetModelCriteria();
criteria.createCriteria().andResourceIdEqualTo(resourceId);
List<RoleResourcetModel> list = roleResMapper.selectByExample(criteria);
if(CollectionUtils.isNotEmpty(list)){
for(RoleResourcetModel model : list){
roleIds.add(model.getRoleId());
}
} HashSet<Integer> h = new HashSet<Integer>(roleIds);
roleIds.clear();
roleIds.addAll(h);
return roleIds;
}
}
最后附上数据表的SQL:
- CREATE TABLE `auth_resource` (
- `id` INT(11) NOT NULL AUTO_INCREMENT,
- `name` VARCHAR(100) NULL DEFAULT NULL COMMENT '资源名称',
- `value` VARCHAR(100) NULL DEFAULT NULL COMMENT '资源值',
- `summary` VARCHAR(1000) NULL DEFAULT NULL COMMENT '资源描述',
- `updated_time` DATETIME NULL DEFAULT NULL,
- `updated_user` VARCHAR(100) NULL DEFAULT NULL,
- PRIMARY KEY (`id`)
- )
- COMMENT='资源访问表'
- COLLATE='utf8_general_ci'
- ENGINE=InnoDB;
- CREATE TABLE `auth_role` (
- `id` INT(11) NOT NULL AUTO_INCREMENT,
- `role_name` VARCHAR(100) NULL DEFAULT NULL COMMENT '角色名称',
- `role_code` VARCHAR(100) NULL DEFAULT NULL COMMENT '角色代码',
- `updated_time` DATETIME NULL DEFAULT NULL,
- `updated_user` VARCHAR(100) NULL DEFAULT NULL,
- PRIMARY KEY (`id`)
- )
- COMMENT='角色表'
- COLLATE='utf8_general_ci'
- ENGINE=InnoDB;
- CREATE TABLE `role_resource` (
- `id` INT(11) NOT NULL AUTO_INCREMENT,
- `role_id` INT(11) NOT NULL,
- `resource_id` INT(11) NOT NULL,
- PRIMARY KEY (`id`),
- UNIQUE INDEX `role_id_resource_id` (`role_id`, `resource_id`)
- )
- COMMENT='资源角色关联表'
- COLLATE='utf8_general_ci'
- ENGINE=InnoDB;
- CREATE TABLE `member` (
- `id` INT(11) NOT NULL AUTO_INCREMENT,
- `user_name` VARCHAR(100) NULL DEFAULT NULL,
- `nick` VARCHAR(100) NULL DEFAULT NULL,
- `password` VARCHAR(100) NULL DEFAULT NULL,
- `sex` INT(11) NULL DEFAULT NULL,
- `birthday` DATE NULL DEFAULT NULL,
- `mobile` VARCHAR(50) NULL DEFAULT NULL,
- `email` VARCHAR(50) NULL DEFAULT NULL,
- `address` VARCHAR(512) NULL DEFAULT NULL,
- `regip` VARCHAR(100) NULL DEFAULT NULL,
- `created_time` DATETIME NULL DEFAULT NULL,
- PRIMARY KEY (`id`)
- )
- COMMENT='用户表'
- COLLATE='utf8_general_ci'
- ENGINE=InnoDB
- AUTO_INCREMENT=2;
- CREATE TABLE `member_role` (
- `id` INT(11) NOT NULL AUTO_INCREMENT,
- `member_id` INT(11) NOT NULL,
- `role_id` INT(11) NOT NULL,
- PRIMARY KEY (`id`),
- UNIQUE INDEX `member_id_role_id` (`member_id`, `role_id`)
- )
- COMMENT='用户角色关联表'
- COLLATE='utf8_general_ci'
- ENGINE=InnoDB;
CREATE TABLE `auth_resource` (
`id` INT(11) NOT NULL AUTO_INCREMENT,
`name` VARCHAR(100) NULL DEFAULT NULL COMMENT '资源名称',
`value` VARCHAR(100) NULL DEFAULT NULL COMMENT '资源值',
`summary` VARCHAR(1000) NULL DEFAULT NULL COMMENT '资源描述',
`updated_time` DATETIME NULL DEFAULT NULL,
`updated_user` VARCHAR(100) NULL DEFAULT NULL,
PRIMARY KEY (`id`)
)
COMMENT='资源访问表'
COLLATE='utf8_general_ci'
ENGINE=InnoDB; CREATE TABLEauth_role(
idINT(11) NOT NULL AUTO_INCREMENT,
role_nameVARCHAR(100) NULL DEFAULT NULL COMMENT '角色名称',
role_codeVARCHAR(100) NULL DEFAULT NULL COMMENT '角色代码',
updated_timeDATETIME NULL DEFAULT NULL,
updated_userVARCHAR(100) NULL DEFAULT NULL,
PRIMARY KEY (id)
)
COMMENT='角色表'
COLLATE='utf8_general_ci'
ENGINE=InnoDB; CREATE TABLErole_resource(
idINT(11) NOT NULL AUTO_INCREMENT,
role_idINT(11) NOT NULL,
resource_idINT(11) NOT NULL,
PRIMARY KEY (id),
UNIQUE INDEXrole_id_resource_id(role_id,resource_id)
)
COMMENT='资源角色关联表'
COLLATE='utf8_general_ci'
ENGINE=InnoDB; CREATE TABLEmember(
idINT(11) NOT NULL AUTO_INCREMENT,
user_nameVARCHAR(100) NULL DEFAULT NULL,
nickVARCHAR(100) NULL DEFAULT NULL,
passwordVARCHAR(100) NULL DEFAULT NULL,
sexINT(11) NULL DEFAULT NULL,
birthdayDATE NULL DEFAULT NULL,
mobileVARCHAR(50) NULL DEFAULT NULL,
addressVARCHAR(512) NULL DEFAULT NULL,
regipVARCHAR(100) NULL DEFAULT NULL,
created_timeDATETIME NULL DEFAULT NULL,
PRIMARY KEY (id)
)
COMMENT='用户表'
COLLATE='utf8_general_ci'
ENGINE=InnoDB
AUTO_INCREMENT=2; CREATE TABLEmember_role(
idINT(11) NOT NULL AUTO_INCREMENT,
member_idINT(11) NOT NULL,
role_idINT(11) NOT NULL,
PRIMARY KEY (id),
UNIQUE INDEXmember_id_role_id(member_id,role_id)
)
COMMENT='用户角色关联表'
COLLATE='utf8_general_ci'
ENGINE=InnoDB;
完整代码下载(包含数据库):http://download.csdn.net/download/rongku/9931455
最新文章
- openvpn 启动
- android UI 仿 win 8 模块化 标题,并实现 可长按拖动交换图片位置、可点击,且伴随动画特效
- SpringMVC学习--数据回显
- MyBatis入门案例 增删改查
- IPTables系列:如何配置Ubuntu 14.04中的IPTables防火墙
- SPAdes
- JAVA字符串格式化String.format()的使用
- 第二篇Activity:2、任务和返回堆栈(Tasks and Back Stack)之基本介绍
- Java多线程与并发之面试常问题
- 一篇文章说清楚mysql索引
- P3203 [HNOI2010]弹飞绵羊 —— 懒标记?分块?LCT?...FAQ orz
- html的header结构和实例
- 今天的任务--git练习
- linux根目录下的文件夹及文件
- TensorFlow笔记-02-Windows下搭建TensorFlow环境(win版非虚拟机)
- 傅里叶变换--MP3、JPEG和Siri背后的数学
- phpstorm之自定义代码碎片(tab键自动填充代码)
- wpf中如何在xaml中绑定cs中类的属性
- Arcgis Javascript API 开发笔记
- springboot整合mybatis,redis,代码(三)