[转]Spring Security 可动态授权RBAC权限模块实践

RBAC:基于角色的访问控制(Role-Based Access Control)

先在web.xml 中配置一个过滤器(必须在Struts的过滤器之前)

  1. <filter>
  2. <filter-name>springSecurityFilterChain</filter-name>
  3. <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  4. </filter>
  5. <filter-mapping>
  6. <filter-name>springSecurityFilterChain</filter-name>
  7. <url-pattern>/*</url-pattern>
  8. </filter-mapping>

然后就是编写Spring安全的配置文件applicationContext-security.xml并配置到Spring解析的路径下

Spring Security主要做两件事,一件是认证,一件是授权。

认证

当用户访问受保护的信息却没有登录获得认证时,框架会自动将请求跳转到登录页面

在http标签中的

  1. <form-login login-page="/page/login.jsp" />

配置。且该登录页面必须是不被拦截的。故要配置上

  1. <intercept-url pattern="/page/login.jsp" filters="none" />

Web项目的认证如果在HTTP标签中配置了auto-config="true",框架就会自动的配置多8?个拦截器。
默认表单登录认证的是FORM_LOGIN_FILTER拦截器,我们可以直接写自定义的UserDetailsService,在这个类中实现方法
UserDetails loadUserByUsername(String username),从数据库获取用户信息,以及其拥有的角色。

  1. @Service("myUserDetailsService")
  2. public class MyUserDetailsServiceImpl extends BaseService implements UserDetailsService {
  3. @Resource
  4. private UserDao userDao;
  5. public UserDetails loadUserByUsername(String username)
  6. throws UsernameNotFoundException, DataAccessException {
  7. User user = userDao.getUserByUsername(username);
  8. List<Role> roles = user.getRoles();
  9. Collection<GrantedAuthority> authorities = new LinkedList<GrantedAuthority>();
  10. for (Role role : roles) {
  11. authorities.add(new GrantedAuthorityImpl(role.getCode()));
  12. }
  13. UserDetails userDetails = new org.springframework.security.core.userdetails.User(username,user.getPassword(),Constants.STATE_VALID.equals(user.getState()),true,true,true,authorities);
  14. return userDetails;
  15. }
  16. }

配置在

  1. <authentication-manager alias="myAuthenticationManager">
  2. <authentication-provider user-service-ref="myUserDetailsService">
  3. <password-encoder hash="md5" />
  4. </authentication-provider>
  5. </authentication-manager>

如果需要在登录的时候,在HTTP SESSION中配置做些操作的。就得配置自定义的FORM_LOGIN_FILTER了

在HTTP标签中加入

  1. <custom-filter ref="loginFilter" before="FORM_LOGIN_FILTER" />

并配置

  1. <!-- 访问控制验证器Authority -->
  2. <beans:bean id="securityFilter"
  3. class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  4. <beans:property name="authenticationManager" ref="myAuthenticationManager" />
  5. <beans:property name="accessDecisionManager"
  6. ref="affirmativeBasedAccessDecisionManager" />
  7. <beans:property name="securityMetadataSource" ref="mySecurityMetadataSource"/>
  8. </beans:bean>

MyUsernamePasswordAuthenticationFilter 类是这么写的

  1. public class MyUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter{
  2. public static final String USERNAME = "username";
  3. public static final String PASSWORD = "password";
  4. @Resource
  5. private LoginService loginService;
  6. private UserLoginFormBean userLoginFormBean = new UserLoginFormBean();
  7. @Resource
  8. private LogService logService;
  9. @Override
  10. public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
  11. String username = obtainUsername(request);
  12. String password = obtainPassword(request);
  13. HttpSession session = request.getSession();
  14. userLoginFormBean.setUsername(obtainUsername(request));
  15. userLoginFormBean.setPassword(obtainPassword(request));
  16. User user = loginService.login(userLoginFormBean);
  17. session.setAttribute(Constants.SESSION_USER, user);
  18. Log log = new Log(user,getIpAddr(request),"用户登录", null);
  19. logService.add(log);
  20. //UsernamePasswordAuthenticationToken实现 Authentication
  21. UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
  22. // Place the last username attempted into HttpSession for views
  23. // 允许子类设置详细属性
  24. setDetails(request, authRequest);
  25. // 运行UserDetailsService的loadUserByUsername 再次封装Authentication
  26. return this.getAuthenticationManager().authenticate(authRequest);
  27. }
  28. }

getAuthenticationManager().authenticate(authRequest)是为了让UserDetailService提供Detailed的信息并认证

授权

在授权时,系统默认通过FILTER_SECURITY_INTERCEPTOR认证。

如需自定义授权拦截器,我们在HTTP中在默认授权拦截器前配置了自定义的拦截器

  1. <custom-filter ref="securityFilter" before="FILTER_SECURITY_INTERCEPTOR" />

本平台采用基于请求URL地址的验证方式

securityFilter的配置如下

  1. <!-- 访问控制验证器Authority -->
  2. <beans:bean id="securityFilter"
  3. class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  4. <beans:property name="authenticationManager" ref="myAuthenticationManager" />
  5. <beans:property name="accessDecisionManager"
  6. ref="affirmativeBasedAccessDecisionManager" />
  7. <beans:property name="securityMetadataSource" ref="mySecurityMetadataSource"/>
  8. </beans:bean>

采用默认的自定义的也是采用Spring默认的FilterSecurityInterceptor拦截器,accessDecisionManager也采用的是框架提供的affirmativeBasedAccessDecisionManager
采用投票者来判断是否授权。

  1. <beans:bean id="affirmativeBasedAccessDecisionManager"
  2. class="org.springframework.security.access.vote.AffirmativeBased">
  3. <beans:property name="decisionVoters" ref="roleDecisionVoter" />
  4. </beans:bean>
  5. <beans:bean name="roleDecisionVoter"
  6. class="org.springframework.security.access.vote.RoleVoter" />
  7. <beans:bean id="mySecurityMetadataSource"
  8. class="org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource">
  9. <beans:constructor-arg
  10. type="org.springframework.security.web.util.UrlMatcher" ref="antUrlPathMatcher" />
  11. <beans:constructor-arg type="java.util.LinkedHashMap"
  12. ref="securityRequestMapFactoryBean" />
  13. </beans:bean>

SecurityMetadataSource也是ss
web框架提供的DefaultFilterInvocationSecurityMetadataSource,只是初始化参数中,一个选择
antUrl匹配,还是正则匹配,另一个是提供自定义的通过securityRequestMapFactoryBean。在后者是一个
LinkedHashMap<RequestKey,
Collection<ConfigAttribute>>类型,就是每一个URL匹配模式,所需要角色的集合。

  1. @Service("securityRequestMapFactoryBean")
  2. public class SecurityRequestMapFactoryBean extends
  3. LinkedHashMap<RequestKey, Collection<ConfigAttribute>> {
  4. @Resource
  5. private ModuleDao moduleDao;
  6. @PostConstruct
  7. public void loadSecurityInfos(){
  8. List<Module> modules = moduleDao.getAll(new Module());
  9. //      List<Role> roles = roleDao.getAll(new Role());
  10. for (Module module : modules) {
  11. RequestKey requestKey = new RequestKey(module.getPageUrl());
  12. Collection<ConfigAttribute> configAttributes = new LinkedList<ConfigAttribute>();
  13. for (final Role role : module.getRoles()) {
  14. configAttributes.add(new ConfigAttribute() {
  15. public String getAttribute() {
  16. return role.getCode();
  17. }
  18. });
  19. }
  20. this.put(requestKey, configAttributes);
  21. }
  22. }
  23. }

PS: 最终的件applicationContext-security.xml配置文件

    1. <pre name="code" class="html"><?xml version="1.0" encoding="UTF-8"?>
    2. <beans:beans xmlns="http://www.springframework.org/schema/security"
    3. xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    4. xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    5. http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    6. <http auto-config="true">
    7. <intercept-url pattern="/page/login.jsp" filters="none" />
    8. <intercept-url pattern="/LoginAction*" filters="none" />
    9. <intercept-url pattern="/common/**" filters="none" />
    10. <intercept-url pattern="/css/**" filters="none" />
    11. <intercept-url pattern="/common/**" filters="none" />
    12. <intercept-url pattern="/images/**" filters="none" />
    13. <intercept-url pattern="/js/**" filters="none" />
    14. <form-login login-page="/page/login.jsp" />
    15. <custom-filter ref="loginFilter" before="FORM_LOGIN_FILTER" />
    16. <custom-filter ref="securityFilter" before="FILTER_SECURITY_INTERCEPTOR" />
    17. </http>
    18. <!-- 访问控制验证器Authority -->
    19. <beans:bean id="securityFilter"
    20. class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    21. <beans:property name="authenticationManager" ref="myAuthenticationManager" />
    22. <beans:property name="accessDecisionManager"
    23. ref="affirmativeBasedAccessDecisionManager" />
    24. <beans:property name="securityMetadataSource" ref="mySecurityMetadataSource"/>
    25. </beans:bean>
    26. <!-- 登录验证器Authentication -->
    27. <beans:bean id="loginFilter"
    28. class="com.epro.crm.util.security.MyUsernamePasswordAuthenticationFilter">
    29. <!-- 处理登录的action -->
    30. <beans:property name="filterProcessesUrl" value="/SecurityCheck" />
    31. <!-- 验证成功后的处理-->
    32. <beans:property name="authenticationSuccessHandler"
    33. ref="loginLogAuthenticationSuccessHandler" />
    34. <!-- 验证失败后的处理-->
    35. <beans:property name="authenticationFailureHandler"
    36. ref="simpleUrlAuthenticationFailureHandler" />
    37. <beans:property name="authenticationManager" ref="myAuthenticationManager" />
    38. <!-- 注入DAO为了查询相应的用户 -->
    39. <beans:property name="loginService" ref="loginService" />
    40. <beans:property name="logService" ref="logService" />
    41. </beans:bean>
    42. <authentication-manager alias="myAuthenticationManager">
    43. <authentication-provider user-service-ref="myUserDetailsService">
    44. <password-encoder hash="md5" />
    45. </authentication-provider>
    46. </authentication-manager>
    47. <beans:bean id="mySecurityMetadataSource"
    48. class="org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource">
    49. <beans:constructor-arg
    50. type="org.springframework.security.web.util.UrlMatcher" ref="antUrlPathMatcher" />
    51. <beans:constructor-arg type="java.util.LinkedHashMap"
    52. ref="securityRequestMapFactoryBean" />
    53. </beans:bean>
    54. <beans:bean id="antUrlPathMatcher"
    55. class="org.springframework.security.web.util.AntUrlPathMatcher" />
    56. <beans:bean id="affirmativeBasedAccessDecisionManager"
    57. class="org.springframework.security.access.vote.AffirmativeBased">
    58. <beans:property name="decisionVoters" ref="roleDecisionVoter" />
    59. </beans:bean>
    60. <beans:bean name="roleDecisionVoter"
    61. class="org.springframework.security.access.vote.RoleVoter" />
    62. <beans:bean id="loginLogAuthenticationSuccessHandler"
    63. class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    64. <beans:property name="defaultTargetUrl" value="/page/main.jsp"></beans:property>
    65. </beans:bean>
    66. <beans:bean id="simpleUrlAuthenticationFailureHandler"
    67. class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    68. <!--
    69. 可以配置相应的跳转方式。属性forwardToDestination为true采用forward false为sendRedirect
    70. -->
    71. <beans:property name="defaultFailureUrl" value="/page/login.jsp"></beans:property>
    72. </beans:bean>
    73. <!-- 未登录的切入点 -->
    74. <beans:bean id="authenticationProcessingFilterEntryPoint"
    75. class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    76. <beans:property name="loginFormUrl" value="/page/login.jsp"></beans:property>
    77. </beans:bean>
    78. </beans:beans></pre><br>
    79. ------------------------------------------------------ 分割线 -----------------------------------------------------------------<br>
    80. <br>
    81. 后记:
    82. <pre></pre>
    83. 由于权限配置信息,是由初始化mySecurityMetadataSource时,就由mySecurityMetadataSource读取提供的权限信息,并缓存与该类的私有成员变量中,所以重新加载时就需要重新新建一个对象
    84. <pre></pre>
    85. <pre name="code" class="java">public void loadSecurityInfos(){
    86. this.clear();
    87. List<Module> modules = moduleDao.getAll(new Module());
    88. Collections.sort(modules);
    89. for (Module module : modules) {
    90. RequestKey requestKey = new RequestKey(module.getPageUrl());
    91. Collection<ConfigAttribute> configAttributes = new LinkedList<ConfigAttribute>();
    92. moduleDao.refresh(module);
    93. List<Role> roles = module.getRoles();
    94. if(roles != null){
    95. for (final Role role : roles) {
    96. configAttributes.add(new ConfigAttribute() {
    97. public String getAttribute() {
    98. return role.getCode();
    99. }
    100. });
    101. }
    102. }
    103. this.put(requestKey, configAttributes);
    104. log.info(module.getName()+ "模块 URL模式:" + requestKey + " 授权角色:"+ roles);
    105. }
    106. }</pre><br>
    107. <br>
    108. <pre></pre>
    109. <pre></pre>
    110. <pre></pre>
    111. <pre></pre>
    112. <pre></pre>
    113. <pre></pre>
    114. <pre></pre>
    115. <pre></pre>
    116. <pre></pre>
    117. <pre></pre>
    118. <pre></pre>
    119. <div style="padding-top:20px">
    120. <p style="font-size:12px;">版权声明:本文为博主原创文章,未经博主允许不得转载。</p>
    121. </div>
上一篇:巨蟒django之权限7:动态生成一级&&二级菜单


下一篇:Java里this的作用和用法