说到权限系统,几乎每个系统都要用到,只要涉及到人操作和管理的的系统。而权限系统的核心那就是:授权和认证。
大道至简,根据这个核心所有的第三方还是适合自己的权限系统都围绕此进行。
Spring Security 也是如此,在系统中怎样接入Spring Security呢?主要有以下几步:
1、配置文件
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.spr ingframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http>
<intercept-url pattern="/login.htm" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<form-login login-page="/login.htm" login-processing-url="/login_process.htm"
authentication-failure-url="/login.htm?error=true" default-target-url="/index.htm"
password-parameter="password" username-parameter="username" />
<http-basic />
<logout logout-success-url="/login.htm" logout-url="/logout.htm"/>
<remember-me token-validity-seconds="604800" /> <!-- 1 week -->
<custom-filter ref="resourceSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR"/>
</http>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="securityManager">
<password-encoder hash="md5"/>
</authentication-provider>
</authentication-manager>
<beans:bean id="securityManager" class="com.apache.platform.service.authorization.SecurityManagerSupport"></beans:bean>
<beans:bean id="resourceSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<!-- 认证管理 -->
<beans:property name="authenticationManager" ref="authenticationManager"/>
<!-- 访问决策 -->
<beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
<!-- 资源定义 -->
<beans:property name="securityMetadataSource" ref="secureResourceFilterInvocationDefinitionSource" />
</beans:bean>
<!-- 访问决策器 -->
<beans:bean id="accessDecisionManager"
class="com.apache.platform.service.authorization.AccessDecisionManager">
</beans:bean>
<beans:bean id="secureResourceFilterInvocationDefinitionSource" class="com.apache.platform.service.authorization.SecureResourceFilterInvocationDefinitionSource" />
</beans:beans>
整个权限系统的接入围绕这个配置文件展开。
1》 认证管理
主要提供用户登录访问认证操作
2》 访问决策
对资源访问定义规则和策略
3》 资源定义
根据认证用户加载访问资源
SecurityManagerSupport.java
/**
*
*/
package com.apache.platform.service.authorization;
import java.util.ArrayList;
import java.util.Collection;
import javax.servlet.ServletContext;
import org.apache.commons.lang.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.web.context.ServletContextAware;
import com.apache.platform.common.CommConstant;
import com.apache.platform.service.IUserManager;
/**
* @author tangss
* @2013年9月28日 @上午9:19:25
*/
public class SecurityManagerSupport implements UserDetailsService, ServletContextAware {
@Autowired
private IUserManager userManager;
ServletContext servletContext;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
UserDetails user = null;
if (StringUtils.isNotEmpty(username) && username.equals("test")) {
Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
authorities.add(new SimpleGrantedAuthority("admin_role"));
user = new UserInfo(username, "e10adc3949ba59abbe56e057f20f883e", true, true, true, true, authorities);
} else {
user = userManager.getUserByUserName(username);
}
this.servletContext.setAttribute(CommConstant.USER_INFO, user);
return user;
}
/*
* (non-Javadoc)
* @see org.springframework.web.context.ServletContextAware#setServletContext(javax.servlet.ServletContext)
*/
@Override
public void setServletContext(ServletContext servletContext) {
this.servletContext = servletContext;
}
}
AccessDecisionManager.java
package com.apache.platform.service.authorization;
import java.util.Collection;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
/**
*
*
*/
public class AccessDecisionManager implements org.springframework.security.access.AccessDecisionManager {
@Override
public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
throws AccessDeniedException,
InsufficientAuthenticationException {
if (configAttributes == null) {
return;
}
for (ConfigAttribute ca : configAttributes) {
String needRole = ((SecurityConfig) ca).getAttribute();
for (GrantedAuthority ga : authentication.getAuthorities()) {
if (needRole.equals(ga.getAuthority())) {
return;
}
}
}
throw new AccessDeniedException("没有权限");
}
@Override
public boolean supports(ConfigAttribute attribute) {
return true;
}
@Override
public boolean supports(Class<?> clazz) {
return true;
}
}
SecureResourceFilterInvocationDefinitionSource.java
/**
*
*/
package com.apache.platform.service.authorization;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;
import javax.servlet.ServletContext;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.AntPathRequestMatcher;
import org.springframework.security.web.util.RequestMatcher;
import org.springframework.web.context.ServletContextAware;
import com.apache.platform.common.CommConstant;
/**
* @author tangss
* @2013年9月28日 @上午9:44:38
*/
public class SecureResourceFilterInvocationDefinitionSource implements FilterInvocationSecurityMetadataSource, ServletContextAware {
private Map<String, String> linkMap;
private Map<String, Collection<ConfigAttribute>> resourceMap = new HashMap<String, Collection<ConfigAttribute>>();
// 获得请求资源所需的权限
@Override
public Collection<ConfigAttribute> getAttributes(Object filter) throws IllegalArgumentException {
if (linkMap == null || linkMap.isEmpty()) {
return null;
}
RequestMatcher matcher = null;
Set<Entry<String, String>> linkSet = linkMap.entrySet();
for (Entry<String, String> entry : linkSet) {
String url = entry.getKey();
matcher = new AntPathRequestMatcher(url);
if (matcher.matches(((FilterInvocation) filter).getRequest())) {
Collection<ConfigAttribute> configAttributes = resourceMap.get(url);
if (configAttributes != null) {
return configAttributes;
}
// 解析 role
String value = entry.getValue(); // split by comma
String values[] = value.split(",");
configAttributes = new ArrayList<ConfigAttribute>();
for (String attribute : values) {
ConfigAttribute configAttribute = new SecurityConfig(attribute);
configAttributes.add(configAttribute);
}
resourceMap.put(url, configAttributes);
return configAttributes;
}
}
return null;
}
@Override
public Collection<ConfigAttribute> getAllConfigAttributes() {
return null;
}
@Override
public boolean supports(Class<?> clazz) {
return true;
}
@SuppressWarnings("unchecked")
@Override
public void setServletContext(ServletContext servletContext) {
linkMap = (Map<String, String>) servletContext.getAttribute(CommConstant.LINK_MAP);
}
}
2、登录页面
#set($layout = "/layout/blankLayout.vm")
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<title>登录</title>
<script type="text/javascript" src="$!{scriptsPath}scripts/common/jquery-1.10.2.js"></script>
<link rel="stylesheet" type="text/css" href="$!{stylesPath}styles/login.css" />
</head>
<body>
<form method="post" action="login_process.htm">
<div class="login">
<p>
用户名:<input type="text" name="username" />
<p>
密 码:<input type="password" name="password" />
</p>
</p>
<p>
<input type="checkbox" name="_spring_security_remember_me" /> 记住我
</p>
<p>
<input type="submit" value="登 录" class="btn" />
</p>
</div>
</form>
</body>
</html>
3 、web.mxl 配置
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>*.htm</url-pattern>
</filter-mapping>
4、maven pom.xml
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.1.4.RELEASE</version>
</dependency>
分享到:
相关推荐
spring-security 案例 权限管理 登陆权限
一个比较好的spring security实例
SpringBoot+SpringSecurity案例Demo
spring security 源码案例, 我原来找这样的相关案例,不是没有 就是不能运行。这个只做朋友们参考, 我的这个案例是可以运行的
spring security4登陆
SpringBoot+SpringSecurity整合示例代码,实现了从数据库中获取信息进行登录认证和权限认证。 本项目为idea工程,请用idea2019导入(老版应该也可以)。 本项目用户信息所需sql文件,在工程的resources文件夹下,...
SpringBoot 实现SpringSecurity 对接数据库登录,基础案例
1.SpringSecurity 3.2实例,继承SpringMVC 3.2; 2.默认账户 admin,admin; 3.模拟后台数据加载,未集成数据库;
学习spring security3.0.3的案例,上传文件太大,已将架包删除。本案例试用最小配置,实现了不依赖配置文件对角色、资源进行分配管理
基于用户,角色,权限的spring security完整项目,包括登陆,免登陆,session配置,角色,权限验证等功能
完成的Spring Security实例,其中包括自定义数据库表结构、自定义登陆页面、使用数据库管理资源、自定义的密码编码器、自定义访问拒绝页面、动态管理资源结合自定义登录页面等方面的例子
SPRINGSECURITY 3.2 在WEB应用中的案例源码, 1.如何改造登陆验证 2.如何使用数据库中配置的资源权限信息进行访问控制 3.如何控制对SPRINGBEAN中的类方法的控制
Spring boot+Spring Security Oauth2.0,Sprint cloud+Spring Security Oauth2集成。四种认证方式。附带有代码,和案例,案例,还有视频链接。我保证看完就回,如果视频链接失效,评论回复我,我单独再给你一份。
spingsecurity学习和分析,下载解压后导入到ECLIPSE后可直接运行.含JAR包
SpringBoot+SpringSecurity+JWT+MybatisPlus实现基于注解的权限验证,可根据注解的格式不同,做到角色权限控制,角色加资源权限控制等,粒度比较细化。 @PreAuthorize("hasAnyRole('ADMIN','USER')"):具有admin或...
权限认证springsecurity案例
Spring-Security结合JWT 实现前后端分离完成权限验证功能案例,案例中,主要完成用户登录获取Token,通过Token访问Rest接口,没有权限或授权失败时返回JSON,前端根据状态码进行重新登录;案例中的用户名称: jake_j...
成功案例和证明:分享一些成功应用Spring Security的案例或者行业领先公司对其重视程度,让学习者看到学习Spring Security的潜在机会和前景。 社区和支持:强调Spring Security社区的活跃程度以及得到的支持,包括...
我基于参考网上一个案例,通过spring security3源代码的修改,使该项目完成了了前台+后台的登录方式。而且可以还可以继续扩展多用户登陆。 (4)项目除了security3的配置使用XML以外,其他基本使用注解配置完成 (5...
按照教程https://blog.csdn.net/ryo1060732496/article/details/78848205 编写的demo程序