Spring Security 3.X: A Simple Implementation (repost)
The author has not studied Spring Security in depth and is more or less a beginner. Recently I read, rather incompletely, the stiffly translated 《Spring3Security-3.0.1中文官方文档.pdf》 (the Chinese translation of the Spring Security 3.0.1 reference documentation), and I am recording what I learned here to aid learning and memory.
Here is a simple example of implementing security checks. First, the requirements:
1. Log in through a login page
2. When an unauthenticated user requests a protected URL, redirect automatically to the login page
3. User accounts are stored in a database table
4. User authorities (permissions) are stored in a database table
5. When a logged-in user requests a URL they are not authorized for, redirect to the login page
OK, those are the basic requirements; most systems build their login module on top of them.
Before giving the implementation, a brief explanation of how Spring Security works:
1. AccessDecisionManager
Just like the usual login check implemented with a servlet filter, Spring Security is itself a filter. When a request is intercepted by Spring Security, the resource the user requested is first checked for authorization: if the user is allowed to access it, the request is let through; otherwise the request is blocked or the user is sent to log in.
In Spring Security, the component responsible for authorizing the resource a user requests is the AccessDecisionManager. It is simply a collection of voters; the default strategy is to use a

```java
import java.util.Collection;
import java.util.Map;
import java.util.Set;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.web.FilterInvocation;
import org.springframework.util.AntPathMatcher;
import org.springframework.util.CollectionUtils;
import org.springframework.util.PathMatcher;

public class DynamicRoleVoter implements AccessDecisionVoter {

    @Autowired
    private ISystemUserService userService;

    // Not declared in the original post; assumed to be another injected
    // service that supplies the URL-pattern -> required-authorities mapping.
    @Autowired
    private IAuthService authService;

    private PathMatcher pathMatcher = new AntPathMatcher();

    // This voter accepts every secured-object type ...
    @SuppressWarnings("unchecked")
    public boolean supports(Class clazz) {
        return true;
    }

    // ... and every ConfigAttribute: the access attributes declared in the
    // configuration are ignored, the decision is driven purely by the
    // URL-to-authority mapping loaded from the database.
    public boolean supports(ConfigAttribute attribute) {
        return true;
    }

    public int vote(Authentication authentication, Object object,
            Collection arg2) {
        int result = ACCESS_ABSTAIN;
        if (!(object instanceof FilterInvocation))
            return result;
        FilterInvocation invo = (FilterInvocation) object;
        String url = invo.getRequestUrl(); // URL of the current request
        Set<GrantedAuthority> authorities = null;
        String userId = authentication.getName();
        // Load the resources the current user may access (a custom query
        // method; loadUserAuthorities is referenced but not shown in the post),
        // then match them against the requested resource: grant on a match,
        // otherwise abstain.
        authorities = loadUserAuthorities(userService.findById(userId));
        Map<String, Set<String>> urlAuths = authService.getUrlAuthorities();
        Set<String> keySet = urlAuths.keySet();
        for (String key : keySet) {
            boolean matched = pathMatcher.match(key, url);
            if (!matched)
                continue;
            Set<String> mappedAuths = urlAuths.get(key);
            if (contain(authorities, mappedAuths)) {
                result = ACCESS_GRANTED;
                break;
            }
        }
        // This voter never returns ACCESS_DENIED. With the decision manager's
        // default allowIfAllAbstainDecisions=false, a request on which every
        // voter abstains is still denied.
        return result;
    }

    protected boolean contain(Set<GrantedAuthority> authorities,
            Set<String> mappedAuths) {
        if (CollectionUtils.isEmpty(mappedAuths)
                || CollectionUtils.isEmpty(authorities))
            return false;
        for (GrantedAuthority item : authorities) {
            if (mappedAuths.contains(item.getAuthority()))
                return true;
        }
        return false;
    }
}
```
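As an added example that is not part of the original post, the following Spring Security 3.0 namespace configuration ties the five requirements above to the voter. The package com.example.security, the dataSource bean, the JSP paths and the users/authorities table and column names are assumptions.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- Requirements 1, 2 and 5: form login; an anonymous request to a
         protected URL is sent to the login page by the entry point; a
         logged-in user who is denied access is also sent to the login page.
         An access value is required so the interceptor consults the decision
         manager at all; the custom voter ignores the value itself. -->
    <http use-expressions="false"
          access-decision-manager-ref="accessDecisionManager">
        <intercept-url pattern="/login.jsp*" filters="none" />
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
        <form-login login-page="/login.jsp"
                    authentication-failure-url="/login.jsp?error=1" />
        <access-denied-handler error-page="/login.jsp" />
        <logout logout-success-url="/login.jsp" />
    </http>

    <!-- The voter from the post as the only voter. AffirmativeBased grants on
         the first ACCESS_GRANTED; with the default allowIfAllAbstainDecisions
         of false, a request the voter abstains on is denied. -->
    <beans:bean id="accessDecisionManager"
        class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:property name="decisionVoters">
            <beans:list>
                <beans:bean class="com.example.security.DynamicRoleVoter" />
            </beans:list>
        </beans:property>
    </beans:bean>

    <!-- Requirements 3 and 4: users and their authorities are read from
         tables (names assumed). The password column holds a SHA-256 hash,
         never the clear-text password. -->
    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service data-source-ref="dataSource"
                users-by-username-query=
                    "select username, password, enabled from users where username = ?"
                authorities-by-username-query=
                    "select username, authority from authorities where username = ?" />
            <password-encoder hash="sha-256" />
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```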