Acegi配置实例
1、在web.xml中
<!-- Application-wide context parameters. The security (authentication and authorization) configuration is kept in applicationContext-acegi-security.xml. -->
<context-param>
<param-name>contextConfigLocation</param-name>
<!--
Wildcard location: every file under /WEB-INF/context/ named applicationContext-*.xml
matches, which includes applicationContext-acegi-security.xml.
NOTE(review): the declaration of the Spring context loader that reads this parameter is
not shown on this page. Because of the wildcard, any matching file placed in that
directory becomes part of the context that holds the security beans; keep the directory
contents under change control.
-->
<param-value>
/WEB-INF/context/applicationContext-*.xml
</param-value>
</context-param>
<!--
Acegi Filter Chain Proxy.
The servlet container only sees this one DelegatingFilterProxy. It hands each request to
the Spring bean named by targetBeanName (filterChainProxy, declared in
applicationContext-acegi-security.xml), so the actual security filters are managed by
Spring rather than by web.xml.
NOTE(review): if no bean with that id exists in the loaded context, no security filter
runs for the mapped URLs; confirm how the application behaves at startup in that case.
-->
<filter>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetBeanName</param-name>
<param-value>filterChainProxy</param-value>
</init-param>
</filter>
<!--
Acegi Filter Chain Proxy mappings: only requests whose URL matches one of the patterns
below pass through the security filter chain.
NOTE(review): the chain is mapped by explicit path and file extension instead of /*.
A request that matches none of these patterns (static files, a servlet mapped under
another extension, a handler added later) never reaches the authentication and
authorization filters. Confirm that every servlet mapping of the application is covered,
or map /* and declare the public resources inside the security configuration.
No dispatcher element is declared, so by the Servlet specification default these mappings
apply to direct client requests only; a JSP reached through a server-side forward or
include is not re-checked by this chain.
-->
<!-- Login form submission URL; it has to match filterProcessesUrl in applicationContext-acegi-security.xml. -->
<filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>/j_oa_security_check</url-pattern>
</filter-mapping>
<!-- Logout URL -->
<filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>/j_spring_security_logout</url-pattern>
</filter-mapping>
<!-- Application request types protected by extension; presumably each extension is a servlet mapping of this application (verify against the servlet-mapping section, which is not shown). -->
<filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>*.ao</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>*.servlet</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>*.editDoc</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>*.openAccessory</url-pattern>
</filter-mapping>
2、applicationContext-acegi-security.xml中
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
<!-- ======================== FILTER CHAIN ======================= -->
<!--
FilterChainProxy calls these filters in order, which lets the filters use Spring IoC features.
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON: the URL is converted to lower case before it is compared.
PATTERN_TYPE_APACHE_ANT: Apache Ant style path patterns are used for matching.
rememberMeProcessingFilter,,anonymousProcessingFilter
channelProcessingFilter,filterInvocationInterceptor
-->
<!-- CAS single sign-on: use casProcessingFilter in place of authenticationProcessingFilter to enable single sign-on. -->
<!--
NOTE(review): the bean element below is not well-formed as published. Its class attribute
and the opening security:filter-chain-map tag are missing, so this listing cannot be
loaded as is and has to be completed from the original project before use.
The filter list that is visible applies to every URL that reaches the proxy (pattern /**)
and runs, in order: session context integration, logout, form authentication, exception
translation, and finally the authorization interceptor. The order is significant; the
interceptor has to stay last so that it sees the authenticated context.
rememberMeProcessingFilter and anonymousProcessingFilter are named in the comment above
but are not in the active filters attribute, so the remember-me beans defined later in
this file are not wired into the chain as shown. Confirm which is intended.
-->
<bean id="filterChainProxy" /-->
<security:filter-chain pattern="/**"
filters="httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor" />
</security:filter-chain-map>
</bean>
<!-- ======================== AUTHENTICATION ======================= -->
<!--
The providers property supplies a list of authentication providers. If one provider fails,
the next one can be tried, so that identities from different sources can be authenticated, e.g.
DaoAuthenticationProvider: validates identity against user information read from the database
AnonymousAuthenticationProvider: authentication of anonymous users
RememberMeAuthenticationProvider: authentication from user information stored in a cookie
Others include
AuthByAdapterProvider: validates identity using the container's adapter
CasAuthenticationProvider: validates identity against the Yale Central Authentication Service, used for single sign-on
JaasAuthenticationProvider: validates identity using user information from the JAAS login configuration
RemoteAuthenticationProvider: validates identity against a remote service
RunAsImplAuthenticationProvider: validates users whose identity has been replaced by the run-as manager
X509AuthenticationProvider: validates identity using user information from an X509 certificate
TestingAuthenticationProvider: used in unit tests
Each provider only authenticates the kind of token it is designated for; for example
DaoAuthenticationProvider only authenticates UsernamePasswordAuthenticationToken.
-->
<!--
NOTE(review): the bean definitions below are truncated as published. Class attributes and
most nested elements are missing, ids and values no longer belong together (for example
id passwordEncoder next to a login page path), and closing tags are left without an
opening tag. Treat this section as an outline and complete it from the original project.
The value blhOaWebKey2 is a literal key embedded in the configuration; presumably it is
the key of one of the providers (TODO confirm). Keys of this kind should be
deployment-specific values kept out of published or shared configuration.
The password encoder class is not visible here; confirm that stored passwords use a
salted, deliberately slow hash and not plaintext or a bare digest.
-->
<bean id="authenticationManager" value="blhOaWebKey2"/>
</bean>
<bean id="passwordEncoder" value="/sof_login.jsp"/>
<!-- Resources that can be accessed without logging in -->
<!--
NOTE(review): every entry in this list is exempt from authentication, so keep it to the
minimum needed for logging in (the login page and the login processing URL).
/sysmanage/ug/useradd.ao sits under a system management path and by its name looks like
a user creation action; confirm that unauthenticated access to it is intended, because
an entry here is reachable by anyone who can reach the application.
noAuthenticationUrl does not look like a property of a stock Acegi class; how the paths
are matched (exact, prefix, case, query string or path parameters) has to be checked in
the custom class that reads it.
-->
<property name="noAuthenticationUrl">
<list>
<value>/j_oa_security_check</value>
<value>/sof_login.jsp</value>
<value>/sysmanage/ug/useradd.ao</value>
</list>
</property>
</bean>
<!--
Automatic login by cookie (remember-me).
NOTE(review): the bean elements below are truncated as published (no class attribute, a
ref or value attribute directly on the bean element), so the wiring has to be restored
from the original project.
The key value is a literal in the configuration and the same literal is given to
rememberMeAuthenticationProvider. If this is the token-based remember-me service, the key
is the secret that protects the cookie token against forgery, so it should be a long
random value that is unique per deployment and is not the one printed on this page.
tokenValiditySeconds 864000 is 10 days. A remember-me cookie stays usable for that whole
period if it is copied from the browser or the network; confirm that this lifetime is
acceptable and that the cookie is only sent over HTTPS.
-->
<bean id="rememberMeServices" ref="userManagerService"/>
<property name="key" value="blhOaWebKey"/>
<property name="tokenValiditySeconds" value="864000"/>
</bean>
<bean id="rememberMeAuthenticationProvider" value="blhOaWebKey"/>
</bean>
<!--
Logout handling.
NOTE(review): the listing is truncated here. The element below carries the id logoutFilter,
but the properties that follow (authenticationFailureUrl, defaultTargetUrl,
filterProcessesUrl) and the reference to authenticationManager are those of a form login
processing filter, so two bean definitions appear to have been merged. Restore both beans
from the original project before use.
authenticationFailureUrl: page shown after a failed login.
defaultTargetUrl: page shown after a successful login when no earlier request was saved.
filterProcessesUrl: URL the login form posts to; it has to be covered by a filter-mapping
in web.xml, which /j_oa_security_check is.
-->
<bean id="logoutFilter" ref="authenticationManager"/>
<property name="authenticationFailureUrl" value="/sof_login.jsp?login_error=1"/>
<property name="defaultTargetUrl" value="/jsp/desktop/main.jsp"/>
<!--
<property name="defaultTargetUrl" value="/jsp/mainFrame.jsp?showFirstMessage=1"/>
-->
<!-- CAS single sign-on: use /j_spring_cas_security_check in place of /j_oa_security_check to enable single sign-on. -->
<!-- property name="filterProcessesUrl" value="/j_spring_cas_security_check"/-->
<property name="filterProcessesUrl" value="/j_oa_security_check"/>
</bean>
<!--
filterInvocationInterceptor checks the user permission information configured in
objectDefinitionSource before the request is passed on to the URL.
Process:
First, objectDefinitionSource defines the attributes required to access a URL (the
attributes are only markers that tell accessDecisionManager which voters to ask).
Then, authenticationManager calls its providers to validate the user's authentication information.
Finally, the voters decide, based on the authentication the user holds and the attributes
the URL requires, whether access is allowed.
-->
<!--
NOTE(review): the bean definitions in this section are truncated as published (missing
class attributes and opening tags, unbalanced closing tags); complete them from the
original project before use.
observeOncePerRequest=false: the access check is repeated each time a request passes
through the interceptor instead of once per request.
alwaysReauthenticate=true: the authentication is validated again by authenticationManager
on every secured request instead of trusting the already authenticated context.
rdbmsFilterInvocationDefinitionSource: by its name and properties, the URL to role rules
come from a database table (columns url and role) and are cached through
webresCacheBackend (TODO confirm in the custom class). Two points to verify there:
how a URL with no matching row is treated (if the interceptor is the stock one, a URL
without configured attributes is treated as public unless rejectPublicInvocations is set),
and how soon a changed or revoked rule takes effect given the cache.
/jsp/common/403.jsp is presumably the access denied page (the property that carries it is
not visible here).
-->
<bean id="filterInvocationInterceptor" /></property>
<property name="observeOncePerRequest" value="false"></property>
<property name="alwaysReauthenticate" value="true"></property>
</bean>
<bean id="rdbmsFilterInvocationDefinitionSource" />
<property name="webresdbCache" ref="webresCacheBackend" />
<property name="rdbmsInvocationDefinition">
<bean value="url"/>
<property name="rolesField" value="role"/>
</bean>
</property>
</bean>
<bean id="antUrlPathMatcher" />
<bean id="webresCacheBackend" value="/jsp/common/403.jsp"/>
</bean>
</property>
</bean>
<!--
When the user has not yet been authenticated, control is handed to an authentication
entry point. Three implementations are provided:
BasicProcessingFilterEntryPoint: HTTP Basic authentication
AuthenticationProcessingFilterEntryPoint: redirects the user to an HTML form login page
CasProcessingFilterEntryPoint: redirects the user to a Yale CAS login page
-->
<!--
NOTE(review): the bean element below is truncated as published; the value /sof_login.jsp
is presumably the login form URL of the entry point (TODO confirm).
forceHttps=false: the entry point does not switch the login page to HTTPS. Unless TLS is
enforced elsewhere (a channel processing filter, the container, or a reverse proxy), the
login form, the submitted password and the session and remember-me cookies can travel
over plain HTTP. Confirm where transport security is enforced for this deployment.
serverSideRedirect=false: the browser is sent an HTTP redirect to the login page instead
of a server-side forward.
-->
<bean id="authenticationProcessingFilterEntryPoint" value="/sof_login.jsp"/>
<property name="forceHttps" value="false"/>
<property name="serverSideRedirect" value="false"></property>
</bean>
</beans>