
Spring Security 3.x simple guide

2013-11-22 

1. Create a web project and import all the required libs; I won't go into this step.

2. Configure web.xml so that it is loaded through Spring's mechanism:

I trust everyone is already familiar with the contents of this file, so I won't say more about it.

3. Now look at the applicationContext-security.xml configuration file; all of the Spring Security configuration lives in it:

4. Now look at the implementation of the custom filter:


package com.robin.erp.fwk.security;

import java.util.Collection;
import java.util.Iterator;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

public class MyAccessDecisionManager implements AccessDecisionManager {

    // This method compares the authentication with configAttributes.
    // 1. object is a URL; a filter looked up the permission configuration
    //    for this URL and passed it here.
    // 2. Check whether the authentication holds an attribute from the
    //    permission configuration (configAttributes).
    // 3. If no matching authority is found, throw an AccessDeniedException.
    @Override
    public void decide(Authentication authentication, Object object,
            Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {
        // No definition for this resource: let the request through.
        if (configAttributes == null) {
            return;
        }
        System.out.println(object.toString()); // object is a URL.
        Iterator<ConfigAttribute> ite = configAttributes.iterator();
        while (ite.hasNext()) {
            ConfigAttribute ca = ite.next();
            String needRole = ((SecurityConfig) ca).getAttribute();
            for (GrantedAuthority ga : authentication.getAuthorities()) {
                if (needRole.equals(ga.getAuthority())) { // ga is the user's role.
                    return;
                }
            }
        }
        throw new AccessDeniedException("no right");
    }

    @Override
    public boolean supports(ConfigAttribute attribute) {
        return true;
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true;
    }
}

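The most important part of this class is the decide method. If no definition exists for the resource, the request is let through directly, which means any URL missing from the resource definitions is reachable by every caller. Otherwise, if a matching role is found, the user is considered to have permission and the request is let through; if not, it throws new AccessDeniedException("no right"), which sends the user to the 403.jsp page mentioned above.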
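The decide method above allows any resource that has no definition. The variant below is an added example, not part of the original guide, that keeps the same role matching but denies such requests instead. The class name DenyByDefaultDecisionManager, the user alice and the sample URLs are hypothetical, and it assumes spring-security-core 3.x on the classpath.

```java
import java.util.Collection;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

// Added example (hypothetical class): fail-closed variant of MyAccessDecisionManager.
public class DenyByDefaultDecisionManager implements AccessDecisionManager {
    public void decide(Authentication authentication, Object object,
            Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {
        if (configAttributes == null || configAttributes.isEmpty()) {
            // Fail closed: an unmapped URL is a configuration gap, not a grant.
            throw new AccessDeniedException("no definition for " + object);
        }
        for (ConfigAttribute ca : configAttributes) {
            String needRole = ca.getAttribute(); // interface method, no cast needed
            for (GrantedAuthority ga : authentication.getAuthorities()) {
                if (needRole != null && needRole.equals(ga.getAuthority())) {
                    return; // the user holds one of the required roles
                }
            }
        }
        throw new AccessDeniedException("no right");
    }
    public boolean supports(ConfigAttribute attribute) { return true; }
    public boolean supports(Class<?> clazz) { return true; }

    // Constructed sample user with ROLE_USER; true means the request is allowed.
    static boolean allowed(String url, Collection<ConfigAttribute> attrs) {
        Authentication user = new UsernamePasswordAuthenticationToken("alice", "n/a",
                AuthorityUtils.createAuthorityList("ROLE_USER"));
        try {
            new DenyByDefaultDecisionManager().decide(user, url, attrs);
            return true;
        } catch (AccessDeniedException e) {
            return false;
        }
    }
    public static void main(String[] args) {
        System.out.println(allowed("/user/home.jsp", SecurityConfig.createList("ROLE_USER")));
        System.out.println(allowed("/admin/list.jsp", SecurityConfig.createList("ROLE_ADMIN")));
        System.out.println(allowed("/unmapped.jsp", null)); // no definition for this URL
    }
}
```

With this variant, pages that should be public need an explicit entry in the resource definitions, since a missing entry no longer grants access.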
