hanyexiaoxiao
hanyexiaoxiao
2009-06-01 16:53

spring security 基于数据库的配置 控制不了url

已采纳

spring security 配置文件
<?xml version="1.0" encoding="UTF-8"?>
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd"
>

<description>使用SpringSecurity的安全配置文件</description>

<!-- Turns on method-level checks driven by @Secured annotations. -->
<s:global-method-security secured-annotations="enabled">
</s:global-method-security>

<!-- HTTP security configuration.
     The intercept-url rules below are static: they feed the FilterSecurityInterceptor that the
     namespace creates itself, and they are evaluated in declaration order with the first match
     winning. The database-driven interceptor declared further down in this file is a second,
     separate check. Both use the same accessDecisionManager bean. -->
<s:http auto-config="true" access-denied-page="/403.jsp" access-decision-manager-ref="accessDecisionManager">
    <!-- filters="none" removes the login page from the security filter chain entirely, so neither
         the static rules nor the database-driven interceptor ever see requests for it. -->
    <s:intercept-url pattern="/login.jsp" filters="none"/>
    <!-- Must stay above the catch-all rule, otherwise "/**" would match first. -->
    <s:intercept-url pattern="/jsp/security/**" access="A_MODIFY_USER"/>
    <!-- Catch-all: every other URL requires the A_VIEW_USER authority. -->
    <s:intercept-url pattern="/**" access="A_VIEW_USER"/>
    <s:form-login login-page="/login.jsp" default-target-url="/portal/login.jspx"
        authentication-failure-url="/login.jsp?error=true" />
    <s:logout logout-success-url="/portal/logout.jspx" />
</s:http>

<!-- Authenticates against the project's userDetailsService bean.
     NOTE(review): no s:password-encoder child is declared here, so the submitted password appears
     to be compared with the stored value as-is, which implies the password column holds plaintext.
     Confirm, and configure a password encoder with a salted hash if so. -->
<s:authentication-provider user-service-ref="userDetailsService">
</s:authentication-provider>

<!-- Exposes the namespace-created AuthenticationManager under an id that the
     filterSecurityInterceptor bean in this file can reference. -->
<s:authentication-manager alias="authenticationManager"/>

    <!-- Project-specific user lookup service: loads the account and its granted authorities
         through userDAO (see UserDetailServiceImpl). -->
<bean id="userDetailsService" class="com.zldigital.security.service.security.UserDetailServiceImpl">
    <property name="userDAO">
        <ref bean="userDAO"/>
    </property>
</bean>

<!-- Project-specific service that reads the URL-pattern to authority-names mapping through
     resourceDAO (see ResourceDetailServiceImpl). The rows it returns are the access-control
     policy for the database-driven interceptor, so write access to that table should be as
     restricted as write access to this file. -->
<bean id="resourceDetailService" class="com.zldigital.security.service.security.ResourceDetailServiceImpl">
    <property name="resourceDAO">
        <ref bean="resourceDAO"/>
    </property>
</bean>

<!-- Factory for the definition source; it uses the URL to authority mapping supplied by
     resourceDetailService. DefinitionSourceFactoryBean reports isSingleton() == true, so the
     mapping is presumably built once when the context starts; later changes to the resource
     table would then not take effect until the context is reloaded. Confirm before relying
     on runtime edits to revoke access. -->
<bean id="databaseDefinitionSource" class="com.zldigital.security.service.security.DefinitionSourceFactoryBean">
    <property name="resourceDetailService" ref="resourceDetailService" />
</bean>

<!-- Redefined FilterSecurityInterceptor that takes its URL to authority rules from
     databaseDefinitionSource instead of the static intercept-url entries.
     NOTE(review): a request whose URL matches no pattern in the definition source carries no
     config attributes; unless rejectPublicInvocations is set to true on this bean, the
     interceptor is expected to treat such a request as public and let it through. Only the
     static "/**" rule in s:http then still applies. Verify against the Spring Security
     version in use. -->
<bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <property name="accessDecisionManager" ref="accessDecisionManager" />
    <property name="objectDefinitionSource" ref="databaseDefinitionSource" />
    <property name="authenticationManager" ref="authenticationManager"/>
    <!-- false: repeat the check each time the request passes through this filter
         (for example on a forward), not only once per request. -->
    <property name="observeOncePerRequest" value="false"></property>
    <!-- Registers this bean in the namespace-built filter chain, ahead of the namespace's own
         FilterSecurityInterceptor. Without this element the bean is never invoked. -->
    <s:custom-filter before="FILTER_SECURITY_INTERCEPTOR"/>
</bean>


<!-- Access decision configuration; changes the default authority-name prefix from ROLE_ to A_.
     AffirmativeBased grants access as soon as any one voter votes to grant.
     NOTE(review): RoleVoter only votes on config attributes that start with its rolePrefix.
     Authority names stored in the database (both the names granted to users and the names
     attached to URL resources) therefore need the A_ prefix; an attribute without it makes
     RoleVoter abstain, and when every voter abstains the request is denied unless
     allowIfAllAbstainDecisions has been enabled. Check the stored values. -->
<bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
    <property name="decisionVoters">
        <list>
            <bean class="org.springframework.security.vote.RoleVoter">
                <property name="rolePrefix" value="A_" />
            </bean>
            <!-- Handles the IS_AUTHENTICATED_* attributes; abstains on everything else. -->
            <bean class="org.springframework.security.vote.AuthenticatedVoter" />
        </list>
    </property>
</bean>

UserDetailServiceImpl类
/**
 * Bridges the project's {@code Users} entity to Spring Security's {@code UserDetailsService}
 * contract: looks the account up by login name and flattens the authorities of all its roles
 * into the {@code UserDetails} handed to the authentication provider.
 */
public class UserDetailServiceImpl implements UserDetailsService {

    /** DAO used for the account lookup; set through {@link #setUserDAO(IUserDAO)}. */
    private IUserDAO userDAO;

    public IUserDAO getUserDAO() {
        return userDAO;
    }

    public void setUserDAO(IUserDAO userDAO) {
        this.userDAO = userDAO;
    }

    /**
     * Loads the account with the given login name.
     *
     * @param username login name submitted at authentication time
     * @return a Spring Security {@code User} carrying the stored login name, the stored password
     *         value and every authority reachable through the account's roles
     * @throws UsernameNotFoundException if the DAO returns no account for {@code username}
     * @throws DataAccessException declared for lookup failures raised by the DAO layer
     */
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        Users account = this.getUserDAO().findByLoginName(username);
        if (account == null) {
            throw new UsernameNotFoundException(username);
        }

        GrantedAuthority[] authorities = obtainGrantedAuthorities(account);

        // NOTE(review): the four account-status flags below are constants, so an account can
        // never be reported as disabled, expired or locked through this service. If the Users
        // entity tracks any such state, it should be mapped here instead.
        final boolean alwaysEnabled = true;
        final boolean neverExpired = true;
        final boolean credentialsAlwaysValid = true;
        final boolean neverLocked = true;

        // The password is passed through exactly as stored; how it is compared with the
        // submitted one is decided by the authentication provider configuration.
        return new org.springframework.security.userdetails.User(
                account.getLoginName(),
                account.getPassword(),
                alwaysEnabled,
                neverExpired,
                credentialsAlwaysValid,
                neverLocked,
                authorities);
    }

    /**
     * Collects the authority names of every role assigned to {@code user}.
     * A set is used so that an authority shared by several roles is not added twice
     * (assuming {@code GrantedAuthorityImpl} compares by name; confirm); the order of the
     * resulting array is therefore unspecified.
     */
    private GrantedAuthority[] obtainGrantedAuthorities(Users user) {
        Set<GrantedAuthority> collected = new HashSet<GrantedAuthority>();
        for (Roles assignedRole : user.getUsersRoleses()) {
            for (Authorities authority : assignedRole.getRolesAuthoritieses()) {
                GrantedAuthority granted = new GrantedAuthorityImpl(authority.getName());
                collected.add(granted);
            }
        }
        GrantedAuthority[] result = new GrantedAuthority[collected.size()];
        return collected.toArray(result);
    }

}

ResourceDetailServiceImpl类
/**
 * Reads the protected-resource table and exposes it as an ordered map of
 * URL pattern to authority names, the raw input for the database-driven definition source.
 */
public class ResourceDetailServiceImpl implements ResourceDetailService {

    /** DAO that returns all {@code Resources} rows; set through the setter below. */
    private IResourceDAO resourceDAO;

    public IResourceDAO getResourceDAO() {
        return resourceDAO;
    }

    public void setResourceDAO(IResourceDAO resourceDAO) {
        this.resourceDAO = resourceDAO;
    }

    /**
     * Builds the URL pattern to authority-names map from every row the DAO returns.
     *
     * <p>The map keeps the order in which {@code findAll()} delivers the rows. NOTE(review): if
     * the consumer applies first-match-wins semantics, that order is part of the policy, so the
     * DAO query should sort deterministically with the most specific patterns first. Confirm.
     *
     * @return insertion-ordered map; a later row with the same pattern overwrites an earlier one
     * @throws Exception declared by the {@code ResourceDetailService} contract
     */
    @SuppressWarnings("unchecked")
    public LinkedHashMap<String, String> getRequestMap() throws Exception {
        LinkedHashMap<String, String> urlToAuthorities = new LinkedHashMap<String, String>();
        List<Resources> rows = (List<Resources>) this.getResourceDAO().findAll();
        for (Resources row : rows) {
            String urlPattern = row.getValue();
            String authorityNames = row.getAuthNames();
            // NOTE(review): debug output of the whole authorization mapping to stdout; useful
            // while diagnosing why rules do not apply, but it should not stay in production.
            System.out.println(urlPattern + "====" + authorityNames);
            urlToAuthorities.put(urlPattern, authorityNames);
        }
        return urlToAuthorities;
    }

}

DefinitionSourceFactoryBean类

/**
 * Spring {@code FactoryBean} that turns the URL pattern to authority-names map supplied by
 * {@code ResourceDetailService} into a {@code DefaultFilterInvocationDefinitionSource} for a
 * {@code FilterSecurityInterceptor}.
 *
 * <p>{@link #isSingleton()} returns {@code true}, so the container is expected to call
 * {@link #getObject()} once and reuse the result: rules changed in the database afterwards are
 * presumably not picked up until the context is reloaded.
 */
public class DefinitionSourceFactoryBean implements FactoryBean {

    /** Source of the raw URL pattern to authority-names mapping. */
    private ResourceDetailService resourceDetailService;

    public void setResourceDetailService(ResourceDetailService requestMapService) {
        this.resourceDetailService = requestMapService;
    }

    /**
     * Creates the definition source from the current content of the resource service.
     *
     * @return a new {@code DefaultFilterInvocationDefinitionSource}
     * @throws Exception if reading the mapping fails
     */
    public Object getObject() throws Exception {
        LinkedHashMap<RequestKey, ConfigAttributeDefinition> rules = getRequestMap();
        UrlMatcher pathMatcher = getUrlMatcher();
        return new DefaultFilterInvocationDefinitionSource(pathMatcher, rules);
    }

    @SuppressWarnings("unchecked")
    public Class getObjectType() {
        return FilterInvocationDefinitionSource.class;
    }

    public boolean isSingleton() {
        return true;
    }

    /**
     * Supplies the Ant-style matcher used for the stored patterns.
     * NOTE(review): with its default settings this matcher is expected to lower-case the request
     * URL before matching, in which case a stored pattern containing upper-case characters would
     * never match and the URL would fall through unprotected by this source. Verify the stored
     * patterns against the Spring Security version in use.
     */
    private UrlMatcher getUrlMatcher() {
        return new AntUrlPathMatcher();
    }

    /**
     * Converts each (pattern, authority names) pair into the key and attribute types the
     * definition source expects, preserving the order of the source map.
     */
    private LinkedHashMap<RequestKey, ConfigAttributeDefinition> getRequestMap() throws Exception {
        LinkedHashMap<String, String> rawRules = resourceDetailService.getRequestMap();
        ConfigAttributeEditor attributeParser = new ConfigAttributeEditor();
        LinkedHashMap<RequestKey, ConfigAttributeDefinition> converted =
                new LinkedHashMap<RequestKey, ConfigAttributeDefinition>();
        for (Map.Entry<String, String> rule : rawRules.entrySet()) {
            // Second argument is null; presumably "any HTTP method" (confirm against RequestKey).
            RequestKey pattern = new RequestKey(rule.getKey(), null);
            // The editor parses the authority-names text into a ConfigAttributeDefinition.
            attributeParser.setAsText(rule.getValue());
            ConfigAttributeDefinition attributes = (ConfigAttributeDefinition) attributeParser.getValue();
            converted.put(pattern, attributes);
        }
        return converted;
    }

}

数据库里头配置url和权限,在web页面拦截不了,不知道为什么?


1条回答

  • zhiweiv zhiweiv 12年前

    springside里面的代码吧?说实话,springside里面关于Spring Security的部分,我个人认为做得不怎么样,分得太细了。对于普通应用,只需要授权和资源两层就够了,即user拥有ROLE_**的授权,ROLE_**对应不同的url。而springside里面分成了用户、角色、授权、资源四层,其实把角色和授权合并为一体就可以了,分得那么细实在是费力不讨好。要是Spring Security方面有问题,咱们可以探讨一下,前一段时间我研究过这个,稍微有点心得。

