Acegi保护对方法的呼叫
Acegi是专为 Spring 设计的安全框架,藉由Spring所提供的AOP功能,
可以使用org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor来对方法呼叫进行拦截,
对方法的呼叫设定权限保护。
举个实际的例子来说,假设您设计了以下的介面与方法:
* ISome.java
package onlyfun.caterpillar;
public interface ISome {
public void doNormal();
public void doSupervisor();
}
* Some.java
package onlyfun.caterpillar;
public class Some implements ISome {
public void doNormal() {
System.out.println("do normal...");
}
public void doSupervisor() {
System.out.println("do supervisor...");
}
}
假设某个请求下,会对Some的实例之方法进行呼叫,例如某个Servlet:
* SomeServlet.java
package onlyfun.caterpillar;
import java.io.*;
import java.net.*;
import javax.servlet.*;
import javax.servlet.http.*;
import org.springframework.context.ApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;
public class SomeServlet extends HttpServlet {
protected void processRequest(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
response.setContentType("text/html;charset=UTF-8");
ApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(
request.getSession().getServletContext());
ISome some = (ISome) ctx.getBean("some");
some.doNormal();
some.doSupervisor();
PrintWriter out = response.getWriter();
out.print("process successfully...");
out.close();
}
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
processRequest(request, response);
}
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
processRequest(request, response);
}
public String getServletInfo() {
return "Short description";
}
}
在web.xml中增加SomeServlet的定义:
<servlet>
<servlet-name>SomeServlet</servlet-name>
<servlet-class>onlyfun.caterpillar.SomeServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>SomeServlet</servlet-name>
<url-pattern>/SomeServlet</url-pattern>
</servlet-mapping>
在不设限的情况下,请求SomeServlet,会呼叫Some实例的doNormal()方法与doSecurity()方法,
现在假设您想让 doSecurity()只让ROLE_SUPERVISOR的使用者来呼叫,则您可以在acegi-config.xml中加入:
* acegi-config.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
...
<bean />
<bean
>
<property >
<ref bean="authenticationManager"/>
</property>
<property >
<ref bean="accessDecisionManager"/>
</property>
<property >
<value>onlyfun.caterpillar.ISome.doSupervisor=ROLE_SUPERVISOR</value>
</property>
</bean>
<bean
>
<property >
<list>
<value>some</value>
</list>
</property>
<property >
<list>
<value>methodSecurityInterceptor</value>
</list>
</property>
</bean>
</beans>
完成以下设定,如果再次请求SomeServlet,可以在控制台中看到doNormal()执行完成,
但doSecurity()必须是 ROLE_SUPERVISOR才可以存取,因此您会被送往acegilogin.jsp进行登入,
如果登入正确,就会执行doSecurity(),如果登入为非ROLE_SUPERVISOR,则会发生授权失败的例外。
