Spring MVC+BlazeDS+Flex框架实践：Security篇

    在Spring MVC+BlazeDS+Flex框架实践：Database篇的基础上，这次要加入的是Spring Security的配置与应用。至于Spring Security的原理及配置详解网上已经有很多可参考的文章，在这里就不再重复了。

一、Spring Security配置

1）添加Application-Security.xml

在JAVA工程src下创建Application-Security.xml
<?xml version="1.0" encoding="UTF-8"?><beans:beans xmlns:beans="http://www.springframework.org/schema/beans"xmlns="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd "><http auto-config="true" session-fixation-protection="none" access-denied-page="/modules/common/403.jsp"><form-login login-page="/modules/common/Index.html" authentication-failure-url="/modules/common/Index.html"default-target-url="/modules/common/Index.html" /><logout logout-success-url="/modules/common/index.html" /><intercept-url pattern="/modules/common/**" access="ROLE_ANONYMOUS" /><intercept-url pattern="/messagebroker/**" access="ROLE_ANONYMOUS" /> <intercept-url pattern="/modules/admin/**" access="ROLE_ADMIN" /><intercept-url pattern="/**" access="ROLE_USER" /></http><authentication-manager alias="authenticationManager" /><authentication-provider user-service-ref="customUserDetailsService"></authentication-provider><beans:bean id="loggerListener" class="com.hand.common.security.SecurityLogListener"><beans:property name="genericService" ref="genericService" /></beans:bean><beans:bean id="customLogoutFilter" class="org.springframework.security.ui.logout.LogoutFilter"><custom-filter before="LOGOUT_FILTER" /><beans:constructor-arg value="/"></beans:constructor-arg><beans:constructor-arg><beans:list><beans:bean class="com.hand.common.security.SecurityLogoutHandler"><beans:property name="genericService" ref="genericService" /></beans:bean></beans:list></beans:constructor-arg></beans:bean><beans:bean id="customUserDetailsService" class="com.hand.common.security.FlexUserDetailsService"><beans:property name="genericService" ref="genericService"></beans:property><beans:property name="userNameProperty"><beans:value>userName</beans:value></beans:property></beans:bean></beans:beans>

2）修改web.xml

在添加Application-Security.xml后，需要在web.xml中将其添加到初始化加载列表中
修改web.xml以下配置：
<context-param><param-name>contextConfigLocation</param-name><param-value>classpath:ApplicationContext.xml,classpath:Application-Flex.xml,classpath:Application-hibernate.xml,classpath:Application-Security.xml</param-value></context-param>

 

二、Security类创建

在JAVA工程src下创建package com.common.security

创建SecurityLogListener.java

package com.common.security;import java.util.Date;import java.util.HashMap;import java.util.List;import java.util.Map;import org.apache.commons.logging.Log;import org.apache.commons.logging.LogFactory;import org.springframework.context.ApplicationEvent;import org.springframework.context.ApplicationListener;import org.springframework.security.event.authentication.AbstractAuthenticationEvent;import org.springframework.security.event.authentication.AuthenticationSuccessEvent;import org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent;import org.springframework.security.ui.WebAuthenticationDetails;import org.springframework.security.ui.session.HttpSessionApplicationEvent;import org.springframework.security.ui.session.HttpSessionDestroyedEvent;import com.common.hibernate.GenericService;import flex.messaging.FlexContext;public class SecurityLogListener implements ApplicationListener {private static final Log logger = LogFactory.getLog(SecurityLogListener.class);GenericService genericService;public GenericService getGenericService() {return genericService;}public void setGenericService(GenericService genericService) {this.genericService = genericService;}public void onApplicationEvent(ApplicationEvent event) {if (event instanceof AbstractAuthenticationEvent) {try {AbstractAuthenticationEvent authEvent = (AbstractAuthenticationEvent) event;if (event instanceof AuthenticationSuccessEvent) {Object obj = authEvent.getAuthentication().getPrincipal();if (obj instanceof FlexUserDetails) {System.out.println("Username: "+((FlexUserDetails) obj).getUsername());System.out.println("Login Date: "+new Date());System.out.println("Session Id: "+FlexContext.getFlexSession().getId());}} else if (event instanceof InteractiveAuthenticationSuccessEvent)logger.warn("InteractiveAuthenticationSuccessEvent:" + authEvent.getAuthentication().getDetails());} catch (Exception e) {// TODO Auto-generated catch blocke.printStackTrace();}} else if (event instanceof HttpSessionApplicationEvent) {HttpSessionApplicationEvent sessionEvent = (HttpSessionApplicationEvent) event;if (event instanceof HttpSessionDestroyedEvent) {logger.info("[destroy]"+sessionEvent.getSession().getId());Map<String, Object> params = new HashMap<String, Object>();params.put("sessionId", sessionEvent.getSession().getId());System.out.println("Session Id: "+sessionEvent.getSession().getId());System.out.println("Session remove date: "+new Date());}else logger.info("[create]"+sessionEvent.getSession().getId());}}}

 

创建SecurityLogoutHandler.java
package com.common.security;import java.util.Date;import java.util.HashMap;import java.util.List;import java.util.Map;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import org.apache.commons.logging.Log;import org.apache.commons.logging.LogFactory;import org.springframework.security.Authentication;import org.springframework.security.ui.logout.SecurityContextLogoutHandler;import com.common.hibernate.GenericService;public class SecurityLogoutHandler extends SecurityContextLogoutHandler {private static final Log logger = LogFactory.getLog(SecurityLogoutHandler.class);GenericService genericService;public SecurityLogoutHandler() {super();}public GenericService getGenericService() {return genericService;}public void setGenericService(GenericService genericService) {this.genericService = genericService;}public void logout(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse,Authentication authentication) {try {Map<String, Object> params = new HashMap<String, Object>();params.put("sessionId", httpservletrequest.getSession().getId());} catch (Exception e) {// TODO Auto-generated catch blocke.printStackTrace();}super.logout(httpservletrequest, httpservletresponse, authentication);}}

 

创建FlexUserDetails.java

此类中的信息与数据库的结构有关
package com.common.security;import java.util.Date;import org.springframework.security.GrantedAuthority;import org.springframework.security.userdetails.UserDetails;import com.admin.domain.FrameworkUser;public class FlexUserDetails implements UserDetails { private FrameworkUser fu; private GrantedAuthority[] authorities; public FlexUserDetails(FrameworkUser user,GrantedAuthority[] roles){ this.fu=user; this.authorities=roles; }public GrantedAuthority[] getAuthorities() {return authorities;}public String getPassword() {return fu.getUserPassword();}public String getUsername() {// TODO Auto-generated method stubreturn fu.getUserName();}public boolean isAccountNonExpired() { return true;}public boolean isAccountNonLocked() {// TODO Auto-generated method stubreturn true;}public boolean isCredentialsNonExpired() {// TODO Auto-generated method stubreturn true;}public boolean isEnabled() {Date now=new Date();return fu.getStartDateActive().before(now)&&(fu.getEndDateActive()==null||fu.getEndDateActive().after(now));}public FrameworkUser getFu() {return fu;}public void setFu(FrameworkUser fu) {this.fu = fu;}public void setAuthorities(GrantedAuthority[] authorities) {this.authorities = authorities;}}

 

创建FlexUserDetailsService.java
     此类中具体执行了用户登录时的授权等操作，其中明确了当用户为"admin"时，为其授予ROLE_ADMIN、ROLE_USER、ROLE_ANONYMOUS权限；而其他用户则只有ROLE_USER、ROLE_ANONYMOUS权限。不同权限的访问范围在Application-Security.xml中进行控制。本例中只有ROLE_ADMIN权限的角色才能访问modules/admin下的页面。
package com.common.security;import java.util.ArrayList;import java.util.HashMap;import java.util.List;import java.util.Map;import org.apache.log4j.Logger;import org.springframework.context.support.MessageSourceAccessor;import org.springframework.dao.DataAccessException;import org.springframework.security.GrantedAuthority;import org.springframework.security.GrantedAuthorityImpl;import org.springframework.security.SpringSecurityMessageSource;import org.springframework.security.userdetails.UserDetails;import org.springframework.security.userdetails.UserDetailsService;import org.springframework.security.userdetails.UsernameNotFoundException;import com.admin.domain.FrameworkUser;import com.common.hibernate.GenericService;public class FlexUserDetailsService implements UserDetailsService {private static final Logger logger = Logger.getLogger(AuthenticationHelper.class);private GenericService genericService;private String userNameProperty;protected MessageSourceAccessor messages;private String authoritiesbyUsernameQuery;public FlexUserDetailsService() {messages = SpringSecurityMessageSource.getAccessor();}public GenericService getGenericService() {return genericService;}public void setGenericService(GenericService genericService) {this.genericService = genericService;}public String getUserNameProperty() {return userNameProperty;}public void setUserNameProperty(String userNameProperty) {this.userNameProperty = userNameProperty;}public String getAuthoritiesbyUsernameQuery() {return authoritiesbyUsernameQuery;}public void setAuthoritiesbyUsernameQuery(String authoritiesbyUsernameQuery) {this.authoritiesbyUsernameQuery = authoritiesbyUsernameQuery;}public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException, DataAccessException {System.out.println("UserDetails: loadUserByUsername");List users = new ArrayList();try {users = this.loadUsersByUsername(name);} catch (Exception e) {// TODO Auto-generated catch blocke.printStackTrace();}if (users.size() == 0)throw new UsernameNotFoundException(messages.getMessage("JdbcDaoImpl.notFound", new Object[] { name },"Username {0} not found"), name);FrameworkUser user = (FrameworkUser) users.get(0);GrantedAuthority[] roles = loadUserAuthorities(name);if (roles == null)throw new UsernameNotFoundException(messages.getMessage("JdbcDaoImpl.noAuthority", new Object[] { name },"User {0} has no GrantedAuthority"), name);logger.info("roles " + roles.length);logger.info("login in success," + user.getUserName());return new FlexUserDetails(user, roles);}private List<Object> loadUsersByUsername(String name) throws Exception {System.out.println("List<Object>: loadUserByUsername");Map<String, Object> params = new HashMap<String, Object>();params.put(this.userNameProperty, name);return genericService.findByProperty(FrameworkUser.class.getName(), params);}private GrantedAuthority[] loadUserAuthorities(String name) {Map params = new HashMap();params.put("userName", name);List<GrantedAuthority> roles = new ArrayList<GrantedAuthority>();if(name.equals("admin")){roles.add(new GrantedAuthorityImpl(name));roles.add(new GrantedAuthorityImpl("ROLE_ANONYMOUS"));roles.add(new GrantedAuthorityImpl("ROLE_ADMIN"));roles.add(new GrantedAuthorityImpl("ROLE_USER"));System.out.println("授权: ROLE_ADMIN,ROLE_ANONYMOUS");}else{roles.add(new GrantedAuthorityImpl(name));roles.add(new GrantedAuthorityImpl("ROLE_ANONYMOUS"));roles.add(new GrantedAuthorityImpl("ROLE_USER"));System.out.println("授权: ROLE_USER,ROLE_ANONYMOUS");}GrantedAuthority[] authoritiesarray = new GrantedAuthority[roles.size()];roles.toArray(authoritiesarray);return authoritiesarray;}}

 

创建AuthenticationHelper.java

     此类在用户登录时被调用

package com.common.security;import java.util.HashMap;import java.util.Map;import org.apache.log4j.Logger;import org.springframework.security.Authentication;import org.springframework.security.AuthenticationManager;import org.springframework.security.GrantedAuthority;import org.springframework.security.context.SecurityContextHolder;import org.springframework.security.providers.UsernamePasswordAuthenticationToken;import org.springframework.security.userdetails.UserDetails;import flex.messaging.FlexContext;public class AuthenticationHelper {private static final Logger logger = Logger.getLogger(AuthenticationHelper.class);private AuthenticationManager authenticationManager;public AuthenticationManager getAuthenticationManager() {return authenticationManager;}public void setAuthenticationManager(AuthenticationManager authenticationManager) {this.authenticationManager = authenticationManager;}public void authenticatePrincipal(String username, String password) {//try{logger.info("user login system! username:" + username);UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(username, password);Authentication authentication = authenticationManager.authenticate(usernamePasswordAuthenticationToken);SecurityContextHolder.getContext().setAuthentication(authentication);GrantedAuthority[] authorities = SecurityContextHolder.getContext().getAuthentication().getAuthorities();int numAuthorities = authorities.length;String[] grantedRoles = new String[numAuthorities];for (int counter = 0; counter < numAuthorities; counter++) {grantedRoles[counter] = authorities[counter].getAuthority();}String name = SecurityContextHolder.getContext().getAuthentication().getName();logger.info("登录成功!");//}catch(Exception e){e.printStackTrace();}}public Map getCurrentUser() {if (SecurityContextHolder.getContext() == null|| SecurityContextHolder.getContext().getAuthentication() == null|| SecurityContextHolder.getContext().getAuthentication().getPrincipal() == null) {Map temp = new HashMap();temp.put("userName", "System");temp.put("userId", 0);return temp;}Map user = new HashMap();Object obj = SecurityContextHolder.getContext().getAuthentication().getPrincipal();if (obj instanceof UserDetails) {user.put("userDescription", ((FlexUserDetails) obj).getFu().getUserDescription());user.put("userId", ((FlexUserDetails) obj).getFu().getUserId());user.put("userName", ((FlexUserDetails) obj).getUsername());} else {user.put("userName", obj.toString());user.put("userId", -100);}logger.info(user);return user;}public Long getCurrentUserId() {if (this.getCurrentUser().get("userId") != null)return Long.valueOf(this.getCurrentUser().get("userId").toString());return new Long(-100);}}

 

三、配置AuthenticationHelper

1）发布AuthenticationHelper

在Application-Flex.xml中添加如下配置：
<bean id="authenticationHelper" class="com.hand.common.security.AuthenticationHelper"><property name="authenticationManager" ref="authenticationManager"></property><flex:remoting-destination /></bean>

2）创建CommonModule.mxml

在FLEX工程modules/common目录下创建CommonModule.mxml，用以实现Security验证
<?xml version="1.0" encoding="utf-8"?><mx:Module xmlns:mx="http://www.adobe.com/2006/mxml" layout="absolute" width="500" height="300"><mx:RichTextEditor x="0" y="0" title="Title" width="100%" height="100%"></mx:RichTextEditor></mx:Module>

3）引用authenticationHelper
在FLEX工程remoting-config.xml中添加如下配置：
<destination id="authenticationHelper"><properties><source>authenticationHelper</source></properties></destination>

3）修改Index.mxml

在Index.mxml中调用authenticationHelper，修改后的Index.mxml内容如下：
<?xml version="1.0" encoding="utf-8"?><mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" layout="vertical" horizontalAlign="center" creationComplete="initApp()" fontSize="15" ><mx:Script><!--[CDATA[import mx.rpc.events.FaultEvent;import mx.rpc.events.ResultEvent;import mx.controls.Alert;private function initApp():void{UserService.getMessage();UserService.getMessage.addEventListener(ResultEvent.RESULT, getMessageHandler);}private function getMessageHandler(evt:ResultEvent):void{UserService.getMessage.removeEventListener(ResultEvent.RESULT, getMessageHandler);initText.text = evt.result as String;}private function login():void{//添加登录成功监听器authenticationHelper.authenticatePrincipal.addEventListener(ResultEvent.RESULT, loginSuccess);//添加登录失败监听器authenticationHelper.authenticatePrincipal.addEventListener(FaultEvent.FAULT, loginFailure);//向服务器发送登录请求authenticationHelper.authenticatePrincipal(username.text, password.text);}private function loginSuccess(event:Event):void{authenticationHelper.authenticatePrincipal.removeEventListener(ResultEvent.RESULT, loginSuccess);this.currentState='loginSuccess';}private function loginFailure(event:FaultEvent):void{Alert.show("登录不成功！"+event.fault.faultString);authenticationHelper.removeEventListener(FaultEvent.FAULT, loginFailure);}private function changeState(sign:String):void{currentState = 'moduleState';if(sign=='A'){currentState = 'moduleState';moduleLoader.url = '../admin/UserModule.swf';}else{currentState = 'moduleState';moduleLoader.url = '../common/CommonModule.swf';}}private function logout():void{navigateToURL(new URLRequest("javascript:location.href='TestProject/j_spring_security_logout';"), "_self");}]]--></mx:Script><mx:RemoteObject id="UserService" destination="UserService"/><mx:RemoteObject id="authenticationHelper" destination="authenticationHelper"/><mx:states><mx:State name="loginSuccess"><mx:RemoveChild target="{vbox1}"/><mx:AddChild position="lastChild"><mx:VBox width="50%" height="30%" horizontalAlign="center" verticalAlign="middle"><mx:LinkButton label="admin.mxml" click="changeState('A')"/><mx:LinkButton label="common.mxml" click="changeState('B')"/></mx:VBox></mx:AddChild></mx:State><mx:State name="moduleState"><mx:RemoveChild target="{vbox1}"/><mx:AddChild position="lastChild"><mx:ModuleLoader width="50%" height="50%" id="moduleLoader" url="../admin/UserModule.swf"/></mx:AddChild><mx:AddChild position="lastChild"><mx:LinkButton label="返回" click="currentState='loginSuccess'"/></mx:AddChild><mx:AddChild position="lastChild"><mx:LinkButton label="退出" click="logout()"/></mx:AddChild></mx:State></mx:states><mx:Label text="Welcome" id="initText" fontWeight="bold"/><mx:VBox width="50%" height="50%" horizontalAlign="center" verticalAlign="middle" id="vbox1"> <mx:FormItem label="用户名" labelWidth="100"> <mx:TextInput id="username" width="200"/> </mx:FormItem> <mx:FormItem label="密码" labelWidth="100"> <mx:TextInput id="password" width="200" displayAsPassword="true"/> </mx:FormItem> <mx:Button label="登录" width="80" click="login()"/></mx:VBox></mx:Application>

 

四、编译运行
1）编译FLEX工程
选择Project—>Clean—>TestProject

2）拷贝FLEX编译目录bin-debug/modules到JAVA工程WebRoot下

3）启动本地数据库

4）启动服务器

5）服务器正常启动后，在浏览器内输入(其中9090为服务器端口号)

http://localhost:9090/TestProject/modules/common/Index.html

 

运行结果：
以Sky用户登录

 

登录首页

 

查看modules/admin/UserModule.swf，由于权限控制将无法访问

 

查看modules/common/CommonModule.swf

 

以admin用户登录

 

查看modules/admin/UserModule/swf，由于已经为该用户授予了权限，因此可以访问

 

查看modules/common/CommonModule.swf

 

 

到此Spring MVC+BlzeDS+Flex框架的搭建三个过程都已经结束，如果今后还有新的内容我会及时和大家分享。