spring security 续

发现spring的配置方式多种多样,刚才又发现了一种:如下把sql写在配置文件里。我感觉这样不太好,但也是一种方式。
spring配置文件中定义:
<authentication-provider>
    <jdbc-user-service data-source-ref="dataSource"
        users-by-username-query="select username,password,enabled from t_account where username=?"
        authorities-by-username-query="select r.descn from t_account_role ar join t_account a on ar.a_id=a.id join t_role r on ar.r_id=r.id where a.username=?"/>
</authentication-provider>
users-by-username-query:根据用户名查找用户。
authorities-by-username-query:根据用户名查找这个用户所有的角色名;将用户访问的URL地址和查询结果与<intercept-url pattern="/admin.jsp" access="ROLE_ADMIN" />标签进行匹配。匹配成功就允许访问,否则就返回到提示页面。
注意:users-by-username-query指定的查询,必须至少按顺序返回3列,列名必须是username、password、enabled;authorities-by-username-query指定的查询,必须至少按顺序返回2列,第一列列名必须是username,第2列必须是权限的名字,与<intercept-url pattern="/admin.jsp" access="ROLE_ADMIN" />中的access匹配。不能使用select *。
 
下面把url资源放在数据库里,这样配置文件就不会暴露那么多的信息,并且便于管理
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
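public class URLService implements FilterInvocationSecurityMetadataSource {

    /**
     * Matches the request URL against the patterns loaded from the database.
     * NOTE(review): the matcher type is not defined in this file; the original passes
     * (requestUrl, pattern) to pathMatchesUrl - confirm that argument order against the
     * matcher's signature, since Spring's own UrlMatcher takes the pattern first.
     */
    private UrlPathMatcher urlMatcher = new AntUrlPathMatcher();

    /**
     * URL pattern -> required attributes (role names), filled by {@link #init()}; null until then.
     * getAttributes() returns the FIRST pattern that matches, so iteration order matters: init()
     * builds a LinkedHashMap so patterns are tried in the order the DAO returned them, instead of
     * the undefined hash order of the original HashMap, which could let a broad pattern shadow a
     * more specific one differently from one JVM run to the next.
     */
    private Map<String, Collection<ConfigAttribute>> map = null;

    /**
     * Custom initialisation method: reads all URL rules from the database when Spring starts.
     * The container only calls it if the bean is declared with init-method="init". The rules
     * are loaded once and never refreshed; a change in the database needs another call.
     */
    public void init() {
        Map<String, Collection<ConfigAttribute>> rules =
                new LinkedHashMap<String, Collection<ConfigAttribute>>();
        // The original loop used two spellings for this variable (reource / recource) and did
        // not compile; one name fixes that.
        for (Reource resource : URLDao.getAllReource()) {
            rules.put(resource.getUrl(), listToCollection(resource.getRoles()));
        }
        this.map = rules;
    }

    /**
     * Converts a List&lt;Role&gt; into the Collection&lt;ConfigAttribute&gt; the voters consume.
     *
     * @param roles roles allowed for one URL; null is treated as "no roles"
     * @return one SecurityConfig per role name, in list order (empty for null or empty input)
     */
    public Collection<ConfigAttribute> listToCollection(List<Role> roles) {
        Collection<ConfigAttribute> attributes = new ArrayList<ConfigAttribute>();
        if (roles == null) {
            return attributes;
        }
        for (Role role : roles) {
            // The interceptor's RoleVoter only votes on attributes that start with its prefix
            // (ROLE_ by default) and abstains on anything else, so names must be stored with it.
            attributes.add(new SecurityConfig(role.getRoleName()));
        }
        return attributes;
    }

    /**
     * Returns the union of every attribute used by any rule (lets the interceptor check at
     * startup that its voters can handle all of them).
     *
     * @throws IllegalStateException if init() has not populated the rules yet
     */
    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        Set<ConfigAttribute> all = new HashSet<ConfigAttribute>();
        for (Entry<String, Collection<ConfigAttribute>> rule : loadedRules().entrySet()) {
            all.addAll(rule.getValue());
        }
        return all;
    }

    /**
     * Looks up the attributes for the URL of the given request.
     *
     * @param object the secured object; must be a {@link FilterInvocation}
     * @return the attributes of the first matching pattern, or null when no pattern matches
     * @throws IllegalArgumentException if object is not a FilterInvocation
     * @throws IllegalStateException if init() has not populated the rules yet
     */
    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        if (!(object instanceof FilterInvocation)) {
            // The original cast blindly (ClassCastException); the interface contract is
            // IllegalArgumentException for unsupported objects.
            throw new IllegalArgumentException("expected a FilterInvocation but got "
                    + (object == null ? "null" : object.getClass().getName()));
        }
        String url = ((FilterInvocation) object).getRequestUrl();
        for (Entry<String, Collection<ConfigAttribute>> rule : loadedRules().entrySet()) {
            if (urlMatcher.pathMatchesUrl(url, rule.getKey())) {
                return rule.getValue();
            }
        }
        // No rule matched. A null result means "no attributes" to FilterSecurityInterceptor,
        // and with its default rejectPublicInvocations=false such a request is let through
        // WITHOUT an authorization decision - unlisted URLs are effectively public (fail-open).
        // Set rejectPublicInvocations=true on the interceptor bean if every URL must be listed.
        return null;
    }

    /**
     * Only FilterInvocation is handled. The original answered true for every class, which
     * defeats the framework's type check that runs before getAttributes().
     */
    @Override
    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }

    /** The loaded rules, or a clear IllegalStateException (instead of a bare NPE) if init() never ran. */
    private Map<String, Collection<ConfigAttribute>> loadedRules() {
        if (this.map == null) {
            throw new IllegalStateException(
                    "URLService.init() has not been called - no URL rules are loaded");
        }
        return this.map;
    }
}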
 
applicationContext.xml中这样配置
<!-- Our own authorization filter: a second FilterSecurityInterceptor whose URL rules come from
     the database (bean URLService) instead of the <intercept-url> elements. -->
<beans:bean id="urlFilter" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <!-- AffirmativeBased grants access as soon as one voter grants. The only voter is RoleVoter,
         which votes on attributes starting with its prefix (ROLE_ by default) and abstains on
         anything else; an all-abstain result is a denial unless allowIfAllAbstainDecisions is
         enabled. Role names stored in the database therefore have to carry the ROLE_ prefix. -->
    <beans:property name="accessDecisionManager">
        <beans:bean class="org.springframework.security.access.vote.AffirmativeBased">
            <beans:property name="decisionVoters">
                <beans:list>
                    <beans:bean class="org.springframework.security.access.vote.RoleVoter"></beans:bean>
                </beans:list>
            </beans:property>
        </beans:bean>
    </beans:property>
    <!-- NOTE(review): FilterSecurityInterceptor marks the request as handled after its first run
         (observeOncePerRequest defaults to true). Since this instance is ordered before the
         namespace's FILTER_SECURITY_INTERCEPTOR, the built-in one and its <intercept-url> rules
         are probably skipped for the same request - confirm, and keep every rule in the database
         (or set observeOncePerRequest to false here). A URL that matches no database pattern gets
         no attributes from URLService, which the interceptor's default rejectPublicInvocations=false
         treats as public; set that property to true if every URL is meant to be listed. -->
    <beans:property name="securityMetadataSource" ref="URLService"/>
</beans:bean>
<!-- NOTE(review): no init-method="init" is declared, so the container never calls URLService.init(),
     the method that loads the URL rules from the database - add init-method="init" here. -->
<beans:bean id="URLService" class="URLService"/>
将自己的过滤器配置到FILTER_SECURITY_INTERCEPTOR之前

<!-- NOTE(review): use-expressions="true" makes the namespace's own interceptor expect SpEL
     (hasRole('...')) in <intercept-url access="...">; the role names loaded from the database
     are plain attributes evaluated by urlFilter's RoleVoter, not by this expression handler. -->
<http access-denied-page="/error.jsp" auto-config="true" use-expressions="true">

    <!-- Form login; a failed attempt returns to the login page with login_error=1. -->
    <form-login login-page="/login.jsp" always-use-default-target="true"
        authentication-failure-url="/login.jsp?login_error=1" default-target-url="/servlet/LoginServlet"/>
    <!-- The database-driven interceptor (bean urlFilter) runs before the namespace's own
         FilterSecurityInterceptor. -->
    <custom-filter ref="urlFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
    <!-- HTTP Basic is enabled next to the form login: credentials travel with every request,
         so this is only appropriate over HTTPS. -->
    <http-basic/>
    <!-- Prevent duplicate logins (a filter/listener must also be configured in web.xml). -->
    <session-management invalid-session-url="/sessionOuttime.jsp">
        <!-- Only one login at a time; a second login replaces the first. -->
        <concurrency-control max-sessions="1"/>
        <!-- Alternative: reject the second login instead of evicting the first
        <concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/> -->
    </session-management>
</http>

 
时间有限就这样先!