Spring Security (continued)
Source: Internet | Editor: 程序博客网 | Time: 2024/06/07 12:53
I notice that Spring configuration comes in all sorts of forms. I just came across yet another way, shown below, which puts the SQL in the configuration file. I don't think this is very good, but it is still one approach.
Define the following in the Spring configuration file:

```xml
<authentication-provider>
    <jdbc-user-service data-source-ref="dataSource"
        users-by-username-query="select username, password, enabled from t_account where username=?"
        authorities-by-username-query="select a.username, r.descn from t_account_role ar join t_account a on ar.a_id=a.id join t_role r on ar.r_id=r.id where a.username=?"/>
</authentication-provider>
```

users-by-username-query: looks up the user by username.
authorities-by-username-query: looks up all role names of that user. The URL the user requests and the query result are then matched against the `<intercept-url pattern="/admin.jsp" access="ROLE_ADMIN" />` tag; if they match, access is allowed, otherwise the user is sent to the notice page.

Note: the query given in users-by-username-query must return at least 3 columns, in order, named username, password and enabled. The query given in authorities-by-username-query must return at least 2 columns in order: the first column must be username and the second must be the name of the authority, which is matched against access in `<intercept-url pattern="/admin.jsp" access="ROLE_ADMIN" />` (that is why the authorities query above selects a.username as its first column). Do not use select *.
Next, put the URL resources in the database, so the configuration file does not expose so much information and the rules are easier to manage.
```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.AntUrlPathMatcher;

public class URLService implements FilterInvocationSecurityMetadataSource {

    // Ant-style URL pattern matcher (Spring Security 3.0 API)
    private AntUrlPathMatcher urlMatcher = new AntUrlPathMatcher();

    // URL pattern -> required roles. A LinkedHashMap keeps insertion order, because
    // getAttributes() returns the first pattern that matches: insert specific
    // patterns (e.g. /admin/**) before catch-all patterns (e.g. /**).
    private Map<String, Collection<ConfigAttribute>> map = null;

    /**
     * Custom init method: reads the URL/role table from the database when Spring starts.
     * Resource, Role and URLDao are the application's own classes (not shown here).
     */
    public void init() {
        this.map = new LinkedHashMap<String, Collection<ConfigAttribute>>();
        for (Resource resource : URLDao.getAllResource()) {
            map.put(resource.getUrl(), listToCollection(resource.getRoles()));
        }
    }

    /** Convert a List<Role> into a Collection<ConfigAttribute> */
    public Collection<ConfigAttribute> listToCollection(List<Role> roles) {
        Collection<ConfigAttribute> list = new ArrayList<ConfigAttribute>();
        for (Role role : roles) {
            list.add(new SecurityConfig(role.getRoleName()));
        }
        return list;
    }

    /** Get the set of all authorities */
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        Set<ConfigAttribute> set = new HashSet<ConfigAttribute>();
        for (Entry<String, Collection<ConfigAttribute>> entry : this.map.entrySet()) {
            set.addAll(entry.getValue());
        }
        return set;
    }

    /** Get the authorities required for the requested URL */
    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        FilterInvocation fi = (FilterInvocation) object;
        String url = fi.getRequestUrl();
        for (String dbUrl : this.map.keySet()) {
            // pathMatchesUrl(pattern, url): the pattern from the database goes first
            if (urlMatcher.pathMatchesUrl(dbUrl, url)) {
                return map.get(dbUrl);
            }
        }
        // No rule for this URL: FilterSecurityInterceptor treats it as public
        // unless rejectPublicInvocations is set to true.
        return null;
    }

    public boolean supports(Class<?> clazz) {
        return true;
    }
}
```
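Which map entry is tested first decides the outcome, so when the table holds both a catch-all such as /** and a narrower /admin/**, the load order has to be controlled explicitly. The following is an added example, not code from the original post: the same metadata source written against the RequestMatcher API of Spring Security 3.2 to 5.x, which checks rules strictly in the order they were added. OrderedUrlMetadataSource and addRule are names chosen here, and loading the rows from the database is left to the caller.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/** Ordered, first-match-wins URL -> roles lookup: rules are checked in the order
 *  they were added, so "/admin/**" can be guaranteed to be tested before "/**". */
public class OrderedUrlMetadataSource implements FilterInvocationSecurityMetadataSource {
    private static final class Rule {
        final RequestMatcher matcher;
        final Collection<ConfigAttribute> attributes;
        Rule(String pattern, List<String> roles) {
            this.matcher = new AntPathRequestMatcher(pattern);
            this.attributes = SecurityConfig.createList(roles.toArray(new String[0]));
        }
    }
    private final List<Rule> rules = new ArrayList<Rule>();

    /** Add a rule; the loader (e.g. a DAO query ordered by a priority column) must
     *  add the most specific patterns first. Hypothetical method, not in the post. */
    public void addRule(String pattern, List<String> roles) {
        rules.add(new Rule(pattern, roles));
    }

    public Collection<ConfigAttribute> getAttributes(Object object) {
        HttpServletRequest request = ((FilterInvocation) object).getRequest();
        for (Rule rule : rules) {
            if (rule.matcher.matches(request)) {
                return rule.attributes;
            }
        }
        return null; // unmatched URL is public unless rejectPublicInvocations=true
    }

    public Collection<ConfigAttribute> getAllConfigAttributes() {
        Set<ConfigAttribute> all = new LinkedHashSet<ConfigAttribute>();
        for (Rule rule : rules) { all.addAll(rule.attributes); }
        return all;
    }

    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}
```

Wire it into FilterSecurityInterceptor exactly as the URLService bean is wired below; only the securityMetadataSource reference changes.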
Configure applicationContext.xml like this (init-method is required so that Spring actually calls init() and loads the URL table):

```xml
<!-- configure our own filter -->
<beans:bean id="urlFilter" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="accessDecisionManager">
        <beans:bean class="org.springframework.security.access.vote.AffirmativeBased">
            <beans:property name="decisionVoters">
                <beans:list>
                    <beans:bean class="org.springframework.security.access.vote.RoleVoter"></beans:bean>
                </beans:list>
            </beans:property>
        </beans:bean>
    </beans:property>
    <beans:property name="securityMetadataSource" ref="URLService"/>
</beans:bean>
<!-- init-method makes Spring call init(), which reads the URL/role table -->
<beans:bean id="URLService" class="URLService" init-method="init"/>
```
Register our own filter before FILTER_SECURITY_INTERCEPTOR:

```xml
<http access-denied-page="/error.jsp" auto-config="true" use-expressions="true">
    <form-login login-page="/login.jsp" always-use-default-target="true"
        authentication-failure-url="/login.jsp?login_error=1"
        default-target-url="/servlet/LoginServlet" />
    <custom-filter ref="urlFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
    <http-basic />
    <!-- prevent duplicate logins (a filter must also be configured in web.xml) -->
    <session-management invalid-session-url="/sessionOuttime.jsp">
        <!-- only one login is allowed; the second one replaces the first -->
        <concurrency-control max-sessions="1"/>
        <!-- to reject the second login instead:
        <concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/> -->
    </session-management>
</http>
```
Time is limited, so that's all for now!