spring security2【与数据库权限关联】
来源:互联网 发布:中国主席怎么选举 知乎 编辑:程序博客网 时间:2024/05/29 14:44
- 设计数据库
数据库权限概念
角色用户组权限关联
数据库实体图:
2、将用户权限表与springsecurity相关联
使用自定义的provider
<security:authentication-manager alias="authenticationManager"><security:authentication-providerref="multipleAuthenticationProvider"><!-- <security:user-service> <security:user name="admin" password="admin" authorities="ROLE_USER"/> <security:user name="manager" password="manager" authorities="ROLE_USER"/> </security:user-service> --> <!-- 内存用户测试 --><!-- <security:jdbc-user-service data-source-ref=""/> --> <!-- 数据库源测试 --><!-- <security:ldap-user-service/> --> <!-- ladp数据源测试 --><!-- <security:password-encoder> --> <!-- 密码encoder --><!-- </security:password-encoder> --></security:authentication-provider></security:authentication-manager>
<!-- 配置身份验证器 定义登陆验证过滤器 过后调用 --><bean id="multipleAuthenticationProvider"class="com.bbs.security.authentication.provider.MultipleAuthenticationProvider"><property name="authenticationProviders"><list><ref bean="forendAuthenticationProvider" /></list></property></bean>
<!-- 前台验证器并构建新用户凭证 定义登陆验证过滤器 过后调用 并调用userDetailsService 通过用户名将用户和用户的角色装配 数据库中验证用户 重新构建UsernamePasswordAuthenticationToken传递给决策管理器进行授权管理 --><bean id="forendAuthenticationProvider"class="com.bbs.security.authentication.provider.ForendAuthenticationProvider"><property name="userDetailsService" ref="forendUserDetailsService"></property><property name="passwordEncoder" ref="shaPasswordEncoder"></property><property name="saltSource" ref="saltSource"></property></bean>
<!-- 配置加密策略 --><bean id="shaPasswordEncoder"class="org.springframework.security.authentication.encoding.ShaPasswordEncoder"><!-- 加密方式 SHA-256 --><constructor-arg value="256" /></bean>
<!-- 配置密码的盐值 --><bean id="saltSource"class="org.springframework.security.authentication.dao.ReflectionSaltSource"><!-- 以用户名作为加密盐值 --><property name="userPropertyToUse" value="username"></property></bean>
<bean id="forendUserDetailsService"class="com.bbs.security.authentication.userdetailservice.ForendUserDetailsService"></bean>
运行顺序是解释xml,提供权限验证,manager提供管理权限验证,加载bean,配置bean。
自定义的multipleAuthenticationProvider
import java.util.List;import org.springframework.security.authentication.AuthenticationProvider;import org.springframework.security.core.Authentication;import org.springframework.security.core.AuthenticationException;public class MultipleAuthenticationProvider implements AuthenticationProvider {private List<AuthenticationProvider> authenticationProviders;/** * 根据登录前的用户凭证筛选匹配的Provider,并构建新的用户凭证供登陆后的决策器调用 身份验证器 */public Authentication authenticate(Authentication authentication)throws AuthenticationException {Authentication authenticationToken = null;for (AuthenticationProvider authenticationProvider : authenticationProviders) {if (authenticationProvider.supports(authentication.getClass())) {authenticationToken = authenticationProvider.authenticate(authentication);}}return authenticationToken;}public boolean supports(Class<? extends Object> authentication) {return true;}public List<AuthenticationProvider> getAuthenticationProviders() {return authenticationProviders;}public void setAuthenticationProviders(List<AuthenticationProvider> authenticationProviders) {this.authenticationProviders = authenticationProviders;}}
这里才是真正的provider,前面那个只是提供赛选
import org.springframework.security.authentication.AuthenticationProvider;import org.springframework.security.authentication.BadCredentialsException;import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;import org.springframework.security.authentication.dao.DaoAuthenticationProvider;import org.springframework.security.core.Authentication;import org.springframework.security.core.AuthenticationException;import org.springframework.security.core.userdetails.UserDetails;import com.bbs.security.authentication.token.ForendAuthenticationToken;/** * 数据库中验证用户 * @author Administrator * */public class ForendAuthenticationProvider extends DaoAuthenticationProviderimplements AuthenticationProvider {@Override/** * 数据库中验证用户 重新构建UsernamePasswordAuthenticationToken传递给决策管理器进行授权管理 */public Authentication authenticate(Authentication authentication)throws AuthenticationException {ForendAuthenticationToken authenticationToken = (ForendAuthenticationToken) authentication;//获取验证实体 userDetailsUserDetails userDetails = getUserDetailsService().loadUserByUsername(authenticationToken.getPrincipal().toString());// 获得的用户输入密码String presentedPassword = authentication.getCredentials().toString();// 获得用户名,作为加密盐值 加盐值与配置文件中的盐值属性相匹配Object salt = getSaltSource().getSalt(userDetails);// 判断密码是否匹配if (!getPasswordEncoder().isPasswordValid(userDetails.getPassword(),presentedPassword, salt)) {throw new BadCredentialsException("password is error");}// 重新构建UsernamePasswordAuthenticationToken传递给决策管理器进行授权管理return new UsernamePasswordAuthenticationToken(userDetails,authentication.getPrincipal(), userDetails.getAuthorities());} /** * 前台用户凭证 是否正确 * @param authentication * @return */@Overridepublic boolean supports(Class<?> authentication) {return ForendAuthenticationToken.class.isAssignableFrom(authentication);}}
那它是如何从界面得到用户输入的账号与密码并且与数据库中得到的密码进行匹配,这里要进行自己定义的loginFilter进行过滤拦截
<!-- 替换默认的登陆验证Filter --> <security:custom-filter ref="loginFilter" before="FORM_LOGIN_FILTER" />
自己定义的loginfilter,必须继承UsernamePasswordAuthenticationFilter
<bean id="loginFilter"class="com.bbs.security.authentication.filter.MultipleUsernamePasswordAuthenticationFilter"><!-- 登陆页面URL --><property name="filterProcessesUrl" value="/login_check" /><!-- 注入不同类型的用户凭证 --><property name="tokenResolvers"><list><ref bean="forendAuthenticationTokenResolver" /></list></property><!-- 校验用户名及密码,并对用户授权 --><property name="authenticationManager" ref="authenticationManager" /><!-- 验证通过所执行的请求 --><property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" /><!-- 验证未通过所执行的请求 --><property name="authenticationFailureHandler" ref="authenticationFailureHandler" /><!-- 自动登录 --><property name="rememberMeServices" ref="rememberMeServices"></property></bean>
import java.util.List;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import javax.servlet.http.HttpSession;import org.springframework.security.authentication.AuthenticationServiceException;import org.springframework.security.core.Authentication;import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;//import com.ssh.util.CaptchaUtil;//import com.ssh.util.ExeceptionUtil;import java.util.List;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import org.springframework.security.authentication.AuthenticationServiceException;import org.springframework.security.core.Authentication;import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;//import com.ssh.util.CaptchaUtil;/** * 登陆验证处理类 form表单验证 并传出用户凭证 * 继承UsernamePasswordAuthenticationFilter * @author Administrator * */public class MultipleUsernamePasswordAuthenticationFilter extendsUsernamePasswordAuthenticationFilter {private List<AuthenticationTokenResolver> tokenResolvers;//用户配置的用户凭证标记类(用户类型)以此为依据装配具体的用户凭证 策略模式public static final String CAPTCHA = "captcha"; // 验证码/** * 重写身份验证方法 */public Authentication attemptAuthentication(HttpServletRequest request,HttpServletResponse response) {// 校验验证码checkValidateCode(request);for (AuthenticationTokenResolver tokenResolver : tokenResolvers) {// 检验登陆类型if (tokenResolver.support(request)) {// 获得具体的用户凭证Authentication authentication = tokenResolver.resolve(request);HttpSession session = request.getSession(false); if (session != null || getAllowSessionCreation()) { request.getSession().setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY, authentication.getPrincipal().toString()); } // 验证用户凭证return this.getAuthenticationManager().authenticate(authentication);}}//throw new UnsupportedOperationException(//ExeceptionUtil.getValue("MultipleUsernamePasswordAuthenticationFilter_attemptAuthentication"));//"No authentication token resolver found!"return null;}/** * 使用工具类校验输入的验证码是否匹配 * * @param request */protected void checkValidateCode(HttpServletRequest request) {//if (!CaptchaUtil.validateCaptchaByRequest(request)) {//throw new AuthenticationServiceException("ValidateCode Not Equals");//}}public List<AuthenticationTokenResolver> getTokenResolvers() {return tokenResolvers;}public void setTokenResolvers(List<AuthenticationTokenResolver> tokenResolvers) {this.tokenResolvers = tokenResolvers;}}
这里可以自定义全部拦截实现,可以得到用户输入的密码,后台自己实现把账号传给UsernamePasswordAuthenticationToken,接下来就是ForendUserDetailsService得到账号,实现代码为
import java.util.ArrayList;import java.util.Collection;import java.util.HashSet;import javax.annotation.Resource;import org.springframework.dao.DataAccessException;import org.springframework.security.authentication.BadCredentialsException;import org.springframework.security.core.GrantedAuthority;import org.springframework.security.core.authority.GrantedAuthorityImpl;import org.springframework.security.core.userdetails.UserDetails;import org.springframework.security.core.userdetails.UserDetailsService;import org.springframework.security.core.userdetails.UsernameNotFoundException;import org.springframework.transaction.annotation.Transactional;/** * 通过用户名将用户和用户的角色装配 * @author Administrator * */public class ForendUserDetailsService implements UserDetailsService {@Overridepublic UserDetails loadUserByUsername(String username)throws UsernameNotFoundException, DataAccessException {// TODO Auto-generated method stubUserDetail userdetail=new UserDetail();return userdetail;}
}
UserDetail必须实现UserDetails接口
import java.util.Collection;import org.springframework.security.core.GrantedAuthority;import org.springframework.security.core.userdetails.UserDetails;public class UserDetail implements UserDetails{private String password;private String username;private Collection<GrantedAuthority> grantedauthoritys;private boolean isEnabled; //账户是否有效 @Overridepublic Collection<GrantedAuthority> getAuthorities() {// TODO Auto-generated method stubreturn grantedauthoritys;}@Overridepublic String getPassword() {// TODO Auto-generated method stubreturn "a4a88c0872bf652bb9ed803ece5fd6e82354838a9bf59ab4babb1dab322154e1";}@Overridepublic String getUsername() {// TODO Auto-generated method stubreturn "admin";}@Overridepublic boolean isAccountNonExpired() {// TODO Auto-generated method stubreturn false;}@Overridepublic boolean isAccountNonLocked() {// TODO Auto-generated method stubreturn false;}@Overridepublic boolean isCredentialsNonExpired() {// TODO Auto-generated method stubreturn false;}@Overridepublic boolean isEnabled() {// TODO Auto-generated method stubreturn true;}}
这里面可以自己从数据库中进行得到密码,赋予权限,并且自定义权限字符串,然后每次登陆时就会把权限与配置文件中进行比较
暂时发现的缺点是不能进行动态的配置权限,但是可以自己进行补充,扩展,这点等分析详细后在补充,思路是找到权限验证的类,把用户输入的URL权限与当前用户的浏览申请的URL进行比对,为了考虑运行速度的问题,还必须要把所有的浏览权限保存在内存中,否则每次都会从数据库中进行查询,减低了效率
大家都想自定义实现权限验证,这种方法告诉大家了
好了,如果有问题,请留言,由于分析难度比较大,只能慢慢来了
- spring security2【与数据库权限关联】
- 基于Spring Security2与 Ext 的权限管理设计与实现
- 基于Spring Security2与 Ext 的权限管理设计与实现
- spring-security2.0.2初步配置
- spring security2.0.x资料
- spring security2认证详解说明
- Spring security2 登录例子1
- spring security2配置文件学习小结
- spring security2配置文件学习小结
- spring security2学习笔记一(最小配置)
- spring security2 配置精讲(转)
- spring整合shiro权限管理与数据库设计
- Spring Security2.0的自带DEMO浅析
- spring security2中如何进行同步session控制
- spring security2中对url进行拦截的配置
- spring security2中对method进行拦截的配置
- Spring Security2的COOKIE的保存时间设置
- 请教关于spring security2.0配置IP,MAC,验证码.
- TVideoGrabber如何将网络摄像头影像实时发布到网络
- java下的字符编码转换总结
- android ContentProvider入门使用
- poj 2181 Jumping Cows
- CentOS 6.2安装第三方软件库epel
- spring security2【与数据库权限关联】
- Android音频系统之AudioFlinger(二)
- go语言程序设计中的一个例子 加注释
- php文件无法写入之原因
- firefox(火狐)使用自动填充记住的用户名密码时,会将密码填充到相同name的文本域解决办法
- JMX简介(二)
- VC内存泄露检查工具:VisualLeakDetector
- 802.11 n关键技术
- AS3.0下Loader与URLLoader的比较