【转】Spring security3 sec:authorize url 无效的问题


原贴地址:http://my.oschina.net/u/2259804/blog/476044


转载注:如果需要用SS控制界面元素的显示隐藏,而又无法为sec:authorize标签提供一个确定的Role列表(这通常出现在系统的角色有增、减需求的场合),可以使用下面的方法解决问题。注意:sec:authorize只决定界面元素是否渲染,对应的URL仍须由服务端的过滤器进行拦截校验。

如果项目里SS的权限控制已经完备,那么只需要做第1步就好了。记住将ref指向的过滤器改成自己的。

Spring security3 sec:authorize url 无效的问题


security的xml文件里

1、在<http auto-config="true">上面加上如下代码

<!-- Privilege evaluator constructed around the custom interceptor bean
     "filterSecurityInterceptor"; per the article this is what makes
     <sec:authorize url="..."> evaluate against that interceptor's rules.
     The tag only decides whether markup is rendered; the URL itself must
     still be enforced server-side by the interceptor. -->
<beans:bean id="customWebInvocationPrivilegeEvaluator" class="org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator">  
        <beans:constructor-arg name="securityInterceptor" ref="filterSecurityInterceptor" />  
    </beans:bean>

2、ref="filterSecurityInterceptor" 这里是自定义的过滤器

<!-- Custom FilterSecurityInterceptor whose URL rules come from the bean
     "filterInvocationSecurityMetadataSource".
     NOTE(review): no accessDecisionManager property is set here; it is
     presumably supplied through autowire="byType". Confirm that exactly one
     AccessDecisionManager bean exists in the context. -->
<beans:bean id="filterSecurityInterceptor"
    class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor" autowire="byType">
    <beans:property name="securityMetadataSource" ref="filterInvocationSecurityMetadataSource" />
    <beans:property name="authenticationManager" ref="org.springframework.security.authenticationManager"/>
</beans:bean>
 
<!-- Factory bean that runs resourceQuery and builds the URL-to-role mapping.
     Column 1 is read as the URL pattern and column 2 as the role name.
     The query text is executed as configured, so it must come only from
     trusted configuration, never from user input.
     NOTE(review): rows are ordered by c_priority; the mapping keeps that
     order, and the first matching pattern presumably decides, so more
     specific patterns need a higher position. Confirm against the data. -->
<beans:bean id="filterInvocationSecurityMetadataSource"
    class="com.iqilu.security.JdbcFilterInvocationDefinitionSourceFactoryBean">
    <beans:property name="dataSource" ref="dataSource"/>
    <beans:property name="resourceQuery" value="
            select re.c_res_string,r.c_name 
            from t_role r 
            join t_resc_role rr on r.C_ID=rr.C_ROLE_ID 
            join t_resc re on re.C_ID=rr.C_RESC_ID 
            order by re.c_priority
    "/>
</beans:bean>


3、完整的配置:

<?xml version="1.0" encoding="UTF-8"?>  
<beans:beans xmlns="http://www.springframework.org/schema/security"   
    xmlns:beans="http://www.springframework.org/schema/beans"   
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"   
    xsi:schemaLocation="http://www.springframework.org/schema/beans   
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd   
        http://www.springframework.org/schema/security   
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">  
         
    <!-- Privilege evaluator constructed around the custom interceptor bean
         "filterSecurityInterceptor"; per the article this is what makes
         <sec:authorize url="..."> evaluate against that interceptor's rules.
         The tag only decides whether markup is rendered; the URL itself must
         still be enforced server-side by the interceptor. -->
    <beans:bean id="customWebInvocationPrivilegeEvaluator" class="org.springframework.security.web.access.DefaultWebInvocationPrivilegeEvaluator">  
        <beans:constructor-arg name="securityInterceptor" ref="filterSecurityInterceptor" />  
    </beans:bean>      
     
    <!-- Static resources (CSS, JS, images, themes) are not filtered.
         security="none" removes the whole Spring Security filter chain for
         these paths, so nothing placed under them is protected; keep only
         public static content there. -->
    <http pattern="/css/**" security="none" />
    <http pattern="/js/**" security="none" />
    <http pattern="/images/**" security="none" />
    <http pattern="/themes/**" security="none" />
    <!-- Main chain. intercept-url rules are evaluated in declaration order,
         so the specific pages come before the catch-all "/**".
         The custom-filter element places "filterSecurityInterceptor" ahead of
         the interceptor the namespace builds from the intercept-url rules, so
         a request has to pass both checks. -->
    <http auto-config="true" access-denied-page="/accessDenied.jsp">
        <intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/upload.jsp" access="ROLE_ADMIN" />
        <intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
        <form-login login-page="/login.jsp"
            authentication-failure-url="/login.jsp?error=true"
            default-target-url="/index.jsp" />
        <logout invalidate-session="true"  
           logout-success-url="/login.jsp"  
           logout-url="/j_spring_security_logout"/>
        <custom-filter ref="filterSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR" />
    </http>  
     
    <!-- Authentication manager.
         Both queries bind the user name through the "?" placeholder.
         "1 as enabled" reports every account as enabled, so an account cannot
         be disabled without changing this query.
         NOTE(review): no password-encoder element is declared, so C_PASSWORD
         is presumably compared as plain text. Store a salted, adaptive hash
         and declare the matching encoder before using this in production. -->
    <authentication-manager>
        <authentication-provider>
            <jdbc-user-service data-source-ref="dataSource"
                users-by-username-query="select C_ACCOUNT as username,C_PASSWORD as password, 1  as enabled from t_user where C_ACCOUNT=?"
                authorities-by-username-query="select u.C_ACCOUNT as username,r.c_name as authority 
                    from t_user u
                    join t_user_role ur
                    on u.C_BH=ur.c_user_id
                    join t_role r
                    on r.c_id=ur.c_role_id
                    where u.C_ACCOUNT=?"/>
        </authentication-provider>
    </authentication-manager>
     
    <!-- Custom FilterSecurityInterceptor whose URL rules come from the bean
         "filterInvocationSecurityMetadataSource".
         NOTE(review): no accessDecisionManager property is set here; it is
         presumably supplied through autowire="byType". Confirm that exactly
         one AccessDecisionManager bean exists in the context. -->
    <beans:bean id="filterSecurityInterceptor"
        class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor" autowire="byType">
        <beans:property name="securityMetadataSource" ref="filterInvocationSecurityMetadataSource" />
        <beans:property name="authenticationManager" ref="org.springframework.security.authenticationManager"/>
    </beans:bean>
 
    <!-- Factory bean that runs resourceQuery and builds the URL-to-role
         mapping. Column 1 is read as the URL pattern and column 2 as the
         role name. The query text is executed as configured, so it must come
         only from trusted configuration, never from user input.
         NOTE(review): rows are ordered by c_priority; the mapping keeps that
         order, and the first matching pattern presumably decides, so more
         specific patterns need a higher position. Confirm against the data. -->
    <beans:bean id="filterInvocationSecurityMetadataSource"
        class="com.iqilu.security.JdbcFilterInvocationDefinitionSourceFactoryBean">
        <beans:property name="dataSource" ref="dataSource"/>
        <beans:property name="resourceQuery" value="
            select re.c_res_string,r.c_name 
            from t_role r 
            join t_resc_role rr on r.C_ID=rr.C_ROLE_ID 
            join t_resc re on re.C_ID=rr.C_RESC_ID 
            order by re.c_priority
        "/>
    </beans:bean>
</beans:beans>

4、过滤器代码:

package com.iqilu.security;
 
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
 
import javax.sql.DataSource;
 
import org.springframework.beans.factory.FactoryBean;
import org.springframework.jdbc.core.support.JdbcDaoSupport;
import org.springframework.jdbc.object.MappingSqlQuery;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.ConfigAttributeEditor;
import org.springframework.security.web.access.intercept.DefaultFilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.AntPathRequestMatcher;
import org.springframework.security.web.util.RequestMatcher;
 
 
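/**
 * Spring {@link FactoryBean} that loads URL-pattern/role pairs from a database
 * and exposes them as a {@link FilterInvocationSecurityMetadataSource}.
 *
 * <p>The SQL in {@code resourceQuery} is executed exactly as configured; it has
 * no bind parameters, so it must come from trusted configuration only and must
 * never be assembled from request data. Column 1 of each row is read as the
 * URL pattern and column 2 as the role name.
 *
 * <p>NOTE(review): {@link #isSingleton()} returns {@code true}, so the container
 * is expected to cache the object built by {@link #getObject()}. Changes to the
 * role/resource tables are therefore presumably not picked up until the
 * application context is refreshed. Confirm before relying on run-time role
 * changes.
 */
@SuppressWarnings({ "rawtypes", "deprecation" })
public class JdbcFilterInvocationDefinitionSourceFactoryBean
    extends JdbcDaoSupport implements FactoryBean {
    /** SQL returning (url pattern, role name) rows, in matching priority order. */
    private String resourceQuery;

    /** @return {@code true}; the produced metadata source is shared. */
    public boolean isSingleton() {
        return true;
    }

    /** @return the interface type of the object produced by {@link #getObject()} */
    public Class getObjectType() {
        return FilterInvocationSecurityMetadataSource.class;
    }

    /**
     * Builds a metadata source from the rows currently returned by the query.
     *
     * @return a new {@link DefaultFilterInvocationSecurityMetadataSource}
     */
    public Object getObject() {
        return new DefaultFilterInvocationSecurityMetadataSource(buildRequestMap());
    }

    /**
     * Runs {@code resourceQuery} and groups the role names by URL pattern.
     *
     * @return map from URL pattern to a comma-separated role list, in the
     *         order in which each pattern first appears in the result set
     * @throws IllegalStateException if {@code resourceQuery} is not set, or a
     *         row has a blank URL pattern or role name
     */
    protected Map<String, String> findResources() {
        if (isBlank(resourceQuery)) {
            throw new IllegalStateException("resourceQuery must be set");
        }

        ResourceMapping resourceMapping = new ResourceMapping(getDataSource(),
                resourceQuery);

        // Insertion order is kept because the query's ordering expresses
        // rule priority.
        Map<String, String> resourceMap = new LinkedHashMap<String, String>();

        for (Resource resource : resourceMapping.execute()) {
            String url = resource.getUrl();
            String role = resource.getRole();

            // Fail fast on malformed rows: a null role would otherwise be
            // concatenated as the literal text "null" and become an authority
            // name, and a blank URL cannot form a usable matcher.
            if (isBlank(url) || isBlank(role)) {
                throw new IllegalStateException(
                    "resourceQuery returned a row with a blank URL pattern or role");
            }

            String existing = resourceMap.get(url);
            if (existing != null) {
                resourceMap.put(url, existing + "," + role);
            } else {
                resourceMap.put(url, role);
            }
        }

        return resourceMap;
    }

    /**
     * Converts the URL-to-roles map into the matcher-to-attributes map that
     * {@link DefaultFilterInvocationSecurityMetadataSource} takes.
     *
     * @return ordered map from Ant-style request matcher to config attributes
     */
    @SuppressWarnings({ "unchecked" })
    protected LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> buildRequestMap() {
        LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>> requestMap =
            new LinkedHashMap<RequestMatcher, Collection<ConfigAttribute>>();

        // The editor turns the comma-separated role text into config attributes.
        ConfigAttributeEditor editor = new ConfigAttributeEditor();

        for (Map.Entry<String, String> entry : findResources().entrySet()) {
            editor.setAsText(entry.getValue());
            requestMap.put(new AntPathRequestMatcher(entry.getKey()),
                (Collection<ConfigAttribute>) editor.getValue());
        }

        return requestMap;
    }

    /**
     * Sets the SQL used to load the URL/role pairs.
     *
     * @param resourceQuery trusted, fixed SQL text; column 1 is the URL
     *        pattern, column 2 the role name
     */
    public void setResourceQuery(String resourceQuery) {
        this.resourceQuery = resourceQuery;
    }

    /** Returns {@code true} for {@code null}, empty, or whitespace-only text. */
    private static boolean isBlank(String text) {
        return text == null || text.trim().length() == 0;
    }

    /** One (URL pattern, role name) row of the query result. */
    private static final class Resource {
        private final String url;
        private final String role;

        Resource(String url, String role) {
            this.url = url;
            this.role = role;
        }

        String getUrl() {
            return url;
        }

        String getRole() {
            return role;
        }
    }

    /** Compiled query that maps each result row to a {@link Resource}. */
    private static final class ResourceMapping extends MappingSqlQuery<Resource> {
        ResourceMapping(DataSource dataSource, String resourceQuery) {
            super(dataSource, resourceQuery);
            compile();
        }

        @Override
        protected Resource mapRow(ResultSet rs, int rownum)
            throws SQLException {
            // Columns are read by position: 1 = URL pattern, 2 = role name.
            return new Resource(rs.getString(1), rs.getString(2));
        }
    }
}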
