Spring Security 4.X xml配置,草稿记录
"org.springframework.security:spring-security-web:4.1.0.RELEASE",
"org.springframework.security:spring-security-taglibs:4.1.0.RELEASE",
"org.springframework.security:spring-security-config:4.1.0.RELEASE"
配置framework-spring-security.xml
在framework-spring-mvc.xml引用其它依赖的配置文件
<!--数据库 xml -->
<import resource="dbcp-spring-framework.xml"></import>
<!--spring-security xml -->
<import resource="framework-spring-security.xml"></import>
<!-- framework-spring-security.xml: Spring Security 4.1 namespace configuration for the web layer.
     Form login plus HTTP Basic on one filter chain, session-stored CSRF tokens, one concurrent
     session per account, and a DaoAuthenticationProvider that checks salted MD5 hashes against
     the users loaded by com.framework.security.UserDetailsServiceImpl. -->
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:p="http://www.springframework.org/schema/p" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:context="http://www.springframework.org/schema/context" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Registers the @Service / @Repository beans of this package (UserDetailsServiceImpl, CustomUserDao). -->
    <context:component-scan base-package="com.framework.security"/>

    <!--<http pattern="/pm/**" security="none" />-->
    <!-- security="none" takes these paths out of the security filter chain completely: no CSRF
         check, no security headers and no SecurityContext are applied to them. Keep the list to
         genuinely static, public resources. -->
    <http pattern="/login.jsp" security="none" />
    <http pattern="/common/**" security="none" />
    <http pattern="/*.ico" security="none" />

    <!-- use-expressions="false": access attributes below are plain role/attribute names, not SpEL. -->
    <http use-expressions="false" >
        <!-- IS_AUTHENTICATED_ANONYMOUSLY: the login page itself is reachable without authentication. -->
        <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <!-- NOTE(review): this is the only role-guarded pattern in the chain. Requests that match
             no intercept-url (for example /main.to, the success forward target below) carry no
             access attribute, and with FilterSecurityInterceptor's default
             rejectPublicInvocations=false they are not denied by this chain - confirm that is
             intended, or add a final catch-all <intercept-url pattern="/**" access="..."/>.
             Patterns are evaluated in order, so a catch-all must be the last entry. -->
        <intercept-url pattern="/pm/**/*.jsp" access="ROLE_STATIC" />

        <!-- Successful logins are forwarded (not redirected) to /main.to; failures redirect to /login?error=1. -->
        <form-login login-page="/login" authentication-failure-url="/login?error=1" authentication-success-forward-url="/main.to" />
        <!-- With <csrf> enabled (below), Spring Security 4 accepts logout only on a POST to
             /logout that carries the CSRF token; a plain GET link to /logout does not log out. -->
        <logout invalidate-session="true" logout-url="/logout" logout-success-url="/" />
        <!-- HTTP Basic is enabled on the same chain, so credentials may also arrive in the
             Authorization header on every request; only reasonable when the site is served over TLS. -->
        <http-basic/>
        <headers >
            <!-- NOTE(review): disabling frame-options drops the X-Frame-Options header, so any
                 origin may frame these pages (clickjacking). If framing is only needed from this
                 site, <frame-options policy="SAMEORIGIN"/> keeps the protection. -->
            <frame-options disabled="true"></frame-options>
        </headers>
        <!-- CSRF protection on, tokens kept in the HTTP session (csrfTokenRepository bean below). -->
        <csrf token-repository-ref="csrfTokenRepository" />
        <!-- session-fixation-protection is not set here, so the namespace default applies. -->
        <session-management session-authentication-error-url="/frame.expired" >
            <!-- max-sessions="1": a single session per account.
                 error-if-maximum-exceeded="false": a new login expires the earlier session instead of
                 being rejected; the expired session is sent to expired-url. -->
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" expired-url="/frame.expired" session-registry-ref="sessionRegistry" />
        </session-management>
        <expression-handler ref="webexpressionHandler" ></expression-handler>
    </http>

    <!-- Backs concurrency-control: tracks live sessions per principal. -->
    <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
    <beans:bean id="userDetailsService" class="com.framework.security.UserDetailsServiceImpl" />
    <!-- Web-layer expression handler used by the <http> element above. -->
    <beans:bean id="webexpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />

    <authentication-manager >
        <authentication-provider ref="authenticationProvider" />
    </authentication-manager>

    <!-- Custom userDetailsService with a per-user salt.
         hideUserNotFoundExceptions="true" turns UsernameNotFoundException into BadCredentialsException,
         so an unknown account and a wrong password produce the same response (no username enumeration). -->
    <beans:bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="hideUserNotFoundExceptions" value="true" />
        <beans:property name="userDetailsService" ref="userDetailsService" />
        <beans:property name="passwordEncoder" ref="passwordEncoder" />
        <beans:property name="saltSource" ref="saltSource" />
    </beans:bean>

    <!-- NOTE(review): Md5PasswordEncoder is the legacy, deprecated encoder; a salted MD5 is cheap
         to brute-force offline if the table leaks. Migrating to
         org.springframework.security.crypto.password (e.g. BCrypt) also requires re-hashing the
         stored values (for example on each user's next successful login), not just a bean swap. -->
    <beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />
    <!-- Salt is read reflectively from the UserInfo "salt" property, which UserDetailsServiceImpl
         fills from the USER_ACCOUNT.salt column. -->
    <beans:bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource">
        <beans:property name="userPropertyToUse" value="salt"/>
    </beans:bean>
    <beans:bean id="csrfTokenRepository" class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository" />
</beans:beans>
3.编写自定义UserDetailsService
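package com.framework.security;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.dao.DataAccessException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.SpringSecurityMessageSource;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

import javax.annotation.Resource;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * {@link UserDetailsService} backed by the USER_ACCOUNT table and the VW_USER_POWER view.
 *
 * <p>Loads the account row and its roles into a {@link UserInfo}; password verification is done by
 * the calling {@code DaoAuthenticationProvider} (encoder + salt), not here. The
 * {@link UsernameNotFoundException} thrown for a missing account is normally hidden by the provider
 * so that "no such user" and "wrong password" look the same to the client.
 *
 * <p>Data-access failures are no longer swallowed: {@link DataAccessException} is unchecked and is
 * declared on {@link #loadUserByUsername}, so it propagates to the authentication manager instead of
 * turning into a {@code null} that this class would then dereference.
 *
 * @author tzz
 * @date 2016/5/3
 */
@Service
@Transactional(rollbackFor = Exception.class)
public class UserDetailsServiceImpl implements UserDetailsService {

    @Resource
    CustomUserDao customUserDao;

    // Neither field is read in this class; kept so that any external reference keeps compiling.
    JdbcUserDetailsManager k;
    private Map<String, UserInfo> userMap = null;

    protected final Log logger = LogFactory.getLog(getClass());
    protected final MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();

    /** Account lookup; columns 1..10 are read by index in {@link #loadUsersByUsername}. */
    private String usersByUsernameQuery =
            "SELECT account,pwd,stat,salt,id,company_id,name,login_stat,login_date ,login_ip FROM USER_ACCOUNT WHERE ACCOUNT = ?";

    /** Role lookup by account id; column 2 (POWER_CODE) becomes the role name, column 1 is unused. */
    private String authoritiesByUsernameQuery =
            "SELECT NAME,POWER_CODE FROM VW_USER_POWER WHERE ACCOUNT_ID = ?";

    public UserDetailsServiceImpl() {
        userMap = new HashMap<>();
    }

    /**
     * Loads the account named {@code username} together with its granted authorities.
     *
     * <p>Every account that exists is additionally granted {@code ROLE_STATIC}, so the
     * "no authorities" branch below cannot currently fire; it is kept to mirror Spring's
     * {@code JdbcDaoImpl} should that unconditional grant ever be removed.
     *
     * @param username account name as submitted by the client
     * @return a fully populated {@link UserInfo}
     * @throws UsernameNotFoundException when no USER_ACCOUNT row matches
     * @throws DataAccessException when the database query fails
     */
    @Override
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        List<UserDetails> users = loadUsersByUsername(username);
        if (users.isEmpty()) {
            logger.debug("Query returned no results for user '" + username + "'");
            throw new UsernameNotFoundException(messages.getMessage(
                    "JdbcDaoImpl.notFound", new Object[] { username }, "Username {0} not found"));
        }

        // loadUsersByUsername only ever builds UserInfo instances; a duplicate ACCOUNT would
        // silently pick the first row, as JdbcDaoImpl does.
        UserInfo user = (UserInfo) users.get(0);

        // LinkedHashSet: de-duplicates while keeping the database order of the roles.
        Set<GrantedAuthority> dbAuthsSet = new LinkedHashSet<>(loadUserAuthorities(user.getId()));
        dbAuthsSet.add(new SimpleGrantedAuthority("ROLE_STATIC"));
        List<GrantedAuthority> dbAuths = new ArrayList<>(dbAuthsSet);

        if (dbAuths.isEmpty()) {
            logger.debug("User '" + username + "' has no authorities and will be treated as 'not found'");
            throw new UsernameNotFoundException(messages.getMessage(
                    "JdbcDaoImpl.noAuthority", new Object[] { username }, "User {0} has no GrantedAuthority"));
        }

        return createUserDetails(username, user, dbAuths);
    }

    /**
     * Builds the {@link UserInfo} handed to Spring Security from the row loaded by
     * {@link #loadUsersByUsername} and the combined authority list.
     *
     * <p>The username on the returned object is the one stored in the database, not the
     * {@code username} argument, so the principal keeps the database's casing.
     * Account-expired, credentials-expired and account-locked are not stored and are fixed at
     * {@code true} (i.e. "not expired" / "not locked").
     *
     * @param username            name as submitted (unused, kept for subclass overrides)
     * @param userFromUserQuery   row loaded from USER_ACCOUNT
     * @param combinedAuthorities authorities to attach
     * @return the principal object
     */
    protected UserDetails createUserDetails(String username, UserInfo userFromUserQuery,
            List<GrantedAuthority> combinedAuthorities) {
        String returnUsername = userFromUserQuery.getUsername();
        UserInfo user = new UserInfo(returnUsername, userFromUserQuery.getPassword(),
                userFromUserQuery.isEnabled(), true, true, true, combinedAuthorities);
        user.setId(userFromUserQuery.getId());
        user.setCompanyId(userFromUserQuery.getCompanyId());
        user.setName(userFromUserQuery.getName());
        user.setLoginStat(userFromUserQuery.getLoginStat());
        user.setLoginDate(userFromUserQuery.getLoginDate());
        user.setLoginIP(userFromUserQuery.getLoginIP());
        user.setSalt(userFromUserQuery.getSalt());
        return user;
    }

    /**
     * Loads authorities by executing {@code authoritiesByUsernameQuery}; each row's
     * POWER_CODE (column 2) is prefixed with {@link #getRolePrefix()}.
     *
     * @param userId USER_ACCOUNT.id of the account
     * @return the account's authorities, empty when it has none
     * @throws DataAccessException when the query fails (unchecked; propagated to the caller)
     */
    protected List<GrantedAuthority> loadUserAuthorities(int userId) {
        List<GrantedAuthority> authorities = customUserDao.queryForList(
                this.authoritiesByUsernameQuery, new Object[] { userId },
                (rs, rowNum) -> new SimpleGrantedAuthority(getRolePrefix() + rs.getString(2)));
        if (authorities == null) {
            return new ArrayList<>();
        }
        return authorities;
    }

    public String getRolePrefix() {
        return "ROLE_";
    }

    /**
     * Loads the account rows matching {@code username} by executing {@code usersByUsernameQuery}.
     * The user-supplied name is bound as a query parameter, never concatenated into the SQL.
     *
     * @param username account name
     * @return matching accounts as {@link UserInfo} (with no authorities yet), empty when none
     * @throws DataAccessException when the query fails (unchecked; propagated to the caller)
     */
    protected List<UserDetails> loadUsersByUsername(String username) {
        List<UserDetails> users = customUserDao.queryForList(this.usersByUsernameQuery,
                new Object[] { username }, (rs, rowNum) -> {
                    String account = rs.getString(1);
                    // Stored hash, verified later by the provider's encoder; never logged here.
                    String password = rs.getString(2);
                    boolean enabled = rs.getBoolean(3);
                    // Expiry/lock flags are not persisted, so they are fixed at true.
                    UserInfo user = new UserInfo(account, password, enabled, true, true, true,
                            AuthorityUtils.NO_AUTHORITIES);
                    user.setSalt(rs.getString(4));
                    user.setId(rs.getInt(5));
                    user.setCompanyId(rs.getInt(6));
                    user.setName(rs.getString(7));
                    user.setLoginStat(rs.getInt(8));
                    user.setLoginDate(rs.getLong(9));
                    user.setLoginIP(rs.getString(10));
                    return user;
                });
        if (users == null) {
            return new ArrayList<>();
        }
        return users;
    }
}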
spring Security 调试的时候用到BasicAuthenticationFilter
UsernamePasswordAuthenticationFilter
BasicAuthenticationFilter
MessageDigestPasswordEncoder.isPasswordValid
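package com.framework.security;

import com.framework.db.BaseDao;
import org.springframework.stereotype.Repository;

/**
 * JDBC access used by {@link UserDetailsServiceImpl}; all behaviour is inherited from
 * {@link BaseDao}.
 *
 * <p>Declared as {@code BaseDao<Object>} rather than the raw type so that the generic
 * {@code queryForList} keeps its declared element type at call sites instead of
 * collapsing to a raw {@code List} with unchecked conversions.
 */
@Repository("customUserDao")
public class CustomUserDao extends BaseDao<Object> {

    /**
     * Uses {@code Object.class} as the entity class; the visible {@code queryForList} in
     * {@link BaseDao} does not read it, so any value works here.
     */
    public CustomUserDao() {
        super(Object.class);
    }
}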
基于框架的BaseDao
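/**
 * Generic JDBC DAO: a thin wrapper over the injected {@link JdbcTemplate}.
 *
 * @param <T> entity type this DAO is declared for; it is only recorded, the visible query
 *            method does not use it
 */
@Repository("baseDao")
public class BaseDao<T> implements BaseDaoImp<T> {

    Logger log1 = LoggerFactory.getLogger(BaseDao.class);

    @Resource(name = "jdbcTemplate")
    private JdbcTemplate jdbcTemplate;

    private Class<T> entityClass;

    public BaseDao() {
    }

    public BaseDao(Class<T> entityClass) {
        this.entityClass = entityClass;
    }

    public JdbcTemplate getJdbcTemplate() {
        return this.jdbcTemplate;
    }

    /**
     * Runs {@code sql} with {@code args} bound to its {@code ?} placeholders and maps each row.
     *
     * <p>Keep {@code sql} a fixed statement and pass any user-supplied value through
     * {@code args}: JdbcTemplate binds them as parameters and never interpolates them into
     * the statement text.
     *
     * @param sql       statement with positional {@code ?} placeholders
     * @param args      values bound to the placeholders, in order
     * @param rowMapper maps one result row to a {@code T1}
     * @param <T1>      element type of the returned list
     * @return the mapped rows, empty when the query returns none
     * @throws DataAccessException on a JDBC failure, translated by Spring
     */
    @Override
    public <T1> List<T1> queryForList(String sql, Object[] args, RowMapper<T1> rowMapper)
            throws DataAccessException {
        return jdbcTemplate.query(sql, args, rowMapper);
    }
}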
自定义UserInfo对象
package com.framework.security;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;

import java.util.Collection;

/**
 * Principal object for this application: Spring Security's {@link User} (username, password
 * hash, enabled and the authorities) extended with the account's own attributes.
 *
 * <p>{@link #getSalt()} exists so that a reflective salt source can read the per-user salt
 * from the property named {@code salt}.
 *
 * @author tzz
 * @date 2016/5/3
 */
public class UserInfo extends User {

    /** USER_ACCOUNT primary key. */
    private int id;
    /** Owning company. */
    private int companyId;
    /** Id of the system the user is currently logged into. */
    private int loginSystemId = 0;
    /** Display name. */
    private String name;
    /** Login status: 1 = logged in, 2 = not logged in. */
    private int loginStat;
    /** IP address of the login. */
    private String loginIP;
    /** Login time. */
    private long loginDate;
    /** Per-user salt used when verifying the password hash. */
    private String salt;

    /**
     * Enabled, non-expired, non-locked user with the given authorities.
     */
    public UserInfo(String username, String password,
            Collection<? extends GrantedAuthority> authorities) {
        super(username, password, authorities);
    }

    /**
     * User with every account flag specified explicitly.
     */
    public UserInfo(String username, String password, boolean enabled,
            boolean accountNonExpired, boolean credentialsNonExpired,
            boolean accountNonLocked,
            Collection<? extends GrantedAuthority> authorities) {
        super(username, password, enabled, accountNonExpired, credentialsNonExpired,
                accountNonLocked, authorities);
    }

    // --- identity -------------------------------------------------------

    public int getId() {
        return this.id;
    }

    public void setId(int id) {
        this.id = id;
    }

    public int getCompanyId() {
        return this.companyId;
    }

    public void setCompanyId(int companyId) {
        this.companyId = companyId;
    }

    public String getName() {
        return this.name;
    }

    public void setName(String name) {
        this.name = name;
    }

    // --- credentials ----------------------------------------------------

    public String getSalt() {
        return this.salt;
    }

    public void setSalt(String salt) {
        this.salt = salt;
    }

    // --- login bookkeeping ----------------------------------------------

    public int getLoginSystemId() {
        return this.loginSystemId;
    }

    public void setLoginSystemId(int loginSystemId) {
        this.loginSystemId = loginSystemId;
    }

    public int getLoginStat() {
        return this.loginStat;
    }

    public void setLoginStat(int loginStat) {
        this.loginStat = loginStat;
    }

    public String getLoginIP() {
        return this.loginIP;
    }

    public void setLoginIP(String loginIP) {
        this.loginIP = loginIP;
    }

    public long getLoginDate() {
        return this.loginDate;
    }

    public void setLoginDate(long loginDate) {
        this.loginDate = loginDate;
    }
}