spring security 2.0 命名空间配置(带例子)

lym6520

浏览: 696054 次
性别:
来自: 福建

最近访客更多访客>>

一往无前bhz

navaa

u013305830

西红柿炒笨蛋

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

博客分类：

spring security

Security Spring 配置管理 Web Struts

    spring security已经成为企业软件中应用最为广泛的Java安全框架之一，它可以在Spring应用上下文中配置的Bean，充分利用了Spring IoC（依赖注入，也称控制反转）和AOP（面向切面编程）功能，为应用系统提供声明式的安全访问控制功能，减少了为企业系统安全控制编写大量重复代码的工作。它提供了全面的认证、授权、基于实例的访问控制、channel安全及人类用户检验能力。
     Spring Security 2.0构建在Acegi Security坚实的基础之上，并在此基础上增加了许多新特性，现在本文的重点是要讲spring security简化的基于命名空间的配置，旧式配置可能需要上百行的XML.
    通过下面的例子，你会了解到基于命名空间的配置是如何的简单。

     spring security 2.0 例子：

     开发环境：MyEclipse 6.0
    服务器：tomcat 6.x
    开发架构：struts 1.2 + spring 2.5
    spring security 版本：2.0

1.首先要搭好应用的款架，struts和spring（省略）
2.在web.xml里把spring-security 的配置文件路径添加进来
3.在web.xml中添加过spring的过滤器代理
4.添加相关的监听器，以便spring的监听管理
具体web.xml文件如下：

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee   http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
 <!-- 装载spring配置文件 -->
 <context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>
  	/WEB-INF/spring-security-ns.xml 
    /WEB-INF/applicationContext.xml
   </param-value>
 </context-param>
 <context-param>
  <param-name>log4jConfigLocation</param-name>
  <param-value>/WEB-INF/classes/log4j.properties</param-value>
 </context-param>
 <filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <!--bean的名字是springSecurityFilterChain，这是由命名空间创建的用于处理web安全的一个内部机制 -->
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
 </filter>

 <filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
 </filter-mapping>
 <!--
	  - Loads the root application context of this web app at startup.
	  - The application context is then available via
	  - WebApplicationContextUtils.getWebApplicationContext(servletContext).
    -->
 <listener>
  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
 </listener>
 <!--
	  - Publishes events for session creation and destruction through the application
	  - context. Optional unless concurrent session control is being used.
      -->
 <listener>
  <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
 </listener>
 <servlet>
  <servlet-name>action</servlet-name>
  <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>
  <init-param>
   <param-name>config</param-name>
   <param-value>/WEB-INF/struts-config.xml</param-value>
  </init-param>
  <init-param>
   <param-name>debug</param-name>
   <param-value>3</param-value>
  </init-param>
  <init-param>
   <param-name>detail</param-name>
   <param-value>3</param-value>
  </init-param>
  <load-on-startup>0</load-on-startup>
 </servlet>
 <servlet-mapping>
  <servlet-name>action</servlet-name>
  <url-pattern>*.do</url-pattern>
 </servlet-mapping>
 <welcome-file-list>
  <welcome-file>login.jsp</welcome-file>
 </welcome-file-list>
 <error-page>
  <error-code>403</error-code>
  <location>/error.html</location>
 </error-page>
 <login-config>
  <auth-method>BASIC</auth-method>
 </login-config>
</web-app>

5.创建spring-security-ns.xml配置文件（具体看配置文件）：

<?xml version="1.0" encoding="UTF-8"?>
<!--
  - 基于名称空间配置
  -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">

	<global-method-security secured-annotations="enabled" >
		<!-- AspectJ pointcut expression that locates our "post" method and applies security that way
		<protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
		-->
	</global-method-security>
											
    <http access-denied-page="/error.jsp" access-decision-manager-ref="accessDecisionManager" 
    	session-fixation-protection="newSession" auto-config="true" path-type="ant" ><!--session-fixation-protection属性可以防止session固定攻击  -->
       <!-- 权限入口的顺序十分重要，注意必须把特殊的URL权限写在一般的URL权限之前。 -->        
		<intercept-url pattern="/acegiTest.do" access="ROLE_SUPERVISOR"/>        
        <intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_REMEMBERED" />
        <intercept-url pattern="/roleA/**.jsp" access="ROLE_A"/>
        <intercept-url pattern="/roleB/**.jsp" access="ROLE_B"/>
        <intercept-url pattern="/roleC/**.jsp" access="ROLE_C"/>
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
		<!--
    	x509认证
        <x509 /> 
		-->
        <!-- All of this is unnecessary if auto-config="true"
        <form-login />
        <anonymous />
        <http-basic />
        <logout />
        <remember-me />
         -->
        <form-login login-page="/login.jsp" default-target-url="/index.jsp" authentication-failure-url="/login.jsp?login_error=1" />
        <anonymous key="cookie_key" username="ananoymous" granted-authority="IS_AUTHENTICATED_ANONYMOUSLY"/>        
        <logout invalidate-session="true" />
        <!-- session并发控制 -->				
		<concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true" /><!-- exception-if-maximum-exceeded="true" 第二次登入失效 -->
   		
    </http>   
    
    <!-- 访问决策管理 -->
	<beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
		<beans:property name="allowIfAllAbstainDecisions" value="true"/>
		<beans:property name="decisionVoters"><!-- 投票者列表 -->
			<beans:list>
				<beans:bean class="org.springframework.security.vote.RoleVoter"/>
				<beans:bean class="org.springframework.security.vote.AuthenticatedVoter"/>
			</beans:list>
		</beans:property>
	</beans:bean>
  
    <authentication-provider><!-- user-service-ref="userDetailsService" -->    
     	 <!-- 基于内存存储用户 -->
    	<user-service>
    		<user name="admin" password="202cb962ac59075b964b07152d234b70" authorities="ROLE_A, ROLE_B, ROLE_C, ROLE_SUPERVISOR"/>
    		<user name="userab" password="202cb962ac59075b964b07152d234b70" authorities="ROLE_A, ROLE_B"/>
    		<user name="usera" password="202cb962ac59075b964b07152d234b70" authorities="ROLE_A"/>
    		<user name="userb" password="202cb962ac59075b964b07152d234b70" authorities="ROLE_B"/>
    	</user-service>    	 
    	 <!--密码md5加密--> 
        <password-encoder hash="md5"/>  
        <!--
	    <jdbc-user-service data-source-ref="f3CenterDS" 
	    		users-by-username-query="select name as 'username',password`,'true' as 'enabled' from users where name = ?" 
	    		authorities-by-username-query="select name as 'username',authorities as 'authority' from authentication where name = ?" 
	    		 />     
	 	--> 
	</authentication-provider>	
	<!--用户信息存在在数据库的验证-->
	<!--  
	<beans:bean id="userDetailsService"
		class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
		<beans:property name="dataSource" ref="f3CenterDS" />
		<beans:property name="usersByUsernameQuery">
			<beans:value>
				select name as 'username',password,'true' as 'enabled' from users where name = ?
			</beans:value>
		</beans:property>
		<beans:property name="authoritiesByUsernameQuery">
			<beans:value>
				select name as 'username',authorities as 'authority' from authentication where name = ?
			</beans:value>
		</beans:property>
	</beans:bean>		
	-->
	
	
</beans:beans>

6.创建相关的jsp页面和action，见附件.

有兴趣的可以下载附件运行看看！
附件中还包含了spring-security 的jar包

SpringSecurityTest.rar (76.5 KB)
下载次数: 449

spring-security-2.0.4.rar (1.6 MB)
下载次数: 403

10
顶

0
踩

分享到：

按照a;b,c;d格式转换为二维数组 | SQL 索引分页

2009-01-03 14:38
浏览 4750
评论(2)
分类:企业架构
查看更多

2 楼 huzhiyong56 2011-10-14

楼主怎么都没包呀？

1 楼 whoisthat 2009-09-02

[color=red][/楼主你好！
太感谢你这篇帖子了，我研究了1个星期都没有结果的东西，在参照你的源码和文章之后豁然开朗了，十分感谢！！！color]

发表评论

您还没有登录,请您登录后再发表评论

最近访客更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论