SpringSecurity----- demo of verifying a logged-in user's permissions
Published: 2019-06-09


Preparation:

  1. Spring Security needs a custom Filter that extends AbstractSecurityInterceptor. That abstract class already carries the setters for the AccessDecisionManager (decision manager) and the AuthenticationManager (authentication manager), so both can be injected by Spring; the resource-role authorizer (the security metadata source) has to be defined and injected separately.

  2. The decision manager implements the AccessDecisionManager interface. In its decide(Authentication arg0, Object arg1, Collection<ConfigAttribute> arg2) method, the roles the user holds, Collection<GrantedAuthority> grantedAuthorities = arg0.getAuthorities(), are compared with the roles required to access the resource, Collection<ConfigAttribute> arg2; if any one role matches, the user is allowed to access the resource, otherwise decide throws AccessDeniedException.

  3. The authentication manager can be created by the <authentication-manager /> element in applicationContext-security.xml. That element refers to a class implementing the UserDetailsService interface, whose loadUserByUsername(String username) method returns a User object for the username passed in. Constructing that User requires a Collection of GrantedAuthority, which is where different usernames can be given different GrantedAuthority values.

  4. The resource-role authorizer implements the FilterInvocationSecurityMetadataSource interface. The roles required for each resource are fixed when the server starts, so the constructor of the implementation decides which roles each resource needs and stores them all in a Map<String, List<ConfigAttribute>>. Its getAttributes(Object arg0) method returns the Collection<ConfigAttribute> for the requested URL: the FilterInvocation passed in yields the request URL, which is then matched against the keys of the Map<String, List<ConfigAttribute>>. Two details matter for security here: getRequestUrl() includes the query string, so it must be stripped before matching, and when a URL matches no entry the method returns null, which AbstractSecurityInterceptor treats as a public resource unless its rejectPublicInvocations property is set to true, so every protected URL must appear in the map.

I. Define CustomSecurityFilter, which extends AbstractSecurityInterceptor.

package com.spring.security.demo;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

/**
 * Servlet filter that runs every request through AbstractSecurityInterceptor:
 * beforeInvocation() looks up the ConfigAttributes for the URL, asks the
 * AccessDecisionManager for a verdict and throws AccessDeniedException on failure.
 * AuthenticationManager and AccessDecisionManager are injected through the setters
 * inherited from AbstractSecurityInterceptor; the metadata source is our own property.
 */
public class CustomSecurityFilter extends AbstractSecurityInterceptor implements Filter
{
    private FilterInvocationSecurityMetadataSource securityMetadataSource;

    public FilterInvocationSecurityMetadataSource getSecurityMetadataSource()
    {
        return securityMetadataSource;
    }

    public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource)
    {
        this.securityMetadataSource = securityMetadataSource;
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException
    {
        // nothing to initialise: all collaborators are injected by Spring
    }

    @Override
    public void destroy()
    {
        // nothing to release
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException
    {
        FilterInvocation filterInvocation = new FilterInvocation(request, response, chain);
        // Authorisation check: throws AccessDeniedException (or an AuthenticationException)
        // when the user may not access this URL; ExceptionTranslationFilter turns that into
        // a redirect to the login page or a 403.
        InterceptorStatusToken token = beforeInvocation(filterInvocation);
        try
        {
            filterInvocation.getChain().doFilter(request, response);
        }
        finally
        {
            // Always restore the SecurityContext (e.g. after a run-as replacement),
            // even when the downstream filter or servlet threw.
            afterInvocation(token, null);
        }
    }

    @Override
    public Class<?> getSecureObjectClass()
    {
        return FilterInvocation.class;
    }

    @Override
    public SecurityMetadataSource obtainSecurityMetadataSource()
    {
        return this.securityMetadataSource;
    }
}


II. Define the AccessDecisionManager (decision manager), the AuthenticationManager (authentication manager), and CustomUserDetailService, which implements the UserDetailsService interface.

CustomAccessDecisionManager.java

package com.spring.security.demo.dependent.components;

import java.util.Collection;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/**
 * Grants access when at least one authority held by the user equals one of the
 * roles required for the resource: the same "any match" rule as Spring's RoleVoter,
 * but without the ROLE_ prefix convention, since this demo names roles Role_ADMIN etc.
 */
public class CustomAccessDecisionManager implements AccessDecisionManager
{
    /**
     * @param authentication   the logged-in user and the roles it holds
     * @param object           the secured object, here a FilterInvocation
     * @param configAttributes the roles required to access the resource
     */
    @Override
    public void decide(Authentication authentication, Object object,
            Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException
    {
        if (authentication == null)
        {
            throw new InsufficientAuthenticationException("Not logged in");
        }
        for (ConfigAttribute attribute : configAttributes)
        {
            // ConfigAttribute.getAttribute() works for any attribute type; the
            // original cast to SecurityConfig would break on other implementations.
            String requiredRole = attribute.getAttribute();
            for (GrantedAuthority grantedAuthority : authentication.getAuthorities())
            {
                if (requiredRole.equals(grantedAuthority.getAuthority()))
                {
                    return; // one matching role is enough
                }
            }
        }
        throw new AccessDeniedException("Access denied!");
    }

    @Override
    public boolean supports(ConfigAttribute attribute)
    {
        return true;
    }

    @Override
    public boolean supports(Class<?> clazz)
    {
        return true;
    }
}

CustomFilterInvocationSecurityMetadataSource.java

package com.spring.security.demo.dependent.components;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.util.AntUrlPathMatcher;
import org.springframework.security.web.util.UrlMatcher;

/**
 * Maps URL patterns to the roles that may access them. The map is filled once, in
 * the constructor, because the rules are fixed when the server starts.
 */
public class CustomFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource
{
    // LinkedHashMap keeps insertion order, so the first matching pattern wins
    // deterministically (with a HashMap a "/**"-style rule could shadow others at random).
    private final Map<String, List<ConfigAttribute>> mp = new LinkedHashMap<String, List<ConfigAttribute>>();
    private final UrlMatcher urlMatcher = new AntUrlPathMatcher();

    /**
     * Build the roles required for each resource.
     */
    public CustomFilterInvocationSecurityMetadataSource()
    {
        ConfigAttribute cb = new SecurityConfig("Role_ADMIN");         // build a permission (role)
        ConfigAttribute cbUser = new SecurityConfig("Role_USER");      // build a permission (role)
        ConfigAttribute cbManager = new SecurityConfig("Role_MANAGER"); // build a permission (role)

        // Each URL gets its own list. The original demo stored one list object for both
        // URLs and then called list.remove(2), which silently removed Role_MANAGER from
        // /Main.jsp as well.
        mp.put("/Main.jsp", new ArrayList<ConfigAttribute>(Arrays.asList(cb, cbUser, cbManager)));
        mp.put("/Main2.jsp", new ArrayList<ConfigAttribute>(Arrays.asList(cb, cbUser)));
    }

    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes()
    {
        // Used by AbstractSecurityInterceptor.afterPropertiesSet() to check that every
        // attribute is understood by the AccessDecisionManager.
        List<ConfigAttribute> all = new ArrayList<ConfigAttribute>();
        for (List<ConfigAttribute> attributes : mp.values())
        {
            all.addAll(attributes);
        }
        return all;
    }

    /**
     * Roles required to reach the requested URL, or null when the URL is not in the
     * map. AbstractSecurityInterceptor treats null as "public" unless its
     * rejectPublicInvocations property is true.
     */
    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException
    {
        String requestUrl = ((FilterInvocation) object).getRequestUrl();
        // getRequestUrl() includes the query string; strip it so that "/Main2.jsp?x=1"
        // is matched by the "/Main2.jsp" rule instead of falling through as an
        // unmapped (public) URL.
        int queryStart = requestUrl.indexOf('?');
        if (queryStart != -1)
        {
            requestUrl = requestUrl.substring(0, queryStart);
        }
        for (Map.Entry<String, List<ConfigAttribute>> entry : mp.entrySet())
        {
            // UrlMatcher.pathMatchesUrl takes the pattern first and the URL second;
            // the original had the arguments swapped, which only works for literal paths.
            if (urlMatcher.pathMatchesUrl(entry.getKey(), requestUrl))
            {
                return entry.getValue();
            }
        }
        return null;
    }

    @Override
    public boolean supports(Class<?> clazz)
    {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}

CustomUserDetailService.java

package com.spring.security.demo.dependent.components;

import java.util.ArrayList;
import java.util.List;

import org.springframework.dao.DataAccessException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Demo user store: every username is accepted with the password "123456", and the
 * username alone decides which role the user is given.
 */
public class CustomUserDetailService implements UserDetailsService
{
    /**
     * @param username the username entered on the login form
     */
    @Override
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException
    {
        List<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
        GrantedAuthority grantedAuthority;

        if ("admin".equals(username))
        {
            grantedAuthority = new GrantedAuthorityImpl("Role_ADMIN");
        }
        else if ("manager".equals(username))
        {
            grantedAuthority = new GrantedAuthorityImpl("Role_MANAGER");
        }
        else
        {
            grantedAuthority = new GrantedAuthorityImpl("Role_USER");
        }
        grantedAuthorities.add(grantedAuthority);

        // flags: enabled, accountNonExpired, credentialsNonExpired, accountNonLocked
        return new User(username, "123456", true, true, true, true, grantedAuthorities);
    }
}

Two things make this class demo-only: any username at all is accepted (a real UserDetailsService throws UsernameNotFoundException for unknown users), and the password is a plaintext constant shared by every account. In production the stored value is a hash and the login form's password is verified through a PasswordEncoder.
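The four components above can be exercised without a servlet container. The following is an added example, not part of the original post: it assumes the corrected classes above, Spring Security 3.0.x and spring-test (for the Mock* servlet classes) on the classpath, and replays the decision AbstractSecurityInterceptor.beforeInvocation makes for a given user and URL, including the null-attributes-means-public rule. The class name AuthorizationFlowCheck and the username "alice" are made up for the example.

```java
package com.spring.security.demo;

import java.util.Collection;

import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.FilterInvocation;

import com.spring.security.demo.dependent.components.CustomAccessDecisionManager;
import com.spring.security.demo.dependent.components.CustomFilterInvocationSecurityMetadataSource;
import com.spring.security.demo.dependent.components.CustomUserDetailService;

/** Offline replay of the authorisation decision made by CustomSecurityFilter. */
public class AuthorizationFlowCheck
{
    private static final CustomUserDetailService userService = new CustomUserDetailService();
    private static final CustomFilterInvocationSecurityMetadataSource metadataSource =
            new CustomFilterInvocationSecurityMetadataSource();
    private static final CustomAccessDecisionManager decisionManager = new CustomAccessDecisionManager();

    /** The Authentication the SecurityContext would hold after `username` logged in. */
    static Authentication authenticatedAs(String username)
    {
        UserDetails user = userService.loadUserByUsername(username);
        return new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());
    }

    /** Wrap a GET for `servletPath` (plus optional query string) the way the filter sees it. */
    static FilterInvocation requestTo(String servletPath, String queryString)
    {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", servletPath);
        request.setServletPath(servletPath);   // FilterInvocation.getRequestUrl() builds on servletPath
        request.setQueryString(queryString);   // ...and appends "?" + queryString when present
        return new FilterInvocation(request, new MockHttpServletResponse(), new MockFilterChain());
    }

    /** Same decision as AbstractSecurityInterceptor.beforeInvocation with rejectPublicInvocations=false. */
    static boolean isAllowed(String username, String servletPath, String queryString)
    {
        FilterInvocation invocation = requestTo(servletPath, queryString);
        Collection<ConfigAttribute> required = metadataSource.getAttributes(invocation);
        if (required == null || required.isEmpty())
        {
            return true; // no rule for this URL: the interceptor lets it through untouched
        }
        try
        {
            decisionManager.decide(authenticatedAs(username), invocation, required);
            return true;
        }
        catch (AccessDeniedException denied)
        {
            return false;
        }
    }

    private static int failures = 0;

    private static void check(boolean expected, boolean actual, String what)
    {
        boolean ok = expected == actual;
        if (!ok) failures++;
        System.out.println((ok ? "PASS " : "FAIL ") + what);
    }

    public static void main(String[] args)
    {
        check(true,  isAllowed("manager", "/Main.jsp", null),   "manager may open /Main.jsp");
        check(false, isAllowed("manager", "/Main2.jsp", null),  "manager is denied /Main2.jsp");
        check(true,  isAllowed("alice", "/Main2.jsp", null),    "any other name gets Role_USER and may open /Main2.jsp");
        check(false, isAllowed("manager", "/Main2.jsp", "x=1"), "a query string must not bypass the /Main2.jsp rule");
        check(true,  isAllowed("manager", "/other.jsp", null),  "a URL absent from the map is public");
        System.exit(failures == 0 ? 0 : 1);
    }
}
```

The first two checks fail against the post's original metadata source because both map entries shared one list; the fourth fails without the query-string strip, because "/Main2.jsp?x=1" matches no rule and is served as a public URL. The last check is not a bug but the default rejectPublicInvocations=false behaviour, which is why every protected page has to be listed.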


III. Complete the applicationContext-security.xml and web.xml configuration

applicationContext-security.xml

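The body of applicationContext-security.xml did not survive on this page. What follows is an added reconstruction, not the original author's file: it wires the four classes above using the Spring Security 3.0 namespace (GrantedAuthorityImpl and AntUrlPathMatcher, which the demo uses, belong to that release). The bean ids, the login-page and target URLs, and the placement of the custom filter after FILTER_SECURITY_INTERCEPTOR are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- Form login against index.jsp. The built-in FilterSecurityInterceptor gets a
         permissive catch-all rule so that every URL decision is made by
         customSecurityFilter; an anonymous user denied there is redirected to the
         login page by ExceptionTranslationFilter, a logged-in user gets a 403. -->
    <http auto-config="true">
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <form-login login-page="/index.jsp" default-target-url="/Main.jsp"
            authentication-failure-url="/index.jsp?error=true" />
        <logout logout-success-url="/index.jsp" />
        <custom-filter ref="customSecurityFilter" after="FILTER_SECURITY_INTERCEPTOR" />
    </http>

    <!-- AbstractSecurityInterceptor.afterPropertiesSet() asserts that all three
         collaborators are set, so every property below is required. -->
    <beans:bean id="customSecurityFilter" class="com.spring.security.demo.CustomSecurityFilter">
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="accessDecisionManager" ref="customAccessDecisionManager" />
        <beans:property name="securityMetadataSource" ref="customSecurityMetadataSource" />
    </beans:bean>

    <beans:bean id="customAccessDecisionManager"
        class="com.spring.security.demo.dependent.components.CustomAccessDecisionManager" />

    <beans:bean id="customSecurityMetadataSource"
        class="com.spring.security.demo.dependent.components.CustomFilterInvocationSecurityMetadataSource" />

    <beans:bean id="customUserDetailService"
        class="com.spring.security.demo.dependent.components.CustomUserDetailService" />

    <!-- The alias exposes the namespace-built AuthenticationManager as a bean that the
         custom filter can reference. -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="customUserDetailService" />
    </authentication-manager>

</beans:beans>
```

Because the catch-all intercept-url is deliberately permissive, removing the custom-filter element leaves every page open; the two rules work together, not as a fallback for each other.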

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5"
    xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
        http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/applicationContext*.xml</param-value>
    </context-param>

    <!-- DelegatingFilterProxy forwards to the Spring bean with the same name,
         springSecurityFilterChain, which the security namespace creates. -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

</web-app>

IV. Complete the front-end test page

<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <base href="<%=basePath%>">
    <title>User login</title>
  </head>
  <body>
    <p>Username: admin (admin has the Role_ADMIN role, manager has Role_MANAGER, any other username gets Role_USER)<br>
       Password: 123456</p>
    <%-- The form markup was lost from the page; the action and field names below are
         the Spring Security 3.0 form-login defaults and are assumed. --%>
    <form action="j_spring_security_check" method="post">
      Username: <input type="text" name="j_username"><br>
      Password: <input type="password" name="j_password"><br>
      <input type="submit" value="Login">
    </form>
  </body>
</html>

Reposted from: https://www.cnblogs.com/xiongyu/archive/2012/07/21/2602220.html
