Acegi配置实例

1、在web.xml中

<!-- Application-scope context parameters. Spring's root WebApplicationContext loads every file
     matching /WEB-INF/context/applicationContext-*.xml, so the security configuration below
     (applicationContext-acegi-security.xml) is picked up by the same glob. Anything else dropped
     into that directory with a matching name is wired in too, so keep test/sample contexts out. -->
    <context-param>
  <param-name>contextConfigLocation</param-name>
  <param-value>
   /WEB-INF/context/applicationContext-*.xml
  </param-value>
    </context-param>

<!-- Acegi filter chain proxy. DelegatingFilterProxy looks up the Spring bean named by
     targetBeanName ("filterChainProxy") in the root web application context and delegates every
     doFilter() call to it, so the real chain is Spring-managed. The value must match the bean id
     declared in applicationContext-acegi-security.xml or the filter fails at init. -->
   <filter>
     <filter-name>Acegi Filter Chain Proxy</filter-name>
     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
     <init-param>
      <param-name>targetBeanName</param-name>
      <param-value>filterChainProxy</param-value>
    </init-param>
   </filter>

<!-- URL patterns routed through the Acegi chain.
     NOTE(review): the chain is attached only to the patterns listed here. A request whose path
     matches none of them (extension-less URLs, static files, servlets mapped under other paths)
     is never seen by Acegi at all, even though filterChainProxy itself is configured with
     pattern="/**". The fail-closed alternative is to map the filter to /* and list the genuinely
     public resources in the session filter's noAuthenticationUrl; at minimum, review whether any
     sensitive servlet, download or upload handler is mapped outside these extensions.
     If this web.xml is Servlet 2.4 or later, a mapping without <dispatcher> elements applies to
     the REQUEST dispatcher only, so forwards/includes to these paths are not re-filtered.
     /j_oa_security_check must equal authenticationProcessingFilter.filterProcessesUrl, and
     /j_spring_security_logout is LogoutFilter's default processing URL. -->

<filter-mapping>
      <filter-name>Acegi Filter Chain Proxy</filter-name>
      <url-pattern>/j_oa_security_check</url-pattern>
    </filter-mapping>
   
    <!-- Logout -->
<filter-mapping>
      <filter-name>Acegi Filter Chain Proxy</filter-name>
      <url-pattern>/j_spring_security_logout</url-pattern>
    </filter-mapping>
   
    <filter-mapping>
      <filter-name>Acegi Filter Chain Proxy</filter-name>
      <url-pattern>*.ao</url-pattern>
    </filter-mapping>
   
    <filter-mapping>
      <filter-name>Acegi Filter Chain Proxy</filter-name>
      <url-pattern>*.jsp</url-pattern>
    </filter-mapping>

<filter-mapping>
      <filter-name>Acegi Filter Chain Proxy</filter-name>
      <url-pattern>*.servlet</url-pattern>
    </filter-mapping>
   
    <filter-mapping>
      <filter-name>Acegi Filter Chain Proxy</filter-name>
      <url-pattern>*.editDoc</url-pattern>
    </filter-mapping>
    <filter-mapping>
      <filter-name>Acegi Filter Chain Proxy</filter-name>
      <url-pattern>*.openAccessory</url-pattern>
    </filter-mapping>

2、applicationContext-acegi-security.xml中

<?xml version="1.0" encoding="UTF-8"?> 
<beans xmlns="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xmlns:security="http://www.springframework.org/schema/security" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">

<!-- ======================== FILTER CHAIN ======================= -->
<!--
  FilterChainProxy invokes the listed filters in order, which lets them be ordinary Spring beans.
  path-type="ant" selects Apache Ant-style matching for the chain patterns.
  Order matters: httpSessionContextIntegrationFilter must be first (it loads/stores the
  SecurityContext in the HTTP session) and filterInvocationInterceptor last (authorization).
  NOTE(review): no anonymousProcessingFilter, rememberMeProcessingFilter or channelProcessingFilter
  is present in this chain, although anonymous and remember-me providers are registered on the
  authenticationManager below. Unless the custom BerHttpSessionContextIntegrationFilter creates
  those tokens itself, anonymous and remember-me authentication never happen through this chain.
-->
<!-- CAS single sign-on: replace authenticationProcessingFilter with casProcessingFilter (see the commented-out chain). -->
<bean id="filterChainProxy" class="org.springframework.security.util.FilterChainProxy">
  <security:filter-chain-map path-type="ant"> 
    <!--security:filter-chain pattern="/**" 
                filters="httpSessionContextIntegrationFilter,logoutFilter,casProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor" /--> 
            <security:filter-chain pattern="/**" 
                filters="httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor" /> 
        </security:filter-chain-map>
</bean>

<!-- ======================== AUTHENTICATION ======================= -->
<!--
  ProviderManager walks the provider list: a provider that does not support the token type is
  skipped, and the first one that returns a non-null Authentication wins. Each provider handles
  one token type, e.g. DaoAuthenticationProvider only authenticates UsernamePasswordAuthenticationToken.
  Providers shipped with this release (not all configured here):
    DaoAuthenticationProvider        - username/password against a UserDetailsService
    AnonymousAuthenticationProvider  - AnonymousAuthenticationToken carrying the shared key
    RememberMeAuthenticationProvider - RememberMeAuthenticationToken carrying the shared key
    CasAuthenticationProvider (Yale CAS single sign-on), JaasAuthenticationProvider,
    X509AuthenticationProvider, RemoteAuthenticationProvider, RunAsImplAuthenticationProvider,
    AuthByAdapterProvider (container adapters), TestingAuthenticationProvider (unit tests only)
  NOTE(review): only DaoAuthenticationProvider is actually exercised by the filter chain above; the
  anonymous and remember-me providers have no filter in the chain that creates their tokens.
-->
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref bean="daoAuthenticationProvider"/>
      <!-- CAS single sign-on: use casAuthenticationProvider instead of daoAuthenticationProvider -->
      <!--ref bean="casAuthenticationProvider"/-->
      <ref bean="anonymousAuthenticationProvider"/>
      <ref bean="rememberMeAuthenticationProvider"/>
    </list>
  </property>
</bean>
  
   <!-- 认证提供者  -->
   <!-- 用于认证匿名用户 -->
<bean id="anonymousAuthenticationProvider" class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
  <property name="key" value="blhOaWebKey2"/>
</bean>

  <bean id="passwordEncoder" class="org.springframework.security.providers.encoding.Md5PasswordEncoder"/>
<!--
  基于数据库的认证提供者
         authenticationDao 认证数据访问对象,用于获取用户信息,包括:用户名,用户密码,用户状态和用户权限
         userCache ehcache 缓存user信息。
         saltSource 对密码进行私钥加密
     -->
<bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
       <property name="userDetailsService">
        <ref bean="userManagerService"/>
       </property>
       <property name="passwordEncoder"><ref local="passwordEncoder"/></property>
       <property name="saltSource">
        <bean class="org.springframework.security.providers.dao.salt.ReflectionSaltSource">
         <property name="userPropertyToUse">
          <value>getUsername</value>
         </property>
        </bean>
       </property>
</bean>

   
    <!-- ======================== FILTER        ======================= -->
  <!--
         Session integration filter: before each request it restores the Authentication object
         from the HTTP session into the SecurityContext, and after the request it writes the
         (possibly updated) context back to the session. It must be the first Acegi filter in
         the chain. This deployment uses a custom subclass (com.ber.acegi.extend.Ber...) instead
         of the stock org.springframework.security.context.HttpSessionContextIntegrationFilter;
         the loginFormUrl and noAuthenticationUrl properties below belong to that subclass.
     -->
    
    
<!-- NOTE(review): presumably the subclass redirects unauthenticated requests to loginFormUrl
     unless the request path is in noAuthenticationUrl (confirm in BerHttpSessionContextIntegrationFilter).
     Whitelisted paths skip login entirely, so each entry is reachable by anyone who can reach the server:
       /j_oa_security_check     - login form POST target (must be public)
       /sof_login.jsp           - login page (must be public)
       /sysmanage/ug/useradd.ao - looks like a user-creation action under "sysmanage"; verify that
                                  exposing it without authentication is intended (self-registration?).
     Also note that filterInvocationInterceptor only enforces roles for URLs that have a row in
     T_MENU_RESOURCE; with rejectPublicInvocations left at its default, a whitelisted URL without
     such a row is completely unprotected. -->
<bean id="httpSessionContextIntegrationFilter" class="com.ber.acegi.extend.BerHttpSessionContextIntegrationFilter">
  <property name="loginFormUrl" value="/sof_login.jsp"/>
  <!-- Resources reachable without logging in -->
  <property name="noAuthenticationUrl">
   <list>
    <value>/j_oa_security_check</value>
    <value>/sof_login.jsp</value>
    <value>/sysmanage/ug/useradd.ao</value>
   </list>
  </property>
</bean>

<!--
  Remember-me ("auto-login via cookie"). TokenBasedRememberMeServices issues a cookie holding
  username, expiry and an MD5 signature over username:expiry:stored-password:key, and rebuilds a
  RememberMeAuthenticationToken from it on later visits. tokenValiditySeconds 864000 = 10 days.
  NOTE(review): the key is the only secret preventing cookie forgery; use a long random value
  rather than a readable string and keep it out of source control. Because the signature also
  covers the stored password hash, a leaked password table plus this key lets an attacker mint
  valid cookies for any user. PersistentTokenBasedRememberMeServices (series/token stored
  server-side) is the stronger option if it is available in this release.
  NOTE(review): nothing in the chain references rememberMeServices except logoutFilter, which only
  cancels the cookie; authenticationProcessingFilter below has no rememberMeServices property and
  there is no rememberMeProcessingFilter, so as configured the cookie is probably never issued or
  honoured unless the custom filters do it themselves (confirm).
-->
   <bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices">
  <property name="userDetailsService" ref="userManagerService"/>
  <property name="key" value="blhOaWebKey"/>
  <property name="tokenValiditySeconds" value="864000"/>
</bean>
   
<!-- Accepts the RememberMeAuthenticationToken produced by rememberMeServices; the key must be
     identical to the one above or every remember-me token is rejected. -->
<bean id="rememberMeAuthenticationProvider" class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider">
  <property name="key" value="blhOaWebKey"/>
</bean>

<!--
  Logout handling. LogoutFilter intercepts its processing URL (default /j_spring_security_logout,
  which is what web.xml maps), runs each LogoutHandler in order, then redirects to the URL given
  as the first constructor argument.
  Handlers: rememberMeServices cancels the remember-me cookie; SecurityContextLogoutHandler
  invalidates the HTTP session and clears the SecurityContext.
  NOTE(review): in this release any request to the logout URL, including a GET triggered by a
  cross-site link or image, logs the user out; a nuisance rather than a data exposure.
-->
<bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
  <!-- URL redirected to after logout -->
  <constructor-arg value="/sof_login.jsp"/>
  <constructor-arg>
   <list>
    <ref bean="rememberMeServices"/>
    <bean class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"/>
    </list>
  </constructor-arg>
</bean>

<!--
   Form-login processing filter (the other two processing filters in this release are
   BasicProcessingFilter and CasProcessingFilter). This deployment uses a custom subclass,
   com.ber.acegi.extend.LogAuthenticationProcessingFilter; presumably it adds audit logging (confirm).
         authenticationFailureUrl - page shown after a failed login (login_error=1 lets the JSP show a message)
         defaultTargetUrl         - page shown after a successful login when no original request was saved
         filterProcessesUrl       - URL the login form POSTs to; must also be in web.xml's filter
                                    mappings and in the session filter's noAuthenticationUrl list
   NOTE(review): no rememberMeServices is injected here, so the stock filter never issues a
   remember-me cookie on login. The login POST carries no CSRF token (not available in this
   release); at minimum the form must be served and submitted over HTTPS (see forceHttps on the
   entry point).
     -->
<bean id="authenticationProcessingFilter" class="com.ber.acegi.extend.LogAuthenticationProcessingFilter">
       <property name="authenticationManager" ref="authenticationManager"/>
       <property name="authenticationFailureUrl" value="/sof_login.jsp?login_error=1"/>
       <property name="defaultTargetUrl" value="/jsp/desktop/main.jsp"/>
       <!--
     <property name="defaultTargetUrl" value="/jsp/mainFrame.jsp?showFirstMessage=1"/>
        -->
     <!-- CAS single sign-on: use /j_spring_cas_security_check instead of /j_oa_security_check -->
     <!-- property name="filterProcessesUrl" value="/j_spring_cas_security_check"/-->
       <property name="filterProcessesUrl" value="/j_oa_security_check"/>
    </bean>
  
   <!--
         filterInvocationInterceptor authorizes the request URL before it reaches the servlet/JSP:
         1. objectDefinitionSource returns the config attributes (here: role names from the
            T_MENU_RESOURCE table) required for the requested URL;
         2. if there are attributes, the caller must be authenticated. With alwaysReauthenticate="true"
            the session's Authentication is passed through authenticationManager again on every
            request; for a username/password token that still carries its credentials this means
            DaoAuthenticationProvider re-loads the user and re-checks the hash, so disabled/locked
            accounts and changed passwords take effect immediately, at the cost of a user lookup
            per request;
         3. accessDecisionManager asks its voters (roleVoter) whether the caller's authorities
            satisfy the attributes; AccessDeniedException is handled by exceptionTranslationFilter.
         observeOncePerRequest="false" lets the interceptor run again if the same request passes
         through the chain more than once.
         NOTE(review): rejectPublicInvocations keeps its default (false), so a URL with no row in
         T_MENU_RESOURCE yields no attributes and the interceptor passes it through without any
         authentication or role check. Whether such URLs are still login-protected then depends
         entirely on the custom session filter; set rejectPublicInvocations="true" if every
         protected URL is guaranteed to have a row. -->
  
    <bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
         <property name="authenticationManager"><ref bean="authenticationManager"/></property>
       <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property>
       <property name="objectDefinitionSource"> <ref local="rdbmsFilterInvocationDefinitionSource" /></property>
       <property name="observeOncePerRequest" value="false"></property>
       <property name="alwaysReauthenticate" value="true"></property>
    </bean>
    <!-- URL to required-role map loaded from the database (custom class). The static query returns
         one (url pattern, role) pair per row; urlField/rolesField name the result columns. Patterns
         are matched with antUrlPathMatcher (Ant style, e.g. /sysmanage/**). Rows are ordered by
         INDEX_ DESC, presumably because the first matching pattern wins, so more specific patterns
         need a higher INDEX_ (confirm against RdbmsFilterInvocationDefinitionSource).
         NOTE(review): the role values are taken verbatim from MENUCODE_. roleVoter below only votes
         on attributes beginning with "AUTH_"; a MENUCODE_ without that prefix makes the only voter
         abstain and, with allowIfAllAbstainDecisions="false", the URL is denied to everyone.
         Results are served from the webresdbCache EhCache region, so edits to T_MENU_RESOURCE are
         not seen until that cache expires or is cleared. -->
    <bean id="rdbmsFilterInvocationDefinitionSource"  class="com.ber.acegi.extend.RdbmsFilterInvocationDefinitionSource">
    <constructor-arg type="org.springframework.security.util.UrlMatcher"  ref="antUrlPathMatcher" />
    <property name="webresdbCache" ref="webresCacheBackend" />
    <property name="rdbmsInvocationDefinition">
     <bean class="com.ber.acegi.extend.RdbmsSecuredUrlDefinition">
      <constructor-arg index="0">
       <ref bean="dataSource"/>
      </constructor-arg>
      <constructor-arg index="1">
       <value>
      SELECT     MATCHURL_ AS url, MENUCODE_ AS role
      FROM         T_MENU_RESOURCE
      ORDER BY INDEX_ DESC
     </value>
      </constructor-arg>
      <property name="urlField" value="url"/>
      <property name="rolesField" value="role"/>
     </bean>
    </property>
    </bean>
    <!-- Ant-style path matcher shared by the definition source above -->
    <bean id="antUrlPathMatcher"  class="org.springframework.security.util.AntUrlPathMatcher" /> 
 
    <bean id="webresCacheBackend"  class="org.springframework.cache.ehcache.EhCacheFactoryBean">
       <property name="cacheManager">
          <ref  bean="cacheManager"/>
       </property>
       <property name="cacheName">
          <value>webresdbCache</value>
       </property>
    </bean>
 
   
    <!-- httpRequestAccessDecisionManager(投票通过策略管理器)用于管理投票通过策略。Acegi提供三种投票通过策略的实现:
   AffirmativeBased(至少一个投票者同意方可通过),ConsensusBased(多数投票者同意方可通过),UnanimousBased(所有投
   票者同意方可通过)
   allowIfAllAbstainDecisions : 设定是否允许:“没人反对就通过”的投票策略
   decisionVoters : 投票者
-->
    <bean id="httpRequestAccessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
      <property name="allowIfAllAbstainDecisions"><value>false</value></property>
      <property name="decisionVoters">
         <list>
             <ref bean="roleVoter"/>
         </list>
      </property>
   </bean>
  
   <!--
         必须是以rolePrefix设定的value开头的才会进行投票,否则为弃权
     -->
   <bean id="roleVoter" class="org.springframework.security.vote.RoleVoter">
     <property name="rolePrefix"><value>AUTH_</value></property>
   </bean>
  
<!-- Translates exceptions thrown by filterInvocationInterceptor into HTTP responses:
     AuthenticationException (not logged in, or re-authentication failed) -> save the request and
     hand over to authenticationEntryPoint (redirect to the login page);
     AccessDeniedException (logged in but lacking the role) -> AccessDeniedHandlerImpl sets status
     403 and forwards to /jsp/common/403.jsp. Must precede the interceptor in the chain. -->
<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint" ref="authenticationProcessingFilterEntryPoint"/>
  <!-- CAS single sign-on: use casProcessingFilterEntryPoint instead of authenticationProcessingFilterEntryPoint -->
  <!--property name="authenticationEntryPoint" ref="casProcessingFilterEntryPoint"/-->
  <property name="accessDeniedHandler">
    <bean class="org.springframework.security.ui.AccessDeniedHandlerImpl">
      <property name="errorPage" value="/jsp/common/403.jsp"/>
    </bean>
  </property>
</bean>
<!--
    Entry point used when an unauthenticated request hits a protected URL. Implementations in this release:
    BasicProcessingFilterEntryPoint          - HTTP Basic challenge
    AuthenticationProcessingFilterEntryPoint - redirect to an HTML login form (used here)
    CasProcessingFilterEntryPoint            - redirect to the Yale CAS login page
    forceHttps="false": the login redirect keeps the scheme of the original request, so credentials
    are submitted in clear text whenever the site is reached over plain HTTP.
    NOTE(review): set forceHttps="true" (the redirect then uses the PortMapper's HTTP to HTTPS port
    translation, so the HTTPS port must be reachable) or, better, terminate TLS for the whole
    application; a login page reachable over HTTP is the most exposed point in this configuration.
    serverSideRedirect="false": a client-side 302 to loginFormUrl rather than a server-side forward.
  -->
<bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
  <property name="loginFormUrl">
    <value>/sof_login.jsp</value>
  </property>
  <property name="forceHttps">
    <value>false</value>
  </property>
  <property name="serverSideRedirect">
    <value>false</value>
  </property>
</bean>

</beans>


转载自weisong0127.iteye.com/blog/1019387