spring secutity 2.05的配置

spring secutity 2.05的配置
参考：http://blog.csdn.net/superboo/article/details/5025435
xml配置中多次出现“/”，如login-page="/userLoginAction_init"，是为了区分是一个引用的名字还是跳转到一个方法中
1.导入jar
2.在web.xml中引入spring secutity3.0
 <filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>
   org.springframework.web.filter.DelegatingFilterProxy
  </filter-class>
 </filter>
 <filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
 </filter-mapping>
3.在classpath下建一个applicationContext-security.xml
3.1.导入
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
3.2哪些资源需要过滤
<http auto-config="true" access-denied-page="/jsp/accessDenied.jsp"> 
        <intercept-url pattern="/css/**" filters="none" /> 
        <intercept-url pattern="/images/**" filters="none" /> 
        <intercept-url pattern="/js/**" filters="none" /> 
        <!-- 增加一个filter，这点与Acegi是不一样的，不能修改默认的filter了。这个filter位于FILTER_SECURITY_INTERCEPTOR之前  --> 
        <custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR" /> 
配置需要特定角色访问的资源
<security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
<security:intercept-url pattern="/space/**" access="ROLE_USER" />
3.2.1登录（注销）页面设置
<form-login login-page="/login.jsp"  authentication-failure-url="/common/403.jsp"  default-target-url="/admin.jsp" /> 
<logout logout-success-url="/login.jsp"/>
</http>

3.3认证管理方面（如何自定义一个filter，必须包含authenticationManager,accessDecisionManager,securityMetadataSource三个属性，然后写三个类分别实现相应的接口）
<bean id="myFilter" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor"> 
        <!-- 认证管理器，实现用户认证的入口 --> 
        <property name="authenticationManager" ref="authenticationManager" /> 
        <!-- 访问决策器，决定某个用户具有的角色，是否有足够的权限去访问某个资源 --> 
        <property name="accessDecisionManager" ref="accessDecisionManager" /> 
        <!-- 资源源数据定义，即定义某一资源可以被哪些角色访问 --> 
        <property name="securityMetadataSource" ref="secureResourceFilterInvocationDefinitionSource" /> 
    </bean>
3.3.1认证管理器
<security:authentication-manager alias="authenticationManager"> 
        <!-- 认证管理器提供者[user-service-ref]引用的服务组件，通过securityManager进行对用户信息的认证--> 
        <security:authentication-provider ref="authenticationProvider">      
        </security:authentication-provider>
</security:authentication-manager> 
3.3.1.1认证管理器提供者
    <bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"> 
        <property name="userDetailsService" ref="userDetailsService"/> 
        <!-- value设置为false,为了能在myAuthenticationfailureHandler（认证失败）中接受到该异常，通过异常响应不同的页面 -->
        <property name="hideUserNotFoundExceptions" value="false"/>
        <!-- 自定义密码加密校验机制 -->
        <property name="passwordEncoder" ref="md5ShaPasswordEncoder"/>
    </bean>
3.3.2访问决策器
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased"> 
        <property name="allowIfAllAbstainDecisions" value="false" /> 
        <property name="decisionVoters"> 
            <list> 
                <bean class="org.springframework.security.access.vote.RoleVoter" /> 
                <bean class="org.springframework.security.access.vote.AuthenticatedVoter" /> 
            </list> 
        </property>
    </bean>
3.3.3资源源数据定义（将所有的资源和权限对应关系建立起来，即定义某一资源可以被哪些角色访问）
<beans:bean id="MySecurityMetadataSource" init-method="loadResourceDefine"  class="com.softvan.spring.security.InvocationSecurityMetadataSourceService"> 
        <beans:property name="roleService" ref="RoleService" /> 
        <beans:property name="actionService" ref="ActionService" /> 
</beans:bean>

 

 

高级//////////////////////////////////////////////////////////////////////////////////////
3.2的另外一种配置
建立一个资源表和一个资源角色中间表用于存放角色所能访问的url。
然后再写一个自定义过滤器，用于读取表中角色所能访问的url。
这样需要先导入这个自定义过滤器，
<beans:bean id="filterSecurityInterceptor"
        class="org.springframework.security.intercept.web.FilterSecurityInterceptor" autowire="byType">
        <custom-filter before="FILTER_SECURITY_INTERCEPTOR"/>
        <beans:property name="objectDefinitionSource" ref="filterInvocationDefinitionSource" />
</beans:bean>
<beans:bean id="filterInvocationDefinitionSource" class="com.lovo.JdbcFilterInvocationDefinitionSourceFactoryBean">
        <beans:property name="dataSource" ref="dataSource"/>
        <beans:property name="resourceQuery" value="select m.address,r.descn from t_module_role mr join t_module m on mr.m_id=m.id join t_role r on mr.r_id=r.id; "/>
</beans:bean>
再写对应的com.lovo.JdbcFilterInvocationDefinitionSourceFactoryBean类

3.2.1的高级配置
<security:form-login login-page="/userLoginAction_init" authentication-failure-handler-ref="myAuthenticationfailureHandler"  authentication-success-handler-ref="myAuthenticationSuccessHandler"  always-use-default-target="true" />
<security:access-denied-handler error-page="/accessDenied.jsp" />
<security:remember-me  user-service-ref="userDetailsService"  token-validity-seconds="123456789" />  
<security:logout invalidate-session="true" logout-success-url="/" logout-url="/j_spring_security_logout" />
然后再配置两个filter
<!--自定义认证成功--> 
    <bean id="myAuthenticationSuccessHandler" class="com.miaopu.core.security.MyAuthenticationSuccessHandler">
     <property name="defaultTargetUrl" value="/userLoginAction_entry" /> 
        <property name="alwaysUseDefaultTargetUrl" value="false" />
        <property name="userLoginService" ref="userLoginService"/> 
    </bean>
<!-- 认证失败 --> 
    <bean id="myAuthenticationfailureHandler" class="com.miaopu.core.security.MyAuthenticationFailureHandler"> 
        <property name="defaultFailureUrl" value="/userLoginAction_loginFailure" /> 
        <property name="allowSessionCreation" value="false"/>
    </bean>