`
yangzb
  • 浏览: 3506866 次
  • 性别: Icon_minigender_1
  • 来自: 北京
社区版块
存档分类
最新评论

Pathway from ACEGI to Spring Security 2.0

阅读更多

Formerly called ACEGI Security for Spring, the re-branded Spring Security 2.0 has delivered on its promises of making it simpler to use and improving developer productivity. Already considered as the Java platform's most widely used enterprise security framework with over 250,000 downloads from SourceForge, Spring Security 2.0 provides a host of new features.

This article outlines how to convert your existing ACEGI based Spring application to use Spring Security 2.0.

What is Spring Security 2.0

Spring Security 2.0 has recently been released as a replacement to ACEGI and it provides a host of new security features:

  • Substantially simplified configuration.
  • OpenID integration, single sign on standard.
  • Windows NTLM support, single sign on against Windows corporate networks.
  • Support for JSR 250 ("EJB 3") security annotations.
  • AspectJ pointcut expression language support.
  • Comprehensive support for RESTful web request authorization.
  • Long-requested support for groups, hierarchical roles and a user management API.
  • An improved, database-backed "remember me" implementation.
  • New support for web state and flow transition authorization through the Spring Web Flow 2.0 release.
  • Enhanced WSS (formerly WS-Security) support through the Spring Web Services 1.5 release.
  • A whole lot more...

Goal

Currently I work on a Spring web application that uses ACEGI to control access to the secure resources. Users are stored in a database and as such we have configured ACEGI to use a JDBC based UserDetails Service. Likewise, all of our web resources are stored in the database and ACEGI is configure to use a custom AbstractFilterInvocationDefinitionSource to check authorization details for each request.
With the release of Spring Security 2.0 I would like to see if I can replace ACEGI and keep the current ability to use the database as our source of authentication and authorization instead of the XML configuration files (as most examples demonstrate).

Here are the steps that I took...

Steps

  1. The first (and trickiest) step was to download the new Spring Security 2.0 Framework and make sure that the jar files are deployed to the correct location. (/WEB-INF/lib/ )
    There are 22 jar files that come with the Spring Security 2.0 download. I did not need to use all of them (especially not the *sources packages). For this exercise I only had to include:
    • spring-security-acl-2.0.0.jar
    • spring-security-core-2.0.0.jar
    • spring-security-core-tiger-2.0.0.jar
    • spring-security-taglibs-2.0.0.jar
  2. Configure a DelegatingFilterProxy in the web.xml file.
    <filter>
    	<filter-name>springSecurityFilterChain</filter-name>
    	<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
    	<filter-name>springSecurityFilterChain</filter-name>
    	<url-pattern>/*</url-pattern>
    </filter-mapping>
  3. Configuration of Spring Security 2.0 is far more concise than ACEGI, so instead of changing my current ACEGI based configuration file, I found it easier to start from a empty file. If you do want to change your existing configuration file, I am sure that you will be deleting more lines than adding.

    The first part of the configuration is to specifiy the details for the secure resource filter, this is to allow secure resources to be read from the database and not from the actual configuration file. This is an example of what you will see in most of the examples:
    <http auto-config="true" access-denied-page="/403.jsp">
    	<intercept-url pattern="/index.jsp" access="ROLE_ADMINISTRATOR,ROLE_USER"/>
    	<intercept-url pattern="/securePage.jsp" access="ROLE_ADMINISTRATOR"/>
    	<intercept-url pattern="/**" access="ROLE_ANONYMOUS" />
    </http>
    Replace this with:
    <authentication-manager alias="authenticationManager"/>
    	
    <beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
    	<beans:property name="allowIfAllAbstainDecisions" value="false"/>
    	<beans:property name="decisionVoters">
    		<beans:list>
    			<beans:bean class="org.springframework.security.vote.RoleVoter"/>
    			<beans:bean class="org.springframework.security.vote.AuthenticatedVoter"/>
    		</beans:list>
     	</beans:property>
    </beans:bean>
    
    <beans:bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    	<beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
    	<beans:property name="objectDefinitionSource" ref="secureResourceFilter" />
    </beans:bean>
    	
    <beans:bean id="secureResourceFilter" class="org.security.SecureFilter.MySecureResourceFilter" />
    
    <http auto-config="true" access-denied-page="/403.jsp">
    	<concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true" />
    	<form-login login-page="/login.jsp" authentication-failure-url="/login.jsp" default-target-url="/index.jsp" />
    	<logout logout-success-url="/login.jsp"/>
     </http>

    The main part of this piece of configuration is the secureResourceFilter , this is a class that implements FilterInvocationDefinitionSource and is called when Spring Security needs to check the Authorities for a requested page.
    Here is the code for MySecureResourceFilter :
    package org.security.SecureFilter;
    
    import java.util.Collection;
    import java.util.List;
    
    import org.springframework.security.ConfigAttributeDefinition;
    import org.springframework.security.ConfigAttributeEditor;
    import org.springframework.security.intercept.web.FilterInvocation;
    import org.springframework.security.intercept.web.FilterInvocationDefinitionSource;
    
    
    public class MySecureResourceFilter implements FilterInvocationDefinitionSource {
    
    	public ConfigAttributeDefinition getAttributes(Object filter) throws IllegalArgumentException {
    		
    		FilterInvocation filterInvocation = (FilterInvocation) filter;
    		
    		String url = filterInvocation.getRequestUrl();
    		
    		// create a resource object that represents this Url object
    		Resource resource = new Resource(url);
    		
    		if (resource == null) return null;
    		else{
    		    ConfigAttributeEditor configAttrEditor = new ConfigAttributeEditor();
    			// get the Roles that can access this Url
    			List<Role> roles = resource.getRoles();
    			StringBuffer rolesList = new StringBuffer();
    			for (Role role : roles){
    				rolesList.append(role.getName());
    				rolesList.append(",");
    			}
    			// don't want to end with a "," so remove the last ","
    			if (rolesList.length() > 0)
    				rolesList.replace(rolesList.length()-1, rolesList.length()+1, "");
    			configAttrEditor.setAsText(rolesList.toString());
    			return (ConfigAttributeDefinition) configAttrEditor.getValue();
    		}		
    	}
    
    	public Collection getConfigAttributeDefinitions() {
    		return null;
    	}
    
    	public boolean supports(Class arg0) {
    		return true;
    	}
    
    }
    This getAttributes() method above essentially returns the name of Authorities (which I call Roles) that are allowed access to the current Url.
  4. OK, so now we have setup the database based resources and now the next step is to get Spring Security to read the user details from the database. The examples that come with Spring Security 2.0 shows you how to keep a list of users and authorities in the configuration file like this:
    <authentication-provider>
    	<user-service>
    	<user name="rod" password="password" authorities="ROLE_SUPERVISOR, ROLE_USER" />
    	<user name="dianne" password="password" authorities="ROLE_USER,ROLE_TELLER" />
    	<user name="scott" password="password" authorities="ROLE_USER" />
    	<user name="peter" password="password" authorities="ROLE_USER" />
    	</user-service>
    </authentication-provider>
    You could replace these examples with this configuration so that you can read the user details straight from the database like this:
    <authentication-provider>
    	<jdbc-user-service data-source-ref="dataSource" />
    </authentication-provider>
    While this is a very fast and easy way to configure database based security it does mean that you have to conform to a default databases schema. By default, the <jdbc-user-service> requires the following tables: user, authorities, groups, group_members and group_authorities.
    In my case this was not going to work as my security schema it not the same as what the <jdbc-user-service> requires, so I was forced to change the <authentication-provider> :
    <authentication-provider>
    	<jdbc-user-service data-source-ref="dataSource"
    	users-by-username-query="SELECT U.username, U.password, U.accountEnabled AS 'enabled' FROM User U where U.username=?"
    	authorities-by-username-query="SELECT U.username, R.name as 'authority' FROM User U JOIN Authority A ON u.id = A.userId JOIN Role R ON R.id = A.roleId WHERE U.username=?"/>
    </authentication-provider>
    By adding the users-by-username-query and authorities-by-username-query properties you are able to override the default SQL statements with your own. As in ACEGI security you must make sure that the columns that your SQL statement returns is the same as what Spring Security expects. There is a another property group-authorities-by-username-query which I am not using and have therefore left it out of this example, but it works in exactly the same manner as the other two SQL statements.

    This feature of the <jdbc-user-service> has only been included in the past month or so and was not available in the pre-release versions of Spring Security. Luckily it has been added as it does make life a lot easier. You can read about this here and here .

    The dataSource bean instructs which database to connect to, it is not included in my configuration file as it's not specific to security. Here is an example of a dataSource bean for those who are not sure:
    	<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    		<property name="driverClassName" value="com.mysql.jdbc.Driver"/>
    		<property name="url" value="jdbc:mysql://localhost/db_name?useUnicode=true&characterEncoding=utf-8"/>
    		<property name="username" value="root"/>
    		<property name="password" value="pwd"/>
    	</bean>
  5. And that is all for the configuration of Spring Security. My last task was to change my current logon screen. In ACEGI you could create your own logon <form> by making sure that you POSTED the correctly named HTML input elements to the correct URL. While you can still do this in Spring Security 2.0, some of the names have changed.
    You can still call your username field j_username and your password field j_password as before.
    <input type="text" name="j_username" id="j_username"/>
    <input type="password" name="j_password" id="j_password"/>
    However you must set the action property of your <form> to point to j_spring_security_check and not j_acegi_security_check .
    <form method="post" id="loginForm" action="<c:url value='j_spring_security_check'/>"
    There are a few places in our application where the user can logout, this is a link that redirects the logout request to the security framework so that it can be handled accordingly. This needs to be changed from j_acegi_logout to j_spring_security_logout .
    <a href='<c:url value="j_spring_security_logout"/>'>Logout</a>

Conclusion

This short guide on how to configure Spring Security 2.0 with access to resources stored in a database does not come close to illustrating the host of new features that are available in Spring Security 2.0, however I think that it does show some of the most commonly used abilities of the framework and I hope that you will find it useful.

One of the benefits of Spring Security 2.0 over ACEGI is the ability to write more consice configuration files, this is clearly shown when I compare my old ACEGI configration (172 lines) file to my new one (42 lines).
Here is my complete securityContext.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" 
xmlns:beans="http://www.springframework.org/schema/beans" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://www.springframework.org/schema/beans,http://www.springframework.org/schema/beans/spring-beans-2.0.xsd,http://www.springframework.org/schema/security,http://www.springframework.org/schema/security/spring-security-2.0.xsd"> <authentication-manager alias="authenticationManager"/>  <beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased"> <beans:property name="allowIfAllAbstainDecisions" value="false"/> <beans:property name="decisionVoters"> <beans:list> <beans:bean class="org.springframework.security.vote.RoleVoter"/> <beans:bean class="org.springframework.security.vote.AuthenticatedVoter"/> </beans:list> </beans:property> </beans:bean> <beans:bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor"> <beans:property name="authenticationManager" ref="authenticationManager"/> <beans:property name="accessDecisionManager" ref="accessDecisionManager"/> <beans:property name="objectDefinitionSource" ref="secureResourceFilter" /> </beans:bean>  <beans:bean id="secureResourceFilter" class="org.security.SecureFilter.MySecureResourceFilter" /> <http auto-config="true" access-denied-page="/403.jsp">  <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true" /> <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp" default-target-url="/index.jsp" /> <logout logout-success-url="/login.jsp"/> </http>  <beans:bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener"/>  <authentication-provider> <jdbc-user-service data-source-ref="dataSource" users-by-username-query="SELECT U.username, U.password, U.accountEnabled AS 'enabled' FROM User U where U.username=?" authorities-by-username-query="SELECT U.username, R.name as 'authority' FROM User U JOIN Authority A ON u.id = A.userId JOIN Role R ON R.id = A.roleId WHERE U.username=?" /> </authentication-provider> </beans:beans>

As I said in step 1, downloading Spring Security was the trickiest step of all. From there on it was plain sailing...

分享到:
评论

相关推荐

    Spring Security 2 参考手册 中文版 (html格式)

    `z-pathway-acegi-spring-security.html`可能涉及Acegi安全系统的过渡信息,因为Spring Security最初是作为Acegi的后续项目发展起来的。这部分内容可能帮助那些从Acegi迁移到Spring Security的开发者理解两者之间的...

    Portable_Pathway_Builder_Tool 信号通路选件

    "Portable Pathway Builder Tool 2.0"版本在前一版本的基础上进行了优化升级,可能包括更丰富的图形库、增强的编辑功能、以及更好的兼容性。用户可以预设或自定义各种通路元素的形状、颜色和大小,以适应不同的展示...

    Microarray Analysis of the Secretory Pathway Genes Response to TuMV Infection in Brassica rapa

    利用基因芯片分析TuMV侵染对白菜分泌途径基因的影响,李彦肖,张昌伟,前人研究发现病毒的复制复合体(viral RNP complex)和病毒RNA通过分泌途径移动到胞间连丝。本研究通过拟南芥基因芯片鉴定病原物侵染引�

    IPA-Ingenuity Pathway Analysis

    IPA(Ingenuity Pathway Analysis)是一款在生物信息学领域广泛应用的通路分析工具,它专为研究人员提供了一整套分析方案,以理解基因表达数据、蛋白质组学数据或其他分子交互数据背后的生物学意义。这款软件的强大...

    Pathway_Builder

    软件名字叫做 pathway builder tool 官网是http: www proteinlounge com PathwayBuilder aspx(官网可以7天试用) 软件自带几乎所有分子生物学会用到的元素 如不同的细胞 细胞器 分子 老鼠模型 另外 这个软件自带...

    Notch1 signaling pathway

    标题“Notch1 signaling pathway”(Notch1信号通道)直接指出了本文研究的核心对象——Notch1信号通路。Notch信号通路是一种高度保守的细胞间通讯系统,在多种生物体中发挥着重要作用,特别是在发育过程中调控细胞...

    pathwaytool

    这款软件基于Pathway/Genome Database (PGDB) 数据库,提供了丰富的生物信息分析功能,包括基因功能注释、通路分析、基因集富集分析以及差异表达基因的可视化。 PathwayTool的核心功能: 1. **通路分析**:...

    Unsupervised Learning From Video to Detect Foreground Objects in

    通过这种方式,Student pathway 可以学习到 Teacher pathway 的知识和经验,从而实现对单图像前景对象的检测。 4. 无监督对象发现 无监督对象发现是指在没有标记数据的情况下,检测和识别图像中的对象的方法。这种...

    Protein Networks and Pathway Analysis (Methods in Molecular Biology)

    《蛋白质网络与途径分析》(Protein Networks and Pathway Analysis)是分子生物学方法系列书籍中的一部,由尤里·尼科尔斯基(Yuri Nikolsky)和朱莉·布莱恩特(Julie Bryant)编辑,专注于蛋白质网络和生物途径的...

    工艺流程绘图软件

    在Portable_Pathway_Builder_Tool_2.0这个压缩包文件中,很可能包含的是这款工艺流程绘图软件的便携版本。便携版软件的一大优点是无需安装,可以直接运行,不会在用户的电脑上留下任何痕迹,方便在不同设备间切换...

    Measurement of Mitochondrial Respiration in Isolated Protoplasts

    The AOX pathway is thought to act as a safety valve, preventing overreduction of the ETC and protecting cells from oxidative damage. 3. Mesophyll Protoplasts and Their Isolation Mesophyll ...

    A histone methylation-dependent DNA methylation pathway is uniquely impaired by deficiency in S-adenosylhomocysteine hydrolase

    A histone methylation-dependent DNA methylation pathway is uniquely impaired by deficiency in S-adenosylhomocysteine hydrolase

    dos下的pathway开发包

    Pathway是一款在DOS操作系统环境下使用的开发工具,它在80年代末至90年代初是程序员们进行软件开发的重要选择。标题中的“dos下的pathway开发包”指的是专为DOS系统设计的一套开发环境,它包含了编译器、链接器、...

    pathway系统设计

    ### Pathway系统设计:多路数据源的整合与分析 #### 概述 在生物学领域,Pathway(通路)是指一系列与特定代谢过程相关的连锁反应,它在细胞的生理和代谢过程中扮演着至关重要的角色。通过对Pathway的深入研究,...

    A Pathway Into Number Theory

    R. P. Burn的数论入门,非常好的一本数论指导书,影印版

    PyPI 官网下载 | pathway2cyjs-0.0.3-py3-none-any.whl

    from pathway2cyjs import Pathway2CyJS # 加载生物通路数据 pathway_data = ... # 创建转换器对象 converter = Pathway2CyJS() # 转换数据并获取JSON cyjs_json = converter.convert(pathway_data) # 将JSON...

    获取KEGG数据库中的癌症Pathway的基因集

    为了获取KEGG数据库中的癌症Pathway的基因集,首先需要了解KEGG(Kyoto Encyclopedia of Genes and Genomes)数据库的基本概念。KEGG是一个全面整合了基因、化学物质以及生物系统路径信息的数据库,它包含了生物体内...

Global site tag (gtag.js) - Google Analytics