Formerly called ACEGI Security for Spring, the re-branded Spring Security 2.0 has delivered on its promises of making it simpler to use and improving developer productivity. Already considered the Java platform's most widely used enterprise security framework, with over 250,000 downloads from SourceForge, Spring Security 2.0 provides a host of new features.
This article outlines how to convert your existing ACEGI based Spring application to use Spring Security 2.0.
What is Spring Security 2.0
Spring Security 2.0 has recently been released as a replacement to ACEGI and it provides a host of new security features:
- Substantially simplified configuration.
- OpenID integration, single sign on standard.
- Windows NTLM support, single sign on against Windows corporate networks.
- Support for JSR 250 ("EJB 3") security annotations.
- AspectJ pointcut expression language support.
- Comprehensive support for RESTful web request authorization.
- Long-requested support for groups, hierarchical roles and a user management API.
- An improved, database-backed "remember me" implementation.
- New support for web state and flow transition authorization through the Spring Web Flow 2.0 release.
- Enhanced WSS (formerly WS-Security) support through the Spring Web Services 1.5 release.
- A whole lot more...
Goal
Currently I work on a Spring web application that uses ACEGI to control access to the secure resources. Users are stored in a database and as such we have configured ACEGI to use a JDBC based UserDetailsService. Likewise, all of our web resources are stored in the database and ACEGI is configured to use a custom AbstractFilterInvocationDefinitionSource to check authorization details for each request.
With the release of Spring Security 2.0 I would like to see if I can replace ACEGI and keep the current ability to use the database as our source of authentication and authorization instead of the XML configuration files (as most examples demonstrate).
Here are the steps that I took...
Steps
- The first (and trickiest) step was to download the new Spring Security 2.0 Framework and make sure that the jar files are deployed to the correct location (/WEB-INF/lib/).
There are 22 jar files that come with the Spring Security 2.0 download. I did not need to use all of them (especially not the *sources packages). For this exercise I only had to include:
- spring-security-acl-2.0.0.jar
- spring-security-core-2.0.0.jar
- spring-security-core-tiger-2.0.0.jar
- spring-security-taglibs-2.0.0.jar
- Configure a DelegatingFilterProxy in the web.xml file.
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
- Configuration of Spring Security 2.0 is far more concise than ACEGI, so instead of changing my current ACEGI based configuration file, I found it easier to start from an empty file. If you do want to change your existing configuration file, I am sure that you will be deleting more lines than adding.
The first part of the configuration is to specify the details for the secure resource filter; this allows secure resources to be read from the database and not from the configuration file itself. Most examples show the intercepted URLs declared in the configuration, like this:
<http auto-config="true" access-denied-page="/403.jsp">
  <intercept-url pattern="/index.jsp" access="ROLE_ADMINISTRATOR,ROLE_USER"/>
  <intercept-url pattern="/securePage.jsp" access="ROLE_ADMINISTRATOR"/>
  <intercept-url pattern="/**" access="ROLE_ANONYMOUS"/>
</http>
Replace this with:
<authentication-manager alias="authenticationManager"/>

<beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
  <beans:property name="allowIfAllAbstainDecisions" value="false"/>
  <beans:property name="decisionVoters">
    <beans:list>
      <beans:bean class="org.springframework.security.vote.RoleVoter"/>
      <beans:bean class="org.springframework.security.vote.AuthenticatedVoter"/>
    </beans:list>
  </beans:property>
</beans:bean>

<beans:bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
  <beans:property name="authenticationManager" ref="authenticationManager"/>
  <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
  <beans:property name="objectDefinitionSource" ref="secureResourceFilter"/>
</beans:bean>

<beans:bean id="secureResourceFilter" class="org.security.SecureFilter.MySecureResourceFilter"/>

<http auto-config="true" access-denied-page="/403.jsp">
  <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
  <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp" default-target-url="/index.jsp"/>
  <logout logout-success-url="/login.jsp"/>
</http>
The main part of this piece of configuration is the secureResourceFilter. This is a class that implements FilterInvocationDefinitionSource and is called whenever Spring Security needs to check the Authorities for a requested page.
Here is the code for MySecureResourceFilter :
package org.security.SecureFilter;

import java.util.Collection;
import java.util.List;

import org.springframework.security.ConfigAttributeDefinition;
import org.springframework.security.ConfigAttributeEditor;
import org.springframework.security.intercept.web.FilterInvocation;
import org.springframework.security.intercept.web.FilterInvocationDefinitionSource;

public class MySecureResourceFilter implements FilterInvocationDefinitionSource {

    public ConfigAttributeDefinition getAttributes(Object filter) throws IllegalArgumentException {
        FilterInvocation filterInvocation = (FilterInvocation) filter;
        String url = filterInvocation.getRequestUrl();

        // create a resource object that represents this Url
        // (Resource and Role are the application's own domain classes, not shown in this article)
        Resource resource = new Resource(url);

        // note: a constructor call never yields null, so this branch can never fire;
        // a lookup that may fail should come from a finder method instead
        if (resource == null)
            return null;

        ConfigAttributeEditor configAttrEditor = new ConfigAttributeEditor();

        // get the Roles that can access this Url
        List<Role> roles = resource.getRoles();
        StringBuffer rolesList = new StringBuffer();
        for (Role role : roles) {
            rolesList.append(role.getName());
            rolesList.append(",");
        }
        // don't want to end with a "," so remove the last ","
        if (rolesList.length() > 0)
            rolesList.setLength(rolesList.length() - 1);

        // an empty string makes the editor yield a null definition, and the
        // interceptor treats a null definition as a public (unsecured) URL
        configAttrEditor.setAsText(rolesList.toString());
        return (ConfigAttributeDefinition) configAttrEditor.getValue();
    }

    public Collection getConfigAttributeDefinitions() {
        return null;
    }

    public boolean supports(Class arg0) {
        return true;
    }
}
The getAttributes() method above essentially returns the names of the Authorities (which I call Roles) that are allowed access to the current Url.
- OK, so now we have set up the database-based resources, and the next step is to get Spring Security to read the user details from the database. The examples that come with Spring Security 2.0 show you how to keep a list of users and authorities in the configuration file like this:
<authentication-provider>
  <user-service>
    <user name="rod" password="password" authorities="ROLE_SUPERVISOR, ROLE_USER"/>
    <user name="dianne" password="password" authorities="ROLE_USER,ROLE_TELLER"/>
    <user name="scott" password="password" authorities="ROLE_USER"/>
    <user name="peter" password="password" authorities="ROLE_USER"/>
  </user-service>
</authentication-provider>
You could replace these examples with this configuration so that you can read the user details straight from the database like this:
<authentication-provider>
  <jdbc-user-service data-source-ref="dataSource"/>
</authentication-provider>
While this is a very fast and easy way to configure database based security, it does mean that you have to conform to a default database schema. By default, the <jdbc-user-service> requires the following tables: user, authorities, groups, group_members and group_authorities.
In my case this was not going to work, as my security schema is not the same as what the <jdbc-user-service> requires, so I was forced to change the <authentication-provider>:
<authentication-provider>
  <jdbc-user-service data-source-ref="dataSource"
    users-by-username-query="SELECT U.username, U.password, U.accountEnabled AS 'enabled' FROM User U WHERE U.username=?"
    authorities-by-username-query="SELECT U.username, R.name AS 'authority' FROM User U JOIN Authority A ON U.id = A.userId JOIN Role R ON R.id = A.roleId WHERE U.username=?"/>
</authentication-provider>
By adding the users-by-username-query and authorities-by-username-query properties you are able to override the default SQL statements with your own. As in ACEGI Security, you must make sure that the columns your SQL statement returns are the same as what Spring Security expects. There is another property, group-authorities-by-username-query, which I am not using and have therefore left out of this example, but it works in exactly the same manner as the other two SQL statements.
This feature of the <jdbc-user-service> has only been included in the past month or so and was not available in the pre-release versions of Spring Security. Luckily it has been added, as it does make life a lot easier. You can read about this here and here.
The dataSource bean specifies which database to connect to; it is not included in my configuration file as it is not specific to security. Here is an example of a dataSource bean for those who are not sure:
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
  <property name="driverClassName" value="com.mysql.jdbc.Driver"/>
  <property name="url" value="jdbc:mysql://localhost/db_name?useUnicode=true&amp;characterEncoding=utf-8"/>
  <property name="username" value="root"/>
  <property name="password" value="pwd"/>
</bean>
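The article's MySecureResourceFilter leaves the database lookup inside its own Resource class, and it returns a null attribute definition whenever a URL has no roles, which FilterSecurityInterceptor treats as a public resource unless rejectPublicInvocations is set. The class below is an added example, not the article's code, that ties the two previous steps together: it reads the URL-to-role mapping through a JdbcTemplate on the same dataSource bean and fails closed when no mapping exists. The table and column names (Resource, Role, ResourceRole, url, name), the sentinel role ROLE_NO_ACCESS (assumed to be granted to nobody, so RoleVoter votes deny rather than abstain), and the assumption that getRequestUrl() carries the query string are all mine, as is the use of the Spring Security 2.0.x ConfigAttributeDefinition constructors.

```java
package org.security.SecureFilter; // same package as the article's filter; the class itself is an added example

import java.util.Collection;
import java.util.List;

import javax.sql.DataSource;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.ConfigAttributeDefinition;
import org.springframework.security.intercept.web.FilterInvocation;
import org.springframework.security.intercept.web.FilterInvocationDefinitionSource;

/**
 * Reads the roles allowed for a URL from the database and denies access to any
 * URL that has no mapping, instead of letting it through as a public resource.
 * Table and column names below are assumptions, not the article's schema.
 */
public class JdbcSecureResourceFilter implements FilterInvocationDefinitionSource {

    /** Assumed to be assigned to no user: RoleVoter recognises it and votes DENY. */
    static final String DENY_ROLE = "ROLE_NO_ACCESS";

    private static final String ROLES_FOR_URL =
          "SELECT R.name FROM Resource RS "
        + "JOIN ResourceRole RR ON RR.resourceId = RS.id "
        + "JOIN Role R ON R.id = RR.roleId "
        + "WHERE RS.url = ?";

    private final JdbcTemplate jdbcTemplate;

    public JdbcSecureResourceFilter(DataSource dataSource) {
        this.jdbcTemplate = new JdbcTemplate(dataSource);
    }

    public ConfigAttributeDefinition getAttributes(Object object) throws IllegalArgumentException {
        if (!(object instanceof FilterInvocation)) {
            throw new IllegalArgumentException("Object must be a FilterInvocation");
        }
        // only the path is stored in the database, so drop any query string first
        String url = stripQueryString(((FilterInvocation) object).getRequestUrl());

        // bound parameter, so the requested URL never becomes part of the SQL text
        List roleNames = jdbcTemplate.queryForList(ROLES_FOR_URL, new Object[] { url }, String.class);

        if (roleNames.isEmpty()) {
            // returning null here would make the URL public; deny instead
            return new ConfigAttributeDefinition(DENY_ROLE);
        }
        return new ConfigAttributeDefinition((String[]) roleNames.toArray(new String[roleNames.size()]));
    }

    /** FilterInvocation.getRequestUrl() includes "?query" when present (assumption for 2.0). */
    static String stripQueryString(String requestUrl) {
        int q = requestUrl.indexOf('?');
        return q < 0 ? requestUrl : requestUrl.substring(0, q);
    }

    public Collection getConfigAttributeDefinitions() {
        // optional in 2.0: only used by the interceptor to validate attributes at startup
        return null;
    }

    public boolean supports(Class clazz) {
        // only web requests are handled here, unlike the article's unconditional "true"
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}
```

To use it in place of MySecureResourceFilter, the secureResourceFilter bean would get a constructor-arg referencing the dataSource bean; the filterInvocationInterceptor bean stays as it is. The design choice worth noting is the sentinel role: with allowIfAllAbstainDecisions="false" an unknown attribute would already be refused, but having RoleVoter vote an explicit deny keeps the result independent of that setting.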
- And that is all for the configuration of Spring Security. My last task was to change my current logon screen. In ACEGI you could create your own logon <form> by making sure that you posted the correctly named HTML input elements to the correct URL. While you can still do this in Spring Security 2.0, some of the names have changed.
You can still call your username field j_username and your password field j_password as before.
<input type="text" name="j_username" id="j_username"/>
<input type="password" name="j_password" id="j_password"/>
However, you must set the action property of your <form> to point to j_spring_security_check and not j_acegi_security_check.
<form method="post" id="loginForm" action="<c:url value='j_spring_security_check'/>">
There are a few places in our application where the user can log out; this is a link that redirects the logout request to the security framework so that it can be handled accordingly. It needs to be changed from j_acegi_logout to j_spring_security_logout.
<a href='<c:url value="j_spring_security_logout"/>'>Logout</a>
Conclusion
This short guide on how to configure Spring Security 2.0 with access to resources stored in a database does not come close to illustrating the host of new features that are available in Spring Security 2.0; however, I think that it does show some of the most commonly used abilities of the framework and I hope that you will find it useful.
One of the benefits of Spring Security 2.0 over ACEGI is the ability to write more concise configuration files. This is clearly shown when I compare my old ACEGI configuration file (172 lines) to my new one (42 lines).
Here is my complete securityContext.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
  xmlns:beans="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                      http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">

  <authentication-manager alias="authenticationManager"/>

  <beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
    <beans:property name="allowIfAllAbstainDecisions" value="false"/>
    <beans:property name="decisionVoters">
      <beans:list>
        <beans:bean class="org.springframework.security.vote.RoleVoter"/>
        <beans:bean class="org.springframework.security.vote.AuthenticatedVoter"/>
      </beans:list>
    </beans:property>
  </beans:bean>

  <beans:bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
    <beans:property name="objectDefinitionSource" ref="secureResourceFilter"/>
  </beans:bean>

  <beans:bean id="secureResourceFilter" class="org.security.SecureFilter.MySecureResourceFilter"/>

  <http auto-config="true" access-denied-page="/403.jsp">
    <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
    <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp" default-target-url="/index.jsp"/>
    <logout logout-success-url="/login.jsp"/>
  </http>

  <beans:bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener"/>

  <authentication-provider>
    <jdbc-user-service data-source-ref="dataSource"
      users-by-username-query="SELECT U.username, U.password, U.accountEnabled AS 'enabled' FROM User U WHERE U.username=?"
      authorities-by-username-query="SELECT U.username, R.name AS 'authority' FROM User U JOIN Authority A ON U.id = A.userId JOIN Role R ON R.id = A.roleId WHERE U.username=?"/>
  </authentication-provider>

</beans:beans>
As I said in step 1, downloading Spring Security was the trickiest step of all. From there on it was plain sailing...
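The accessDecisionManager bean in the file above decides every request with two voters and allowIfAllAbstainDecisions="false", and it is worth seeing what that combination does with each kind of attribute the secure resource filter can hand it. The class below is an added example, not part of the article, that builds the same AffirmativeBased manager in plain Java and runs a constructed ROLE_USER principal against four attribute sets. It assumes the Spring Security 2.0.x API used throughout the article (org.springframework.security.* package, GrantedAuthority arrays, the ConfigAttributeDefinition String[] constructor); the user, credentials and attribute names are constructed for the demonstration.

```java
package org.security.example; // assumed package; this class is not part of the article

import java.util.Arrays;

import org.springframework.security.AccessDeniedException;
import org.springframework.security.Authentication;
import org.springframework.security.ConfigAttributeDefinition;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.vote.AccessDecisionVoter;
import org.springframework.security.vote.AffirmativeBased;
import org.springframework.security.vote.AuthenticatedVoter;
import org.springframework.security.vote.RoleVoter;

/** Exercises the voter wiring from securityContext.xml outside the web tier. */
public class AccessDecisionDemo {

    /** Same wiring as the accessDecisionManager bean: RoleVoter + AuthenticatedVoter, no allow-on-abstain. */
    static AffirmativeBased accessDecisionManager() {
        AffirmativeBased manager = new AffirmativeBased();
        manager.setAllowIfAllAbstainDecisions(false);
        manager.setDecisionVoters(Arrays.asList(
                new AccessDecisionVoter[] { new RoleVoter(), new AuthenticatedVoter() }));
        return manager;
    }

    /** True when decide() returns normally, false when it throws AccessDeniedException. */
    static boolean granted(AffirmativeBased manager, Authentication user, String[] attributes) {
        try {
            // neither voter inspects the secured object, so null stands in for the FilterInvocation
            manager.decide(user, null, new ConfigAttributeDefinition(attributes));
            return true;
        } catch (AccessDeniedException denied) {
            return false;
        }
    }

    static void report(String attributes, boolean allowed) {
        System.out.println(attributes + " -> " + (allowed ? "granted" : "denied"));
    }

    public static void main(String[] args) {
        AffirmativeBased manager = accessDecisionManager();

        // constructed principal holding only ROLE_USER; the three-argument constructor marks the token authenticated
        Authentication alice = new UsernamePasswordAuthenticationToken("alice", "not-checked-here",
                new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_USER") });

        // RoleVoter grants as soon as one listed role is held; AffirmativeBased needs only that one vote
        report("ROLE_ADMINISTRATOR,ROLE_USER",
                granted(manager, alice, new String[] { "ROLE_ADMINISTRATOR", "ROLE_USER" }));

        // RoleVoter recognises the attribute, the user holds none of the roles, so it votes DENY
        report("ROLE_ADMINISTRATOR",
                granted(manager, alice, new String[] { "ROLE_ADMINISTRATOR" }));

        // AuthenticatedVoter grants IS_AUTHENTICATED_FULLY to a token that is neither anonymous nor remember-me
        report("IS_AUTHENTICATED_FULLY",
                granted(manager, alice, new String[] { AuthenticatedVoter.IS_AUTHENTICATED_FULLY }));

        // neither voter supports this attribute, so both abstain; with allowIfAllAbstainDecisions=false that is a denial
        report("PERMISSION_READ",
                granted(manager, alice, new String[] { "PERMISSION_READ" }));
    }
}
```

The last case is the one the configuration relies on: any attribute the secure resource filter emits that no voter understands ends in a denial only because allowIfAllAbstainDecisions is false, so that property should stay false if new attribute styles are ever stored in the database.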