基于acegi1.0.5 新的权限模型实现行级细粒度权限控制

jusescn

浏览: 124872 次
性别:
来自: 北京

最近访客更多访客>>

tianfeng701

afu

sakurakann

windelk

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

博客分类：

acegi

Bean Acegi JDBC Spring Security

实现效果图如下：
acegi1.05的新的权限模型针对 hsqldb 数据库，移植到到sqlserver/mysql 需要修改如下文件：
org.acegisecurity.acls.jdbc.BasicLookupStrategy ；
org.acegisecurity.acls.jdbc.JdbcMutableAclService；

JdbcMutableAclService 是最主要的类，对acl和ace的操作都集中在该类；
BasicLookupStrategy 只有一个方法readAclsById 获得实例对象的acl。

要点：
1、搭建基础代码可以参考ss2中的acegi实现（完全拷贝），在roleManager中需要特别注意是，如果采用getHibernateTemplate().saveOrUpdate(o);对对象进行保存或者更新的话，在修改角色对于用户或者角色对应资源的保存角色前，应该将缓存中的role对于的用户和资源的authorities清除rolename，然后更新角色实例，保存角色到cache中。
2、采用ss1中对对象保护的方法，新建com.at21.pm.core.security.acl.domain.AclDomainAware标示接口或者需要实现public long getId()方法。
3、编辑applicationContext-acegi-acl.xml（可以拷贝acegi中contact例子中的文件）。
4、解析acl中几个表对象
ACL_SID：用以保存sid的实例 PrincipalSid 用户实例，GrantedAuthoritySid 角色实例。
ACL_OBJECT_IDENTITY：用户需要保存的实例。字段ENTRIES_INHERITING表示是否继承父级权限。
ACL_ENTRY：用户实例对应sid的权限(read/create/delete/admin) 字段MASK标示权限（具体标示参考org.acegisecurity.acls.domain.BasePermission类）字段GRANTING表示是是否授予某用户/角色该实例的某权限

介绍开发树形实例：
1、保存树形到数据库对应表时，保存该对象到acl模型中调用updateAcl()方法。

java 代码

/**
* @param clazz 需要保护的对象类
* @param id 实例对象id
* @param sid 角色名/用户名
* @param permission 权限
* @param granting 授予/拒绝
* @param entriesInheriting 是否从父类继承权限
* @param parentid 父类实例
*/
public void updateAcl(Class clazz,Serializable id,Sid sid,Permission permission,boolean granting,boolean entriesInheriting,Serializable parentid){
MutableAcl acl;
ObjectIdentity oid = new ObjectIdentityImpl(clazz,id);
try {
acl = (MutableAcl) mutableAclService.readAclById(oid);
} catch (NotFoundException nfe) {
acl = mutableAclService.createAcl(oid);
}
if ( parentid != null){
MutableAcl parentacl;
ObjectIdentity parentoi = new ObjectIdentityImpl(clazz,parentid);
try {
parentacl = (MutableAcl) mutableAclService.readAclById(parentoi);
} catch (NotFoundException nfe) {
parentacl = mutableAclService.createAcl(parentoi);
}
acl.setParent(parentacl);
}
AccessControlEntry sameAce = null;
AccessControlEntry[] aces = acl.getEntries();
if ( aces != null && aces.length >0 ){
for (int i = 0; i < aces.length; i++) {
AccessControlEntry ace = aces[i];
if ( ace.getPermission().getMask() == permission.getMask() && sid.equals(ace.getSid())){
sameAce = ace;
break;
}
}
}
if ( sameAce != null){
acl.deleteAce(sameAce.getId());
}
acl.insertAce(null, permission, sid, granting);
acl.setEntriesInheriting(entriesInheriting);
mutableAclService.updateAcl(acl);
}

如果是从后台直接保存树形（比如采用线程定时更新树形的话），没有web层的请求的话，需要用户后台登陆
保存前添加如下代码

java 代码

Authentication authRequest = new UsernamePasswordAuthenticationToken(admin,admin,new GrantedAuthority[]{new GrantedAuthorityImpl(role_admin)});
SecurityContextHolder.getContext().setAuthentication(authRequest);

2、对某用户授予read的权限。

java 代码

String nodeid = request.getParameter("nodeid");
String rolename = request.getParameter("rolename");
String mark = request.getParameter("mark");
String granted = request.getParameter("granted");
Permission p = mutableAclService.buildFromMask(Integer.parseInt(mark));
updateAcl(Vssdoc.class, Long.parseLong(nodeid), new GrantedAuthoritySid(rolename), p, Boolean.parseBoolean(granted), true, null);

3、完成了。

分享到：

1人30天44587行代码，分享舍得网开发经验 ... | [ext2.0d5]刚从ext.js上下载的ext2.0d5，呵 ...

2007-09-28 17:00
浏览 2247
评论(1)
论坛回复 / 浏览 (1 / 4332)
查看更多

1 楼 jusescn 2007-09-28

<div class='code_title'>xml 代码</div>
<div class='dp-highlighter'>
<div class='bar'/>
<ol class='dp-xml'>
 <li class='alt'><?xml version="1.0" encoding="UTF-8"?> </li>
 <li class=''><!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd"> </li>
 <li class='alt'> </li>
 <li class=''><beans> </li>
 <li class='alt'> </li>
 <li class=''> <bean id="org.acegisecurity.acls.domain.BasePermission.ADMINISTRATION" </li>
 <li class='alt'> class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean"> </li>
 <li class=''> <property name="staticField" value="org.acegisecurity.acls.domain.BasePermission.ADMINISTRATION"/> </li>
 <li class='alt'> </bean> </li>
 <li class=''> <bean id="org.acegisecurity.acls.domain.BasePermission.READ" </li>
 <li class='alt'> class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean"> </li>
 <li class=''> <property name="staticField" value="org.acegisecurity.acls.domain.BasePermission.READ"/> </li>
 <li class='alt'> </bean> </li>
 <li class=''> <bean id="org.acegisecurity.acls.domain.BasePermission.DELETE" </li>
 <li class='alt'> class="org.springframework.beans.factory.config.FieldRetrievingFactoryBean"> </li>
 <li class=''> <property name="staticField" value="org.acegisecurity.acls.domain.BasePermission.DELETE"/> </li>
 <li class='alt'> </bean> </li>
 <li class=''> </li>
 <li class='alt'>  </li>
 <li class=''> <bean id="aclReadVoter" class="org.acegisecurity.vote.AclEntryVoter"> </li>
 <li class='alt'> <constructor-arg ref="aclService"/> </li>
 <li class=''> <constructor-arg value="ACL_READ"/> </li>
 <li class='alt'> <constructor-arg> </li>
 <li class=''> <list> </li>
 <li class='alt'> <ref local="org.acegisecurity.acls.domain.BasePermission.ADMINISTRATION"/> </li>
 <li class=''> <ref local="org.acegisecurity.acls.domain.BasePermission.READ"/> </li>
 <li class='alt'> </list> </li>
 <li class=''> </constructor-arg> </li>
 <li class='alt'> <property name="processDomainObjectClass" value="com.at21.pm.core.security.acl.domain.AclDomainAware"/> </li>
 <li class=''> </bean> </li>
 <li class='alt'> </li>
 <li class=''>  </li>
 <li class='alt'> <bean id="aclDeleteVoter" class="org.acegisecurity.vote.AclEntryVoter"> </li>
 <li class=''> <constructor-arg ref="aclService"/> </li>
 <li class='alt'> <constructor-arg value="ACL_DELETE"/> </li>
 <li class=''> <constructor-arg> </li>
 <li class='alt'> <list> </li>
 <li class=''> <ref local="org.acegisecurity.acls.domain.BasePermission.ADMINISTRATION"/> </li>
 <li class='alt'> <ref local="org.acegisecurity.acls.domain.BasePermission.DELETE"/> </li>
 <li class=''> </list> </li>
 <li class='alt'> </constructor-arg> </li>
 <li class=''> <property name="processDomainObjectClass" value="com.at21.pm.core.security.acl.domain.AclDomainAware"/> </li>
 <li class='alt'> </bean> </li>
 <li class=''> </li>
 <li class='alt'>  </li>
 <li class=''> <bean id="aclAdminVoter" class="org.acegisecurity.vote.AclEntryVoter"> </li>
 <li class='alt'> <constructor-arg ref="aclService"/> </li>
 <li class=''> <constructor-arg value="ACL_ADMIN"/> </li>
 <li class='alt'> <constructor-arg> </li>
 <li class=''> <list> </li>
 <li class='alt'> <ref local="org.acegisecurity.acls.domain.BasePermission.ADMINISTRATION"/> </li>
 <li class=''> </list> </li>
 <li class='alt'> </constructor-arg> </li>
 <li class=''> <property name="processDomainObjectClass" value="com.at21.pm.core.security.acl.domain.AclDomainAware"/> </li>
 <li class='alt'> </bean> </li>
 <li class=''> </li>
 <li class='alt'>  </li>
 <li class=''> <bean id="ACLaccessDecisionManager" class="org.acegisecurity.vote.AffirmativeBased"> </li>
 <li class='alt'> <property name="allowIfAllAbstainDecisions" value="false"/> </li>
 <li class=''> <property name="decisionVoters"> </li>
 <li class='alt'> <list> </li>
 <li class=''> <ref bean="roleVoter"/> </li>
 <li class='alt'> <ref local="aclReadVoter"/> </li>
 <li class=''> <ref local="aclDeleteVoter"/> </li>
 <li class='alt'> <ref local="aclAdminVoter"/> </li>
 <li class=''> </list> </li>
 <li class='alt'> </property> </li>
 <li class=''> </bean> </li>
 <li class='alt'> </li>
 <li class=''> </li>
 <li class='alt'> </li>
 <li class=''> <bean id="aclCache" class="org.acegisecurity.acls.jdbc.EhCacheBasedAclCache"> </li>
 <li class='alt'> <constructor-arg> </li>
 <li class=''> <bean class="org.springframework.cache.ehcache.EhCacheFactoryBean"> </li>
 <li class='alt'> <property name="cacheManager"> </li>
 <li class=''> <bean class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean"/> </li>
 <li class='alt'> </property> </li>
 <li class=''> <property name="cacheName" value="aclCache"/> </li>
 <li class='alt'> </bean> </li>
 <li class=''> </constructor-arg> </li>
 <li class='alt'> </bean> </li>
 <li class=''> </li>
 <li class='alt'> <bean id="lookupStrategy" class="org.acegisecurity.acls.jdbc.BasicLookupStrategy"> </li>
 <li class=''> <constructor-arg ref="dataSource"/> </li>
 <li class='alt'> <constructor-arg ref="aclCache"/> </li>
 <li class=''> <constructor-arg ref="aclAuthorizationStrategy"/> </li>
 <li class='alt'> <constructor-arg> </li>
 <li class=''> <bean class="org.acegisecurity.acls.domain.ConsoleAuditLogger"/> </li>
 <li class='alt'> </constructor-arg> </li>
 <li class=''> </bean> </li>
 <li class='alt'> </li>
 <li class=''> <bean id="aclAuthorizationStrategy" class="org.acegisecurity.acls.domain.AclAuthorizationStrategyImpl"> </li>
 <li class='alt'> <constructor-arg> </li>
 <li class=''> <list> </li>
 <li class='alt'> <bean class="org.acegisecurity.GrantedAuthorityImpl"> </li>
 <li class=''> <constructor-arg value="ROLE_ADMINISTRATOR"/> </li>
 <li class='alt'> </bean> </li>
 <li class=''> <bean class="org.acegisecurity.GrantedAuthorityImpl"> </li>
 <li class='alt'> <constructor-arg value="ROLE_ADMINISTRATOR"/> </li>
 <li class=''> </bean> </li>
 <li class='alt'> <bean class="org.acegisecurity.GrantedAuthorityImpl"> </li>
 <li class=''> <constructor-arg value="ROLE_ADMINISTRATOR"/> </li>
 <li class='alt'> </bean> </li>
 <li class=''> </list> </li>
 <li class='alt'> </constructor-arg> </li>
 <li class=''> </bean> </li>
 <li class='alt'> </li>
 <li class=''> <bean id="aclService" class="org.acegisecurity.acls.jdbc.JdbcMutableAclService"> </li>
 <li class='alt'> <constructor-arg ref="dataSource"/> </li>
 <li class=''> <constructor-arg ref="lookupStrategy"/> </li>
 <li class='alt'> <constructor-arg ref="aclCache"/> </li>
 <li class=''> </bean> </li>
 <li class='alt'> </li>
 <li class=''> </li>
 <li class='alt'> </li>
 <li class=''> <bean id="afterInvocationManager" class="org.acegisecurity.afterinvocation.AfterInvocationProviderManager"> </li>
 <li class='alt'> <property name="providers"> </li>
 <li class=''> <list> </li>
 <li class='alt'> <ref local="afterAclRead"/> </li>
 <li class=''> <ref local="afterAclCollectionRead"/> </li>
 <li class='alt'> </list> </li>
 <li class=''> </property> </li>
 <li class='alt'> </bean> </li>
 <li class=''> </li>
 <li class='alt'>  </li>
 <li class=''> <bean id="afterAclCollectionRead" </li>
 <li class='alt'> class="org.acegisecurity.afterinvocation.AclEntryAfterInvocationCollectionFilteringProvider"> </li>
 <li class=''> <constructor-arg> </li>
 <li class='alt'> <ref bean="aclService"/> </li>
 <li class=''> </constructor-arg> </li>
 <li class='alt'> <constructor-arg> </li>
 <li class=''> <list> </li>
 <li class='alt'> <ref local="org.acegisecurity.acls.domain.BasePermission.ADMINISTRATION"/> </li>
 <li class=''> <ref local="org.acegisecurity.acls.domain.BasePermission.READ"/> </li>
 <li class='alt'> </list> </li>
 <li class=''> </constructor-arg> </li>
 <li class='alt'> </bean> </li>
 <li class=''> </li>
 <li class='alt'>  </li>
 <li class=''> <bean id="afterAclRead" class="org.acegisecurity.afterinvocation.AclEntryAfterInvocationProvider"> </li>
 <li class='alt'> <constructor-arg> </li>
 <li class=''> <ref bean="aclService"/> </li>
 <li class='alt'> </constructor-arg> </li>
 <li class=''> <constructor-arg> </li>
 <li class='alt'> <list> </li>
 <li class=''> <ref local="org.acegisecurity.acls.domain.BasePermission.ADMINISTRATION"/> </li>
 <li class='alt'> <ref local="org.acegisecurity.acls.domain.BasePermission.READ"/> </li>
 <li class=''> </list> </li>
 <li class='alt'> </constructor-arg> </li>
 <li class=''> </bean> </li>
 <li class='alt'> </li>
 <li class=''> </li>
 <li class='alt'> <bean id="securityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"> </li>
 <li class=''> </li>
 <li class='alt'> <property name="validateConfigAttributes"><value>false</value></property> </li>
 <li class=''> <property name="authenticationManager" ref="authenticationManager"/> </li>
 <li class='alt'> <property name="accessDecisionManager"> </li>
 <li class=''> <ref local="ACLaccessDecisionManager"/> </li>
 <li class='alt'> </property> </li>
 <li class=''> <property name="afterInvocationManager"> </li>
 <li class='alt'> <ref local="afterInvocationManager"/> </li>
 <li class=''> </property> </li>
 <li class='alt'> <property name="objectDefinitionSource"> </li>
 <li class=''> </li>
 <li class='alt'> <ref bean="objectDefinitionSource"/> </li>
 <li class=''> </li>
 <li class='alt'> </property> </li>
 <li class=''> </bean> </li>
 <li class='alt'> </li>
 <li class=''></beans> </li>
</ol>
</div>
applicationContext-acegi-acl.xml

发表评论

您还没有登录,请您登录后再发表评论

最近访客更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论