安全管理四

本篇主要讲动态资源配置

 

通过安全管理一，二，三,这3讲，我们实现了自定义数据库表结构，以及自定义用户认证与授权实现用户权限管理，但我们的资源配置还是写死在配置文件中，而且以后会越来越多，造成了资源配置的不灵活与臃肿，所以在本篇文章中，我们讲实现资源的动态配置

如下：这是目前我们写死的资源配置

 

<ss:intercept-url pattern="/login.action" access="IS_AUTHENTICATED_ANONYMOUSLY"/>  
<ss:intercept-url pattern="/company/company.action" access="ROLE_ADMIN"/>
<ss:intercept-url pattern="/dept/dept.action" access="ROLE_USER"/>
<ss:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>

  

 

第一步：新增一张资源表与一张资源与角色关系表

create table TEST_RESOURCE
(
  ID    NUMBER(22) not null,
  VALUE VARCHAR2(100),
  TYPE  VARCHAR2(5) default 'url',
  FLAG  CHAR(1) default '1',
  SEQ   NUMBER(22)
)

 

create table TEST_ROLE_RESOURCE
(
  ROLE_ID     NUMBER(22),
  RESOURCE_ID NUMBER(22)
)

 

 

 

 

对比

<ss:intercept-url pattern="/login.action" access="IS_AUTHENTICATED_ANONYMOUSLY"/>  
<ss:intercept-url pattern="/company/company.action" access="ROLE_ADMIN"/>
<ss:intercept-url pattern="/dept/dept.action" access="ROLE_USER"/>
<ss:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>

  

一目了然，将资源从配置文件转移到了数据库

 

第二步：在安全管理三中提到的Security中 ，添加2个属性

private String roleName;
	
private String resourceValue;

 

第三步：编写DefinitionSourceFactoryBean

package com.longzhun.fpm.security;

import java.util.LinkedHashMap;
import java.util.List;

import org.springframework.beans.factory.FactoryBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.ConfigAttributeDefinition;
import org.springframework.security.ConfigAttributeEditor;
import org.springframework.security.intercept.web.DefaultFilterInvocationDefinitionSource;
import org.springframework.security.intercept.web.FilterInvocationDefinitionSource;
import org.springframework.security.intercept.web.RequestKey;
import org.springframework.security.util.AntUrlPathMatcher;
import org.springframework.security.util.UrlMatcher;
import org.springframework.stereotype.Component;

import com.longzhun.fpm.security.service.SecurityService;

public class DefinitionSourceFactoryBean implements FactoryBean{
	
	@Autowired
	@Qualifier("securityService")
	private SecurityService securityService;

	public Object getObject() throws Exception {
		return new DefaultFilterInvocationDefinitionSource(getUrlMatcher(), buildRequestMap());
	}

	@SuppressWarnings("unchecked")
	public Class getObjectType() {
		return FilterInvocationDefinitionSource.class;
	}

	public boolean isSingleton() {
		return true;
	}
	protected UrlMatcher getUrlMatcher(){
		return new AntUrlPathMatcher();
	}

	protected LinkedHashMap<RequestKey, ConfigAttributeDefinition> buildRequestMap(){
		
		List<Security> resources = securityService.getResources();
		
		LinkedHashMap<RequestKey, ConfigAttributeDefinition> distMap = new LinkedHashMap<RequestKey, ConfigAttributeDefinition>();
		
		ConfigAttributeEditor edit = null;
		for(Security security : resources){
			System.out.println(security.getRoleName()+" : "+security.getResourceValue());
			if(security.getRoleName() != null){
				
				edit = new ConfigAttributeEditor();
				RequestKey key = new RequestKey(security.getResourceValue(), null);
				edit.setAsText(security.getRoleName());
				
				distMap.put(key, (ConfigAttributeDefinition)edit.getValue());
			}
		}
		return distMap;
	}
}

 

 

securityService方法我就不写出来了，就一个方法getResources()

我将getResources()的sql查询语句写给大家

select r.role_name roleName,res.value resourceValue from test_role r,test_role_resource rr,test_resource res
            where r.id = rr.role_id and res.id = rr.resource_id order by res.seq 

 

第四步：修改applicationContext-security.xml，最后配置如下

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:ss="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd"
                         default-autowire="byType">

	<ss:http auto-config="true">
		<ss:intercept-url pattern="/common/**" filters="none"/>
		<ss:intercept-url pattern="/css/**" filters="none"/>
		<ss:intercept-url pattern="/images/**" filters="none"/>
		<ss:intercept-url pattern="/js/**" filters="none"/>
		
		
		
		
		
		<ss:form-login
			login-page="/login.action"
			authentication-failure-url="/login.action?error=true"
			default-target-url="/"  
			always-use-default-target="true"      
		/>                                  <!-- default-target-url登录成功页  /代表系统默认路径        
												always-use-default-target="true" session过期,跳回登录页面，再次登录时，不让跳转至之前操作的地址-->
		
	</ss:http>

	<ss:authentication-provider user-service-ref="userDetailsService"/>
	
	<bean id="definitionSource" class="com.longzhun.fpm.security.DefinitionSourceFactoryBean"/>
	
	<bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
		<ss:custom-filter before="FILTER_SECURITY_INTERCEPTOR"/>
		<property name="objectDefinitionSource" ref="definitionSource"/>
	</bean>
	
	 
</beans>

 

评论

1 楼 take 2011-12-26  

一模一样的配置,但是重启后,项目还是会有问题.. 不过有区别的在于你的SecurityService有注入. 我的没有.. 是不是这个问题.. 我想得回去试试..
这个是fpm吧?嘿.