spring security 2.0 命名空间配置（转载）

ootabc

浏览: 109727 次
性别:
来自: 湖南

最近访客更多访客>>

zlalalal

jjc39805

我们快跑

sunhaok

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

博客分类：

spring

Security Spring 配置管理 Web Struts

spring security 2.0 命名空间配置(带例子)
spring security已经成为企业软件中应用最为广泛的Java安全框架之一，它可以在Spring应用上下文中配置的Bean，充分利用了Spring IoC（依赖注入，也称控制反转）和AOP（面向切面编程）功能，为应用系统提供声明式的安全访问控制功能，减少了为企业系统安全控制编写大量重复代码的工作。它提供了全面的认证、授权、基于实例的访问控制、channel安全及人类用户检验能力。
Spring Security 2.0构建在Acegi Security坚实的基础之上，并在此基础上增加了许多新特性，现在本文的重点是要讲spring security简化的基于命名空间的配置，旧式配置可能需要上百行的XML.
通过下面的例子，你会了解到基于命名空间的配置是如何的简单。

spring security 2.0 例子：

开发环境：MyEclipse 6.0
服务器：tomcat 6.x
开发架构：struts 1.2 spring 2.5
spring security 版本：2.0

1.首先要搭好应用的款架，struts和spring（省略）
2.在web.xml里把spring-security 的配置文件路径添加进来
3.在web.xml中添加过spring的过滤器代理
4.添加相关的监听器，以便spring的监听管理
具体web.xml文件如下：

<?xml version="1.0" encoding="UTF-8"?>

<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"

 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee   http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

 <!-- 装载spring配置文件 -->

 <context-param>

  <param-name>contextConfigLocation</param-name>

  <param-value>

  	/WEB-INF/spring-security-ns.xml 

    /WEB-INF/applicationContext.xml

   </param-value>

 </context-param>

 <context-param>

  <param-name>log4jConfigLocation</param-name>

  <param-value>/WEB-INF/classes/log4j.properties</param-value>

 </context-param>

 <filter>

  <filter-name>springSecurityFilterChain</filter-name>

  <!--bean的名字是springSecurityFilterChain，这是由命名空间创建的用于处理web安全的一个内部机制 -->

  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>

 </filter>



 <filter-mapping>

  <filter-name>springSecurityFilterChain</filter-name>

  <url-pattern>/*</url-pattern>

 </filter-mapping>

 <!--

	  - Loads the root application context of this web app at startup.

	  - The application context is then available via

	  - WebApplicationContextUtils.getWebApplicationContext(servletContext).

    -->

 <listener>

  <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>

 </listener>

 <!--

	  - Publishes events for session creation and destruction through the application

	  - context. Optional unless concurrent session control is being used.

      -->

 <listener>

  <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>

 </listener>

 <servlet>

  <servlet-name>action</servlet-name>

  <servlet-class>org.apache.struts.action.ActionServlet</servlet-class>

  <init-param>

   <param-name>config</param-name>

   <param-value>/WEB-INF/struts-config.xml</param-value>

  </init-param>

  <init-param>

   <param-name>debug</param-name>

   <param-value>3</param-value>

  </init-param>

  <init-param>

   <param-name>detail</param-name>

   <param-value>3</param-value>

  </init-param>

  <load-on-startup>0</load-on-startup>

 </servlet>

 <servlet-mapping>

  <servlet-name>action</servlet-name>

  <url-pattern>*.do</url-pattern>

 </servlet-mapping>

 <welcome-file-list>

  <welcome-file>login.jsp</welcome-file>

 </welcome-file-list>

 <error-page>

  <error-code>403</error-code>

  <location>/error.html</location>

 </error-page>

 <login-config>

  <auth-method>BASIC</auth-method>

 </login-config>

</web-app>

5.创建spring-security-ns.xml配置文件（具体看配置文件）：

<?xml version="1.0" encoding="UTF-8"?>

<!--

  - 基于名称空间配置

  -->

<beans:beans xmlns="http://www.springframework.org/schema/security"

    xmlns:beans="http://www.springframework.org/schema/beans"

    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd

                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">



	<global-method-security secured-annotations="enabled" >

		<!-- AspectJ pointcut expression that locates our "post" method and applies security that way

		<protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>

		-->

	</global-method-security>

											

    <http access-denied-page="/error.jsp" access-decision-manager-ref="accessDecisionManager" 

    	session-fixation-protection="newSession" auto-config="true" path-type="ant" ><!--session-fixation-protection属性可以防止session固定攻击  -->

       <!-- 权限入口的顺序十分重要，注意必须把特殊的URL权限写在一般的URL权限之前。 -->        

		<intercept-url pattern="/acegiTest.do" access="ROLE_SUPERVISOR"/>        

        <intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_REMEMBERED" />

        <intercept-url pattern="/roleA/**.jsp" access="ROLE_A"/>

        <intercept-url pattern="/roleB/**.jsp" access="ROLE_B"/>

        <intercept-url pattern="/roleC/**.jsp" access="ROLE_C"/>

        <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>

		<!--

    	x509认证

        <x509 /> 

		-->

        <!-- All of this is unnecessary if auto-config="true"

        <form-login />

        <anonymous />

        <http-basic />

        <logout />

        <remember-me />

         -->

        <form-login login-page="/login.jsp" default-target-url="/index.jsp" authentication-failure-url="/login.jsp?login_error=1" />

        <anonymous key="cookie_key" username="ananoymous" granted-authority="IS_AUTHENTICATED_ANONYMOUSLY"/>        

        <logout invalidate-session="true" />

        <!-- session并发控制 -->				

		<concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true" /><!-- exception-if-maximum-exceeded="true" 第二次登入失效 -->

   		

    </http>   

    

    <!-- 访问决策管理 -->

	<beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">

		<beans:property name="allowIfAllAbstainDecisions" value="true"/>

		<beans:property name="decisionVoters"><!-- 投票者列表 -->

			<beans:list>

				<beans:bean class="org.springframework.security.vote.RoleVoter"/>

				<beans:bean class="org.springframework.security.vote.AuthenticatedVoter"/>

			</beans:list>

		</beans:property>

	</beans:bean>

  

    <authentication-provider><!-- user-service-ref="userDetailsService" -->    

     	 <!-- 基于内存存储用户 -->

    	<user-service>

    		<user name="admin" password="202cb962ac59075b964b07152d234b70" authorities="ROLE_A, ROLE_B, ROLE_C, ROLE_SUPERVISOR"/>

    		<user name="userab" password="202cb962ac59075b964b07152d234b70" authorities="ROLE_A, ROLE_B"/>

    		<user name="usera" password="202cb962ac59075b964b07152d234b70" authorities="ROLE_A"/>

    		<user name="userb" password="202cb962ac59075b964b07152d234b70" authorities="ROLE_B"/>

    	</user-service>    	 

    	 <!--密码md5加密--> 

        <password-encoder hash="md5"/>  

        <!--

	    <jdbc-user-service data-source-ref="f3CenterDS" 

	    		users-by-username-query="select name as 'username',password`,'true' as 'enabled' from users where name = ?" 

	    		authorities-by-username-query="select name as 'username',authorities as 'authority' from authentication where name = ?" 

	    		 />     

	 	--> 

	</authentication-provider>	

	<!--用户信息存在在数据库的验证-->

	<!--  

	<beans:bean id="userDetailsService"

		class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">

		<beans:property name="dataSource" ref="f3CenterDS" />

		<beans:property name="usersByUsernameQuery">

			<beans:value>

				select name as 'username',password,'true' as 'enabled' from users where name = ?

			</beans:value>

		</beans:property>

		<beans:property name="authoritiesByUsernameQuery">

			<beans:value>

				select name as 'username',authorities as 'authority' from authentication where name = ?

			</beans:value>

		</beans:property>

	</beans:bean>		

	-->

	

	

</beans:beans>

分享到：

javascript 操作 json 转载 | js 读写文件转载

2010-07-30 11:58
浏览 1165
评论(0)
分类:企业架构
查看更多

发表评论

您还没有登录,请您登录后再发表评论

最近访客更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论