pengfeifei26
- 浏览: 248103 次
- 性别:
- 来自: 北京
-
文章分类
- 全部博客 (281)
- hibernate (16)
- sql工具 (2)
- eclipse (15)
- tomcat (13)
- 项目部署 (4)
- java (62)
- spring (15)
- EL (1)
- javascript (8)
- 正则表达式 (1)
- jQuery (4)
- mysql (15)
- jstl (1)
- jsp (1)
- eclipse,eclipse插件 (1)
- svn (4)
- java,resin (1)
- jdbc (1)
- jdk (2)
- android (21)
- resin (3)
- php (3)
- 其他 (2)
- 数据库 (2)
- cas单点登录 (2)
- 邮箱激活 (1)
- jad (1)
- 支付 (1)
- struts (1)
- jpa (1)
- struts2 (4)
- json (3)
- oracle (2)
- velocity (1)
- sina微博登陆 (2)
- qq账户登录 (1)
- spring security (1)
- java图片处理 (1)
- http请求 (1)
- cas springsecurity (1)
- freemarker (1)
- cas (6)
- java oauth2 (2)
- oauth2.0 (6)
- springsecurity oauth2 (1)
- sms (1)
- springmvc (2)
- spring aop (1)
- luaeclipse (1)
- cocos2d (1)
- hibernate缓存 (1)
- ibatis (1)
- linux (7)
- 技术网站 (1)
- python (2)
- hadoop (1)
- war3 (0)
- elasticsearch (2)
- jboss (1)
- spring data jpa (2)
- java json (1)
- jsonp (1)
- webservice (4)
- java多线程 (1)
- java加密解密 (1)
- spring task (1)
- java session and cookie (1)
- java nio (1)
- 缓存 (1)
- java大数据 (1)
- cygwin (1)
- 设计模式 (1)
- mybatis (2)
- jquery插件 (2)
- jvm内存溢出 (1)
- drools (1)
- cookie and session (1)
- jvm内存设置 (1)
- nginx (1)
- 微信 (1)
- extjs (1)
- redis (7)
- memcached (1)
- js闭包 (1)
- js (0)
- mongodb (3)
- dubbo (2)
- jdk版本问题 (1)
- opnfire (1)
- git (1)
- jsp视频播放 (1)
- 国际化 (1)
- 后台管理 (1)
- yum (1)
- k (1)
- 算法 (0)
- jvm优化 (1)
- java检测 (1)
- maven操作 (0)
- ios打包 (1)
- 网络通信 (1)
- node.js (1)
- maven (4)
- 消息队列 (2)
- springcloud (6)
- mq (2)
- idea (3)
- log4j (1)
- docker (4)
- editplus (1)
- springboot (1)
- Kubernetes (1)
- jenkins (1)
- websocket (1)
- thirft (1)
- strom (1)
- postman (1)
- kafka (1)
- 线程池 (1)
- JVisualVM (1)
- java反射 (1)
- shell (1)
- java8 (2)
- i18 (1)
- jvm (0)
- nio (1)
- nodejs (1)
- idea java (1)
最新评论
-
pengfeifei26:
wbzhaohl 写道这个有解决方案没有时间长了,貌似有点忘了 ...
A redirect is required to get the users approval -
wbzhaohl:
这个有解决方案没有
A redirect is required to get the users approval -
somebody:
恩。好吧。这个只有在 还没发布的 2.0 版本才有。
oauth2.0设置自动授权
http://blog.csdn.net/k10509806/article/details/6436987
http://www.iteye.com/topic/1129965
http://dreamzhong.iteye.com/blog/1722285
http://www.open-open.com/doc/list/153?pn=2
https://github.com/spring-projects/spring-security/tree/3.1.x/web/src/main/java/org/springframework/security/web 源码下载
http://repo1.maven.org/maven2/org/springframework/security/spring-security-taglibs/3.2.0.RELEASE/
release 下载
http://www.open-open.com/doc/list/153?pn=0
http://dead-knight.iteye.com/category/220917 spring security 源码分析
这里有一个比较关键的问题,就是封装他们的过滤器(或者仅仅是知道他们到底是哪些过滤器在起作用):
表1
Alias Filter Class Namespace Element or Attribute
CHANNEL_FILTER ChannelProcessingFilter http/intercept-url@requires-channel
CONCURRENT_SESSION_FILTER ConcurrentSessionFilter session-management/concurrency-control
SECURITY_CONTEXT_FILTER SecurityContextPersistenceFilter http
LOGOUT_FILTER LogoutFilter http/logout
X509_FILTER X509AuthenticationFilter http/x509
PRE_AUTH_FILTER AstractPreAuthenticatedProcessingFilter Subclasses N/A
CAS_FILTER CasAuthenticationFilter N/A
FORM_LOGIN_FILTER UsernamePasswordAuthenticationFilter http/form-login
BASIC_AUTH_FILTER BasicAuthenticationFilter http/http-basic
SERVLET_API_SUPPORT_FILTER SecurityContextHolderAwareFilter http/@servlet-api-provision
REMEMBER_ME_FILTER RememberMeAuthenticationFilter http/remember-me
ANONYMOUS_FILTER AnonymousAuthenticationFilter http/anonymous
SESSION_MANAGEMENT_FILTER SessionManagementFilter session-management
EXCEPTION_TRANSLATION_FILTER ExceptionTranslationFilter http
FILTER_SECURITY_INTERCEPTOR FilterSecurityInterceptor http
SWITCH_USER_FILTER SwitchUserFilter N/A
(最开始看的时候,把这个表格忽略了,现在看来这些就是我们想要的!)
我们的验证过程,就是按照这样的顺序进行的。自上而下进行。
如果我们要自己定制相应的验证处理方法(在过滤器里面),我们就可以对照上面的过滤器,覆盖相应的接口方法。
根据我的处理过程,主要是用户名密码的验证过程,我大体描述一下自己的配置和处理过程:
1.配置namespace的标签:
<http use-expressions="true" ><!-- This is not the default value -->
<custom-filter position="FORM_LOGIN_FILTER" ref="myFilter"/> <!--This is my own filter which just extends AbstractAuthenticationProcessingFilter as what UsernamePasswordAuthenticationFilter does.-->
<intercept-url pattern="/test/**" access="hasRole('ROLE_MY')"/><!-- I tested that what is role,and how I can use it.So ROLE_MY is just a role name I defined.-->
<intercept-url pattern="/login.jsp*" access="permitAll" />
<logout />
<anonymous />
<http-basic />
</http>
这里的问题是,要定制自己的过滤器,就要通过<custom-filter/>,然后对照 表1 中指定的position,覆盖默认的filter。
2.我的form-login filter配置(这些配置都是在application-security.xml文件中)为:
<beans:bean id="myFilter"
class="com.saveworld.authentication.filters.MyUsernamePasswordAuthenticationFilter">
<beans:property name="defaultTargetUrl" value="/default.jsp" />
<beans:property name="defaultFailureUrl" value="/error.jsp" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
<beans:property name="continueChainBeforeSuccessfulAuthentication" value="false" />
</beans:bean>
NOTE:
在这里有个问题就是: filter position conflicts!
如果使用这样的配置
<http auto-config='true'>
<custom-filter position="FORM_LOGIN_FILTER" ref="myFilter"/>
</http>
自定义的filter对应的position是FORM_LOGIN_FILTER
但是因为使用了auto-config='true',所以默认有<form-login />,which is on the position FORM_LOGIN_FILTER!
这时就会出现position conflicts问题了。当然,如果你没有设置auto-config='true',但是却自己设置了<form-login />,呵呵,这个情况就是自己大意了,还是有了position conflicts的异常,所以,好好看看上面的表格是相当必要的,看清楚每个position默认都对应那些namespace,都是对应的哪些filter!
控制一个帐号多次登录方法
:
http://www.iteye.com/topic/1129965
http://dreamzhong.iteye.com/blog/1722285
http://www.open-open.com/doc/list/153?pn=2
https://github.com/spring-projects/spring-security/tree/3.1.x/web/src/main/java/org/springframework/security/web 源码下载
http://repo1.maven.org/maven2/org/springframework/security/spring-security-taglibs/3.2.0.RELEASE/
release 下载
http://www.open-open.com/doc/list/153?pn=0
http://dead-knight.iteye.com/category/220917 spring security 源码分析
这里有一个比较关键的问题,就是封装他们的过滤器(或者仅仅是知道他们到底是哪些过滤器在起作用):
表1
Alias Filter Class Namespace Element or Attribute
CHANNEL_FILTER ChannelProcessingFilter http/intercept-url@requires-channel
CONCURRENT_SESSION_FILTER ConcurrentSessionFilter session-management/concurrency-control
SECURITY_CONTEXT_FILTER SecurityContextPersistenceFilter http
LOGOUT_FILTER LogoutFilter http/logout
X509_FILTER X509AuthenticationFilter http/x509
PRE_AUTH_FILTER AstractPreAuthenticatedProcessingFilter Subclasses N/A
CAS_FILTER CasAuthenticationFilter N/A
FORM_LOGIN_FILTER UsernamePasswordAuthenticationFilter http/form-login
BASIC_AUTH_FILTER BasicAuthenticationFilter http/http-basic
SERVLET_API_SUPPORT_FILTER SecurityContextHolderAwareFilter http/@servlet-api-provision
REMEMBER_ME_FILTER RememberMeAuthenticationFilter http/remember-me
ANONYMOUS_FILTER AnonymousAuthenticationFilter http/anonymous
SESSION_MANAGEMENT_FILTER SessionManagementFilter session-management
EXCEPTION_TRANSLATION_FILTER ExceptionTranslationFilter http
FILTER_SECURITY_INTERCEPTOR FilterSecurityInterceptor http
SWITCH_USER_FILTER SwitchUserFilter N/A
(最开始看的时候,把这个表格忽略了,现在看来这些就是我们想要的!)
我们的验证过程,就是按照这样的顺序进行的。自上而下进行。
如果我们要自己定制相应的验证处理方法(在过滤器里面),我们就可以对照上面的过滤器,覆盖相应的接口方法。
根据我的处理过程,主要是用户名密码的验证过程,我大体描述一下自己的配置和处理过程:
1.配置namespace的标签:
<http use-expressions="true" ><!-- This is not the default value -->
<custom-filter position="FORM_LOGIN_FILTER" ref="myFilter"/> <!--This is my own filter which just extends AbstractAuthenticationProcessingFilter as what UsernamePasswordAuthenticationFilter does.-->
<intercept-url pattern="/test/**" access="hasRole('ROLE_MY')"/><!-- I tested that what is role,and how I can use it.So ROLE_MY is just a role name I defined.-->
<intercept-url pattern="/login.jsp*" access="permitAll" />
<logout />
<anonymous />
<http-basic />
</http>
这里的问题是,要定制自己的过滤器,就要通过<custom-filter/>,然后对照 表1 中指定的position,覆盖默认的filter。
2.我的form-login filter配置(这些配置都是在application-security.xml文件中)为:
<beans:bean id="myFilter"
class="com.saveworld.authentication.filters.MyUsernamePasswordAuthenticationFilter">
<beans:property name="defaultTargetUrl" value="/default.jsp" />
<beans:property name="defaultFailureUrl" value="/error.jsp" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
<beans:property name="continueChainBeforeSuccessfulAuthentication" value="false" />
</beans:bean>
NOTE:
在这里有个问题就是: filter position conflicts!
如果使用这样的配置
<http auto-config='true'>
<custom-filter position="FORM_LOGIN_FILTER" ref="myFilter"/>
</http>
自定义的filter对应的position是FORM_LOGIN_FILTER
但是因为使用了auto-config='true',所以默认有<form-login />,which is on the position FORM_LOGIN_FILTER!
这时就会出现position conflicts问题了。当然,如果你没有设置auto-config='true',但是却自己设置了<form-login />,呵呵,这个情况就是自己大意了,还是有了position conflicts的异常,所以,好好看看上面的表格是相当必要的,看清楚每个position默认都对应那些namespace,都是对应的哪些filter!
控制一个帐号多次登录方法
:
<!-- 检测失效的sessionId, 超时时定位到另外一个URL -->
<session-management invalid-session-url="/framework/security/none/login.jsp" session-authentication-strategy-ref="sas">
<!-- <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" /> -->
</session-management>
<beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:property name="maximumSessions" value="1"></beans:property>
<beans:property name="exceptionIfMaximumExceeded" value="false"></beans:property>
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry"></beans:constructor-arg>
</beans:bean>
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"></beans:bean>
<!-- 登录验证器 -->
<beans:bean id="usernamePasswordValidateCodeAuthenticationFilter" class="com.cpp.framework.security.web.authentication.UsernamePasswordValidateCodeAuthenticationFilter">
<!-- 处理登录的action -->
<beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
<!-- 验证成功后的处理 -->
<beans:property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
<!-- 验证失败后的处理 -->
<beans:property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="sessionAuthenticationStrategy" ref="sas"></beans:property>
</beans:bean>
- SpringSecurity使用记录.rar (1 MB)
- 下载次数: 1
分享到:
发表评论
相关推荐
Spring Security 实践指南 Spring Security 是一个基于 Java 的安全框架,旨在提供身份验证、授权和访问控制等功能。下面是 Spring Security 的主要知识点: 一、身份验证(Authentication) 身份验证是指对用户...
SpringSecurity是Java领域中一款强大的安全框架,主要用于Web应用程序的安全管理。它提供了全面的身份验证、授权、会话管理以及安全相关的功能,可以帮助开发者构建安全的Web应用。在本笔记中,我们将深入探讨Spring...
Spring Security 是一个强大的安全框架,主要用于Java应用的安全管理,它为Web应用和企业级应用提供了全面的安全服务。这个框架能够处理认证、授权以及各种安全相关的功能,帮助开发者构建安全、可扩展的应用。以下...
Spring Security是一个功能强大、高度定制的安全框架,它专门用于为基于Spring的应用程序提供安全性解决方案。Spring Security架构的设计初衷是为了解决认证和授权的需求,确保应用程序的安全性。它提供了全面的安全...
Spring Security 是一个强大的安全框架,用于为Java应用提供身份验证和授权服务。在这个完整的项目实例中,我们将深入探讨Spring Security的核心概念以及如何将其应用于实际的Web应用程序开发。 首先,我们从用户、...
在压缩包文件`spring_gateway_security_webflux`中,可能包含了示例代码或配置文件,用于演示如何在Spring Cloud Gateway中集成Spring Security,实现统一登录认证鉴权。这些资源可以帮助开发者更快地理解和实践上述...