The main content of this post
Spring Security: protecting the execution of business code
Preparation
1. Create the HelloService interface
```java
package zyk.service;

//import org.springframework.security.access.annotation.Secured;

public interface HelloService {

    //@Secured({ "ROLE_USER", "ROLE_ADMIN" })
    public String sayHi(String userName);

    //@Secured({"ROLE_ADMIN"})
    public String sayBye(String userName);
}
```
2. The implementation class HelloServiceImpl
```java
package zyk.service.impl;

import zyk.service.HelloService;

public class HelloServiceImpl implements HelloService {

    public String sayHi(String userName) {
        return "大家好!我是:" + userName;
    }

    public String sayBye(String userName) {
        return userName + " 跟大家说再见!";
    }
}
```
3. Configure applicationContext.xml so that HelloService is managed by Spring.

```xml
<bean id="helloService" class="zyk.service.impl.HelloServiceImpl" />
```

4. Create HelloServlet
```java
package zyk.servlet;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.ApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

import zyk.service.HelloService;

public class HelloServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    /**
     * Constructor of the object.
     */
    public HelloServlet() {
        super();
    }

    /**
     * Destruction of the servlet. <br>
     */
    public void destroy() {
        super.destroy(); // Just puts "destroy" string in log
        // Put your code here
    }

    /**
     * The doGet method of the servlet. <br>
     *
     * This method is called when a form has its tag value method equals to get.
     *
     * @param request  the request send by the client to the server
     * @param response the response send by the server to the client
     * @throws ServletException if an error occurred
     * @throws IOException      if an error occurred
     */
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        response.setCharacterEncoding("UTF-8");
        String userName = request.getParameter("userName");
        String method = request.getParameter("method");

        // Look up the Spring-managed service bean; once method security is enabled
        // this is the secured proxy, not the raw HelloServiceImpl.
        ApplicationContext ctx = WebApplicationContextUtils
                .getWebApplicationContext(this.getServletContext());
        HelloService helloService = ctx.getBean("helloService", HelloService.class);

        PrintWriter out = response.getWriter();
        out.println("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">");
        out.println("<HTML>");
        out.println("  <HEAD><TITLE></TITLE></HEAD>");
        out.println("  <BODY>");
        // Constant-first comparison: a missing "method" parameter no longer throws a
        // NullPointerException. If the caller lacks the role that the method-security
        // rules require, the proxy throws AccessDeniedException and it propagates out of doGet.
        if ("sayHi".equals(method)) {
            out.println(helloService.sayHi(userName));
        } else {
            out.println(helloService.sayBye(userName));
        }
        out.println("  </BODY>");
        out.println("</HTML>");
        out.flush();
        out.close();
    }

    /**
     * The doPost method of the servlet. <br>
     *
     * This method is called when a form has its tag value method equals to post.
     *
     * @param request  the request send by the client to the server
     * @param response the response send by the server to the client
     * @throws ServletException if an error occurred
     * @throws IOException      if an error occurred
     */
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }

    /**
     * Initialization of the servlet. <br>
     *
     * @throws ServletException if an error occurs
     */
    public void init() throws ServletException {
        // Put your code here
    }
}
```
5. Configure the mapping path of HelloServlet in web.xml.

```xml
<servlet>
    <description>This is the description of my J2EE component</description>
    <display-name>This is the display name of my J2EE component</display-name>
    <servlet-name>HelloServlet</servlet-name>
    <servlet-class>zyk.servlet.HelloServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>HelloServlet</servlet-name>
    <url-pattern>/hello.action</url-pattern>
</servlet-mapping>
```

6. Add the links in index.jsp.

```jsp
<a href="${pageContext.request.contextPath}/hello.action?method=sayHi&userName=<sec:authentication property="name" />">SayHi!</a>
<br />
<a href="${pageContext.request.contextPath}/hello.action?method=sayBye&userName=<sec:authentication property="name" />">SayBye!</a>
```
First test: both user and admin can call the sayHi and sayBye methods.

What we want to achieve next:
admin can call both sayHi and sayBye.
user can only call sayHi.

A) The XML approach
1. Configure it in applicationContext.xml
```xml
<!-- The XML approach -->
<security:global-method-security>
    <!-- Users holding ROLE_USER or ROLE_ADMIN may call any method named sayHi,
         with any return type, in any class under the package zyk.service -->
    <security:protect-pointcut access="ROLE_USER,ROLE_ADMIN"
        expression="execution(* zyk.service.*.sayHi(..))"/>
    <!-- First  * : any return type
         Second * : any class
         Third  * : any method name beginning with "say"
         Meaning: users holding ROLE_ADMIN may call any method whose name begins
         with "say" (for example sayHi and sayBye), with any return type, in any
         class under the package zyk.service -->
    <security:protect-pointcut access="ROLE_ADMIN"
        expression="execution(* zyk.service.*.say*(..))"/>
</security:global-method-security>
```
Second test: OK. Now comment out the configuration above and switch to the annotation approach.

B) The annotation approach
1. Enable annotations in applicationContext.xml

```xml
<!-- Enable annotations -->
<security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />
```

2. Add the Spring Security annotations to the methods of the HelloService interface. The usage is self-explanatory.
```java
package zyk.service;

import org.springframework.security.access.annotation.Secured;

public interface HelloService {

    @Secured({ "ROLE_USER", "ROLE_ADMIN" })
    public String sayHi(String userName);

    @Secured({"ROLE_ADMIN"})
    public String sayBye(String userName);
}
```
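The configuration above also enables `jsr250-annotations`, which the post never uses. As an added example (not code from the original post), here is the same access matrix expressed with the JSR-250 `@RolesAllowed` annotation instead of `@Secured`, showing the one thing `@Secured` cannot do: a class-level default that individual methods override. It assumes the `javax.annotation` JSR-250 API jar is on the classpath alongside the post's Spring Security setup.

```java
package zyk.service;

import javax.annotation.security.RolesAllowed;

/**
 * Added example, not part of the original post: the post's access rules
 * written with JSR-250 annotations (enabled by jsr250-annotations="enabled").
 * A class-level @RolesAllowed is the default for every method of the type; a
 * method-level @RolesAllowed replaces that default rather than adding to it.
 */
@RolesAllowed("ROLE_ADMIN")            // default: only ROLE_ADMIN may call anything here
public interface HelloService {

    // Overrides the class default: ROLE_USER or ROLE_ADMIN may call sayHi
    // (equivalent to @Secured({ "ROLE_USER", "ROLE_ADMIN" }) in the post).
    @RolesAllowed({ "ROLE_USER", "ROLE_ADMIN" })
    String sayHi(String userName);

    // No method-level annotation, so the class default applies: ROLE_ADMIN only
    // (equivalent to @Secured({ "ROLE_ADMIN" }) in the post).
    String sayBye(String userName);
}
```

Keep the full authority name, `ROLE_ADMIN` rather than `ADMIN`, in `@RolesAllowed`: with the XML namespace configuration used here the role string is compared literally against the caller's granted authorities, so a value without the prefix would never match and every caller would be denied.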
Test again: OK.
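The post checks both approaches by clicking the two links as user and as admin. The test below is an added example (not from the original post) that checks the same access matrix directly against the `helloService` bean, so it works unchanged with either the XML `protect-pointcut` configuration or the annotated interface, and it also covers the case the links cannot reach: a call with no authenticated caller at all. It assumes JUnit 4 on the test classpath and that `applicationContext.xml` (including its `authentication-manager`) is loadable from the classpath; `loginAs` and the test class name are the example's own. Note that `protect-pointcut` entries are matched in declaration order and the first matching expression wins, which is why the narrower `sayHi` rule is listed before the broader `say*` rule.

```java
package zyk.service;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail;

import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.springframework.context.support.ClassPathXmlApplicationContext;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Added example, not part of the original post: verifies the access rules the
 * post configures (admin: sayHi + sayBye, user: sayHi only) without going
 * through HelloServlet. Assumes JUnit 4 and that applicationContext.xml is on
 * the test classpath.
 */
public class HelloServiceAccessTest {

    private ClassPathXmlApplicationContext ctx;
    private HelloService helloService;

    @Before
    public void setUp() {
        ctx = new ClassPathXmlApplicationContext("applicationContext.xml");
        // This is the secured proxy, exactly what the servlet gets from the web context.
        helloService = ctx.getBean("helloService", HelloService.class);
    }

    @After
    public void tearDown() {
        // Always clear the thread-bound context so roles never leak into the next test.
        SecurityContextHolder.clearContext();
        ctx.close();
    }

    /** Example helper: bind an already-authenticated principal with the given roles to this thread. */
    private static void loginAs(String name, String... roles) {
        // TestingAuthenticationToken is flagged authenticated when roles are supplied,
        // so the method-security interceptor uses it as-is instead of re-authenticating.
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken(name, "n/a", roles));
    }

    @Test
    public void adminMayCallBothMethods() {
        loginAs("admin", "ROLE_ADMIN");
        assertEquals("大家好!我是:admin", helloService.sayHi("admin"));
        assertEquals("admin 跟大家说再见!", helloService.sayBye("admin"));
    }

    @Test
    public void userMayOnlyCallSayHi() {
        loginAs("user", "ROLE_USER");
        assertEquals("大家好!我是:user", helloService.sayHi("user"));
        try {
            helloService.sayBye("user");
            fail("ROLE_USER must not be able to call sayBye");
        } catch (AccessDeniedException expected) {
            // The interceptor rejected the call before the method body ran.
        }
    }

    @Test(expected = AuthenticationCredentialsNotFoundException.class)
    public void unauthenticatedCallerIsRejected() {
        // No Authentication in the SecurityContext at all: the interceptor refuses
        // even the method that every role may call.
        SecurityContextHolder.clearContext();
        helloService.sayHi("nobody");
    }
}
```

When the same denial happens through the servlet, the `AccessDeniedException` propagates out of `doGet`; as long as `/hello.action` is inside the Spring Security filter chain, `ExceptionTranslationFilter` turns it into the configured access-denied response instead of a stack trace.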
All of the material studied up to this point comes from the attachment under the first post, 《一步一步教你使用SpringSecurity》 (Step by Step: Using Spring Security).