spring-security 学习笔记

security:http是整个spring security框架的入口,把filter按顺序组装成一个链条
auto-config="true"相当于配置了基本的一些组件:form-login、anonymous、http-basic、logout、remember-me
    <security:http auto-config="true"
        entry-point-ref="formAuthenticationEntryPoint"  指定登录的入口点,可以切换成CAS
        session-fixation-protection="none"
        access-decision-manager-ref="accessDecisionManager">
        <security:intercept-url pattern="/*/.jpg" filters="none" />为了性能,忽略图片、js等无需保护的资源
        <security:intercept-url pattern="/*/.gif" filters="none" />
        <security:intercept-url pattern="/*/.js" filters="none" />
        <security:intercept-url pattern="/*/.css" filters="none" />
        <security:intercept-url pattern="/*/.png" filters="none" />
        <security:intercept-url pattern="/j_spring_security_check*"  requires-channel="https" />登录url和页面强制采用https协议
        <security:intercept-url pattern="/login.jsp*" requires-channel="https" />
        <security:intercept-url pattern="/loginError.jsp*" requires-channel="https" />
        <security:intercept-url pattern="/**" requires-channel="http" />非敏感资源采用http协议即可,以免影响性能
        <security:port-mappings>
            <security:port-mapping http="8080" https="8443" />指定https和http协议如何切换端口
            <security:port-mapping http="80" https="443" />
        </security:port-mappings>
        <security:form-login login-processing-url="${acegi.login_url}"
            default-target-url="${acegi.login_success_url}"  authentication-failure-url="${acegi.login_failure_url}" />
        <security:remember-me  key="e37f4b31-0c45-11dd-bd0b-0800200c9a66" />
        <security:logout logout-success-url="/index.bms" />
    </security:http>
    <bean id="formAuthenticationEntryPoint"  表单登录的入口
        class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
        <property name="loginFormUrl" value="${acegi.login_page}" />
        <property name="forceHttps" value="true" />
    </bean>
    <security:authentication-manager alias="authenticationManager" />把authentication-manager声明为一个bean,供后面复用
    <security:authentication-provider  user-service-ref="userDetailsService">
        <security:password-encoder hash="md5" />
    </security:authentication-provider>
    <bean id="roleVoter"  class="org.springframework.security.vote.RoleVoter">
        <property name="rolePrefix" value="ROLE_" />角色需要加前缀
    </bean>
    <!- =================CAS CAS================== ->
    <bean id="serviceProperties"  class="org.springframework.security.ui.cas.ServiceProperties">
        <property name="service" value="${cas.securityContext.serviceProperties.service}" />从cas返回后验证serviceTicket的URL
        <property name="sendRenew" value="false" />
    </bean>
    <bean id="casProcessingFilter" class="org.springframework.security.ui.cas.CasProcessingFilter">CAS serviceTicket 处理器
        <!-- Uncomment to integrate CAS
            <security:custom-filter position="CAS_PROCESSING_FILTER" />将其加入处理器链
        -->
        <property name="authenticationManager"  ref="authenticationManager" />
        <property name="authenticationFailureUrl"  value="${acegi.login_failure_url}" />
        <property name="alwaysUseDefaultTargetUrl" value="false" />
        <property name="defaultTargetUrl"  value="${acegi.login_success_url}" />
        <property name="filterProcessesUrl" value="${acegi.login_url}" />
    </bean>
    <bean id="casProcessingFilterEntryPoint" class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">CAS登录的入口
        <property name="loginUrl" value="${cas.securityContext.casProcessingFilterEntryPoint.loginUrl}" />
        <property name="serviceProperties" ref="serviceProperties" />
    </bean>
    CAS认证提供者:通过HTTPS与CAS通信,认证serviceTicket
    <bean id="casAuthenticationProvider" class="org.springframework.security.providers.cas.CasAuthenticationProvider">
        <security:custom-authentication-provider />只有这样声明才能使casAuthenticationProvider注册到authenticationManager并生效
        <property name="userDetailsService" ref="userDetailsService" />
        <property name="serviceProperties" ref="serviceProperties" />
        <property name="ticketValidator">
            <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0"
                    value="${cas.securityContext.casProxyTicketValidator.casValidate}"/> CAS认证入口------https://ingrid:8443/cas
            </bean>
        </property>
        <property name="key" value="an_id_for_this_auth_provider_only" />
    </bean>
    <bean id="accessDecisionManager"  class="org.springframework.security.vote.AffirmativeBased">
        <property name="decisionVoters">
            <list>
                <ref bean="roleVoter" />
                <bean class="org.springframework.security.vote.AuthenticatedVoter" />
            </list>
        </property>
    </bean>
    <!- ================= UAAS Extends ================== ->
    <bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">拦截、保护URL资源
        <security:custom-filter before="FILTER_SECURITY_INTERCEPTOR" />
        <property name="authenticationManager"  ref="authenticationManager" />
        <property name="accessDecisionManager"  ref="accessDecisionManager" />
        <property name="objectDefinitionSource"  ref="filterDefinitionSource" />
    </bean>
    <bean id="filterDefinitionSource"
        class="com.ema.uaas.springsecurity.resource.UrlDefinitionSourceHbmImpl">从数据库获取URL资源及其相关角色
        <property name="convertUrlToLowercaseBeforeComparison"  value="true" />
        <property name="useAntPath" value="true" />
        <property name="protectAllResource" value="false" />
        <property name="userDetailsService" ref="userDetailsService" />
    </bean>
  <!--   从数据库获取method资源及其相关角色 -->
    <bean id="objectDefinitionSource" class="com.ema.uaas.springsecurity.resource.MethodDefinitionSourceHbmImpl">
        <property name="userDetailsService" ref="userDetailsService" />
        <property name="protectAllResource" value="false" />
    </bean>
    <bean id="authenticationUtil"
        class="com.ema.uaas.springsecurity.util.AuthenticationUtil">鉴权工具类:getCurrentUser()、isAccessableTo(String accessPattern)
        <property name="accessDecisionVoter" ref="roleVoter" />
        <property name="filterInvocationDefinitionSource" ref="filterDefinitionSource" />
    </bean>
    <bean id="userDetailsService" parent="baseTransactionProxy">
        <property name="proxyTargetClass" value="true" />
        <property name="target">
            <bean class="com.ema.uaas.springsecurity.service.UserDetailsServiceHbmImpl">
                <property name="subSystemKey" value="${acegi.uaas.subSystemKey}" />子系统的标识
                <property name="orgManager" ref="orgManagerImpl" />
                <property name="privilegeManager" ref="privilegeManagerImpl" />
            </bean>
        </property>
    </bean>
    <bean id="orgManagerImpl" class="com.ema.uaas.manager.OrgManager">
        <property name="dao" ref="dao" />
    </bean>
    <bean id="privilegeManagerImpl"    class="com.ema.uaas.manager.PrivilegeManager">
        <property name="dao" ref="dao" />
    </bean>

<?xml version="1.0" encoding="UTF-8"?>
<beans 
    xmlns="http://www.springframework.org/schema/beans"
   	xmlns:security="http://www.springframework.org/schema/security"	
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"   
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
    					http://www.springframework.org/schema/beans/spring-beans-2.0.xsd    
               			http://www.springframework.org/schema/security
               			http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener" />

    <security:http auto-config='true' access-denied-page="/access.jsp">
		<!-- 
			ROLE_SUPERVISOR:			超级管理员<超级用户,拥有所有权限>
			ROLE_USER:					普通管理员<只能浏览的用户> 
		--> 
		<security:intercept-url pattern="/*/.jpg" filters="none"/><!--为了性能,忽略图片,js等无需保护的资源 -->
		<security:intercept-url pattern="/*/.gif" filters="none"/>
		<security:intercept-url pattern="/*/.png" filters="none"/>
		<security:intercept-url pattern="/*/.wmv" filters="none"/>
		<security:intercept-url pattern="/*/.css" filters="none"/>
		<security:intercept-url pattern="/*/.js" filters="none"/>
		<security:intercept-url pattern="/layout/*" access="ROLE_ADMIN"/>
		<security:intercept-url pattern="/manage/*" access="ROLE_ADMIN"/>
		<security:intercept-url pattern="/source/*" access="ROLE_ADMIN"/>
		<security:intercept-url pattern="/generalmanage/*" access="ROLE_ADMIN"/>
		<security:intercept-url pattern="/supermanage/*" access="ROLE_SUPERADMIN"/>
  		
  		<security:port-mappings>
  			<security:port-mapping http="8080" https="8443"/>
  			<security:port-mapping http="80" https="443"/>
  		</security:port-mappings>
  		 
        <security:form-login 
        			login-page="/index.jsp"
                	authentication-failure-url="/index.jsp?flag=error"
                	default-target-url="/generalmanage/login.do?method=login" 
                	login-processing-url="/j_spring_security_check" />
         
        <security:concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="false" expired-url="/expired.jsp"/>
        <security:logout logout-success-url="/login.do?method=exit" invalidate-session="true" logout-url="/j_spring_security_logout"/>
        <security:http-basic />
    </security:http>
    
    
    <security:authentication-manager alias="authenticationManager" />	

    <security:authentication-provider user-service-ref="authManager" >
		<security:password-encoder hash="md5">
	  		<security:salt-source user-property="username"/>
		</security:password-encoder>
    </security:authentication-provider>
    
    <bean id="authManager" class="cn.com.sohocat.security.AdminLogin" />
 
	<bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
		<property name="allowIfAllAbstainDecisions" value="false"/>
		<property name="decisionVoters">
			<list>  
		    	<bean class="org.springframework.security.vote.RoleVoter" />  
		    	<bean class="org.springframework.security.vote.AuthenticatedVoter" />  
	   		</list>
   		</property>
	</bean>

	<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
		<property name="accessDeniedHandler" ref="accessDeniedHandler"/>
		<property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
	</bean>
	
	<bean id="accessDeniedHandler" class="org.springframework.security.ui.AccessDeniedHandlerImpl">
		<property name="errorPage" value="/access.jsp"/>
	</bean>
	
	<bean id="authenticationEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
		<property name="loginFormUrl" value="/index.jsp"/>
	</bean>
	

	</beans>


/**
 * @此方法描述的是:
 * @Dec 8, 2009
 */
package cn.com.sohocat.security;

import org.springframework.dao.DataAccessException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;
import org.springframework.security.userdetails.UsernameNotFoundException;

import cn.com.sohocat.api.IHoAdmin;
import cn.com.sohocat.pojo.HoAdministrator;
import cn.com.sohocat.util.BeanHelp;
import cn.com.sohocat.util.LogClass;

public class AdminLogin extends LogClass implements UserDetailsService {

	public UserDetails loadUserByUsername(String userName)
			throws UsernameNotFoundException, DataAccessException {
		HoAdministrator admin = ScurityUserHolder.getCurrentUser();
		if(null==admin){
			IHoAdmin iHoAdmin = (IHoAdmin) BeanHelp.getBean("iHoAdmin");	
			admin = iHoAdmin.queryHoAdministratorByAdminName(userName);
		}
		if(null==admin){										
			this.log.debug("***"+userName+"*** 用户名不从在或是用户名密码不匹配");
			throw new UsernameNotFoundException("User " + userName + " has no GrantedAuthority");
		} else {												
			this.log.debug("新用户登陆:***"+userName+"***");
			String auth = "";
			for(GrantedAuthority authority : admin.getAuthorities()) {   
				auth = auth + ","+ authority.getAuthority().toString();
			}
			this.log.debug("***"+userName+"***拥有权限:"+auth);
			return admin;									
		}
	}

}

<%@ page language="java" contentType="text/html; charset=UTF-8"%>
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<sec:authorize ifAllGranted="ROLE_ADMIN"><div class='unit'><h5>Admin管理</h5><ul><sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../supermanage/linkAdmin.jsp'>账户管理</a></li></sec:authorize><sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../supermanage/linkGroup.jsp'>组管理</a></li></sec:authorize><sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../supermanage/linkRole.jsp'>角色管理</a></li></sec:authorize></ul></div></sec:authorize><sec:authorize ifAllGranted="ROLE_ADMIN"><div class='unit'><h5>User管理</h5><ul><sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='*'>账户管理</a></li></sec:authorize><sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='*'>组管理</a></li></sec:authorize><sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='*'>角色管理</a></li></sec:authorize><sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='*'>积分管理</a></li></sec:authorize><sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='*'>货币管理</a></li></sec:authorize><sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='*'>群发功能</a></li></sec:authorize></ul></div></sec:authorize><sec:authorize ifAllGranted="ROLE_ADMIN"><div class='unit'><h5>基础数据管理</h5><ul><sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../generalmanage/importcorpus.jsp'>语料批量导入</a></li></sec:authorize><sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../generalmanage/importterminology.jsp'>术语批量导入</a></li></sec:authorize><sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../generalmanage/corpus.jsp'>语料单条操作</a></li></sec:authorize><sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../generalmanage/terminology.jsp'>术语单条操作</a></li></sec:authorize><sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../generalmanage/category.jsp'>术语类别操作</a></li></sec:authorize><sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='*'>CAT统计</a></li></sec:authorize><sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../generalmanage/menu.jsp'>菜单管理</a></li></sec:authorize></ul></div></sec:authorize><sec:authorize ifAllGranted="ROLE_ADMIN"><div class='unit'><h5>系统参数管理</h5><ul><sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../supermanage/fault_tolerance.jsp'>语料插入容错</a></li></sec:authorize><sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='/supermanage/corpora_host_map.do?method=query'>语料数据映射</a></li></sec:authorize><sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../supermanage/glossary_fault_tolerance.jsp'>术语插入容错</a></li></sec:authorize><sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../supermanage/glossary_host_map.jsp'>术语数据映射</a></li></sec:authorize><sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../supermanage/host_data.jsp'>主机档案</a></li></sec:authorize></ul></div></sec:authorize>

你可能感兴趣的:(DAO,spring,bean,Security,配置管理)