spring security 2.0相对1.0配置的简化
spring security 2.0的配置文件可以使用spring2.0的命名空间配置,大大减少了配置量,最显著的一点就是省掉了那个长长的filter串。
1.0时需要先配置一个filter代理,由filter代理来执行acegi其他的功能filter:
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy"> <property name="filterInvocationDefinitionSource"> <!--所有需要用的acegi的filter都必须按顺序在这排列好--> <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,basicProcessingFilter,securityContextHolderAwareRequestFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor </value> </property> </bean>
web.xml里配置filter代理:
<filter> <filter-name>AcegiFilterChainProxy</filter-name> <filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class> <init-param> <param-name>targetClass</param-name> <param-value>org.acegisecurity.util.FilterChainProxy</param-value> </init-param> </filter> <filter-mapping> <filter-name>AcegiFilterChainProxy</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
然后再一个一个配置相应的功能filter,相当繁琐。
2.0只需要
<security:http auto-config="true">
</security:http>
web.xml里:
<filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
ss就会自动代理几个基本的功能filter(如AuthenticationProcessingFilter),filter也有了默认配置,不必在一个个去配置。
使用security命名空间需要将spring配置文件的头上加上security命名空间的xsd:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
。。。
</beans>
security:http标签内还可以包含其他的功能标签,如:
<security:http auto-config="true">
<security:anonymous
granted-authority="${security.anonymous.authorities}" />
</security:http>
可以提供匿名访问支持,相当于1.0时的非基本的功能filter,remember-me等也可以这样实现。
不过事实上ss的默认实现是很简陋的,提供的demo里都是使用内存数据库,权限配置也都是写死到配置文件里,根本无法在项目中应用,进行相应的扩展是不可避免的。
ss也提供了覆盖默认配置的方法:<security:custom-filter position="alias"/>,position为相应filter的别名。
对应关系:
| CHANNEL_FILTER | ChannelProcessingFilter |
| CONCURRENT_SESSION_FILTER | ConcurrentSessionFilter |
| SESSION_CONTEXT_INTEGRATION_FILTER | HttpSessionContextIntegrationFilter |
| LOGOUT_FILTER | LogoutFilter |
| X509_FILTER | X509PreAuthenticatedProcessigFilter |
| PRE_AUTH_FILTER | Subclass of AstractPreAuthenticatedProcessingFilter |
| CAS_PROCESSING_FILTER | CasProcessingFilter |
| AUTHENTICATION_PROCESSING_FILTER | AuthenticationProcessingFilter |
| BASIC_PROCESSING_FILTER | BasicProcessingFilter |
| SERVLET_API_SUPPORT_FILTER | classname |
| REMEMBER_ME_FILTER | RememberMeProcessingFilter |
| ANONYMOUS_FILTER | AnonymousProcessingFilter |
| EXCEPTION_TRANSLATION_FILTER | ExceptionTranslationFilter |
| NTLM_FILTER | NtlmProcessingFilter |
| FILTER_SECURITY_INTERCEPTOR | FilterSecurityInterceptor |
| SWITCH_USER_FILTER | SwitchUserProcessingFilter |
比如:
<bean id="logoutFilter"
class="org.springframework.security.ui.logout.LogoutFilter">
<security:custom-filter position="LOGOUT_FILTER" />
<!-- 退出后指向的 URL -->
<constructor-arg value="${security.logout_success_url}" />
<constructor-arg>
<list>
<bean
class="org.springframework.security.ui.logout.SecurityContextLogoutHandler" />\
</list>
</constructor-arg>
<property name="filterProcessesUrl"
value="${security.logout_processes_url}" />
</bean>
这个filter将覆盖默认的logoutFilter