2010-02-04 传智播客: Education Office System (6)

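This is the last day of spring-security. Today's main topic is moving the resources that require specific permissions into the database, so that they no longer live in the applicationContext.xml configuration file. After that we integrate the spring-security we have learned over the past two days into the education office system.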


We continue from yesterday and store the resource information in the database.



1. applicationContext.xml

Replace the "configure the Spring Security http security service" part of yesterday's applicationContext.xml with:

    <!-- session-fixation-protection="none" turns off session-fixation protection;
         the default value is "migrateSession" -->
    <sec:http auto-config="true" session-fixation-protection="none" />

    <bean class="org.springframework.security.intercept.web.FilterSecurityInterceptor"
          autowire="byType">
        <sec:custom-filter before="AUTHENTICATION_PROCESSING_FILTER"/>
        <property name="objectDefinitionSource" ref="objectDefinitionSource"/>
    </bean>

Here objectDefinitionSource is the class shown below, and custom-filter makes FilterSecurityInterceptor run before the AUTHENTICATION_PROCESSING_FILTER filter.


2. Add the database tables

The resc table and the role table have a many-to-many relationship.


1) resc

[image: resc table structure]

2) resc_role

[image: resc_role table structure]

3. Related classes

For spring-security to read the resource information from the database, we must write a class that implements the FactoryBean interface.

    package cn.itcast.cc.spring.security;

    import java.util.LinkedHashMap;
    import java.util.Map;
    import javax.annotation.Resource;
    import org.springframework.beans.factory.FactoryBean;
    import org.springframework.security.ConfigAttributeDefinition;
    import org.springframework.security.ConfigAttributeEditor;
    import org.springframework.security.intercept.web.DefaultFilterInvocationDefinitionSource;
    import org.springframework.security.intercept.web.RequestKey;
    import org.springframework.security.util.AntUrlPathMatcher;
    import org.springframework.security.util.UrlMatcher;
    import org.springframework.stereotype.Component;

    @Component("objectDefinitionSource")
    public class DefaultFilterInvocationDefinitionSourceImpl implements FactoryBean {

        @Resource
        ResourceDetailsService resourceDetailsService;

        private UrlMatcher getUrlMatcher() {
            UrlMatcher urlMatcher = new AntUrlPathMatcher();
            return urlMatcher;
        }

        @Override
        public Object getObject() throws Exception {
            UrlMatcher urlMatcher = this.getUrlMatcher();
            // Fetch the source map (URL pattern -> comma-separated role names)
            Map<String, String> srcMap = resourceDetailsService.buildRequestMap();
            LinkedHashMap<RequestKey, Object> requestMap = new LinkedHashMap<RequestKey, Object>();
            ConfigAttributeEditor editor = new ConfigAttributeEditor();
            // Convert the source map into the form the definition source expects
            for (Map.Entry<String, String> entry : srcMap.entrySet()) {
                String url = entry.getKey();
                String roles = entry.getValue();
                if (roles != null) {
                    editor.setAsText(roles);
                    requestMap.put(new RequestKey(url), editor.getValue());
                } else {
                    // Resource with no role assigned
                    requestMap.put(new RequestKey(url), ConfigAttributeDefinition.NO_ATTRIBUTES);
                }
            }
            // Build and return the object
            return new DefaultFilterInvocationDefinitionSource(urlMatcher,
                    requestMap);
        }

        @Override
        public Class getObjectType() {
            // The object type is not declared in advance
            return null;
        }

        @Override
        public boolean isSingleton() {
            // A new definition source is built on every getObject() call
            return false;
        }

    }


The implementation class of the ResourceDetailsService interface is as follows:

    package cn.itcast.cc.spring.security;

    import java.util.LinkedHashMap;
    import java.util.List;
    import java.util.Map;
    import javax.annotation.Resource;
    import org.springframework.jdbc.core.simple.SimpleJdbcTemplate;
    import org.springframework.stereotype.Component;

    @Component("userDetailsService")
    public class ResourceDetailsServiceImpl implements ResourceDetailsService {

        @Resource
        private SimpleJdbcTemplate jdbcTemplate;

        @Override
        public Map<String, String> buildRequestMap() {
            // Note: a left outer join is needed here because some pages have no role assigned,
            // i.e. pages that cannot be accessed with any permission!
            String sql = "SELECT res_string as url,r.name as role " +
                    "FROM resc LEFT JOIN resc_role rr ON rr.resc_id = resc.id " +
                    "LEFT JOIN role r ON rr.role_id = r.id";
            List<Map<String, Object>> results = this.jdbcTemplate.queryForList(sql);
            // LinkedHashMap keeps the row order: URL patterns are matched in map order
            // and the first match wins, so a HashMap would make the rule order arbitrary.
            Map<String, String> srcMap = new LinkedHashMap<String, String>();
            // Concatenate the roles of each URL and put them into the map
            for (Map<String, Object> val : results) {
                String url = (String) val.get("url");
                String role = (String) val.get("role");
                if (srcMap.containsKey(url)) {
                    role = srcMap.get(url) + "," + role;
                }
                srcMap.put(url, role);
            }
            return srcMap;
        }

    }
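The following is an added example, not code from the original post: it folds constructed (url, role) rows of the shape the LEFT JOIN query returns into an insertion-ordered map and resolves request paths by first match, which is how the ordered requestMap is consulted. The matcher is a simplified stand-in for AntUrlPathMatcher, and the class name, paths and role names are assumptions.

```java
import java.util.*;

public class RescMapDemo {
    // Fold rows into pattern -> comma-separated roles; a null value means "no role assigned".
    static Map<String, String> fold(List<String[]> rows) {
        Map<String, String> map = new LinkedHashMap<String, String>(); // keeps row order
        for (String[] row : rows) {
            String url = row[0], role = row[1];
            if (role == null) {                      // LEFT JOIN found no role for this row
                if (!map.containsKey(url)) map.put(url, null);
            } else {
                String prev = map.get(url);          // never append to a null entry
                map.put(url, prev == null ? role : prev + "," + role);
            }
        }
        return map;
    }

    // Simplified stand-in for Ant matching: exact path, or a trailing "/**" prefix.
    static boolean matches(String pattern, String path) {
        if (pattern.endsWith("/**")) {
            String prefix = pattern.substring(0, pattern.length() - 3);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        return pattern.equals(path);
    }

    // Roles of the first matching pattern; "DENY" for a matched resource with no
    // roles; null when no pattern matches at all.
    static String lookup(Map<String, String> map, String path) {
        for (Map.Entry<String, String> e : map.entrySet()) {
            if (matches(e.getKey(), path)) return e.getValue() == null ? "DENY" : e.getValue();
        }
        return null;
    }

    public static void main(String[] args) {
        List<String[]> rows = Arrays.asList(         // constructed rows, most specific first
            new String[] {"/admin/audit.jsp", null},
            new String[] {"/admin/**", "ROLE_ADMIN"},
            new String[] {"/**", "ROLE_USER"},
            new String[] {"/**", "ROLE_ADMIN"});
        Map<String, String> map = fold(rows);
        for (String p : new String[] {"/admin/audit.jsp", "/admin/users.jsp", "/index.jsp"}) {
            System.out.println(p + " -> " + lookup(map, p));
        }
    }
}
```

If the same rows were iterated with "/**" first, every path would resolve to the roles of "/**", which is why the order of the rows and of the map matters.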


Spring-security also provides other useful helper features; google for the details!
