Spring Security 4.X xml配置,草稿记录


"org.springframework.security:spring-security-web:4.1.0.RELEASE",
"org.springframework.security:spring-security-taglibs:4.1.0.RELEASE",
"org.springframework.security:spring-security-config:4.1.0.RELEASE"


配置framework-spring-security.xml

在framework-spring-mvc.xml引用其它依赖的配置文件

<!--数据库 xml -->

<import resource="dbcp-spring-framework.xml"></import>

<!--spring-security xml -->

 <import resource="framework-spring-security.xml"></import>

<beans:beans
        xmlns="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:p="http://www.springframework.org/schema/p"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:context="http://www.springframework.org/schema/context"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans.xsd
          http://www.springframework.org/schema/context
          http://www.springframework.org/schema/context/spring-context.xsd
          http://www.springframework.org/schema/security
              http://www.springframework.org/schema/security/spring-security.xsd">


    <context:component-scan base-package="com.framework.security"/>


    <!--<http pattern="/pm/**" security="none" />-->
    <http pattern="/login.jsp" security="none" />
    <http pattern="/common/**" security="none" />
    <http pattern="/*.ico" security="none" />


    <http  use-expressions="false" >
        <!-- IS_AUTHENTICATED_ANONYMOUSLY 匿名登录 -->
        <intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/pm/**/*.jsp" access="ROLE_STATIC" />
        <form-login login-page="/login"    authentication-failure-url="/login?error=1" authentication-success-forward-url="/main.to" />
        <logout invalidate-session="true" logout-url="/logout"  logout-success-url="/"  />
        <http-basic/>
        <headers >
            <frame-options disabled="true"></frame-options>
        </headers>


        <csrf token-repository-ref="csrfTokenRepository" />


        <session-management session-authentication-error-url="/frame.expired" >
            <!-- max-sessions只容许一个账号登录,error-if-maximum-exceeded 后面账号登录后踢出前一个账号,expired-url session过期跳转界面 -->
            <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" expired-url="/frame.expired" session-registry-ref="sessionRegistry" />
        </session-management>


        <expression-handler ref="webexpressionHandler" ></expression-handler>
    </http>


    <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />


    <beans:bean id="userDetailsService" class="com.framework.security.UserDetailsServiceImpl" />


    <!--配置web端使用权限控制-->
    <beans:bean id="webexpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler" />


    <authentication-manager >
        <authentication-provider ref="authenticationProvider" />
    </authentication-manager>


    <!-- 自定义userDetailsService, 盐值加密 -->
    <beans:bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="hideUserNotFoundExceptions" value="true" />
        <beans:property name="userDetailsService" ref="userDetailsService" />
        <beans:property name="passwordEncoder" ref="passwordEncoder" />
        <beans:property name="saltSource" ref="saltSource" />
    </beans:bean>


    <!-- Md5加密 -->
    <beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />


    <!-- 盐值加密 salt对应数据库字段-->
    <beans:bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource">
        <beans:property name="userPropertyToUse" value="salt"/>
    </beans:bean>


    <beans:bean id="csrfTokenRepository" class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository" />
</beans:beans>

3.编写自定义UserDetailsService
package com.framework.security;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.dao.DataAccessException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.SpringSecurityMessageSource;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import javax.annotation.Resource;
import java.util.*;
/****
 * @author tzz
 * @功能描述
 * @date 2016/5/3
 * 修改人    修改时间   修改说明
 ****/
@Service
@Transactional(rollbackFor=Exception.class)
public class UserDetailsServiceImpl  implements UserDetailsService {
    @Resource
    CustomUserDao customUserDao;
    JdbcUserDetailsManager k;
    private Map<String, UserInfo> userMap = null;
    protected final Log logger = LogFactory.getLog(getClass());
    protected final MessageSourceAccessor messages = SpringSecurityMessageSource
            .getAccessor();
    private String usersByUsernameQuery = "SELECT account,pwd,stat,salt,id,company_id,name,login_stat,login_date ,login_ip FROM USER_ACCOUNT WHERE ACCOUNT = ?";
    private String authoritiesByUsernameQuery ="SELECT NAME,POWER_CODE FROM VW_USER_POWER WHERE ACCOUNT_ID = ?";
    public UserDetailsServiceImpl() {
        userMap = new HashMap<>();
    }
    
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        /*SecurityContextHolder.getContext()
                .getAuthentication().getName();*/
        List<UserDetails> users = loadUsersByUsername(username);
        if (users.size() == 0) {
            logger.debug("Query returned no results for user '" + username + "'");
            throw new UsernameNotFoundException(messages.getMessage(
                    "JdbcDaoImpl.notFound", new Object[] { username },
                    "Username {0} not found"));
        }
        UserInfo user = (UserInfo)users.get(0);
       Set<GrantedAuthority> dbAuthsSet = new HashSet<>();

        dbAuthsSet.addAll(loadUserAuthorities(user.getId()));
        dbAuthsSet.add(new SimpleGrantedAuthority("ROLE_STATIC"));
        List<GrantedAuthority> dbAuths = new ArrayList<>(dbAuthsSet);

        if (dbAuths.size() == 0) {
            logger.debug("User '" + username
                    + "' has no authorities and will be treated as 'not found'");

            throw new UsernameNotFoundException(messages.getMessage(
                    "JdbcDaoImpl.noAuthority", new Object[] { username },
                    "User {0} has no GrantedAuthority"));
        }
        return createUserDetails(username,user,dbAuths);
        //return user;
    }

    protected UserDetails createUserDetails(String username,
                                            UserInfo userFromUserQuery, List<GrantedAuthority> combinedAuthorities) {
        String returnUsername = userFromUserQuery.getUsername();
        UserInfo user = new UserInfo(returnUsername,userFromUserQuery.getPassword(), userFromUserQuery.isEnabled(), true, true, true,
                combinedAuthorities);
        user.setId(userFromUserQuery.getId());
        user.setCompanyId(userFromUserQuery.getCompanyId());
        user.setName(userFromUserQuery.getName());
        user.setLoginStat(userFromUserQuery.getLoginStat());
        user.setLoginDate(userFromUserQuery.getLoginDate());
        user.setLoginIP(userFromUserQuery.getLoginIP());
        user.setSalt(userFromUserQuery.getSalt());
        return user;
    }
    /**
     * Loads authorities by executing the SQL from
     * <tt>groupAuthoritiesByUsernameQuery</tt>.
     *
     * @return a list of GrantedAuthority objects for the user
     */
    protected List<GrantedAuthority> loadUserAuthorities(int userId) {
        try {
           return customUserDao.queryForList(this.authoritiesByUsernameQuery,
                    new Object[] { userId },(rs,rowNum)-> {
                            String roleName = getRolePrefix() + rs.getString(2);
                            return new SimpleGrantedAuthority(roleName);
                    });
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }
    public String getRolePrefix() {
        return "ROLE_";
    }
    /**
     * Loads authorities by executing the SQL from <tt>authoritiesByUsernameQuery</tt>.
     *
     * @return a list of GrantedAuthority objects for the user
     */
    protected List<UserDetails> loadUsersByUsername(String username)  {
        try {

           return customUserDao.queryForList(this.usersByUsernameQuery, new Object[] { username},
                    (rs, rowNum) -> {
                        String username1 = rs.getString(1);
                        String password = rs.getString(2);
                        boolean enabled = rs.getBoolean(3);
                        UserInfo user = new UserInfo(username1, password, enabled, true, true, true,
                                AuthorityUtils.NO_AUTHORITIES);
                        user.setSalt(rs.getString(4));
                        user.setId(rs.getInt(5));
                        user.setCompanyId(rs.getInt(6));
                        user.setName(rs.getString(7));
                        user.setLoginStat(rs.getInt(8));
                        user.setLoginDate(rs.getLong(9));
                        user.setLoginIP(rs.getString(10));
                        return user;
                    }
            );
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }

}
spring Security 调试的时候用到
BasicAuthenticationFilter
UsernamePasswordAuthenticationFilter
BasicAuthenticationFilter
MessageDigestPasswordEncoder.isPasswordValid

package com.framework.security;
import com.framework.db.BaseDao;
import org.springframework.stereotype.Repository;
@Repository("customUserDao")
public class CustomUserDao extends BaseDao {
	public CustomUserDao() {
		super(Object.class);
	}
}
基于框架的BaseDao 

 
 
@Repository("baseDao")
public class BaseDao<T> implements BaseDaoImp<T> {
	Logger log1 = LoggerFactory.getLogger(BaseDao.class);
	@Resource(name="jdbcTemplate")
	private JdbcTemplate jdbcTemplate;
	
	public JdbcTemplate getJdbcTemplate(){
		return this.jdbcTemplate;
	}
	private Class<T> entityClass;  
	
	public BaseDao(){}
	
	public BaseDao(Class<T> entityClass) {
        this.entityClass = entityClass;  
	}
	@Override
<span style="white-space:pre">	</span>public <T1> List<T1> queryForList(String sql, Object[] args, RowMapper<T1> rowMapper) throws DataAccessException {
 <span style="white-space:pre">		</span>return jdbcTemplate.query(sql, args,rowMapper);
 <span style="white-space:pre">	</span>}
}

自定义UserInfo对象

package com.framework.security;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;

import java.util.Collection;

/****
 * @author tzz
 * @功能描述
 * @date 2016/5/3
 * 修改人    修改时间   修改说明
 ****/
public class UserInfo extends User {
    private int id;
    private int companyId;//所属公司
    private int loginSystemId = 0;//当前登录系统ID
    private String name;//用户名称
    private int loginStat;//登录状态 1:登录 2:未登陆
    private String loginIP;//登录IP
    private long loginDate;//登录时间
    private String salt;//盐值字段
    public UserInfo(String username, String password, Collection<? extends GrantedAuthority> authorities) {
        super(username, password, authorities);
    }

    public UserInfo(String username, String password, boolean enabled, boolean accountNonExpired, 
boolean credentialsNonExpired, boolean accountNonLocked, Collection<? extends GrantedAuthority> authorities) {
        super(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);

    }

    public String getSalt() {
        return salt;
    }

    public void setSalt(String salt) {
        this.salt = salt;
    }

    public int getId() {
        return id;
    }

    public void setId(int id) {
        this.id = id;
    }

    public int getCompanyId() {
        return companyId;
    }

    public void setCompanyId(int companyId) {
        this.companyId = companyId;
    }

    public int getLoginSystemId() {
        return loginSystemId;
    }

    public void setLoginSystemId(int loginSystemId) {
        this.loginSystemId = loginSystemId;
    }

    public String getName() {
        return name;
    }

    public void setName(String name) {
        this.name = name;
    }

    public int getLoginStat() {
        return loginStat;
    }

    public void setLoginStat(int loginStat) {
        this.loginStat = loginStat;
    }

    public String getLoginIP() {
        return loginIP;
    }

    public void setLoginIP(String loginIP) {
        this.loginIP = loginIP;
    }

    public long getLoginDate() {
        return loginDate;
    }

    public void setLoginDate(long loginDate) {
        this.loginDate = loginDate;
    }

}


你可能感兴趣的:(spring,Security,4)