spring-security3.2.5实现中国式安全管理
最近公司要做开发平台,对安全要求比较高;SPRING SECURTIY框架刚好对所有安全问题都有涉及,框架的作者最近还做了spring-session项目实现分布式会话管理,还有他的另一个开源项目spring-security-oauth2。
关于spring-security的配置方法,网上有非常多的介绍,大都是基于XML配置,配置项目非常多,阅读和扩展都不方便。其实spring-security也有基于java的配置方式,今天就讲讲如何通过java配置方式,扩展spring-security实现权限配置全部从表中读取。
直接上代码:
application.properties配置文件
javaconfig
1.读取数据库中的URL资源对应的权限列表
2.读取登录用户拥有的权限列表
测试数据及案例见
http://note.youdao.com/share/?id=c20e348d9a08504cd3ac1c7c58d1026e&type=note
spring-security-oauth2
http://www.mvnrepository.com/artifact/org.springframework.security.oauth/spring-security-oauth2
Maven Repository: org.springframework.session » spring-session
http://www.mvnrepository.com/artifact/org.springframework.session/spring-session
关于spring-security的配置方法,网上有非常多的介绍,大都是基于XML配置,配置项目非常多,阅读和扩展都不方便。其实spring-security也有基于java的配置方式,今天就讲讲如何通过java配置方式,扩展spring-security实现权限配置全部从表中读取。
直接上代码:
application.properties配置文件
privilesByUsernameQuery= select authority from user_authorities where username = ? allUrlAuthoritiesQuery=SELECT authority_id , url FROM Url_Authorities
javaconfig
/**
*
*/
package com.sivalabs.springapp.config;
import java.util.List;
import javax.annotation.Resource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
//import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.util.StringUtils;
import com.sivalabs.springapp.entities.UrlAuthority;
import com.sivalabs.springapp.repositories.UserRepository;
/**
* @author tony
*
*/
@Configuration
@EnableWebSecurity(debug = true)
// @EnableGlobalMethodSecurity(prePostEnabled = true)
// @ImportResource("classpath:applicationContext-security.xml")
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
JdbcTemplate jdbcTemplate ;
@Autowired
private Environment env;
@Bean
CustomUserDetailsService customUserDetailsService() {
//==================application.properties文件中配置2个SQL=============
//privilesByUsernameQuery= select authority from user_authorities where username = ?
//allUrlAuthoritiesQuery=SELECT authority_id , url FROM Url_Authorities
String privilesByUsernameQuery = env.getProperty("privilesByUsernameQuery");
String allUrlAuthoritiesQuery = env.getProperty("allUrlAuthoritiesQuery");
CustomUserDetailsService customUserDetailsService = new CustomUserDetailsService();
customUserDetailsService.setJdbcTemplate(jdbcTemplate);
customUserDetailsService.setEnableGroups(false);
//根据登录ID,查登录用户的所有权限
if(StringUtils.hasLength(privilesByUsernameQuery))
customUserDetailsService.setAuthoritiesByUsernameQuery(privilesByUsernameQuery);
//所有URL与权限的对应关系
if(StringUtils.hasLength(privilesByUsernameQuery))
customUserDetailsService.setAllUrlAuthoritiesQuery(allUrlAuthoritiesQuery);
return customUserDetailsService;
}
@Resource(name = "userRepository")
private UserRepository userRepository;
@Override
protected void configure(AuthenticationManagerBuilder registry)
throws Exception {
/*
* registry .inMemoryAuthentication() .withUser("siva") // #1
* .password("siva") .roles("USER") .and() .withUser("admin") // #2
* .password("admin") .roles("ADMIN","USER");
*/
// registry.jdbcAuthentication().dataSource(dataSource);
registry.userDetailsService(customUserDetailsService());
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/resources/**"); // #3web
}
// AntPathRequestMatcher --> AntPathRequestMatcher --->AntPathMatcher
@Override
protected void configure(HttpSecurity http) throws Exception {
//1.登录注册等URL不要身份验证
http.csrf().disable().authorizeRequests()
.antMatchers("/login", "/login/form**", "/register", "/logout")
.permitAll() // #4
.antMatchers("/admin", "/admin/**").hasRole("ADMIN"); // #6
//2. 从数据库中读取所有需要权限控制的URL资源,注意当新增URL控制时,需要重启服务
List<UrlAuthority> urlAuthorities = customUserDetailsService().loadUrlAuthorities();
for (UrlAuthority urlAuthority : urlAuthorities) {
http.authorizeRequests().antMatchers(urlAuthority.getUrl()).hasAuthority(String.valueOf(urlAuthority.getId()));
}
//3. 除1,2两个步骤验证之外的URL资源,只要身份认证即可访问
http.authorizeRequests().anyRequest().authenticated() // 7
.and().formLogin() // #8
.loginPage("/login/form") // #9
.loginProcessingUrl("/login").defaultSuccessUrl("/welcome") // #defaultSuccessUrl
.failureUrl("/login/form?error").permitAll(); // #5
}
}
1.读取数据库中的URL资源对应的权限列表
2.读取登录用户拥有的权限列表
/**
*
*/
package com.sivalabs.springapp.config;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;
import com.sivalabs.springapp.entities.UrlAuthority;
/**
* @author tony
*
*/
public class CustomUserDetailsService extends JdbcDaoImpl{
private String allUrlAuthoritiesQuery ;
/**
* 从数据库中读取所有需要权限控制的URL资源,注意当新增URL控制时,需要重启服务
*/
public List<UrlAuthority> loadUrlAuthorities( ) {
return getJdbcTemplate().query(allUrlAuthoritiesQuery, new RowMapper<UrlAuthority>() {
public UrlAuthority mapRow(ResultSet rs, int rowNum) throws SQLException {
return new UrlAuthority (rs.getInt(1),rs.getString(2));
}
});
}
/**
* 从数据库中读取用户权限
* Loads authorities by executing the SQL from <tt>authoritiesByUsernameQuery</tt>.
* @return a list of GrantedAuthority objects for the user
*/
protected List<GrantedAuthority> loadUserAuthorities(String username) {
return getJdbcTemplate().query(super.getAuthoritiesByUsernameQuery(), new String[] {username}, new RowMapper<GrantedAuthority>() {
public GrantedAuthority mapRow(ResultSet rs, int rowNum) throws SQLException {
String roleName = rs.getString(1);
return new SimpleGrantedAuthority(roleName);
}
});
}
public void setAllUrlAuthoritiesQuery(String allUrlAuthoritiesQuery) {
this.allUrlAuthoritiesQuery = allUrlAuthoritiesQuery;
}
}
测试数据及案例见
http://note.youdao.com/share/?id=c20e348d9a08504cd3ac1c7c58d1026e&type=note
spring-security-oauth2
http://www.mvnrepository.com/artifact/org.springframework.security.oauth/spring-security-oauth2
Maven Repository: org.springframework.session » spring-session
http://www.mvnrepository.com/artifact/org.springframework.session/spring-session