Java后台框架篇--Springsecurity(二)
剩下的页面代码
本来想给这个demo的源码出来的,但是笔者觉得,通过这个教程一步一步读下来,并自己敲一遍代码,会比直接运行一遍demo印象更深刻,并且更容易理解里面的原理。
而且我的源码其实都公布出来了:
login.jsp:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
<%@pagelanguage="java"import="java.util.*"pageEncoding="UTF-8"%>
<!DOCTYPEhtmlPUBLIC"-//W3C//DTD
HTML 4.01 Transitional//EN">
<html>
<head>
<title>登录</title>
</head>
<body>
<form
action ="j_spring_security_check"method="POST">
<table>
<tr>
<td>用户:</td>
<td><input
type ='text'name='j_username'></td>
</tr>
<tr>
<td>密码:</td>
<td><input
type ='password'name='j_password'></td>
</tr>
<tr>
<td><input
name ="reset"type="reset"></td>
<td><input
name ="submit"type="submit"></td>
</tr>
</table>
</form>
</body>
</html>
|
index.jsp:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
<%@pagelanguage="java"import="java.util.*"pageEncoding="UTF-8"%>
<%@taglibprefix="sec"uri="http://www.springframework.org/security/tags"%>
<!DOCTYPEHTMLPUBLIC"-//W3C//DTD
HTML 4.01 Transitional//EN">
<html>
<head>
<title>My
JSP 'index.jsp'starting
page</title>
</head>
<body>
<h3>这是首页</h3>欢迎
<sec:authentication
property ="name"/>
!
<a
href="admin.jsp">进入admin页面</a>
<a
href="other.jsp">进入其它页面</a>
</body>
</html>
|
admin.jsp:
|
1
2
3
4
5
6
7
8
9
10
11
|
<%@pagelanguage="java"import="java.util.*"pageEncoding="utf-8"%>
<!DOCTYPEHTMLPUBLIC"-//W3C//DTD
HTML 4.01 Transitional//EN">
<html>
<head>
<title>My
JSP 'admin.jsp'starting
page</title>
</head>
<body>
欢迎来到管理员页面.
</body>
</html>
|
accessDenied.jsp:
|
1
2
3
4
5
6
7
8
9
10
11
|
<%@page
language="java" import="java.util.*" pageEncoding="utf-8"%>
<!DOCTYPEHTMLPUBLIC"-//W3C//DTD
HTML 4.01 Transitional//EN">
<html>
<head>
<title>My
JSP 'admin.jsp' starting page</title>
</head>
<body>
欢迎来到管理员页面.
</body>
</html>
|
other.jsp:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
<%@
page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%
String
path = request.getContextPath();
String
basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";
%>
<!DOCTYPE
HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<basehref="<%=basePath%>">
<title>My
JSP 'other.jsp' starting page</title>
<metahttp-equiv="pragma"content="no-cache">
<metahttp-equiv="cache-control"content="no-cache">
<metahttp-equiv="expires"content="0">
<metahttp-equiv="keywords"content="keyword1,keyword2,keyword3">
<metahttp-equiv="description"content="This
is my page">
<!--
<link
rel="stylesheet" type="text/css" href="styles.css">
--> </head>
<body>
<h3>这里是Other页面</h3>
</body>
</html>
|
项目图:
最后的话:
虽然笔者没给读者们demo,但是所有源码和jar包都在这个教程里面,为什么不直接给?笔者的目的是让读者跟着教程敲一遍代码,使印象深刻(相信做这行的都知道,同样一段代码,看过和敲过的区别是多么的大),所以不惜如此来强迫大家了。
由于笔者有经常上csdn博客的习惯,所以读者有什么不懂的(或者指教的),笔者尽力解答。
转载请标注本文链接:http://blog.csdn.net/u012367513/article/details/38866465
补充:
(2014年11月21日第一次补充):
第一点:
MyUserDetailService这个类负责的是只是获取登陆用户的详细信息(包括密码、角色等),不负责和前端传过来的密码对比,只需返回User对象,后会有其他类根据User对象对比密码的正确性(框架帮我们做)。
第二点:
记得MyInvocationSecurityMetadataSource这个类是负责的是获取角色与url资源的所有对应关系,并根据url查询对应的所有角色。
今天为一个项目搭安全架构时,第一,发现上面MyInvocationSecurityMetadataSource这个类的代码有个bug:
上面的代码中,将所有的对应关系缓存到resourceMap,key是url,value是这个url对应所有角色。
getAttributes方法中,只要匹配到一个url就返回这个url对应所有角色,不再匹配后面的url,问题来了,当url有交集时,就有可能漏掉一些角色了:如有两个 url ,第一个是 /** ,第二个是 /role1/index.jsp ,第一个当然需要很高的权限了(因为能匹配所有 url ,即可以访问所有 url ),假设它需要的角色是 ROLE_ADMIN (不是一般人拥有的),第二个所需的角色是 ROLE_1 。 当我用 ROLE_1 这个角色访问 /role1/index.jsp 时,在getAttributes方法中,当先迭代了 /** 这个url,它就能匹配 /role1/index.jsp 这个url,并直接返回 /** 这个url对应的所有角色(在这,也就ROLE_ADMIN)给MyAccessDecisionManager这个投票类, MyAccessDecisionManager这个类中再对比 用户的角色 ROLE_1 ,就会发现不匹配。 最后,明明可以有权访问的 url ,却不能访问了。
第二,之前不是说缓存所有对应关系,需要读者自己写sessionFactory(因为在实例化这个类时,配置的sessionFactory可能还没实例化或dao还没加载好),既然这样,那笔者可以不在构造方法中加载对应关系,可以在第一次调用getAttributes方法时再加载(用静态变量缓存起来,第二次就不用再加载了, 注:其实这样不是很严谨,不过笔者这里的对应关系是不变的,单例性不需很强,更严谨的请参考笔者另一篇博文设计模式之单件模式)。
修改过的MyInvocationSecurityMetadataSource类:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
packagecom.lcy.bookcrossing.springSecurity;
importjava.util.ArrayList;
importjava.util.Collection;
importjava.util.HashMap;
importjava.util.HashSet;
importjava.util.Iterator;
importjava.util.List;
importjava.util.Map;
importjava.util.Set;
importjavax.annotation.Resource;
importorg.springframework.security.access.ConfigAttribute;
importorg.springframework.security.access.SecurityConfig;
importorg.springframework.security.web.FilterInvocation;
importorg.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
importcom.lcy.bookcrossing.bean.RoleUrlResource;
importcom.lcy.bookcrossing.dao.IRoleUrlResourceDao;
importcom.lcy.bookcrossing.springSecurity.tool.AntUrlPathMatcher;
importcom.lcy.bookcrossing.springSecurity.tool.UrlMatcher;
publicclass
MyInvocationSecurityMetadataSource implementsFilterInvocationSecurityMetadataSource
{
privateUrlMatcher
urlMatcher = newAntUrlPathMatcher();
//
private static Map<String, Collection<ConfigAttribute>> resourceMap = null;
//将所有的角色和url的对应关系缓存起来
privatestatic
List<RoleUrlResource> rus = null;
@Resource privateIRoleUrlResourceDao
roleUrlDao;
//tomcat启动时实例化一次
publicMyInvocationSecurityMetadataSource()
{
//
loadResourceDefine();
}
//tomcat开启时加载一次,加载所有url和权限(或角色)的对应关系
/*private
void loadResourceDefine() {
resourceMap
= new HashMap<String, Collection<ConfigAttribute>>();
Collection<ConfigAttribute>
atts = new ArrayList<ConfigAttribute>();
ConfigAttribute
ca = new SecurityConfig("ROLE_USER");
atts.add(ca);
resourceMap.put("/index.jsp",
atts);
Collection<ConfigAttribute>
attsno =new ArrayList<ConfigAttribute>();
ConfigAttribute
cano = new SecurityConfig("ROLE_NO");
attsno.add(cano);
resourceMap.put("/other.jsp",
attsno);
}
*/
//参数是要访问的url,返回这个url对于的所有权限(或角色)
public
Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
//
将参数转为url
String
url = ((FilterInvocation)object).getRequestUrl();
//查询所有的url和角色的对应关系
if(rus
== null){
rus
= roleUrlDao.findAll();
}
//匹配所有的url,并对角色去重
Set<String>
roles = new HashSet<String>();
for(RoleUrlResource
ru : rus){
if
(urlMatcher.pathMatchesUrl(ru.getUrlResource().getUrl(), url)) {
roles.add(ru.getRole().getRoleName());
}
}
Collection<ConfigAttribute>
cas = new ArrayList<ConfigAttribute>();
for(String
role : roles){
ConfigAttribute
ca = new SecurityConfig(role);
cas.add(ca);
}
return
cas;
/*Iterator<String>
ite = resourceMap.keySet().iterator();
while
(ite.hasNext()) {
String
resURL = ite.next();
if
(urlMatcher.pathMatchesUrl(resURL, url)) {
return
resourceMap.get(resURL);
}
}
return
null; */ }
publicboolean
supports(Class<?>clazz) {
returntrue;
}
publicCollection<ConfigAttribute>
getAllConfigAttributes() {
returnnull;
}
}
|
以上代码,在getAttributes方法中缓存起所有的对应关系(可以使用依赖注入了),并匹配所有 url ,对角色进行去重(因为多个url可能有重复的角色),这样就能修复那个bug了。
转载请标注本文链接:http://blog.csdn.net/u012367513/article/details/38866465
(2014年12月10日第二次补充):
这次补充不是修上面的bug,而是添加新功能。
我们知道,上面的实现的登陆界面只能传递两个参数(j_username,j_password),而且是固定的。
总是有一个项目需求,我们的角色(ROLE_)不是很多,只需在登陆界面选择一种角色就行了,那么如何将角色类型传递到spring security呢,现在笔者对配置文件再修改修改:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
<?xmlversion="1.0"encoding="UTF-8"?>
<b:beansxmlns="http://www.springframework.org/schema/security" xmlns:b="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<!--
配置不需要安全管理的界面 --> <httppattern="/jsp/css/**"security="none"></http>
<httppattern="/jsp/js/**"security="none"></http>
<httppattern="/jsp/images/**"security="none"></http>
<httppattern="/login.jsp"security="none"/>
<httppattern="/accessDenied.jsp"security="none"/>
<httppattern="/index.jsp"security="none"/>
<httpuse-expressions='true'entry-point-ref="myAuthenticationEntryPoint"access-denied-page="/accessDenied.jsp">
<!--
使用自己自定义的登陆认证过滤器 --><!--
这里一定要注释掉,因为我们需要重写它的过滤器 --> <!--
<form-login login-page="/login.jsp"
authentication-failure-url="/accessDenied.jsp"
default-target-url="/index.jsp"
/>
--> <!--访问/admin.jsp资源的用户必须具有ROLE_ADMIN的权限
--> <!--
<intercept-url pattern="/admin.jsp" access="ROLE_ADMIN" /> --> <!--访问/**资源的用户必须具有ROLE_USER的权限
--> <!--
<intercept-url pattern="/**" access="ROLE_USER" /> --> <session-management>
<concurrency-controlmax-sessions="1" error-if-maximum-exceeded="false"/>
</session-management>
<!--
认证和授权 --><!--
重写登陆认证的过滤器,使我们可以拿到任何参数 --> <custom-filterref="myAuthenticationFilter"position="FORM_LOGIN_FILTER" />
<custom-filterref="myFilter"before="FILTER_SECURITY_INTERCEPTOR"/>
<!--
登出管理 --> <logoutinvalidate-session="true"logout-url="/j_spring_security_logout"/>
</http>
<!--
未登录的切入点 --><!--
需要有个切入点 --> <b:beanid="myAuthenticationEntryPoint"class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<b:propertyname="loginFormUrl"value="/login.jsp"></b:property>
</b:bean>
<!--
登录验证器:用户有没有登录的资格 --><!--
这个就是重写的认证过滤器 --> <b:beanid="myAuthenticationFilter"class="com.lcy.springSecurity.MyAuthenticationFilter">
<b:propertyname="authenticationManager"ref="authenticationManager"/>
<b:propertyname="filterProcessesUrl"value="/j_spring_security_check"/>
<b:propertyname="authenticationSuccessHandler">
<b:beanclass="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<b:propertyname="defaultTargetUrl"value="/index.jsp"/>
</b:bean>
</b:property>
<b:propertyname="authenticationFailureHandler">
<b:beanclass="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<b:propertyname="defaultFailureUrl"value="/accessDenied.jsp"/>
</b:bean>
</b:property>
</b:bean>
<!--一个自定义的filter,必须包含
authenticationManager,accessDecisionManager,securityMetadataSource三个属性,我们的所有控制将在这三个类中实现,解释详见具体配置 --> <b:beanid="myFilter" class="com.lcy.springSecurity.MyFilterSecurityInterceptor">
<b:propertyname="authenticationManager"ref="authenticationManager"/>
<b:propertyname="accessDecisionManager"ref="myAccessDecisionManagerBean"/>
<b:propertyname="securityMetadataSource"ref="securityMetadataSource"/>
</b:bean>
<!--验证配置,认证管理器,实现用户认证的入口,主要实现UserDetailsService接口即可
--> <authentication-manageralias="authenticationManager">
<authentication-provideruser-service-ref="myUserDetailService">
<!--如果用户的密码采用加密的话
<password-encoder hash="md5" /> --> <!--
<password-encoder hash="md5" /> --> </authentication-provider>
</authentication-manager>
<!--在这个类中,你就可以从数据库中读入用户的密码,角色信息,是否锁定,账号是否过期等
--> <b:beanid="myUserDetailService"class="com.lcy.springSecurity.MyUserDetailService"/>
<!--访问决策器,决定某个用户具有的角色,是否有足够的权限去访问某个资源
--> <b:beanid="myAccessDecisionManagerBean" class="com.lcy.springSecurity.MyAccessDecisionManager">
</b:bean>
<!--资源源数据定义,将所有的资源和权限对应关系建立起来,即定义某一资源可以被哪些角色访问
--> <b:beanid="securityMetadataSource" class="com.lcy.springSecurity.MyInvocationSecurityMetadataSource"/>
</b:beans>
|
我现在的项目需要的是,角色只要管理员、教师、学生,所以MyAuthenticationFilter(重写的认证过滤器):
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
|
packagecom.lcy.springSecurity;
importjavax.annotation.Resource;
importjavax.servlet.http.HttpServletRequest;
importjavax.servlet.http.HttpServletResponse;
importorg.springframework.security.authentication.AuthenticationServiceException;
importorg.springframework.security.authentication.BadCredentialsException;
importorg.springframework.security.authentication.UsernamePasswordAuthenticationToken;
importorg.springframework.security.core.Authentication;
importorg.springframework.security.core.AuthenticationException;
importorg.springframework.security.core.context.SecurityContextHolder;
importorg.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
importcom.lcy.dao.IAdminDao;
importcom.lcy.dao.IStudentDao;
importcom.lcy.dao.ITeacherDao;
importcom.lcy.entity.Admin;
importcom.lcy.entity.Student;
importcom.lcy.entity.Teacher;
publicclass
MyAuthenticationFilter extendsUsernamePasswordAuthenticationFilter
{
privatestatic
final
String USERNAME = "username";
privatestatic
final
String PASSWORD = "password";
@Resource privateIStudentDao
studentdao;
@Resource privateITeacherDao
teacherdao;
@Resource privateIAdminDao
admindao;
@Override publicAuthentication
attemptAuthentication(HttpServletRequest request, HttpServletResponse response)throwsAuthenticationException
{
if(!request.getMethod().equals("POST"))
{
thrownew
AuthenticationServiceException("Authentication
method not supported: "
+ request.getMethod());
}
String
username = obtainUsername(request);
String
password = obtainPassword(request);
String
roletype = request.getParameter("roletype");
username
= username.trim();
UsernamePasswordAuthenticationToken
authRequest = null;
if(!"".equals(roletype)
|| roletype != null){
if("student".equals(roletype)){
Student
stu = studentdao.findById(username);
//通过session把用户对象设置到session中
request.getSession().setAttribute("session_user",
stu);
//将角色标志在username上
username
= "stu"+username;
try{
if(stu
== null||
!stu.getPassword().equals(password)) {
BadCredentialsException
exception = newBadCredentialsException("用户名或密码不匹配");
throwexception;
}
}catch(Exception
e) {
BadCredentialsException
exception = newBadCredentialsException("没有此用户");
throwexception;
}
}elseif("teacher".equals(roletype)){
Teacher
tea = teacherdao.findById(username);
//通过session把用户对象设置到session中
request.getSession().setAttribute("session_user",
tea);
//将角色标志在username上
username
= "tea"+username;
try{
if(tea
== null||
!tea.getPassword().equals(password)) {
BadCredentialsException
exception = newBadCredentialsException("用户名或密码不匹配");
throwexception;
}
}catch(Exception
e) {
BadCredentialsException
exception = newBadCredentialsException("没有此用户");
throwexception;
}
}elseif("admin".equals(roletype)){
Admin
adm = admindao.findById(username);
//通过session把用户对象设置到session中
request.getSession().setAttribute("session_user",
adm);
//将角色标志在username上
username
= "adm"+username;
try{
if(adm
== null||
!password.equals(adm.getPassword())) {
BadCredentialsException
exception = newBadCredentialsException("用户名或密码不匹配");
throwexception;
}
}catch(Exception
e) {
BadCredentialsException
exception = newBadCredentialsException("没有此用户");
throwexception;
}
}else{
BadCredentialsException
exception = newBadCredentialsException("系统错误:没有对应的角色!");
throwexception;
}
}
//实现验证
authRequest
= newUsernamePasswordAuthenticationToken(username,
password);
//允许设置用户详细属性
setDetails(request,
authRequest);
//运行
returnthis.getAuthenticationManager().authenticate(authRequest);
}
@Override protectedString
obtainUsername(HttpServletRequest request) {
Object
obj = request.getParameter(USERNAME);
returnnull
== obj ? "":
obj.toString();
}
@Override protectedString
obtainPassword(HttpServletRequest request) {
Object
obj = request.getParameter(PASSWORD);
returnnull
== obj ? "":
obj.toString();
}
@Override protectedvoid
setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) {
super.setDetails(request,
authRequest);
}
}
|
笔者自己断点可知,执行完上面那个认证过滤器,才会执行MyUserDetailService。
注:因为 MyUserDetailService类中的loadUserByUsername(String username) 方法只能接收一个参数username,而且这个username是从认证过滤器那里传过来的,所以笔者就通过username顺带传递角色类型过来,如上面认证过滤器,将角色类型拼在username中。到MyUserDetailService类在解开。(如有更好的方法,请评论告知,谢谢)
MyUserDetailService:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
|
packagecom.lcy.springSecurity;
importjava.util.ArrayList;
importjava.util.Collection;
importjavax.annotation.Resource;
importorg.springframework.dao.DataAccessException;
importorg.springframework.security.core.GrantedAuthority;
importorg.springframework.security.core.authority.SimpleGrantedAuthority;
importorg.springframework.security.core.userdetails.User;
importorg.springframework.security.core.userdetails.UserDetails;
importorg.springframework.security.core.userdetails.UserDetailsService;
importorg.springframework.security.core.userdetails.UsernameNotFoundException;
importcom.lcy.dao.IAdminDao;
importcom.lcy.dao.IStudentDao;
importcom.lcy.dao.ITeacherDao;
importcom.lcy.entity.Admin;
importcom.lcy.entity.Student;
importcom.lcy.entity.Teacher;
publicclass
MyUserDetailService implementsUserDetailsService
{
@Resource privateIStudentDao
studentdao;
@Resource privateITeacherDao
teacherdao;
@Resource privateIAdminDao
admindao;
//登陆验证时,通过username获取用户的所有权限信息,
//并返回User放到spring的全局缓存SecurityContextHolder中,以供授权器使用
publicUserDetails
loadUserByUsername(String username)
throwsUsernameNotFoundException,
DataAccessException {
Collection<GrantedAuthority>
auths= newArrayList<GrantedAuthority>();
//获取角色标志
String
roletype = username.substring(0,3);
username
= username.substring(3);
String
password = "";
if("stu".equals(roletype)){
Student
stu = studentdao.findById(username);
password
= stu.getPassword();
auths.add(newSimpleGrantedAuthority("ROLE_STU"));
}elseif("tea".equals(roletype)){
Teacher
tea = teacherdao.findById(username);
password
= tea.getPassword();
auths.add(newSimpleGrantedAuthority("ROLE_TEA"));
}elseif("adm".equals(roletype)){
Admin
adm = admindao.findById(username);
password
= adm.getPassword();
auths.add(newSimpleGrantedAuthority("ROLE_ADM"));
}
User
user = newUser(username,
password, true,true,true,true,
auths);
returnuser;
}
}
|
相关推荐
- rabbitMQ第二篇:java简单的实现RabbitMQ
- 关于jsPlumbToolkit的一些代码 (第二篇java篇) (嘻嘻!!!)
- Java实现简易RPC框架(二)
- 自定义Java web框架(二)
- JAVA_WEB Hibernate框架学习 第二章(Hibernate中对象的状态、缓存、事务、查询及批量查询)
- Hello Java8 快速上手第二篇
- 30分钟零基础入门Java后台SSM框架
- [Java面试]二:常见面试题之框架篇Spring MVC
- JAVA消息(第二篇)AMQP-RabbitMQ实战
- Java集合框架篇-38-集合的由来和集合继承体系图
- 【消息队列】:如何保证消息队列的高可用?
- Python的九个面试考题知识点和Python学习资料分享