摘要:實(shí)現(xiàn)了接口,用于存放用戶信息與權(quán)限在身份認(rèn)證中的作用中進(jìn)行身份驗(yàn)證的是接口���,是它的一個(gè)默認(rèn)實(shí)現(xiàn)�,但它并不用來(lái)處理身份認(rèn)證���,而是委托給配置好的����,每個(gè)會(huì)輪流檢查身份認(rèn)證。檢查后或者返回對(duì)象或者拋出異常���。另外自定義接口�����,實(shí)現(xiàn)類為�����。
Srping Security網(wǎng)上也有很多例子���,但基本都是所資源直接配置在XML文件里,限制太大�����,不夠靈活���。我們需要的是可以在后臺(tái)修改資源訪問權(quán)限�����,實(shí)時(shí)生效�,才能符合現(xiàn)在大多數(shù)系統(tǒng)的需求�����。
需要引入的依賴
org.springframework.security
spring-security-web
4.2.2.RELEASE
org.springframework.security
spring-security-config
4.2.2.RELEASE
用戶身份認(rèn)證
我們自定義一個(gè)實(shí)現(xiàn)類MUserDetailsService 來(lái)實(shí)現(xiàn)UserDetailsService接口��。
其中需要實(shí)現(xiàn)一個(gè)loadUserByUsername方法���,用來(lái)讀取用戶的角色�����。
在這里需要從數(shù)據(jù)庫(kù)中通過(guò)用戶名來(lái)查詢用戶的信息和用戶所屬的角色
其中MGrantedAuthority實(shí)現(xiàn)了GrantedAuthority接口�,用于構(gòu)建用戶權(quán)限���。
MUserDeatils實(shí)現(xiàn)了UserDeatils接口��,用于存放用戶信息與權(quán)限
UserDetailsService在身份認(rèn)證中的作用
Spring Security中進(jìn)行身份驗(yàn)證的是AuthenticationManager接口�����,ProviderManager是它的一個(gè)默認(rèn)實(shí)現(xiàn)�,但它并不用來(lái)處理身份認(rèn)證,而是委托給配置好的AuthenticationProvider�����,每個(gè)AuthenticationProvider會(huì)輪流檢查身份認(rèn)證���。檢查后或者返回Authentication對(duì)象或者拋出異常��。驗(yàn)證身份就是加載響應(yīng)的UserDetails����,看看是否和用戶輸入的賬號(hào)����、密碼、權(quán)限等信息匹配���。此步驟由實(shí)現(xiàn)AuthenticationProvider的DaoAuthenticationProvider(它利用UserDetailsService驗(yàn)證用戶名���、密碼和授權(quán))處理。包含 GrantedAuthority 的 UserDetails對(duì)象在構(gòu)建 Authentication對(duì)象時(shí)填入數(shù)據(jù)�����。
MUserDetailsService.class中的loadUserByUsername方法
/**
* 根據(jù)用戶名加載用戶密碼與權(quán)限信息
* @param username
* @return
* @throws UsernameNotFoundException
*/
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
//查詢用戶信息
User user = userMapper.selectByName(username);
List roleList = null;
MUserDeatils userDeatils = null;
if (user != null){
//查詢用戶的角色
roleList = roleMapper.queryByUser(user.getId());
System.out.println("user" + user.getUsername() + "----" + user.getPassword());
// 構(gòu)建權(quán)限
Set authorities = new HashSet();
if (roleList.size() != 0){
for (Role role: roleList){
authorities.add(new MGrantedAuthority(role.getName()));
System.out.println(role.getName());
}
userDeatils = new MUserDeatils(user.getUsername(),user.getPassword(),authorities);
}
}
return userDeatils;
}
MGrantedAuthority.class
public class MGrantedAuthority implements GrantedAuthority {
private String authority;
public MGrantedAuthority(String authority){
this.authority = authority;
}
@Override
public String getAuthority() {
return authority;
}
}
MUserDeatils.class
實(shí)現(xiàn)UserDetails接口定義好變量即可
讀取資源與所屬角色
需要自定義實(shí)現(xiàn)類實(shí)現(xiàn)FilterInvocationSecurityMetadataSource接口��。通過(guò)loadResourceDefine方法可以實(shí)現(xiàn)資源與權(quán)限的對(duì)應(yīng)關(guān)系�。
要使我們自定義的MFilterInvocationSecurityMetadataSource生效,我們還需要定義一個(gè)MyFilterSecurityInterceptor類�����。
這里的數(shù)據(jù)需要從數(shù)據(jù)庫(kù)中取得�����。另外自定義接口UrlMatcher����,實(shí)現(xiàn)類為AntUrlPathMatcher。
坑
網(wǎng)上有教程是把loadResourceDefine方法放在了構(gòu)造函數(shù)里�。但我經(jīng)過(guò)多次試驗(yàn)均出現(xiàn)service,mapper無(wú)法注入的問題,然后就會(huì)報(bào)一個(gè)空指針的導(dǎo)異常���,經(jīng)debug發(fā)現(xiàn)是service沒有注入���。經(jīng)多次查詢得知:原因是構(gòu)造方法會(huì)先于注入執(zhí)行��,所以loadResourceDefine方法放入構(gòu)造中執(zhí)行時(shí)函數(shù)內(nèi)的service與mapper還未執(zhí)行注入����,因此報(bào) java.lang.NullPointerException的異常�����。解決方法是將loadResourceDefine方法放在getAttributes方法中執(zhí)行�����。
MFilterInvocationSecurityMetadataSource.class
@Component
public class MFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
@Autowired
public IRescAndRoleService iRescAndRoleService ;
@Autowired
private IUserService iUserService ;
private UrlMatcher urlMatcher = new AntUrlPathMatcher();
// 資源權(quán)限集合
private static Map> resourceMap = null;
public void loadResourceDefine(){
resourceMap = new HashMap>();
//取得用戶信息
List userList = iUserService.query();
//取得資源與角色列表
List resourceList = iRescAndRoleService.query();
System.out.println(resourceList);
for (RescAndRole resource : resourceList) {
Collection atts = new ArrayList();
atts.add(new SecurityConfig(resource.getRoleName() ));
resourceMap.put(resource.getResString(), atts);
}
}
@Override
public Collection getAttributes(Object o) throws IllegalArgumentException {
loadResourceDefine();//防止無(wú)法注入問題
// guess object is a URL.
String url = ((FilterInvocation) o).getRequestUrl();
Iterator ite = resourceMap.keySet().iterator();
while (ite.hasNext()) {
String resURL = ite.next();
if (urlMatcher.pathMatchesUrl(resURL, url)) {
return resourceMap.get(resURL);
}
}
return null;
}
@Override
public Collection getAllConfigAttributes() {
return null;
}
@Override
public boolean supports(Class aClass) {
return true;
}
}
AntUrlPathMatcher.class
public class AntUrlPathMatcher implements UrlMatcher {
private boolean requiresLowerCaseUrl;
private PathMatcher pathMatcher;
public AntUrlPathMatcher() {
this(true);
}
public AntUrlPathMatcher(boolean requiresLowerCaseUrl) {
this.requiresLowerCaseUrl = true;
this.pathMatcher = new AntPathMatcher();
this.requiresLowerCaseUrl = requiresLowerCaseUrl;
}
public Object compile(String path) {
if (this.requiresLowerCaseUrl) {
return path.toLowerCase();
}
return path;
}
public void setRequiresLowerCaseUrl(boolean requiresLowerCaseUrl) {
this.requiresLowerCaseUrl = requiresLowerCaseUrl;
}
public boolean pathMatchesUrl(Object path, String url) {
if (("/**".equals(path)) || ("**".equals(path))) {
return true;
}
return this.pathMatcher.match((String) path, url);
}
public String getUniversalMatchPattern() {
return "/**";
}
public boolean requiresLowerCaseUrl() {
return this.requiresLowerCaseUrl;
}
public String toString() {
return super.getClass().getName() + "[requiresLowerCase=""
+ this.requiresLowerCaseUrl + ""]";
}
}
MyFilterSecurityInterceptor.class
public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor
implements Filter {
private FilterInvocationSecurityMetadataSource securityMetadataSource;
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
FilterInvocation fi = new FilterInvocation(request, response, chain);
invoke(fi);
}
public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
return this.securityMetadataSource;
}
public Class getSecureObjectClass() {
return FilterInvocation.class;
}
public void invoke(FilterInvocation fi) throws IOException,
ServletException {
InterceptorStatusToken token = super.beforeInvocation(fi);
try {
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
} finally {
super.afterInvocation(token, null);
}
}
public SecurityMetadataSource obtainSecurityMetadataSource() {
return this.securityMetadataSource;
}
public void setSecurityMetadataSource(
FilterInvocationSecurityMetadataSource newSource) {
this.securityMetadataSource = newSource;
}
public void destroy() {
}
public void init(FilterConfig arg0) throws ServletException {
}
}
決策管理器
自定義一個(gè)決策管理器MyAccessDecisionManager實(shí)現(xiàn)AccessDecisionManager接口���。其中的decide方法���,決定某一個(gè)用戶是否有權(quán)限訪問某個(gè)url
/* (non-Javadoc)
* @see org.springframework.security.access.AccessDecisionManager#decide(org.springframework.security.core.Authentication, java.lang.Object, java.util.Collection)
* 該方法決定該權(quán)限是否有權(quán)限訪問該資源,其實(shí)object就是一個(gè)資源的地址����,authentication是當(dāng)前用戶的
* 對(duì)應(yīng)權(quán)限,如果沒登陸就為游客��,登陸了就是該用戶對(duì)應(yīng)的權(quán)限
*/
@Override
public void decide(Authentication authentication, Object object,
Collection configAttributes)
throws AccessDeniedException, InsufficientAuthenticationException {
if(configAttributes == null) {
return;
}
System.out.println(object.toString()); // object is a URL.
//所請(qǐng)求的資源擁有的權(quán)限(一個(gè)資源對(duì)多個(gè)權(quán)限)
Iterator iterator = configAttributes.iterator();
while(iterator.hasNext()) {
ConfigAttribute configAttribute = iterator.next();
//訪問所請(qǐng)求資源所需要的權(quán)限
String needPermission = configAttribute.getAttribute();
System.out.println("訪問"+object.toString()+"需要的權(quán)限是:" + needPermission);
//用戶所擁有的權(quán)限authentication
Collection authorities = authentication.getAuthorities();
for(GrantedAuthority ga : authorities) {
if(needPermission.equals(ga.getAuthority())) {
return;
}
}
}
//沒有權(quán)限
throw new AccessDeniedException(" 沒有權(quán)限訪問! ");
}
@Override
public boolean supports(ConfigAttribute attribute) {
// TODO Auto-generated method stub
return true;
}
@Override
public boolean supports(Class clazz) {
// TODO Auto-generated method stub
return true;
}
配置XML
web.xml
添加Seucrity的過(guò)濾器��,將攔截所有資源訪問
注意
只能配置成 /*
contextConfigLocation
WEB-INF/config/security.xml
WEB-INF/config/spring-mybatis.xml
springSecurityFilterChain
org.springframework.web.filter.DelegatingFilterProxy
springSecurityFilterChain
/*
spring-security.xml
文章版權(quán)歸作者所有,未經(jīng)允許請(qǐng)勿轉(zhuǎn)載,若此文章存在違規(guī)行為��,您可以聯(lián)系管理員刪除��。
轉(zhuǎn)載請(qǐng)注明本文地址:http://systransis.cn/yun/67422.html
