
spring security

项目中用到了security,用到的功能比较简单,是自己研究的,如下:

spring-security.xml

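<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- Enables @PreAuthorize/@PostAuthorize on annotated methods. Note that this file declares no
         <security:intercept-url> patterns, so URL-level authorization is not enforced by the filter
         chain; access decisions rest on the method annotations alone. -->
    <security:global-method-security pre-post-annotations="enabled" />

    <security:http auto-config="true" use-expressions="true" access-denied-page="/auth/denied">
        <!-- The custom filter registered below takes over form-login processing, so
             authentication-failure-url and default-target-url here are superseded by the handlers
             wired into appSessionProcessingFilter. login-page still configures the entry point. -->
        <security:form-login
            login-page="/auth/login"
            authentication-failure-url="/auth/login?error=true"
            default-target-url="/auth/common"/>
        <!-- Custom filter. FORM_LOGIN_FILTER is the alias of UsernamePasswordAuthenticationFilter;
             placing ours before it means the stock filter's failure/target URLs are never used. -->
        <security:custom-filter ref="appSessionProcessingFilter" before="FORM_LOGIN_FILTER" />

        <security:logout
            invalidate-session="true"
            logout-success-url="/auth/login"
            logout-url="/auth/logout"/>

        <!-- Redirect target after session timeout. When enabled, the originally requested URL is
             not remembered across the re-login. -->
        <!--<security:session-management invalid-session-url="/auth/login"/>-->
    </security:http>

    <!-- Authentication manager using the custom userDetailsService.
         The password-encoder child makes the provider hash the submitted password before comparing
         it with the stored MD5 value. Without it the passwordEncoder bean below is declared but never
         referenced, and the provider compares the submitted password as plain text against the hash. -->
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider user-service-ref="myUserDetailsService">
            <security:password-encoder ref="passwordEncoder"/>
        </security:authentication-provider>
    </security:authentication-manager>
    <bean id="myUserDetailsService" class="com.vmware.sop.service.security.UserDetailsService"/>

    <!-- MD5 encoder because the users' passwords are stored as MD5 in the database.
         Unsalted MD5 is a weak password hash; a salted, deliberately slow algorithm is preferable
         once the stored hashes can be migrated. -->
    <bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>

    <!-- Success/failure handling for the custom filter. Because it replaces the stock form-login
         filter, all three properties (manager, success handler, failure handler) must be set here. -->
    <bean id="appSessionProcessingFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationSuccessHandler">
            <bean class="com.vmware.sop.service.security.AppSessionSuccessHandler">
                <property name="defaultTargetUrl" value="/" />
            </bean>
        </property>
        <property name="authenticationFailureHandler">
            <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
                <property name="defaultFailureUrl" value="/auth/login?error=true"/>
            </bean>
        </property>
    </bean>

</beans>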


权限的核心类,用于获取用户的权限列表。

package com.vmware.sop.service.security;

import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.DataAccessException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.util.CollectionUtils;

import com.vmware.sop.dao.management.IUserDao;
import com.vmware.sop.entity.Privilege;
import com.vmware.sop.entity.User;

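/**
 * Custom {@link org.springframework.security.core.userdetails.UserDetailsService} backed by
 * {@link IUserDao}: loads the user by login name and turns the privileges of the user's group
 * into granted authorities (one authority per privilege id).
 *
 * @author 张国明 [email protected]
 * @version 2012-5-24 下午2:29:03
 *
 */
public class UserDetailsService implements
        org.springframework.security.core.userdetails.UserDetailsService {
    @Autowired
    private IUserDao userDao;

    /**
     * Loads the user with the given login name and builds the Spring Security principal.
     * <p>
     * Users that do not exist, have no group, or whose group has no privileges are rejected by
     * throwing {@link UsernameNotFoundException}. The interface contract does not allow a
     * {@code null} return value, so all three cases are reported the same way.
     *
     * @param username login name submitted by the login form
     * @return principal carrying the stored password (compared by the authentication provider)
     *         and the user's authorities
     * @throws UsernameNotFoundException if no user with privileges exists for {@code username}
     * @throws DataAccessException if the lookup fails
     */
    @Override
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        User user = userDao.queryByName(username);
        if (!hasUserPrivilege(user)) {
            throw new UsernameNotFoundException("No account with privileges found for user " + username);
        }

        List<GrantedAuthority> grantedAuthorityList = assembleGrantedAuthorityList(user);

        // enabled, accountNonExpired, credentialsNonExpired and accountNonLocked are all
        // hard-coded to true: every loaded account is treated as active.
        return new org.springframework.security.core.userdetails.User(
                user.getName(), user.getPassword(), true, true, true, true,
                grantedAuthorityList);
    }

    /**
     * Assembles the authorities of a user: one {@link GrantedAuthorityImpl} per privilege id of
     * the user's group.
     *
     * @param user the user being authenticated; must have a group with privileges
     * @return the user's authorities, never {@code null}
     */
    private List<GrantedAuthority> assembleGrantedAuthorityList(User user) {
        List<Privilege> privilegeList = user.getUserGroup().getPrivileges();
        List<GrantedAuthority> grantedAuthorityList =
                new ArrayList<GrantedAuthority>(privilegeList.size());

        for (Privilege privilege : privilegeList) {
            // Authorities are the numeric privilege ids rendered as strings.
            String privilegeId = String.valueOf(privilege.getPrivilegeid());
            grantedAuthorityList.add(new GrantedAuthorityImpl(privilegeId));
        }

        return grantedAuthorityList;
    }

    /**
     * Checks whether a user can be authenticated at all.
     *
     * @param sopUser the loaded user, {@code null} when the login name is unknown
     * @return {@code true} if the user exists, belongs to a group and that group has at least
     *         one privilege
     */
    private boolean hasUserPrivilege(User sopUser) {
        return sopUser != null
                && sopUser.getUserGroup() != null
                && !CollectionUtils.isEmpty(sopUser.getUserGroup().getPrivileges());
    }
}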


用户登录成功后的过滤器,我用它来处理session。

package com.vmware.sop.service.security;

import com.vmware.sop.dao.management.IUserDao;
import com.vmware.sop.entity.User;
import com.vmware.sop.utils.SessionUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;

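/**
 * Authentication success handler that stores the application's {@link User} in the HTTP
 * session and then delegates to the saved-request redirect of the superclass.
 *
 * @author 张国明 [email protected]
 * @version 2012-6-5 下午2:11
 */
public class AppSessionSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    @Autowired
    private IUserDao userDao;

    /**
     * Puts the logged-in {@link User} into the session under {@link SessionUtil#USER}, then lets
     * the superclass redirect to the originally requested URL (or the default target).
     *
     * @param request        the current request; a session is created if none exists yet
     * @param response       the current response
     * @param authentication the successful authentication
     * @throws ServletException propagated from the superclass redirect
     * @throws IOException      propagated from the superclass redirect
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws ServletException, IOException {
        // Authentication#getName() yields the username for a UserDetails principal as well as for
        // a plain String principal, so no cast of getPrincipal() is needed.
        String username = authentication.getName();
        User user = userDao.queryByName(username);
        // NOTE(review): User is the persistence entity and carries the stored password hash
        // (UserDetailsService reads user.getPassword()); a session-scoped view without credential
        // fields would be preferable if the session is ever serialized or exposed.
        request.getSession().setAttribute(SessionUtil.USER, user);

        super.onAuthenticationSuccess(request, response, authentication);
    }
}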