
spring-security3(一)配置详解及API扩展(包含ajax返回)

程序员文章站 2024-03-14 13:46:28
最近对spring-security3做了一些初步了解,搜集了一些配置资料,整理如下:

1、在spring-security官网下载最新jar然后拷贝jar到项目的lib下。

2、然后在web.xml中添加配置,内容如下:
	<!-- Registers the Spring Security entry point in the servlet container. DelegatingFilterProxy
	     forwards every request to the Spring bean whose name equals this filter name; that bean
	     (springSecurityFilterChain) is created by the <http> element of the security XML. -->
	<filter>
		<filter-name>springSecurityFilterChain</filter-name>
		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
	</filter>
	<!-- Apply the filter to every request path so no URL bypasses the security chain. -->
	<filter-mapping>
		<filter-name>springSecurityFilterChain</filter-name>
		<url-pattern>/*</url-pattern>
	</filter-mapping>

3、xml配置,配置内容如下:
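<?xml version="1.0" encoding="UTF-8"?>

<!--
  Spring Security 3.0 namespace configuration for the demo application.
  The security schema is the default namespace; plain Spring bean elements use the "b:" prefix.
-->
<b:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:b="http://www.springframework.org/schema/beans"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="
           http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <!-- auto-config="true" registers form-login, http-basic and logout with default settings; the
       explicit <form-login>, <http-basic> and <logout> elements below override those defaults.
       access-denied-page (not set here) would name the page shown on an AccessDeniedException. -->

  <!-- intercept-url maps request paths to the access attributes needed to reach them. Rules are
       evaluated top-down and the first matching pattern wins, so the exact "/" rule must stay
       above the broader ones. filters="none" bypasses the whole security filter chain for that
       pattern (static resources only).
       NOTE(review): there is no trailing "/**" catch-all, so a path listed neither here nor in
       dbSecurityMetadataSource carries no access attribute and is served to anyone; confirm that
       is intended, or add a final deny-by-default rule. -->
  <http realm="Contacts Realm" auto-config="true">
    <!-- Authority string assigned to unauthenticated requests (framework default is ROLE_ANONYMOUS).
         The IS_AUTHENTICATED_ANONYMOUSLY attributes below are decided by AuthenticatedVoter from the
         authentication type, not from this authority, so the value here appears to be cosmetic. -->
    <anonymous granted-authority="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/favicon.ico" filters="none"/>
    <intercept-url pattern="/images/**" filters="none"/>
    <intercept-url pattern="/css/**" filters="none"/>
    <intercept-url pattern="/js/**" filters="none"/>
    <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/sysmanage/ug/useradd/loginSys" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/debug*" access="ROLE_ADMINISTRATOR"/>

    <!--
      session-management is optional. concurrency-control limits concurrent sessions per user:
      by default a later login invalidates the earlier one; error-if-maximum-exceeded="true"
      rejects the second login instead.
      session-fixation-protection controls the defence against session-fixation attacks. The
      default, "migrateSession", invalidates the pre-login session on successful authentication
      and copies its attributes into a fresh session; "newSession" starts an empty one.
      "none" DISABLES the defence, so the sample below turns the protection off; it is kept
      only to show the element's shape. Prefer to omit the attribute and keep the default.
      <session-management session-fixation-protection="none"><concurrency-control/></session-management>
    -->

    <!-- login-page: the application's own login form. login-processing-url: the URL the form posts
         to (handled by the filter, no controller needed). authentication-failure-url: redirect
         after a failed login. default-target-url: redirect after success when no saved request
         exists.
         NOTE(review): because authentication-success-handler-ref is set, the referenced handler,
         not default-target-url, decides where a successful login goes; confirm the handler is
         configured with the intended target (some 3.0.x releases may also reject combining the
         two attributes at startup). -->
    <form-login login-page="/login" login-processing-url="/j_spring_security_check"
                authentication-success-handler-ref="logAuthenticationSuccessHandler"
                default-target-url="/manage" authentication-failure-url="/login?login_error=1"/>
    <http-basic/>
    <!-- logout-success-url: page to redirect to after a successful logout. -->
    <logout logout-success-url="/manage"/>
    <!-- NOTE(review): no key attribute is given, so the remember-me token is signed with whatever
         key the namespace supplies by default (a fixed or generated value depending on the exact
         3.0.x release). Set key="..." to a long, deployment-specific secret so tokens minted by
         another deployment of this same configuration are not accepted here. -->
    <remember-me/>

    <!-- Custom filters slotted into the namespace chain; each must be defined as a bean below. -->
    <!-- Optional: AJAX-aware logout, placed ahead of the standard LogoutFilter. -->
    <custom-filter ref="ajaxLogoutFilter" before="LOGOUT_FILTER"/>
    <!-- Optional: AJAX form authentication that returns a response carrying parameters. -->
    <custom-filter ref="ajaxUsernamePasswordAuthenticationFilter" before="FORM_LOGIN_FILTER"/>
    <!-- URL interception backed by the database metadata source, placed ahead of the interceptor
         that auto-config creates.
         NOTE(review): both interceptors mark the request with the same "already applied" attribute
         and the namespace one defaults to observeOncePerRequest="true", so it may skip its checks
         once this one has run; verify that the /debug* rule above is actually enforced. -->
    <custom-filter ref="dbFilterSecurityInterceptor" before="FILTER_SECURITY_INTERCEPTOR"/>
  </http>

  <!-- Optional: login audit logging; the class extends SavedRequestAwareAuthenticationSuccessHandler. -->
  <b:bean id="logAuthenticationSuccessHandler" class="com.demo.security.LogAuthenticationSuccessHandler"/>

  <!-- Authentication manager, one per application; the alias lets the custom filter beans reference it. -->
  <authentication-manager alias="authenticationManager">
    <!-- userManageService is an application bean implementing UserDetailsService.loadUserByUsername. -->
    <authentication-provider user-service-ref="userManageService">
      <!-- NOTE(review): MD5, even salted with the username, is not an adequate password hash: it
           is fast enough that leaked hashes can be guessed offline at high rate. It is kept here
           because changing the algorithm requires re-hashing every stored credential; plan a
           migration to a slow, purpose-built scheme (bcrypt, PBKDF2) with a per-user random salt
           when the user store can be rehashed. -->
      <password-encoder hash="md5">
        <salt-source user-property="username"/>
      </password-encoder>
    </authentication-provider>
  </authentication-manager>

  <!-- Logs the AuthenticationEvent messages published by the authentication manager. -->
  <b:bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>

  <!-- Optional: AJAX login filter. Extends UsernamePasswordAuthenticationFilter and overrides
       attemptAuthentication; it listens on its own URL instead of the form-login one. -->
  <b:bean id="ajaxUsernamePasswordAuthenticationFilter" class="com.demo.security.AjaxUsernamePasswordAuthenticationFilter">
    <!-- Form action used by the AJAX login page; must match the JSP. -->
    <b:property name="filterProcessesUrl" value="/j_ajax_security_check"/>
    <b:property name="authenticationManager" ref="authenticationManager"/>
    <b:property name="authenticationSuccessHandler" ref="ajaxSuccessHandler"/>
    <b:property name="authenticationFailureHandler" ref="ajaxFailureHandler"/>
  </b:bean>

  <!-- Optional: AJAX logout filter. Extends LogoutFilter and overrides doFilter.
       NOTE(review): the package differs from the com.demo.security classes used elsewhere in this
       file; it looks like a leftover from another project, so align the class name when copying. -->
  <b:bean id="ajaxLogoutFilter" class="com.berheley.bi.grp.security.AjaxLogoutFilter">
    <b:constructor-arg ref="ajaxLogoutSuccessHandler"/>
    <b:constructor-arg>
      <b:list>
        <!-- Framework handler: clears the security context and session state on logout. -->
        <b:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
      </b:list>
    </b:constructor-arg>
    <!-- Logout URL used by the AJAX page; must match the JSP. -->
    <b:property name="filterProcessesUrl" value="/j_ajax_security_logout"/>
  </b:bean>

  <!-- Optional: logout response for AJAX clients; implements LogoutSuccessHandler. -->
  <b:bean id="ajaxLogoutSuccessHandler" class="com.berheley.bi.grp.security.AjaxLogoutSuccessHandler"/>
  <!-- Optional: success response for AJAX clients; implements AuthenticationSuccessHandler or
       extends SimpleUrlAuthenticationSuccessHandler. -->
  <b:bean id="ajaxSuccessHandler" class="com.demo.security.AjaxAuthenticationSuccessHandler"/>
  <!-- Optional: failure response for AJAX clients; implements AuthenticationFailureHandler or
       extends SimpleUrlAuthenticationFailureHandler. -->
  <b:bean id="ajaxFailureHandler" class="com.demo.security.AjaxAuthenticationFailureHandler"/>

  <!-- Implements FilterInvocationSecurityMetadataSource (or extends
       DefaultFilterInvocationSecurityMetadataSource) to map resources to the roles allowed to
       access them, read through userManageService. -->
  <b:bean id="dbSecurityMetadataSource" class="com.demo.security.DbSecurityMetadataSource">
    <b:property name="userService" ref="userManageService"/>
  </b:bean>

  <!-- Access-control enforcement point driven by the database metadata source. -->
  <b:bean id="dbFilterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <b:property name="authenticationManager" ref="authenticationManager"/>
    <b:property name="accessDecisionManager" ref="accessDecisionManager"/>
    <!-- NOTE(review): 3.0 calls this property securityMetadataSource; if context startup reports an
         unknown property under the old objectDefinitionSource name, switch to the new one. -->
    <b:property name="objectDefinitionSource" ref="dbSecurityMetadataSource"/>
    <!-- false: re-run the access check even if an interceptor already ran on this request. -->
    <b:property name="observeOncePerRequest" value="false"/>
    <!-- false: reuse the existing Authentication instead of re-authenticating on every request. -->
    <b:property name="alwaysReauthenticate" value="false"/>
  </b:bean>

  <!--
    accessDecisionManager: the voting strategy. The framework ships three implementations:
    AffirmativeBased (a single grant is enough), ConsensusBased (majority of non-abstaining
    votes), UnanimousBased (every voter must grant).
    allowIfAllAbstainDecisions: whether a request passes when every voter abstains (false = deny).
    decisionVoters: the voters consulted, in order.
  -->
  <b:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <b:property name="allowIfAllAbstainDecisions" value="false"/>
    <b:property name="decisionVoters">
      <b:list>
        <!-- Votes on the IS_AUTHENTICATED_* attributes. -->
        <b:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
        <!-- RoleVoter only votes on attributes starting with rolePrefix and abstains on the rest;
             with prefix "HY_" it ignores the conventional ROLE_ attributes. -->
        <b:bean class="org.springframework.security.access.vote.RoleVoter">
          <b:property name="rolePrefix" value="HY_"/>
        </b:bean>
        <!-- Application voter extending RoleVoter, for AUTH_-prefixed attributes. -->
        <b:bean class="com.demo.security.AnyRoleVote">
          <b:property name="rolePrefix" value="AUTH_"/>
        </b:bean>
      </b:list>
    </b:property>
  </b:bean>
</b:beans>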

j_spring_security_check : 验证管理器拦截地址默认值;
j_username: 验证用户名;
j_password: 验证密码;
_spring_security_remember_me: "记住我"(remember-me)复选框参数,保持登录状态,并不保存密码

需了解原理请参阅security源码分析:[url]http://mengqingyu.iteye.com/blog/1477561[/url]