applicationContext-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:s="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd"
default-autowire="byType" default-lazy-init="true">
<description>使用SpringSecurity的安全配置文件</description>
<!-- Spring Security configuration: form login, remember-me, a custom login filter, and
     URL authorization whose rules are loaded through databaseDefinitionSource. -->
<!-- NOTE(review): schemaLocation above points at spring-security-2.0.4.xsd while the bean
     classes below use the org.springframework.security.web.* package layout; confirm the
     schema version matches the Spring Security jars actually deployed. -->
<!-- HTTP security configuration -->
<s:http auto-config="true" access-decision-manager-ref="accessDecisionManager">
<s:form-login login-page="/pages/Login/login.do" />
<s:logout logout-success-url="/" />
<!-- NOTE(review): the remember-me key is the secret mixed into the signature of token-based
     remember-me cookies. A four-character literal committed with the configuration gives
     little protection; use a long random value supplied from deployment configuration. -->
<s:remember-me key="ssss" />
</s:http>
<!-- Custom success and failure handlers; AppSessionSuccessHandler populates the session. -->
<bean id="appSessionProcessingFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationProcessingFilter">
<s:custom-filter before="AUTHENTICATION_PROCESSING_FILTER" />
<property name="authenticationFailureHandler">
<bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/pages/Login/login.do?error=true"/>
</bean>
</property>
<property name="authenticationSuccessHandler">
<bean class="javacommon.base.AppSessionSuccessHandler">
<property name="defaultTargetUrl" value="/"/>
</bean>
</property>
</bean>
<!-- Authentication configuration -->
<s:authentication-provider user-service-ref="userDetailsService">
<!-- The hash attribute can be set so that passwords are hashed before being stored in the
     database (the original note suggests sha1 or md5). -->
<!-- NOTE(review): hash="plaintext" means the stored password column holds cleartext
     credentials, so any read access to the user table discloses every password. Unsalted
     md5/sha1 are fast digests and are not an adequate replacement either; prefer a salted,
     deliberately slow password hash (for example a PasswordEncoder bean referenced through
     the ref attribute). Changing this requires migrating the stored passwords. -->
<s:password-encoder hash="plaintext" />
</s:authentication-provider>
<!-- User lookup service implemented by the project -->
<bean id="userDetailsService" class="com.awd.service.UserDetailServiceImpl" />
<!-- Redefined FilterSecurityInterceptor that uses the URL-to-authority mappings supplied by
     databaseDefinitionSource. -->
<!-- NOTE(review): there are no intercept-url rules in this file, so URL protection depends
     entirely on the rows returned by resourceDetailService. Confirm how a URL with no
     matching row is treated; presumably it is left public unless the interceptor is
     configured to reject such requests. -->
<bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<s:custom-filter before="FILTER_SECURITY_INTERCEPTOR" />
<property name="accessDecisionManager" ref="accessDecisionManager" />
<property name="objectDefinitionSource" ref="databaseDefinitionSource" />
</bean>
<!-- DefinitionSource factory; uses the URL-to-authority mappings supplied by resourceDetailService. -->
<bean id="databaseDefinitionSource" class="javacommon.base.DefinitionSourceFactoryBean">
<property name="resourceDetailService" ref="resourceDetailService" />
</bean>
<!-- URL-to-authority lookup service implemented by the project -->
<bean id="resourceDetailService" class="com.awd.service.ResourceDetailServiceImpl" />
<!-- Access-decision configuration; changes the default authority-name prefix from ROLE_ to A_. -->
<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
<property name="decisionVoters">
<list>
<bean class="org.springframework.security.access.vote.RoleVoter">
<property name="rolePrefix" value="A_" />
</bean>
<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
</list>
</property>
</bean>
</beans>
AppSessionSuccessHandler:
package javacommon.base;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.savedrequest.SavedRequest;
import org.springframework.security.web.util.RedirectUtils;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.util.StringUtils;
import com.awd.dao.UsersDao;
import com.awd.model.Users;
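/**
 * Authentication success handler that stores the application's {@code Users}
 * record in the HTTP session under the attribute {@code "currentUser"} and then
 * redirects the browser.
 *
 * <p>The session attribute is written before any redirect decision is made, so it
 * is present for every successful login. Previously it was only set when a saved
 * request existed and was used as the redirect target; logins that went through
 * the default target URL left {@code currentUser} unset.
 */
@Transactional(readOnly = true)
public class AppSessionSuccessHandler extends
        SavedRequestAwareAuthenticationSuccessHandler {

    @Autowired
    private UsersDao usersDao;

    /**
     * Populates the session with the current user and redirects after login.
     *
     * @param request        the login request
     * @param response       the response used to send the redirect
     * @param authentication the authentication produced by the successful login
     * @throws ServletException propagated from the superclass handler
     * @throws IOException      if the redirect cannot be written
     */
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication)
            throws ServletException, IOException {
        // Do this first: the two early-return branches below must not skip it.
        storeCurrentUser(request, authentication);

        SavedRequest savedRequest = getSavedRequest(request);
        if (savedRequest == null) {
            super.onAuthenticationSuccess(request, response, authentication);
            return;
        }

        // NOTE(review): when the target-URL request parameter is present the
        // redirect destination is chosen by the superclass from that parameter.
        // The superclass is not shown here; confirm it only accepts URLs inside
        // this application.
        if (isAlwaysUseDefaultTargetUrl()
                || StringUtils.hasText(request
                        .getParameter(getTargetUrlParameter()))) {
            removeSavedRequest(request);
            super.onAuthenticationSuccess(request, response, authentication);
            return;
        }

        // Based on Lingo's Spring Security 3.0 documentation,
        // appendix C (Spring Security 3.0.0.M1).
        // Use the SavedRequest URL. It is read from the server-side session,
        // not from the login request.
        String targetUrl = savedRequest.getFullRequestUrl();
        // The full URL includes the query string, so it is logged at debug level only.
        logger.debug("Redirecting to SavedRequest Url: " + targetUrl);
        RedirectUtils.sendRedirect(request, response, targetUrl,
                isUseRelativeContext());
    }

    /**
     * Looks up the {@code Users} row for the authenticated principal by
     * {@code loginname} and stores it in the session as {@code "currentUser"}.
     * Creates the session if none exists yet.
     */
    private void storeCurrentUser(HttpServletRequest request,
            Authentication authentication) {
        HttpSession session = request.getSession();
        UserDetails userDetails = (UserDetails) authentication.getPrincipal();
        Users currentUser = usersDao.findByUnique("loginname", userDetails.getUsername());
        session.setAttribute("currentUser", currentUser);
    }

    /**
     * Returns the saved request held in the existing session, or {@code null}
     * when there is no session or no saved request. Never creates a session.
     */
    private SavedRequest getSavedRequest(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return null;
        }
        return (SavedRequest) session
                .getAttribute(SavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY);
    }

    /**
     * Removes the saved request from the existing session, if there is one.
     */
    private void removeSavedRequest(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session != null) {
            logger.debug("Removing SavedRequest from session if present");
            session
                    .removeAttribute(SavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY);
        }
    }
}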
UserDetailServiceImpl.java
package com.awd.service;
import java.util.HashSet;
import java.util.Set;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.DataAccessException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.transaction.annotation.Transactional;
import com.awd.dao.UsersDao;
import com.awd.model.Authorities;
import com.awd.model.Roles;
import com.awd.model.Users;
/**
 * Implementation of Spring Security's {@code UserDetailsService}: the callback
 * the framework invokes to load a user's details during authentication.
 *
 * @author calvin edit by meetrice
 */
@Transactional(readOnly = true)
public class UserDetailServiceImpl implements UserDetailsService {

    @Autowired
    private UsersDao usersDao;

    /**
     * Loads the account whose {@code loginname} equals {@code userName} and wraps
     * it in a Spring Security {@code User}.
     *
     * <p>The password is passed through exactly as {@code Users.getPassword()}
     * returns it; the applicationContext-security.xml shown with this class
     * configures {@code hash="plaintext"}, so it is compared as cleartext.
     *
     * @param userName login name submitted by the client
     * @return the user details, including every authority reachable through the
     *         account's roles
     * @throws UsernameNotFoundException if no account has that login name
     * @throws DataAccessException declared for the data-access layer
     */
    public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException, DataAccessException {
        final Users account = usersDao.findByUnique("loginname", userName);
        if (account == null) {
            throw new UsernameNotFoundException("用户" + userName + " 不存在");
        }

        final GrantedAuthority[] authorities = obtainGrantedAuthorities(account);

        // The model has none of the following attributes, so every account-status
        // flag is fixed to true for now. NOTE(review): as a result a disabled,
        // locked or expired account cannot be expressed and is never rejected here.
        final boolean enabled = true;
        final boolean accountNonExpired = true;
        final boolean credentialsNonExpired = true;
        final boolean accountNonLocked = true;

        return new org.springframework.security.core.userdetails.User(
                account.getLoginname(), account.getPassword(), enabled, accountNonExpired,
                credentialsNonExpired, accountNonLocked, authorities);
    }

    /**
     * Collects the authorities of all roles assigned to the user, without duplicates.
     */
    private GrantedAuthority[] obtainGrantedAuthorities(Users user) {
        final Set<GrantedAuthority> collected = new HashSet<GrantedAuthority>();
        for (Roles assignedRole : user.getRoles()) {
            for (Authorities permission : assignedRole.getAuthorities()) {
                final String authorityName = permission.getName();
                collected.add(new GrantedAuthorityImpl(authorityName));
            }
        }
        final GrantedAuthority[] result = new GrantedAuthority[collected.size()];
        return collected.toArray(result);
    }
}