Spring Security 三 证书登录

Spring Security 3 证书登录

默认情况下ss3的<x509>标签只会取证书主题作为验证条件，如果想要自己指定证书的某一部分作为验证条件需要手动实现X509PrincipalExtractor接口：

import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;public class MyX509PrincipalExtractor implements X509PrincipalExtractor{Logger logger = LoggerFactory.getLogger(this.getClass());/** * 获取证书序列号 * @param cert x509证书对象 */@Overridepublic Object extractPrincipal(X509Certificate cert) {String serialNumber = cert.getSerialNumber().toString(16);//取证书序列号作为判断条件return serialNumber;}}

?实现用户描述接口：

public class MyUserAuthority implements UserDetails{……}

?

载入用户信息：

import org.slf4j.Logger;import org.slf4j.LoggerFactory;import org.springframework.beans.factory.annotation.Autowired;import org.springframework.security.core.Authentication;import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;import org.springframework.security.core.userdetails.UserDetails;import org.springframework.security.core.userdetails.UsernameNotFoundException;/** *  * Company: xxx公司 <br> * * Description:  用户信息载入服务 * * <br>Copyright: Copyright (c) 2010 - 2015 * * <br>Author: JLCON  * <br>Created:2010-9-17 * * <br>Modified:2010-9-17 * * <br>version：V1.0 */public class MyUserDetailService implements AuthenticationUserDetailsService{Logger logger = LoggerFactory.getLogger(this.getClass());    //载入用户信息@Autowiredprivate UserAuthorityInfo userinfo;/** * 用户信息载入 * @param token 认证token */@Overridepublic UserDetails loadUserDetails(Authentication token)throws UsernameNotFoundException {//这里得到的就是刚才返回的证书IDreturn userinfo.getUserDetails(token.getPrincipal().toString());}}

?通过URL获取该URL具有的访问属性：

public class X509securityMetadataSource implements FilterInvocationSecurityMetadataSource{import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;…………@Overridepublic Collection<ConfigAttribute> getAttributes(Object object)throws IllegalArgumentException {String url = ((FilterInvocation)object).getRequestUrl();………………return list;}@Overridepublic boolean supports(Class<?> clazz) {return true;}}

?认证访问控制器：

public class X509AccessDecisionManager implements AccessDecisionManager{Logger logger = LoggerFactory.getLogger(this.getClass());/** * 决定是否有权限访问资源 * @param authentication 登录用户权限信息 * @param object 访问的资源对象 * @param configAttributes 资源对象具有的配置属性 * @exception AccessDeniedException 访问被拒绝 */@Overridepublic void decide(Authentication authentication, Object object,Collection<ConfigAttribute> configAttributes)throws AccessDeniedException, InsufficientAuthenticationException {FilterInvocation filterInvocation = (FilterInvocation)object;for(ConfigAttribute configAttribute:configAttributes){for(GrantedAuthority grantedAuthority:authentication.getAuthorities()){if(configAttribute.getAttribute().equalsIgnoreCase(grantedAuthority.getAuthority())){logger.debug("访问success! - {}",filterInvocation.getFullRequestUrl());return;}}}logger.debug("无权访问! - {}",filterInvocation.getFullRequestUrl());throw new AccessDeniedException("无权限！");}@Overridepublic boolean supports(ConfigAttribute attribute) {return true;}@Overridepublic boolean supports(Class<?> clazz) {return true;}}

??最后上配置：

<?xml version="1.0" encoding="UTF-8"?><b:beans xmlns:b="http://www.springframework.org/schema/beans"    xmlns="http://www.springframework.org/schema/security"    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"><http access-denied-page="/accessdenied.jsp"><custom-filter position="X509_FILTER" ref="x509Filter"/><custom-filter ref="x509Intercepter" before="FILTER_SECURITY_INTERCEPTOR"/><intercept-url pattern="/*" requires-channel="https"/><port-mappings><port-mapping http="8080" https="8443"/></port-mappings><form-login/></http><b:bean id="preAuthenticatedProcessingFilterEntryPoint" ref="authenticationmanager"></b:property><b:property name="principalExtractor"><b:bean ref="authenticationmanager"></b:property><b:property name="securityMetadataSource" ref="x509securityMetadataSource"></b:property><b:property name="accessDecisionManager" ref="x509AccessDecisionManager"></b:property></b:bean><b:bean id="x509securityMetadataSource" ><authentication-provider ref="x509provider"></authentication-provider></authentication-manager><b:bean id="x509provider" ref="UserDetailsService"></b:property><b:property name="throwExceptionWhenTokenRejected" value="true"></b:property></b:bean><b:bean id="loggerListener" name="code">。。。。。<filter>        <filter-name>springSecurityFilterChain</filter-name>        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>    </filter>    <filter-mapping>      <filter-name>springSecurityFilterChain</filter-name>      <url-pattern>/manager/*</url-pattern>    </filter-mapping>。。。。。

?