Spring-Security 三初體驗
Spring-Security 3初體驗beans:beans xmlnshttp://www.springframework.org/schema/securityxmlns:bea
Spring-Security 3初體驗
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
?http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
??? <http use-expressions="true" auto-config="true">
??????? <intercept-url pattern="/secure/protected.jsp" access="hasRole('ROLE_USER')"/>
??????? <intercept-url pattern="/login.jsp" access="isAnonymous()"/>
??????? <intercept-url pattern="/**" access="permitAll"/>
??????? <form-login login-processing-url="/j_spring_security_check"
???????? login-page="/login.jsp" default-target-url="/index.jsp"
???????? authentication-failure-url="/login.jsp?error=1"/>
??????? <logout logout-url="/j_spring_security_logout"/>
??? </http>
??? <authentication-manager>
??????? <authentication-provider user-service-ref="securityManager"/>
??? </authentication-manager>
??? <beans:bean id="securityManager" access="hasRole('admin') and hasIpAddress('192.168.1.0/24')"/>
? 除了Common built-in和Web Security的Expression之外,也提供annotation expression,如Method Security Expression,使用它的話事先要在context.xml宣告如下
<global-method-security pre-post-annotations="enabled"/>
如此一來才能在Bean Class的method做這樣的設定:
@PreAuthorize("hasRole('ROLE_USER')")
public void create(Contact contact);
// OR
@PreAuthorize("hasPermission(#contact, 'admin')")
public void deletePermission(Contact contact, Sid recipient, Permission permission);
// OR
@PreAuthorize("#contact.name == principal.name)")
public void doSomething(Contact contact);
上述的security-context.xml尚未講到<form-login>和<logout>兩個標籤,各自對映到/j_spring_security_check和/j_spring_security_logout,這是Spring Security預設的Filter URL,當然可以改寫,但超出自身修維之外了。
整個流程是:
<http>標籤對url pattern過濾後轉給<authentication-manager>指定的bean處理,該bean即繼承UserDetailsService的class。 藉由該bean的loadUserByUsername這個method去存取DB或LDAP驗證,驗證成功再return繼承UserDetails的instance。 return後由Spring-Security去驗證密碼和授權,來決定是否允許access。 在上面步驟2和3之間,繼承UserDetails的instance在被New出時,就要設好其interface的屬性,重要如username、password和Authorizes等,這些來源應該在執行loadUserByUsername結束之前就要完成設置。
