spring security 2.0 命名空间配置(带例子)
spring security已经成为企业软件中应用最为广泛的Java安全框架之一,它可以在Spring应用上下文中配置的Bean,充分利用了Spring IoC(依赖注入,也称控制反转)和AOP(面向切面编程)功能,为应用系统提供声明式的安全访问控制功能,减少了为企业系统安全控制编写大量重复代码的工作。它提供了全面的认证、授权、基于实例的访问控制、channel安全及人类用户检验能力。
Spring Security 2.0构建在Acegi Security坚实的基础之上,并在此基础上增加了许多新特性,现在本文的重点是要讲spring security简化的基于命名空间的配置,旧式配置可能需要上百行的XML.
通过下面的例子,你会了解到基于命名空间的配置是如何的简单。
spring security 2.0 例子:
开发环境:MyEclipse 6.0
服务器 :tomcat 6.x
开发架构:struts 1.2 + spring 2.5
spring security 版本:2.0
1.首先要搭好应用的款架,struts和spring(省略)
2.在web.xml里把spring-security 的配置文件路径添加进来
3.在web.xml中添加过spring的过滤器代理
4.添加相关的监听器,以便spring的监听管理
具体web.xml文件如下:
<?xml version="1.0" encoding="UTF-8"?><web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> <!-- 装载spring配置文件 --> <context-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/spring-security-ns.xml /WEB-INF/applicationContext.xml </param-value> </context-param> <context-param> <param-name>log4jConfigLocation</param-name> <param-value>/WEB-INF/classes/log4j.properties</param-value> </context-param> <filter> <filter-name>springSecurityFilterChain</filter-name> <!--bean的名字是springSecurityFilterChain,这是由命名空间创建的用于处理web安全的一个内部机制 --> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!-- - Loads the root application context of this web app at startup. - The application context is then available via - WebApplicationContextUtils.getWebApplicationContext(servletContext). --> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <!-- - Publishes events for session creation and destruction through the application - context. Optional unless concurrent session control is being used. --> <listener> <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class> </listener> <servlet> <servlet-name>action</servlet-name> <servlet-class>org.apache.struts.action.ActionServlet</servlet-class> <init-param> <param-name>config</param-name> <param-value>/WEB-INF/struts-config.xml</param-value> </init-param> <init-param> <param-name>debug</param-name> <param-value>3</param-value> </init-param> <init-param> <param-name>detail</param-name> <param-value>3</param-value> </init-param> <load-on-startup>0</load-on-startup> </servlet> <servlet-mapping> <servlet-name>action</servlet-name> <url-pattern>*.do</url-pattern> </servlet-mapping> <welcome-file-list> <welcome-file>login.jsp</welcome-file> </welcome-file-list> <error-page> <error-code>403</error-code> <location>/error.html</location> </error-page> <login-config> <auth-method>BASIC</auth-method> </login-config></web-app>
<?xml version="1.0" encoding="UTF-8"?><!-- - 基于名称空间配置 --><beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd"><global-method-security secured-annotations="enabled" ><!-- AspectJ pointcut expression that locates our "post" method and applies security that way<protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>--></global-method-security> <http access-denied-page="/error.jsp" access-decision-manager-ref="accessDecisionManager" session-fixation-protection="newSession" auto-config="true" path-type="ant" ><!--session-fixation-protection属性可以防止session固定攻击 --> <!-- 权限入口的顺序十分重要,注意必须把特殊的URL权限写在一般的URL权限之前。 --> <intercept-url pattern="/acegiTest.do" access="ROLE_SUPERVISOR"/> <intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_REMEMBERED" /> <intercept-url pattern="/roleA/**.jsp" access="ROLE_A"/> <intercept-url pattern="/roleB/**.jsp" access="ROLE_B"/> <intercept-url pattern="/roleC/**.jsp" access="ROLE_C"/> <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/><!-- x509认证 <x509 /> --> <!-- All of this is unnecessary if auto-config="true" <form-login /> <anonymous /> <http-basic /> <logout /> <remember-me /> --> <form-login login-page="/login.jsp" default-target-url="/index.jsp" authentication-failure-url="/login.jsp?login_error=1" /> <anonymous key="cookie_key" username="ananoymous" granted-authority="IS_AUTHENTICATED_ANONYMOUSLY"/> <logout invalidate-session="true" /> <!-- session并发控制 --><concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true" /><!-- exception-if-maximum-exceeded="true" 第二次登入失效 --> </http> <!-- 访问决策管理 --><beans:bean id="accessDecisionManager" value="true"/><beans:property name="decisionVoters"><!-- 投票者列表 --><beans:list><beans:bean --> <!-- 基于内存存储用户 --> <user-service> <user name="admin" password="202cb962ac59075b964b07152d234b70" authorities="ROLE_A, ROLE_B, ROLE_C, ROLE_SUPERVISOR"/> <user name="userab" password="202cb962ac59075b964b07152d234b70" authorities="ROLE_A, ROLE_B"/> <user name="usera" password="202cb962ac59075b964b07152d234b70" authorities="ROLE_A"/> <user name="userb" password="202cb962ac59075b964b07152d234b70" authorities="ROLE_B"/> </user-service> <!--密码md5加密--> <password-encoder hash="md5"/> <!-- <jdbc-user-service data-source-ref="f3CenterDS" users-by-username-query="select name as 'username',password`,'true' as 'enabled' from users where name = ?" authorities-by-username-query="select name as 'username',authorities as 'authority' from authentication where name = ?" /> --> </authentication-provider><!--用户信息存在在数据库的验证--><!-- <beans:bean id="userDetailsService"ref="f3CenterDS" /><beans:property name="usersByUsernameQuery"><beans:value>select name as 'username',password,'true' as 'enabled' from users where name = ?</beans:value></beans:property><beans:property name="authoritiesByUsernameQuery"><beans:value>select name as 'username',authorities as 'authority' from authentication where name = ?</beans:value></beans:property></beans:bean>--></beans:beans>
