Spring Security Study (5)
Main topic of this post:
Using Spring Security to protect the execution of business code
Preparation
1. Create the HelloService interface
```java
package zyk.service;

//import org.springframework.security.access.annotation.Secured;

public interface HelloService {
    //@Secured({ "ROLE_USER", "ROLE_ADMIN" })
    public String sayHi(String userName);

    //@Secured({ "ROLE_ADMIN" })
    public String sayBye(String userName);
}
```
2. Implementation class HelloServiceImpl
```java
package zyk.service.impl;

import zyk.service.HelloService;

public class HelloServiceImpl implements HelloService {
    public String sayHi(String userName) {
        return "大家好!我是:" + userName;      // "Hello everyone! I am: " + userName
    }

    public String sayBye(String userName) {
        return userName + " 跟大家说再见!";    // userName + " says goodbye to everyone!"
    }
}
```
3. Configure applicationContext.xml so that HelloService is managed by Spring.
```xml
<bean id="helloService" class="zyk.service.impl.HelloServiceImpl" />
```
4. Create HelloServlet
```java
package zyk.servlet;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.ApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

import zyk.service.HelloService;

public class HelloServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    /** Constructor of the object. */
    public HelloServlet() {
        super();
    }

    /** Destruction of the servlet. */
    public void destroy() {
        super.destroy(); // Just puts "destroy" string in log
        // Put your code here
    }

    /**
     * The doGet method of the servlet. Called when a form has its method attribute equal to get.
     * Looks up the Spring-managed HelloService and calls the method named by the request parameter.
     *
     * @param request  the request sent by the client to the server
     * @param response the response sent by the server to the client
     * @throws ServletException if an error occurred
     * @throws IOException      if an error occurred
     */
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        response.setCharacterEncoding("UTF-8");
        String userName = request.getParameter("userName");
        String method = request.getParameter("method");
        // Fetch the bean from the Spring web context so that the call goes through
        // the security proxy rather than a plain HelloServiceImpl instance.
        ApplicationContext ctx = WebApplicationContextUtils
                .getWebApplicationContext(this.getServletContext());
        HelloService helloService = ctx.getBean("helloService", HelloService.class);
        PrintWriter out = response.getWriter();
        out.println("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">");
        out.println("<HTML>");
        out.println("  <HEAD><TITLE></TITLE></HEAD>");
        out.println("  <BODY>");
        // Null-safe comparison: a request without the method parameter falls through to sayBye.
        if ("sayHi".equals(method)) {
            out.println(helloService.sayHi(userName));
        } else {
            out.println(helloService.sayBye(userName));
        }
        out.println("  </BODY>");
        out.println("</HTML>");
        out.flush();
        out.close();
    }

    /**
     * The doPost method of the servlet. Called when a form has its method attribute equal to post.
     *
     * @param request  the request sent by the client to the server
     * @param response the response sent by the server to the client
     * @throws ServletException if an error occurred
     * @throws IOException      if an error occurred
     */
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }

    /**
     * Initialization of the servlet.
     *
     * @throws ServletException if an error occurs
     */
    public void init() throws ServletException {
        // Put your code here
    }
}
```
5. Configure the mapping path of HelloServlet in web.xml.
```xml
<servlet>
    <description>This is the description of my J2EE component</description>
    <display-name>This is the display name of my J2EE component</display-name>
    <servlet-name>HelloServlet</servlet-name>
    <servlet-class>zyk.servlet.HelloServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>HelloServlet</servlet-name>
    <url-pattern>/hello.action</url-pattern>
</servlet-mapping>
```
6. Add the links in index.jsp.
```jsp
<a href="${pageContext.request.contextPath}/hello.action?method=sayHi&userName=<sec:authentication property="name" />">SayHi!</a>
<br />
<a href="${pageContext.request.contextPath}/hello.action?method=sayBye&userName=<sec:authentication property="name" />">SayBye!</a>
```
First test: both user and admin can call the sayHi and sayBye methods.
What we want to achieve next is:
admin can call both sayHi and sayBye;
user can only call sayHi.
A) The XML approach
1. Configure in applicationContext.xml:
```xml
<!-- XML approach -->
<security:global-method-security>
    <!-- Users holding ROLE_USER or ROLE_ADMIN may call any method named sayHi, with any
         return type, in any class of the package zyk.service -->
    <security:protect-pointcut access="ROLE_USER,ROLE_ADMIN"
                               expression="execution(* zyk.service.*.sayHi(..))"/>
    <!-- First *: any return type; second *: any class; third *: any method name starting
         with "say". So: users holding ROLE_ADMIN may call any method whose name starts
         with say (e.g. sayHi and sayBye), with any return type, in any class of the
         package zyk.service -->
    <security:protect-pointcut access="ROLE_ADMIN"
                               expression="execution(* zyk.service.*.say*(..))"/>
</security:global-method-security>
```
Second test: OK. Now comment out the configuration above and switch to the annotation approach.
B) The annotation approach
1. Enable annotations in applicationContext.xml
```xml
<!-- Enable annotations -->
<security:global-method-security secured-annotations="enabled" jsr250-annotations="enabled" />
```
2. Add the Spring Security annotations to the methods of the HelloService interface. The usage is self-explanatory.
```java
package zyk.service;

import org.springframework.security.access.annotation.Secured;

public interface HelloService {
    @Secured({ "ROLE_USER", "ROLE_ADMIN" })
    public String sayHi(String userName);

    @Secured({ "ROLE_ADMIN" })
    public String sayBye(String userName);
}
```
Test again: OK.
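An added check, not part of the original post, that exercises the protected bean directly (no servlet, no browser) and works with either the XML pointcut configuration or the @Secured annotations above. It assumes the post's applicationContext.xml is on the classpath together with the Spring and Spring Security jars; the class name MethodSecurityCheck and the principal name "tester" are my own choices.

```java
package zyk.test;

import org.springframework.context.support.ClassPathXmlApplicationContext;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import zyk.service.HelloService;

public class MethodSecurityCheck {

    /** Calls sayHi or sayBye as a caller holding the given role (null = not logged in). */
    static boolean allowed(HelloService svc, String role, String method) {
        if (role != null) {
            // TestingAuthenticationToken is already marked authenticated, so no
            // AuthenticationManager round-trip is needed for this check.
            SecurityContextHolder.getContext().setAuthentication(
                    new TestingAuthenticationToken("tester", "pw", role));
        }
        try {
            if ("sayHi".equals(method)) svc.sayHi("tester"); else svc.sayBye("tester");
            return true;
        } catch (AccessDeniedException e) {
            return false;   // logged in, but the role is not in the method's access list
        } catch (AuthenticationException e) {
            return false;   // no Authentication in the security context at all
        } finally {
            SecurityContextHolder.clearContext();
        }
    }

    public static void main(String[] args) {
        ClassPathXmlApplicationContext ctx =
                new ClassPathXmlApplicationContext("applicationContext.xml");
        // The bean must come from the context: a plain new HelloServiceImpl()
        // would bypass the security interceptor completely.
        HelloService svc = ctx.getBean("helloService", HelloService.class);
        String[][] cases = {
            {"ROLE_USER", "sayHi"}, {"ROLE_USER", "sayBye"},
            {"ROLE_ADMIN", "sayHi"}, {"ROLE_ADMIN", "sayBye"},
            {null, "sayHi"} };
        for (String[] c : cases) {
            System.out.println((c[0] == null ? "no login" : c[0]) + " -> " + c[1]
                    + ": " + (allowed(svc, c[0], c[1]) ? "allowed" : "DENIED"));
        }
        ctx.close();
    }
}
```

With the post's configuration, ROLE_USER -> sayBye and the not-logged-in case are DENIED and the other three calls are allowed; the last case shows that method security also refuses calls made with an empty security context, for example from a background thread.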