转至: http://www.cnblogs.com/yl2755/archive/2012/04/19/2456823.html
谢谢作者!!!
首先导入spring security所需要的jar包
spring-security-core-2.0.5.RELEASE.jar
spring-security-core-tiger-2.0.5.RELEASE.jar
一.配置过滤器
在web.xml中定义如下过滤器
springSecurityFilterChain
org.springframework.web.filter.DelegatingFilterProxy
springSecurityFilterChain
CREATE TABLE `t_account` (
`id` int(11) NOT
NULL,
`username` varchar(255) default
NULL,
`password` varchar(255) default
NULL,
`enabled` int default NULL,
PRIMARY KEY
(`id`)
)
ENGINE=InnoDB DEFAULT
CHARSET=utf8;
CREATE TABLE
`t_role` (
`id` int(11) NOT
NULL,
`name` varchar(255) default NULL,
`descn` varchar(255) default NULL,
PRIMARY KEY
(`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `t_account_role` (
`a_id` int(11) NOT
NULL,
`r_id` int(11) NOT
NULL,
PRIMARY KEY
(`a_id`,`r_id`),
KEY `FK1C2BC9332D31C656`
(`r_id`),
KEY `FK1C2BC93371CCC630`
(`a_id`),
CONSTRAINT `FK1C2BC93384B0A30E` FOREIGN KEY
(`a_id`) REFERENCES `t_account`
(`id`),
CONSTRAINT `FK1C2BC9332D31C656` FOREIGN KEY
(`r_id`) REFERENCES `t_role`
(`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
insert into t_account values(1,'zhangsan','123',1);
insert into t_account values(2,'lisi','321',1);
insert into t_role values(1,'系统管理员','ROLE_ADMIN');
insert into t_role values(2,'普通用户','ROLE_USER');
insert into t_account_role values(1,2);
insert into
t_account_role values(2,1);
当用户登录时,spring security首先判断用户是否可以登录。用户登录后spring security获得该用户的
所有权限以判断用户是否可以访问资源。
spring配置文件中定义
users-by-username-query="select username,password,enabled from
t_account where username=?"
authorities-by-username-query="select r.descn from t_account_role
ar join
t_account a on ar.a_id=a.id join t_role r on ar.r_id=r.id where
a.username=?"/>
users-by-username-query:根据用户名查找用户
authorities-by-username-query:根据用户名查找这个用户所有的角色名,将用户访问的URL地址和
查询结果与标签进行匹配。
匹配成功就允许访问,否则就返回到提示页面。
在标签中添加登录页面等信息
CREATE TABLE `t_account` (
`id` int(11) NOT
NULL,
`username` varchar(255) default
NULL,
`password` varchar(255) default
NULL,
`enabled` int default NULL,
PRIMARY KEY
(`id`)
)
ENGINE=InnoDB DEFAULT
CHARSET=utf8;
CREATE TABLE
`t_role` (
`id` int(11) NOT
NULL,
`name` varchar(255) default NULL,
`descn` varchar(255) default NULL,
PRIMARY KEY
(`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `t_account_role` (
`a_id` int(11) NOT
NULL,
`r_id` int(11) NOT
NULL,
PRIMARY KEY
(`a_id`,`r_id`),
KEY `FK1C2BC9332D31C656`
(`r_id`),
KEY `FK1C2BC93371CCC630`
(`a_id`),
CONSTRAINT `FK1C2BC93384B0A30E` FOREIGN KEY
(`a_id`) REFERENCES `t_account`
(`id`),
CONSTRAINT `FK1C2BC9332D31C656` FOREIGN KEY
(`r_id`) REFERENCES `t_role`
(`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `t_module` (
`id` int(11) NOT
NULL,
`name` varchar(255) default
NULL,
`address` varchar(255) default
NULL,
PRIMARY KEY
(`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `t_module_role` (
`m_id` int(11) NOT
NULL,
`r_id` int(11) NOT
NULL,
PRIMARY KEY
(`m_id`,`r_id`),
KEY `FKA713071E2D31C656`
(`r_id`),
KEY `FKA713071ED78C9071`
(`m_id`),
CONSTRAINT `FKA713071ED78C9071` FOREIGN KEY
(`m_id`) REFERENCES `t_module`
(`id`),
CONSTRAINT `FKA713071E2D31C656` FOREIGN KEY
(`r_id`) REFERENCES `t_role`
(`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
insert into t_account values(1,'zhangsan','123',1);
insert into t_account values(2,'lisi','321',1);
insert into t_role values(1,'系统管理员','ROLE_ADMIN');
insert into t_role values(2,'普通用户','ROLE_USER');
insert into t_account_role values(1,2);
insert into
t_account_role values(2,1);
insert into
t_module
values(1,'部门管理','/dept.jsp');
insert into
t_module
values(2,'人员管理','/emp.jsp');
insert into
`t_module_role` values(1,1);
insert into
`t_module_role` values(1,2);
insert into
`t_module_role` values(2,1);
1.在自定义的过滤器中获取资源的URL地址和角色名以取代spring配置文件中原有的
过滤器代码:
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.sql.DataSource;
import org.springframework.beans.factory.FactoryBean;
import org.springframework.jdbc.core.support.JdbcDaoSupport;
import org.springframework.jdbc.object.MappingSqlQuery;
import org.springframework.security.ConfigAttributeDefinition;
import org.springframework.security.ConfigAttributeEditor;
import org.springframework.security.intercept.web.DefaultFilterInvocationDefinitionSource;
import org.springframework.security.intercept.web.FilterInvocationDefinitionSource;
import org.springframework.security.intercept.web.RequestKey;
import org.springframework.security.util.AntUrlPathMatcher;
import org.springframework.security.util.UrlMatcher;
public class JdbcFilterInvocationDefinitionSourceFactoryBean
extends
JdbcDaoSupport implements FactoryBean
{
private
String resourceQuery;
public
boolean isSingleton() {
return true;
}
public Class
getObjectType() {
return
FilterInvocationDefinitionSource.class;
}
public
Object getObject() {
return new
DefaultFilterInvocationDefinitionSource(this
.getUrlMatcher(),
this.buildRequestMap());
}
protected
Map findResources() {
ResourceMapping resourceMapping = new
ResourceMapping(getDataSource(),
resourceQuery);
Map resourceMap = new
LinkedHashMap();
for (Resource resource : (List) resourceMapping.execute())
{
String url = resource.getUrl();
String role =
resource.getRole();
if (resourceMap.containsKey(url))
{
String value =
resourceMap.get(url);
resourceMap.put(url, value + "," +
role);
} else {
resourceMap.put(url, role);
}
}
return resourceMap;
}
protected
LinkedHashMap buildRequestMap()
{
LinkedHashMap requestMap = null;
requestMap = new
LinkedHashMap();
ConfigAttributeEditor editor = new
ConfigAttributeEditor();
Map resourceMap =
this.findResources();
for (Map.Entry entry : resourceMap.entrySet())
{
RequestKey key = new RequestKey(entry.getKey(),
null);
editor.setAsText(entry.getValue());
requestMap.put(key,
(ConfigAttributeDefinition)
editor.getValue());
}
return requestMap;
}
protected
UrlMatcher getUrlMatcher() {
return new AntUrlPathMatcher();
}
public void
setResourceQuery(String resourceQuery)
{
this.resourceQuery =
resourceQuery;
}
private
class Resource {
private String url;
private String role;
public Resource(String url, String role)
{
this.url = url;
this.role = role;
}
public String getUrl() {
return url;
}
public String getRole() {
return role;
}
}
private
class ResourceMapping extends MappingSqlQuery
{
protected ResourceMapping(DataSource
dataSource,
String resourceQuery) {
super(dataSource,
resourceQuery);
compile();
}
protected Object mapRow(ResultSet rs, int
rownum)
throws SQLException {
String url = rs.getString(1);
String role = rs.getString(2);
Resource resource = new Resource(url,
role);
return resource;
}
}
}
将自定义的过滤器放入到原有的spring security过滤器链中(在spring配置文件中配置)
定义自定义过滤器(sql语句用于查询资源的URL地址 如:/index.jsp 和角色名 如ROLE_USER)
class="com.lovo.JdbcFilterInvocationDefinitionSourceFactoryBean">
select m.address,r.descn
from t_module_role mr
join t_module m on mr.m_id=m.id
join t_role r on mr.r_id=r.id;
"/>
将自定义过滤器放入过滤器链中
class="org.springframework.security.intercept.web.FilterSecurityInterceptor"
>
注意:FilterSecurityInterceptor过滤器会向request中写入一个标记,用于标记是否已经控制了当前请求,以避免对同一请求多次处理,导致第2个FilterSecurityInterceptor不会再次执行。
在中不需要再定义,如下:
authentication-failure-url="/error.jsp"
default-target-url="/index.jsp"
/>
自定义的过滤器就从配置文件中读取sql,查询结果就是角色和资源,用户登录时就在session中保存了用户的角色。
注意:intercept-url的先后顺序,spring
security使用第一个能匹配的intercept-url标签进行权限控制。
现在intercept-url来源于数据库,所以在sql查询时注意角色和资源的顺序。
建议在角色和资源的中间表中添加1个字段用于标识顺序,(按从严到宽的顺序)
表结构修改如下:
CREATE TABLE `t_module_role` (
`m_id` int(11) NOT
NULL,
`r_id` int(11) NOT
NULL,
`priority` int(11) default NULL,
PRIMARY KEY
(`m_id`,`r_id`),
KEY `FKA713071E2D31C656`
(`r_id`),
KEY `FKA713071ED78C9071`
(`m_id`),
CONSTRAINT `FKA713071ED78C9071` FOREIGN KEY
(`m_id`) REFERENCES `t_module`
(`id`),
CONSTRAINT `FKA713071E2D31C656` FOREIGN KEY
(`r_id`) REFERENCES `t_role`
(`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
数据如下:
insert into t_account values(1,'zhangsan','123',1);
insert into t_account values(2,'lisi','321',1);
insert into t_role values(1,'系统管理员','ROLE_ADMIN');
insert into t_role values(2,'普通用户','ROLE_USER');
insert into t_account_role values(1,2);
insert into
t_account_role values(2,1);
insert into
t_module
values(1,'部门管理','/dept.jsp');
insert into
t_module
values(2,'人员管理','/emp.jsp');
insert into
`t_module_role` values(1,1,3);
insert into
`t_module_role` values(1,2,2);
insert into
`t_module_role` values(2,1,1);
自定义过滤器修改如下:
class="com.lovo.JdbcFilterInvocationDefinitionSourceFactoryBean">
select m.address,r.descn
from t_module_role mr
join t_module m on mr.m_id=m.id
join t_role r on mr.r_id=r.id
order by mr.priority
"/>
如果持久层使用的是hibernate,那么只需要给自定义过滤器注入1个hibernateTemplate.
在自定义过滤器中就不需要再使用mapRow的方式。而是直接获取url和角色名即可。
例如:
public class
ModuleFilter implements FactoryBean
{
private String resourceQuery;
public
boolean isSingleton() {
return true;
}
public Class
getObjectType() {
return
FilterInvocationDefinitionSource.class;
}
public
Object getObject() {
return new
DefaultFilterInvocationDefinitionSource(this
.getUrlMatcher(),
this.buildRequestMap());
}
protected
Map findResources() {
ResourceMapping resourceMapping = new
ResourceMapping();
Map resourceMap = new
LinkedHashMap();
for (Resource resource : (List) resourceMapping.execute())
{
String url = resource.getUrl();
String role =
resource.getRole();
if (resourceMap.containsKey(url))
{
String value =
resourceMap.get(url);
resourceMap.put(url, value + "," +
role);
} else {
resourceMap.put(url, role);
}
}
return resourceMap;
}
protected
LinkedHashMap buildRequestMap()
{
LinkedHashMap requestMap = null;
requestMap = new
LinkedHashMap();
ConfigAttributeEditor editor = new
ConfigAttributeEditor();
Map resourceMap =
this.findResources();
for (Map.Entry entry : resourceMap.entrySet())
{
RequestKey key = new RequestKey(entry.getKey(),
null);
editor.setAsText(entry.getValue());
requestMap.put(key,
(ConfigAttributeDefinition)
editor.getValue());
}
return requestMap;
}
protected
UrlMatcher getUrlMatcher() {
return new AntUrlPathMatcher();
}
public void
setResourceQuery(String resourceQuery)
{
this.resourceQuery =
resourceQuery;
}
private
class Resource {
private String url;
private String role;
public Resource(String url, String role)
{
this.url = url;
this.role = role;
}
public String getUrl() {
return url;
}
public String getRole() {
return role;
}
}
private
class ResourceMapping{
public List execute(){
List rlist = new ArrayList();
List list =
hibernateTemplate.find(resourceQuery);
for(int i=0;i
Role role = list.get(i);
Set set = role.getModuleSet();
Iterator it = set.iterator();
while(it.hasNext()){
Module m = it.next();
Resource re = new
Resource(m.getUrl(),role.getDescn());
rlist.add(re);
}
}
return rlist;
}
}
public void
setHibernateTemplate(HibernateTemplate hibernateTemplate)
{
this.hibernateTemplate = hibernateTemplate;
}
private HibernateTemplate hibernateTemplate;
}
而从灵活性的角度考虑,把hql写在配置文件中
value="from com.lovo.po.Role order by
ind">
问题:系统只会在初始化的时候从数据库中加载信息。无法识别数据库中信息的改变。
解决:每个jsp页面上重新内存
代码:每个jsp页面include如下代码:
spring-security-core-2.0.5.RELEASE.jar
spring-security-core-tiger-2.0.5.RELEASE.jar
一.配置过滤器
在web.xml中定义如下过滤器
CREATE TABLE `t_account` (
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `t_account_role` (
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
insert into t_account values(1,'zhangsan','123',1);
insert into t_account values(2,'lisi','321',1);
insert into t_role values(1,'系统管理员','ROLE_ADMIN');
insert into t_role values(2,'普通用户','ROLE_USER');
insert into t_account_role values(1,2);
当用户登录时,spring security首先判断用户是否可以登录。用户登录后spring security获得该用户的
所有权限以判断用户是否可以访问资源。
spring配置文件中定义
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `t_account_role` (
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `t_module` (
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
CREATE TABLE `t_module_role` (
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
insert into t_account values(1,'zhangsan','123',1);
insert into t_account values(2,'lisi','321',1);
insert into t_role values(1,'系统管理员','ROLE_ADMIN');
insert into t_role values(2,'普通用户','ROLE_USER');
insert into t_account_role values(1,2);
1.在自定义的过滤器中获取资源的URL地址和角色名以取代spring配置文件中原有的
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.sql.DataSource;
import org.springframework.beans.factory.FactoryBean;
import org.springframework.jdbc.core.support.JdbcDaoSupport;
import org.springframework.jdbc.object.MappingSqlQuery;
import org.springframework.security.ConfigAttributeDefinitio
import org.springframework.security.ConfigAttributeEditor;
import org.springframework.security.intercept.web.DefaultFilterInvocationD
import org.springframework.security.intercept.web.FilterInvocationDefiniti
import org.springframework.security.intercept.web.RequestKey;
import org.springframework.security.util.AntUrlPathMatcher;
import org.springframework.security.util.UrlMatcher;
public class JdbcFilterInvocationDefi
}
将自定义的过滤器放入到原有的spring security过滤器链中(在spring配置文件中配置)
定义自定义过滤器(sql语句用于查询资源的URL地址 如:/index.jsp 和角色名 如ROLE_USER)
from t_module_role mr
join t_module m on mr.m_id=m.id
join t_role r on mr.r_id=r.id;
CREATE TABLE `t_module_role` (
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
数据如下:
insert into t_account values(1,'zhangsan','123',1);
insert into t_account values(2,'lisi','321',1);
insert into t_role values(1,'系统管理员','ROLE_ADMIN');
insert into t_role values(2,'普通用户','ROLE_USER');
insert into t_account_role values(1,2);
from t_module_role mr
join t_module m on mr.m_id=m.id
join t_role r on mr.r_id=r.id
order by mr.priority
private String resourceQuery;
return rlist;
this.hibernateTemplate = hibernateTemplate;
}
private HibernateTemplate hibernateTemplate;
}
而从灵活性的角度考虑,把hql写在配置文件中
版权声明:本文为博主原创文章,未经博主允许不得转载。