最近在做一个项目,负责用户管理,要求使用数据库对用户和权限进行管理,对资源进行管理等,想用 Spring Security 2.0 来实现。看了几篇文章和 Spring Security 的文档,但还是感觉没明白,想求几个 Spring Security 的源码看一下。自己也找了几个例子,但不是没连数据库就是不能下载。有这方面例子(源码)的分享一下吧,可以直接发到
希望各位帮帮忙……

解决方案 »

  1.   

    也许这个能帮到你,不错的案例:http://www.javaeye.com/topic/319965
      

  2.   

    那看看这个配置:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
    <!-- Filter chain configuration. The filterInvocationDefinitionSource property lists
         which filters run and in what order; the order is significant and must not be
         rearranged. The two directive lines lower-case the request URL before matching
         and select Ant-style patterns. The single rule maps every URL (/**) to the four
         filter beans named after '=', each of which is defined by id in this file. -->
        <bean id="filterChainProxy"
             class="org.springframework.security.util.FilterChainProxy">
            <property name="filterInvocationDefinitionSource">
                <value><![CDATA[
                 CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                 PATTERN_TYPE_APACHE_ANT
                 /**=httpSessionIntegrationFilter,authenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor]]>
                </value>
            </property>
        </bean>
        <!-- 看看你是否已经登录了,如果登录了就略过下面的过滤器了,直接访问资源 -->
        <bean id="httpSessionIntegrationFilter"
             class="org.springframework.security.context.HttpSessionContextIntegrationFilter" />
        <!-- 安全验证入口 -->
        <bean id="authenticationEntryPoint"
             class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
            <property name="loginFormUrl" value="/index.jsp" /><!--默认登录页面-->
            <property name="forceHttps" value="true" /><!--使登录页面通过 HTTPS安全地进行显示-->
        </bean>
        <!-- 身份验证过滤器,就是验证身份用的嘛 -->
        <bean id="authenticationProcessingFilter"
             class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
            <!-- 验证连接名称,对应表单的action -->
            <property name="filterProcessesUrl"
                 value="/j_spring_security_check" />
                <!-- 验证失败后去哪 -->
            <property name="authenticationFailureUrl"
                 value="/index.jsp?error=1" />
                <!-- 验证成功后去哪 -->
            <property name="defaultTargetUrl"
                 value="/security/security.jsp" />
            <!--依靠一个身份验证管理器来验证身份 其实这个才是干活的BEAN-->
            <property name="authenticationManager"
                 ref="authenticationManager" />
        </bean>
        <!-- 用于处理登录失败异常和权限不足异常 -->
        <bean id="exceptionTranslationFilter"
             class="org.springframework.security.ui.ExceptionTranslationFilter">
            <!--配置出现exception时跳转到登录页-->
            <property name="authenticationEntryPoint"
                 ref="authenticationEntryPoint" />
            <!--配置403(权限不足)错误后跳转的页面-->
            <property name="accessDeniedHandler" ref="accessDeniedHandler" />
        </bean>
        <!-- 配置权限不足时跳转到的页面 -->
        <bean id="accessDeniedHandler"
             class="org.springframework.security.ui.AccessDeniedHandlerImpl">
            <property name="errorPage" value="/error.jsp" />
        </bean>
        <!-- Security interceptor: makes the authorization decision for each web request. -->
        <bean id="filterSecurityInterceptor"
             class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
            <!-- Authentication manager. -->
            <property name="authenticationManager"
                 ref="authenticationManager" />
            <!-- Access decision manager: its voters decide whether the logged-in user may access the resource. -->
            <property name="accessDecisionManager"
                 ref="accessDecisionManager" />
            <!-- Protected resources. -->
            <property name="objectDefinitionSource">
                <!-- The rule below requires ROLE_ADMIN for /security/security.jsp.
                     NOTE(review): this is the only rule, so every other URL carries no
                     security attribute and this interceptor lets it through as public.
                     Consider ending the list with a catch-all pattern, or setting
                     rejectPublicInvocations, so that new pages are protected by default. -->
                <value><![CDATA[
                     CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                     PATTERN_TYPE_APACHE_ANT
                     /security/security.jsp=ROLE_ADMIN]]>
                </value>
            </property>
        </bean>
        <!-- 验证管理者,他管理DAO验证提供者来验证 -->
        <bean id="authenticationManager"
             class="org.springframework.security.providers.ProviderManager">
            <property name="providers">
                <list>
                    <!-- DAO验证提供者,SPRING SECURITY支持各种验证,这里可以添加相应配置 -->
                    <ref local="daoAuthenticationProvider" />
                </list>
            </property>
        </bean>
        <!--  -->
        <bean id="accessDecisionManager"
             class="org.springframework.security.vote.AffirmativeBased">
            <!-- 如果所有投票者都弃权则不让访问 -->
            <property name="allowIfAllAbstainDecisions">
                <value>false</value>
            </property>
            <!-- 参加投票的BEAN -->
            <property name="decisionVoters">
                <list>
                    <bean class="org.springframework.security.vote.RoleVoter">
                        <!-- 权限的前缀 -->
                        <property name="rolePrefix" value="ROLE_" />
                    </bean>
                    <bean class="org.springframework.security.vote.AuthenticatedVoter" />
                </list>
            </property>
        </bean>
        <!-- DAO验证提供者依靠userDetailsService获得一个userDetails实例,进而验证权限 -->
        <bean id="daoAuthenticationProvider"
             class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
            <!-- jdbcDaoImpl实现了userDetailsService接口 -->
            <property name="userDetailsService">
                <ref local="jdbcDaoImpl" />
            </property>
        </bean>
        <!-- JDBC-backed user details service: reads accounts and authorities with the two
             queries below. Both queries bind the username through the ? placeholder. -->
        <bean id="jdbcDaoImpl"
             class="org.springframework.security.userdetails.jdbc.JdbcDaoImpl">
            <!-- Loads the username, password and enabled flag for the given username. -->
            <property name="usersByUsernameQuery">
                <value>
                     select username,password,enabled from user where
                     username=?
                </value>
            </property>
            <!-- Loads the user's authorities for the given username. -->
            <property name="authoritiesByUsernameQuery">
                <value>
                     select username,authority from authentication where
                     username=?
                </value>
            </property>
            <!-- JDBC DataSource the two queries run against. -->
            <property name="dataSource">
                <ref local="dataSource" />
            </property>
        </bean>
        <bean id="dataSource"
             class="org.apache.commons.dbcp.BasicDataSource">
            <property name="driverClassName"
                 value="org.gjt.mm.mysql.Driver">
            </property>
            <property name="url" value="jdbc:mysql://localhost:3306/user">
            </property>
            <property name="username" value="root"></property>
            <property name="password" value="hicc"></property>
        </bean>
    </beans>
      

  3.   

     <!-- Protected resources. -->
            <property name="objectDefinitionSource">
                <!-- The rule below requires ROLE_ADMIN for /security/security.jsp. -->
                <value><![CDATA[
                     CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
                     PATTERN_TYPE_APACHE_ANT
                     /security/security.jsp=ROLE_ADMIN]]>
                </value>
            </property>

    能用数据库实现吗?我想使用数据库来对资源进行管理
      

  4.   

    使用数据库来对资源进行管理的例子啊,还有我用的是Spring Security 2.0.4,5楼好像是2.0.3版本的
      

  5.   

    http://www.family168.com/tutorial/springsecurity/html/springsecurity.html
    http://www.family168.com/oa/springsecurity/html/index.html
      

  6.   

    http://code.google.com/p/family168/downloads/detail?name=springsecurity-sample.rar
    ch005文件夹里有
      

  7.   

    下一个springside,里面有完整的例子
      

  8.   

              MARK ........
      

  9.   

    http://www.javaeye.com/topic/319965
    下一个springside,里面有完整的例子
      

  10.   


    <!-- Writes the framework's authentication events (successful and failed logins) to the log. -->
    <beans:bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener" />

    <!-- Namespace-style web security setup. An authenticated user who lacks the required
         authority is shown /403.jsp. This element holds no access="..." rules of its own. -->
    <http access-denied-page="/403.jsp">
        <!-- filters="none": matching requests bypass the security filter chain completely
             (static files, templates, the site root and the login page), so no security
             context is available while they are served.
             NOTE(review): /js/* matches a single directory level, unlike the /** patterns
             next to it. Confirm that is intended. -->
        <intercept-url pattern="/static/**" filters="none"/>
        <intercept-url pattern="/template/**" filters="none"/>
        <intercept-url pattern="/" filters="none"/>
        <intercept-url pattern="/js/*" filters="none"/>
        <intercept-url pattern="/resources/**" filters="none"/>
        <intercept-url pattern="/login.jsp" filters="none"/>

        <!-- Form login: the login page, where to go when login fails, and the default
             destination after a successful login. -->
        <form-login login-page="/login.jsp"
                    authentication-failure-url="/login.jsp?error=true"
                    default-target-url="/login"/>

        <!-- After logout, return to the login page. -->
        <logout logout-success-url="/login.jsp"/>

        <!-- Also accept HTTP Basic credentials.
             NOTE(review): Basic authentication resends the password with every request and
             nothing in this element requires HTTPS. Confirm that TLS is enforced elsewhere. -->
        <http-basic/>
    </http>

    <!-- Publishes the authentication manager created by the namespace under the bean name
         authenticationManager so that other beans can reference it. -->
    <authentication-manager alias="authenticationManager"/>

    <!-- Authenticates users through the securityManager user-service bean. -->
    <!-- NOTE(review): passwords are compared as MD5 hashes and no salt is configured. MD5 is
         fast to brute-force and unsalted hashes of equal passwords are identical. Plan a
         migration to a salted, deliberately slow password hash. -->
    <authentication-provider user-service-ref="securityManager">
        <password-encoder hash="md5"/>
    </authentication-provider>

    <!-- Access decision manager (AffirmativeBased): grants access as soon as one of the
         voters below votes to grant. -->
    <beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
        <!-- Deny access when every voter abstains. -->
        <beans:property name="allowIfAllAbstainDecisions" value="false"/>
        <!-- Voters consulted for each decision. -->
        <beans:property name="decisionVoters">
            <beans:list>
                <!-- Votes on role attributes; no rolePrefix is set, so the voter's default prefix applies. -->
                <beans:bean class="org.springframework.security.vote.RoleVoter"/>
                <!-- Votes on the IS_AUTHENTICATED_* attributes. -->
                <beans:bean class="org.springframework.security.vote.AuthenticatedVoter"/>
            </beans:list>
        </beans:property>
    </beans:bean>

    <!-- Additional FilterSecurityInterceptor whose URL-to-authority rules come from a
         separate bean instead of inline patterns. -->
    <beans:bean id="resourceSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
        <!-- Source of the protected-resource rules: a project class that is not shown here.
             Presumably it loads the rules from the database; verify against that class. -->
        <beans:property name="objectDefinitionSource" ref="secureResourceFilterInvocationDefinitionSource" />
        <!-- false: run the check even when a security interceptor has already handled this
             request, which is the case here because the http element installs its own. -->
        <beans:property name="observeOncePerRequest" value="false" />
        <!-- Register this bean in the namespace filter chain, after the last standard filter. -->
        <custom-filter after="LAST" />
    </beans:bean>

    <!-- Project class (not shown) that supplies the URL-to-authority rules used by
         resourceSecurityInterceptor. -->
    <beans:bean id="secureResourceFilterInvocationDefinitionSource"
                class="edu.leadforwar.filter.SecureResourceFilterInvocationDefinitionSource"/>

    <!-- Project class (not shown) that the authentication provider uses as its user
         service. It is given the sessionFactory bean, which is defined elsewhere. -->
    <beans:bean id="securityManager" class="edu.leadforwar.dao.SecurityManagerSupport">
        <beans:property name="sessionFactory" ref="sessionFactory"/>
    </beans:bean>

    找了一段代码,可是看不太懂,有没有人可以给加点注释,解释一下
      

  11.   

      <http access-denied-page="/403.jsp" ><authentication-manager alias="authenticationManager" />   <beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
            <beans:property name="allowIfAllAbstainDecisions" value="false"/>
            <beans:property name="decisionVoters">
                <beans:list>
                    <beans:bean class="org.springframework.security.vote.RoleVoter"/>
                   
    <beans:bean id="resourceSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
            <beans:property name="authenticationManager" ref="authenticationManager"/>
            <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
            <beans:property name="objectDefinitionSource" ref="secureResourceFilterInvocationDefinitionSource" />
            <beans:property name="observeOncePerRequest" value="false" />
            <custom-filter after="LAST" /> <beans:bean id="secureResourceFilterInvocationDefinitionSource" class="edu.leadforwar.filter.SecureResourceFilterInvocationDefinitionSource" />