spring-security 学习笔记
<!-- Study notes: a Spring Security 2.x namespace configuration with the author's remarks written
     inline after the element they describe. Many <bean> and <property> tags lost their class= and
     name= attributes in extraction (for example `<bean id="roleVoter" value="ROLE_" />`), so the
     snippet is not loadable as printed; what survives are the remarks and the security-relevant
     attributes, which the NOTE(review) comments below discuss. -->
security:http是整个spring security框架的入口,把filter按顺序组装成一个链条auto-config="true"相当于配置了基本的一些组件:form-login、anonymous、http-basic、logout、remember-me
<!-- NOTE(review): no intercept-url in this block carries an access= attribute, so <security:http>
     here only decides the channel and wires login/logout; URL authorization presumably comes from
     the separate filterInvocationInterceptor / filterDefinitionSource beans further down. The
     custom-filter wiring that places them in the chain is not visible on this page; confirm it
     exists, otherwise every URL is reachable by any authenticated (or anonymous) user. -->
<!-- NOTE(review): session-fixation-protection="none" keeps the pre-login session id after
     authentication, so a session id planted in the browser before login stays valid afterwards.
     The default (migrateSession) or newSession issues a fresh id at login; keep "none" only if a
     concrete incompatibility was found. -->
<security:http auto-config="true" entry-point-ref="formAuthenticationEntryPoint" 指定登录的入口点,可以切换成CAS session-fixation-protection="none" access-decision-manager-ref="accessDecisionManager">
<!-- NOTE(review): with Ant matching a single * does not cross "/", so "/*/.jpg" as printed matches
     only a file literally named ".jpg" one directory deep; asterisks were probably lost in
     extraction. Check the real pattern against the static-resource paths, because anything matched
     by filters="none" bypasses every security filter and has no security context at all. -->
<security:intercept-url pattern="/*/.jpg" filters="none" />为了性能,忽略图片、js等无需保护的资源
<security:intercept-url pattern="/*/.gif" filters="none" />
<security:intercept-url pattern="/*/.js" filters="none" />
<security:intercept-url pattern="/*/.css" filters="none" />
<security:intercept-url pattern="/*/.png" filters="none" />
<security:intercept-url pattern="/j_spring_security_check*" requires-channel="https" />登录url和页面强制采用https协议
<security:intercept-url pattern="/login.jsp*" requires-channel="https" />
<security:intercept-url pattern="/loginError.jsp*" requires-channel="https" />
<!-- NOTE(review): requires-channel="http" is an active downgrade: an https request for any other
     URL is redirected to http, so the session cookie issued by the https login is then sent in
     clear on every later request. "Non-sensitive resource" only holds if the session itself is
     considered non-sensitive; otherwise use requires-channel="any" here and keep https for the
     whole site. -->
<security:intercept-url pattern="/**" requires-channel="http" />非敏感资源采用http协议即可,以免影响性能
<security:port-mappings>
<security:port-mapping http="8080" https="8443" />指定https和http协议如何切换端口
<security:port-mapping http="80" https="443" />
</security:port-mappings>
<security:form-login login-processing-url="${acegi.login_url}" default-target-url="${acegi.login_success_url}" authentication-failure-url="${acegi.login_failure_url}" />
<!-- NOTE(review): the remember-me key signs the persistent-login cookie; a value committed in
     configuration should be treated as exposed. Generate a random secret per deployment and load
     it from a property, as the acegi.* values above are. -->
<security:remember-me key="e37f4b31-0c45-11dd-bd0b-0800200c9a66" />
<security:logout logout-success-url="/index.bms" />
</security:http>
<bean id="formAuthenticationEntryPoint" 表单登录的入口 value="${acegi.login_page}" />
<property name="forceHttps" value="true" />
</bean>
<security:authentication-manager alias="authenticationManager" />把authentication-manager声明为一个bean,供后面复用
<security:authentication-provider user-service-ref="userDetailsService">
<!-- NOTE(review): hash="md5" with no salt-source is a fast, unsalted digest: identical passwords
     hash identically and precomputed tables apply directly. A slow, per-user randomly salted
     scheme is the defensible choice for stored passwords. -->
<security:password-encoder hash="md5" />
</security:authentication-provider>
<bean id="roleVoter" value="ROLE_" />角色需要加前缀
</bean>
<!- =================CAS CAS================== ->
<bean id="serviceProperties" value="${cas.securityContext.serviceProperties.service}" />从cas返回后验证serviceTicket的URL
<!-- NOTE(review): sendRenew="false" lets the CAS server satisfy this service's login from an
     existing single-sign-on session without asking for credentials again; set it to true if this
     application must always see a fresh authentication. -->
<property name="sendRenew" value="false" />
</bean>
<bean id="casProcessingFilter" />将其加入处理器链 -->
<property name="authenticationManager" ref="authenticationManager" />
<property name="authenticationFailureUrl" value="${acegi.login_failure_url}" />
<property name="alwaysUseDefaultTargetUrl" value="false" />
<property name="defaultTargetUrl" value="${acegi.login_success_url}" />
<property name="filterProcessesUrl" value="${acegi.login_url}" />
</bean>
<bean id="casProcessingFilterEntryPoint" value="${cas.securityContext.casProcessingFilterEntryPoint.loginUrl}" />
<property name="serviceProperties" ref="serviceProperties" />
</bean>
CAS认证提供者:通过HTTPS与CAS通信,认证serviceTicket
<bean id="casAuthenticationProvider" ref="userDetailsService" />
<property name="serviceProperties" ref="serviceProperties" />
<property name="ticketValidator">
<!-- NOTE(review): "an_id_for_this_auth_provider_only" reads as a placeholder (presumably the
     provider's key property); the value should be unique to this deployment. -->
<bean value="an_id_for_this_auth_provider_only" />
</bean>
<bean id="accessDecisionManager" />
<bean />
</list>
</property>
</bean>
<!- ================= UAAS Extends ================== ->
<bean id="filterInvocationInterceptor" />
<property name="authenticationManager" ref="authenticationManager" />
<property name="accessDecisionManager" ref="accessDecisionManager" />
<property name="objectDefinitionSource" ref="filterDefinitionSource" />
</bean>
<bean id="filterDefinitionSource" value="true" />
<property name="useAntPath" value="true" />
<!-- NOTE(review): protectAllResource="false" (here and on objectDefinitionSource) presumably
     leaves any URL or method that is not listed in the database unprotected, i.e. default-allow;
     confirm against the UAAS implementation and prefer default-deny with explicit exemptions. -->
<property name="protectAllResource" value="false" />
<property name="userDetailsService" ref="userDetailsService" />
</bean>
<!-- Load method resources and their associated roles from the database -->
<bean id="objectDefinitionSource" ref="userDetailsService" />
<property name="protectAllResource" value="false" />
</bean>
<bean id="authenticationUtil" ref="roleVoter" />
<property name="filterInvocationDefinitionSource" ref="filterDefinitionSource" />
</bean>
<bean id="userDetailsService" parent="baseTransactionProxy">
<property name="proxyTargetClass" value="true" />
<property name="target">
<bean value="${acegi.uaas.subSystemKey}" />子系统的标识
<property name="orgManager" ref="orgManagerImpl" />
<property name="privilegeManager" ref="privilegeManagerImpl" />
</bean>
</property>
</bean>
<bean id="orgManagerImpl" ref="dao" />
</bean>
<bean id="privilegeManagerImpl" ref="dao" />
</bean>
<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security 2.0 namespace configuration: one <security:http> chain with form login,
     HTTP Basic, single-session control and logout, plus an MD5 authentication provider and
     access-decision / exception-translation beans. Several <bean> elements lost their class=
     and property name= attributes in extraction (for example `<bean id="authManager" />`, and
     `<bean id="accessDecisionManager" value="false"/>` followed by <property> and </bean>), so the
     tail of the document is not well-formed as printed and those beans cannot be reviewed here. -->
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:security="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
<bean id="loggerListener" />
<security:http auto-config='true' access-denied-page="/access.jsp">
<!-- ROLE_SUPERVISOR: super administrator (super user, holds every permission); ROLE_USER: ordinary
     administrator (browse-only user).
     NOTE(review): this legend is stale; the rules below reference ROLE_ADMIN and ROLE_SUPERADMIN only. -->
<!-- For performance, skip the filter chain for images, js and other resources that need no protection.
     NOTE(review): with Ant matching a single * stays within one path segment, so "/*/.jpg" as printed
     matches only a file literally named ".jpg" one directory deep; asterisks were probably lost in
     extraction. Verify the real patterns, since anything matched by filters="none" bypasses every
     security filter. -->
<security:intercept-url pattern="/*/.jpg" filters="none"/>
<security:intercept-url pattern="/*/.gif" filters="none"/>
<security:intercept-url pattern="/*/.png" filters="none"/>
<security:intercept-url pattern="/*/.wmv" filters="none"/>
<security:intercept-url pattern="/*/.css" filters="none"/>
<security:intercept-url pattern="/*/.js" filters="none"/>
<!-- NOTE(review): "/manage/*" and its siblings match one path segment only, so a request such as
     /manage/sub/x.do falls through every rule here, and there is no final "/**" rule, which means
     unmatched URLs are not access-checked at all. Use "/manage/**" style patterns and close the
     list with a "/**" rule requiring at least an authenticated role, so the default is not allow. -->
<security:intercept-url pattern="/layout/*" access="ROLE_ADMIN"/>
<security:intercept-url pattern="/manage/*" access="ROLE_ADMIN"/>
<security:intercept-url pattern="/source/*" access="ROLE_ADMIN"/>
<security:intercept-url pattern="/generalmanage/*" access="ROLE_ADMIN"/>
<security:intercept-url pattern="/supermanage/*" access="ROLE_SUPERADMIN"/>
<!-- NOTE(review): port-mappings are declared but no rule carries requires-channel, so the login
     form, the j_spring_security_check POST and any http-basic header travel over whatever scheme
     the client used; add requires-channel="https" to the login URLs or enforce TLS at the container. -->
<security:port-mappings>
<security:port-mapping http="8080" https="8443"/>
<security:port-mapping http="80" https="443"/>
</security:port-mappings>
<security:form-login login-page="/index.jsp" authentication-failure-url="/index.jsp?flag=error" default-target-url="/generalmanage/login.do?method=login" login-processing-url="/j_spring_security_check" />
<!-- NOTE(review): exception-if-maximum-exceeded="false" expires the earlier session when a second
     login for the same account arrives (the new login wins); set it to true if a second login
     should instead be rejected. -->
<security:concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="false" expired-url="/expired.jsp"/>
<security:logout logout-success-url="/login.do?method=exit" invalidate-session="true" logout-url="/j_spring_security_logout"/>
<!-- NOTE(review): http-basic is enabled next to form login, so credentials are also accepted in an
     Authorization header on every request; drop it unless a non-browser client needs it. -->
<security:http-basic />
</security:http>
<security:authentication-manager alias="authenticationManager" />
<security:authentication-provider user-service-ref="authManager" >
<!-- NOTE(review): MD5 salted with the username is still a fast digest with a predictable salt: it
     defeats shared precomputed tables but not per-user guessing, and the same user/password pair
     hashes identically across deployments. Prefer a slow, randomly salted password scheme. -->
<security:password-encoder hash="md5">
<security:salt-source user-property="username"/>
</security:password-encoder>
</security:authentication-provider>
<bean id="authManager" />
<bean id="accessDecisionManager" value="false"/>
<property name="decisionVoters"><list>
<bean />
<bean />
</list>
</property></bean>
<bean id="exceptionTranslationFilter" ref="accessDeniedHandler"/>
<property name="authenticationEntryPoint" ref="authenticationEntryPoint"/></bean>
<bean id="accessDeniedHandler" value="/access.jsp"/></bean>
<bean id="authenticationEntryPoint" value="/index.jsp"/></bean>
</beans>
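/**
 * Created Dec 8, 2009.
 */
package cn.com.sohocat.security;

import org.springframework.dao.DataAccessException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;
import org.springframework.security.userdetails.UsernameNotFoundException;

import cn.com.sohocat.api.IHoAdmin;
import cn.com.sohocat.pojo.HoAdministrator;
import cn.com.sohocat.util.BeanHelp;
import cn.com.sohocat.util.LogClass;

/**
 * {@link UserDetailsService} that resolves a login name to the matching
 * {@link HoAdministrator} record, which is handed back directly as the
 * {@link UserDetails} Spring Security compares the presented password against.
 */
public class AdminLogin extends LogClass implements UserDetailsService {

    /**
     * Looks up the administrator named {@code userName}.
     * <p>
     * A record already present in {@code ScurityUserHolder} is reused only when
     * its username equals {@code userName}; otherwise the administrator is loaded
     * through the {@code iHoAdmin} bean. The previous version returned whatever
     * the holder contained regardless of the requested name, so a record for a
     * different user could be returned and then be checked against the wrong
     * account's password.
     *
     * @param userName login name presented by the authentication request
     * @return the administrator record for that name
     * @throws UsernameNotFoundException if no administrator with that name exists
     * @throws DataAccessException propagated from the lookup
     */
    public UserDetails loadUserByUsername(String userName)
            throws UsernameNotFoundException, DataAccessException {
        HoAdministrator admin = ScurityUserHolder.getCurrentUser();
        // Only trust the held record if it really is the user being asked for.
        if (admin == null || admin.getUsername() == null
                || !admin.getUsername().equals(userName)) {
            IHoAdmin iHoAdmin = (IHoAdmin) BeanHelp.getBean("iHoAdmin");
            admin = iHoAdmin.queryHoAdministratorByAdminName(userName);
        }
        if (admin == null) {
            this.log.debug("***" + userName + "*** 用户名不从在或是用户名密码不匹配");
            throw new UsernameNotFoundException("User " + userName + " has no GrantedAuthority");
        }
        this.log.debug("新用户登陆:***" + userName + "***");
        // Collect the granted authorities for the debug log; getAuthority() is already a String.
        StringBuilder auth = new StringBuilder();
        for (GrantedAuthority authority : admin.getAuthorities()) {
            auth.append(",").append(authority.getAuthority());
        }
        this.log.debug("***" + userName + "***拥有权限:" + auth);
        return admin;
    }
}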
<%@ page language="java" contentType="text/html; charset=UTF-8"%><%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<%-- Administrator menu fragment. Every group and every item is guarded by the same
     ifAllGranted="ROLE_ADMIN" test, so the inner <sec:authorize> tags repeat the enclosing one
     and currently change nothing; they only become meaningful if an item is later given its own role.
     NOTE(review): hiding a link is not authorization; each target URL still needs its own
     intercept-url rule. In the security configuration on this page the /supermanage/ rule requires
     ROLE_SUPERADMIN while the /supermanage/ links below are shown to ROLE_ADMIN, so either the menu
     or the rule is out of step (confirm). Items with href='*' are unfinished placeholders. --%>
<sec:authorize ifAllGranted="ROLE_ADMIN"><div class='unit'><h5>Admin管理</h5><ul>
<sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../supermanage/linkAdmin.jsp'>账户管理</a></li></sec:authorize>
<sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../supermanage/linkGroup.jsp'>组管理</a></li></sec:authorize>
<sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../supermanage/linkRole.jsp'>角色管理</a></li></sec:authorize>
</ul></div></sec:authorize>
<sec:authorize ifAllGranted="ROLE_ADMIN"><div class='unit'><h5>User管理</h5><ul>
<sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='*'>账户管理</a></li></sec:authorize>
<sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='*'>组管理</a></li></sec:authorize>
<sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='*'>角色管理</a></li></sec:authorize>
<sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='*'>积分管理</a></li></sec:authorize>
<sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='*'>货币管理</a></li></sec:authorize>
<sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='*'>群发功能</a></li></sec:authorize>
</ul></div></sec:authorize>
<sec:authorize ifAllGranted="ROLE_ADMIN"><div class='unit'><h5>基础数据管理</h5><ul>
<sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../generalmanage/importcorpus.jsp'>语料批量导入</a></li></sec:authorize>
<sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../generalmanage/importterminology.jsp'>术语批量导入</a></li></sec:authorize>
<sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../generalmanage/corpus.jsp'>语料单条操作</a></li></sec:authorize>
<sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../generalmanage/terminology.jsp'>术语单条操作</a></li></sec:authorize>
<sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../generalmanage/category.jsp'>术语类别操作</a></li></sec:authorize>
<sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='*'>CAT统计</a></li></sec:authorize>
<sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../generalmanage/menu.jsp'>菜单管理</a></li></sec:authorize>
</ul></div></sec:authorize>
<sec:authorize ifAllGranted="ROLE_ADMIN"><div class='unit'><h5>系统参数管理</h5><ul>
<sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../supermanage/fault_tolerance.jsp'>语料插入容错</a></li></sec:authorize>
<sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='/supermanage/corpora_host_map.do?method=query'>语料数据映射</a></li></sec:authorize>
<sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../supermanage/glossary_fault_tolerance.jsp'>术语插入容错</a></li></sec:authorize>
<sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../supermanage/glossary_host_map.jsp'>术语数据映射</a></li></sec:authorize>
<sec:authorize ifAllGranted="ROLE_ADMIN"><li><a href='../supermanage/host_data.jsp'>主机档案</a></li></sec:authorize>
</ul></div></sec:authorize>