Spring-Security 3: a first look
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    <http use-expressions="true" auto-config="true">
        <!-- intercept-url patterns are evaluated top to bottom and the first match wins,
             so the catch-all /** must stay last -->
        <intercept-url pattern="/secure/protected.jsp" access="hasRole('ROLE_USER')"/>
        <intercept-url pattern="/login.jsp" access="isAnonymous()"/>
        <intercept-url pattern="/**" access="permitAll"/>
        <form-login login-processing-url="/j_spring_security_check"
                    login-page="/login.jsp" default-target-url="/index.jsp"
                    authentication-failure-url="/login.jsp?error=1"/>
        <logout logout-url="/j_spring_security_logout"/>
    </http>
    <authentication-manager>
        <authentication-provider user-service-ref="securityManager"/>
    </authentication-manager>
    <!-- The bean that implements UserDetailsService (class name here is a placeholder;
         substitute your own). A bean has no 'access' attribute: a combined web expression
         such as access="hasRole('admin') and hasIpAddress('192.168.1.0/24')" belongs on an
         <intercept-url> inside <http>, not on the bean definition. -->
    <beans:bean id="securityManager" class="com.example.security.SecurityManager"/>
</beans:beans>
Besides the common built-in expressions and the web security expressions, Spring Security also provides annotation-based expressions, the method security expressions. Before they can be used, the following must be declared in the context.xml:
<global-method-security pre-post-annotations="enabled"/>
Only then can access rules be attached to the methods of a bean class:
// caller must hold ROLE_USER
@PreAuthorize("hasRole('ROLE_USER')")
public void create(Contact contact);
// OR: ACL-style check on the method argument via the configured PermissionEvaluator
@PreAuthorize("hasPermission(#contact, 'admin')")
public void deletePermission(Contact contact, Sid recipient, Permission permission);
// OR: compare an argument with the authenticated user's name.
// 'authentication.name' is always available; 'principal.name' only works if the
// principal object actually exposes a getName(), which the stock User class does not.
@PreAuthorize("#contact.name == authentication.name")
public void doSomething(Contact contact);
Not yet discussed in the security-context.xml above are <form-login> and <logout>. They map to /j_spring_security_check and /j_spring_security_logout respectively, which are Spring Security's own filter URLs. They can be changed, but that is beyond the scope of this note.
The overall flow is:
- The URL patterns in <http> decide which requests are intercepted; authentication is then delegated to the bean named in <authentication-manager>, a class implementing UserDetailsService.
- That bean's loadUserByUsername method looks up the user in a DB or LDAP directory and, on success, returns an instance implementing UserDetails.
- Spring Security then verifies the password and performs authorization, deciding whether access is allowed. Note that the password check is not done by your bean: the authentication provider compares the submitted password with the one carried by the returned UserDetails, using the configured password encoder.
- Between steps 2 and 3: when the UserDetails instance is constructed, the properties the interface demands must already be set, most importantly username, password and authorities. Populate them before loadUserByUsername returns; Spring Security reads them from the returned object and nothing else.
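The flow above, written out as an added example (not code from the original post): a UserDetailsService that could serve as the "securityManager" bean. The package and class name are assumptions, and the in-memory map with its three accounts is constructed sample data standing in for the DB or LDAP lookup. Every UserDetails property is set before the object is returned, and the password carried by the returned User is the stored hash, which the provider compares against the submitted password.

```java
package com.example.security;

import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * Example UserDetailsService (added example, assumed package/class name).
 * Spring Security calls loadUserByUsername() with the name posted to
 * /j_spring_security_check; DaoAuthenticationProvider then checks the submitted
 * password against the one in the returned UserDetails, so the object must be
 * fully populated (username, password, authorities, status flags) on return.
 */
public class SecurityManager implements UserDetailsService {

    /** One stored account: password hash, enabled flag and role names. */
    private static final class Account {
        final String passwordHash;
        final boolean enabled;
        final String[] roles;

        Account(String passwordHash, boolean enabled, String... roles) {
            this.passwordHash = passwordHash;
            this.enabled = enabled;
            this.roles = roles;
        }
    }

    /** Constructed sample store standing in for the DB or LDAP directory. */
    private static final Map<String, Account> USERS = new HashMap<String, Account>();
    static {
        // Hashes are computed here only so the sample carries no literal digests;
        // a real store holds the (salted) hash and never the clear-text password.
        USERS.put("alice", new Account(sha256Hex("alice-pw"), true, "ROLE_USER"));
        USERS.put("bob", new Account(sha256Hex("bob-pw"), true, "ROLE_USER", "ROLE_ADMIN"));
        USERS.put("mallory", new Account(sha256Hex("mallory-pw"), false, "ROLE_USER"));
    }

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Account account = USERS.get(username);
        if (account == null) {
            // DaoAuthenticationProvider hides this as BadCredentialsException by
            // default, so the login form cannot be used to enumerate user names.
            throw new UsernameNotFoundException("No such user: " + username);
        }
        // The authorities are what hasRole('ROLE_USER') in <intercept-url> and
        // @PreAuthorize are evaluated against.
        Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String role : account.roles) {
            authorities.add(new GrantedAuthorityImpl(role));
        }
        // Every UserDetails property is set before the object leaves this method.
        return new User(username,
                        account.passwordHash,   // compared by the configured <password-encoder>
                        account.enabled,        // disabled accounts fail with DisabledException
                        true,                   // accountNonExpired
                        true,                   // credentialsNonExpired
                        true,                   // accountNonLocked
                        authorities);
    }

    /** Lower-case hex SHA-256, the format ShaPasswordEncoder(256) produces without a salt. */
    static String sha256Hex(String clearText) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(clearText.getBytes("UTF-8"));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }
}
```

For the stored hashes to be compared correctly, the <authentication-provider user-service-ref="securityManager"/> element in the XML above needs a nested <password-encoder hash="sha-256"/>; without one, the provider treats the stored value as plain text and every login fails. In production the hash should also be salted (the password-encoder element accepts a salt-source), and a disabled or locked account is rejected by the provider from the flags set on the User object, not by logic in loadUserByUsername.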