LDAP and Acegi? ---- Dissecting the Acegi configuration file
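There is no necessary connection between these two, is there? I'm not familiar with LDAP, and even less familiar with Acegi. Heh, mix the two together and it all becomes a mess.
LDAP seems to be something related to database connections, so how does it differ from JDBC, the common way of connecting to a database today? And from JNDI? What advantages does it have over those two? And how does that advantage happen to match what Acegi needs?
All I know about Acegi is that it is a security framework that works well with Spring. Leaving the other aspects of security aside for now, let's look only at how it manages login. Login certainly has to access a database, so how does the Acegi configuration file express the management of that database access?
Studying the applicationContext-acegi-secutiry.xml file defined in the project carefully, it configures the following beans: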
1, filterChainProxy --> org.acegisecurity.util.FilterChainProxy
    property: filterInvocationDefinitionSource, with the value:
        CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
        PATTERN_TYPE_APACHE_ANT
        /**=httpSessionContextIntegrationFilter,logoutFilter,authenicationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
        What is this long string of parameters for, and what type is filterInvocationDefinitionSource?
            I looked at its source code, and its type is FilterInvocationDefinitionSource. So how can that type accept the long string above?
            Looking further at the source of FilterInvocationDefinitionSource, it is an interface, which is even worse: when FilterChainProxy's setter is called during initialization, how can an interface be instantiated? An anonymous inner class?
            Let's read on for now .........
2, httpSessionContextIntegrationFilter --> org.acegisecurity.context.HttpSessionContextIntegrationFilter. This class has no properties to configure.
3, logoutFilter --> org.acegisecurity.ui.logout.LogoutFilter
    One <constructor-arg> sets value="/index.htm".
    Another <constructor-arg> sets a List whose values are:
    <ref bean="rememberMeServices"/>
    and <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
4, authenicationProcessingFilter --> org.acegisecurity.ui.webapp.AuthenticationProcessingFilter
    Six properties:
        authenticationManager ref="authenticationManager"
        authenticationFailureUrl value="/jsp/accessDenied.jsp"
        alwaysUseDefaultTargetUrl value="true"
        defaultTargetUrl value="/pages/content.html"
        filterProcessesUrl value="/jsp/j_acegi_security_check"    <-- this one seems to be quite important.
        rememberMeServices ref="rememberMeServices"
5, securityContextHolderAwareRequestFilter --> org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter. No properties to configure.
6, rememberMeProcessingFilter --> org.acegisecurity.ui.rememberme.RememberMeProcessingFilter
    Two properties:
    authenticationManager ref="authenticationManager"
    rememberMeServices ref="rememberMeServices"
7, anonymousProcessingFilter --> org.acegisecurity.providers.anonymous.AnonymousProcessingFilter
    Two properties:
    key value="changeThis"
    userAttribute value="anonymousUser,ROLE_ANONYMOUS"
8, exceptionTranslationFilter --> org.acegisecurity.ui.ExceptionTranslationFilter
    Two properties:
        <property name="authenticationEntryPoint">
            <bean value="/jsp/login.jsp"/>
                <property name="forceHttps" value="false"/>
            </bean>
        </property>
        <property name="accessDeniedHandler">
            <bean value="/jsp/accessDenied.jsp"/>
            </bean>
        </property>
9, filterInvocationInterceptor --> org.acegisecurity.intercept.web.FilterSecurityInterceptor
    Three properties:
    authenticationManager ref="authenticationManager"
        <property name="accessDecisionManager">
            <bean value="false"/>
                <property name="decisionVoters">
                    <list>
                        <bean ref="userDetailsService"/>
        <property name="key" value="changeThis"/>
11, authenticationManager --> org.acegisecurity.providers.ProviderManager
    One property:
        <property name="providers">    <-- could this be where the login information is verified? It is called "providers", after all.
            <list>
                <!-- To Disable LDAP, comment out ldapAuthProvider reference below -->
                <ref local="ldapAuthProvider"/>
                <ref local="daoAuthenticationProvider"/>
                <bean value="changeThis"/>
                </bean>
                <bean value="changeThis"/>
                </bean>
            </list>
        </property>
12, daoAuthenticationProvider --> org.acegisecurity.providers.dao.DaoAuthenticationProvider
    One property:
        <property name="userDetailsService" ref="userDetailsService"/>
13, userDetailsService --> org.acegisecurity.userdetails.memory.InMemoryDaoImpl
    One property:
        <property name="userMap">
            <value>
                jklaassen=4moreyears,ROLE_ADMIN
                test=test,ROLE_MPIXTOOLGROUP    <-- this is static verification; doesn't it look up the user and password in the database?
                devteam=get2work,ROLE_MPIXTOOLGROUP
                jgaerlan=1234,ROLE_MPIXTOOLGROUP
                opts=opts,ROLE_OPERATIONS
            </value>
        </property>
    Note that a block of configuration below is commented out:    <-- this one is meant to look things up in the database, right?
    <!--
        <bean id="userDetailsService" class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
            <property name="dataSource">
                <ref bean="dataSource"/>
            </property>
            <property name="usersByUsernameQuery">
                <value>{call dbo.MLab_User_GetInfoByUserName(?)}</value>
            </property>
            <property name="authoritiesByUsernameQuery">
                <value>{call dbo.MLab_UserRole_GetInfoByID(?)}</value>
            </property>
        </bean>
    -->
14, initialDirContextFactory --> org.acegisecurity.ldap.DefaultInitialDirContextFactory
    Its configuration is as follows:
        <constructor-arg value="ldap://dc03:389/OU=Employees,OU=Pleasanton,dc=kittyhawk,dc=funmail,dc=com"/>
        <property name="managerDn">
            <value>cn=mpixtool,OU=Employees,OU=Pleasanton,dc=kittyhawk,dc=funmail,dc=com</value>
        </property>
        <property name="managerPassword">
            <value>p@55w0rd</value>    <-- this password isn't actually used; test's is used instead
        </property>
15, userSearch --> org.acegisecurity.ldap.search.FilterBasedLdapUserSearch    <-- is this what handles verifying the user who logs in?
        <constructor-arg index="0">
            <value></value>
        </constructor-arg>
        <constructor-arg index="1">
            <value>sAMAccountName={0}</value>
        </constructor-arg>
        <constructor-arg index="2">
            <ref local="initialDirContextFactory"/>
        </constructor-arg>
        <property name="searchSubtree">
            <value>true</value>
        </property>
16, ldapAuthProvider --> org.acegisecurity.providers.ldap.LdapAuthenticationProvider
        <constructor-arg>
            <bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
                <constructor-arg>
                    <ref local="initialDirContextFactory"/>
                </constructor-arg>
                <property name="userSearch">
                    <ref local="userSearch"/>
                </property>
            </bean>
        </constructor-arg>
        <constructor-arg>
            <bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
                <constructor-arg>
                    <ref local="initialDirContextFactory"/>
                </constructor-arg>
                <constructor-arg>
                    <value></value>
                </constructor-arg>
                <property name="groupRoleAttribute">
                    <value>cn</value>
                </property>
                <property name="rolePrefix">
                    <value>ROLE_</value>
                </property>
                <property name="convertToUpperCase">
                    <value>true</value>
                </property>
                <property name="defaultRole">
                    <value>IS_AUTHENTICATED_FULLY</value>
                </property>
            </bean>
        </constructor-arg>
16 beans are configured in total.
    The beans referenced by filterChainProxy are:
        --httpSessionContextIntegrationFilter, bean 2 above.
        --logoutFilter, bean 3 above.
            ----logoutFilter references:
                ------rememberMeServices (bean 10)
                    --------rememberMeServices references:
                        ----------userDetailsService (bean 13)
        --authenicationProcessingFilter, bean 4 above.
            ----authenicationProcessingFilter references:
                ------authenticationManager (bean 11)
                    --------authenticationManager references:
                        ----------ldapAuthProvider (bean 16)
                            ------------ldapAuthProvider references:
                                --------------initialDirContextFactory (bean 14)
                                --------------userSearch (bean 15)
                        ----------daoAuthenticationProvider (bean 12)
                            ------------daoAuthenticationProvider references:
                                --------------userDetailsService (bean 13)
                ------rememberMeServices (bean 10)
        --securityContextHolderAwareRequestFilter, bean 5 above.
        --rememberMeProcessingFilter, bean 6 above.
            ----rememberMeProcessingFilter references:
                ------authenticationManager (bean 11)
                ------rememberMeServices (bean 10)
        --anonymousProcessingFilter, bean 7 above.
        --exceptionTranslationFilter, bean 8 above.
        --filterInvocationInterceptor, bean 9 above.
            ----filterInvocationInterceptor references:
                ------authenticationManager (bean 11)
        That completes the analysis of the whole bean tree. Of the 15 beans other than filterChainProxy itself, it references 8 directly, and the other 7 are all referenced indirectly. filterChainProxy is without doubt the big boss!
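Reply #1 SSailYang 2008-03-24
LDAP is the Lightweight Directory Access Protocol; it defines the various operations on a directory server and has nothing to do with databases. I recommend that the original poster first read the articles about Acegi on IBM developerWorks. Spring in Action also has material on Acegi; the Acegi version it covers is rather old, but the basics have not changed.

Reply #2 SINCE1978 2009-05-31
"What is this long string of parameters for, and what type is filterInvocationDefinitionSource?
I looked at its source code, and its type is FilterInvocationDefinitionSource. So how can that type accept the long string above?........."
FilterInvocationDefinitionSource (let's call it FIDS for short; Acegi is full of long class names, and even Ben Alex himself uses abbreviations :) is a property of FilterChainProxy. It is injected by means of Spring's property editors, that is, by the FilterInvocationDefinitionSourceEditor class in the same package. This is not something Spring invented either; it is the JavaBeans specification. What Spring does for us should be to detect whether a classEditor exists for a given class in the same package and, if so, automatically register that PropertyEditor with the JDK's PropertyEditorManager, so that the PropertyEditor receives the property text from the XML configuration, parses it into an instance of the corresponding property type, and injects it.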
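
The mechanism described in reply #2, as an added Java example that is not part of the original thread and is not Acegi's own editor: a `PropertyEditor` receives the string from the XML and produces an object implementing the interface-typed property. `ChainSource` and `ChainSourceEditor` are hypothetical names, the input is a constructed, shortened copy of the filterChainProxy value, and lookup is by exact pattern string rather than Ant matching.

```java
import java.beans.PropertyEditor;
import java.beans.PropertyEditorSupport;
import java.util.*;

public class FilterChainEditorDemo {
    /** Hypothetical stand-in for the interface-typed property: URL pattern -> ordered filter bean names. */
    public interface ChainSource { List<String> filtersFor(String pattern); }

    /** Hypothetical editor: turns the text of the XML value into a ChainSource instance. */
    public static class ChainSourceEditor extends PropertyEditorSupport {
        @Override
        public void setAsText(String text) {
            final Map<String, List<String>> chains = new LinkedHashMap<>(); // keeps declaration order
            for (String raw : text.split("\\R")) {
                String line = raw.trim();
                if (line.isEmpty() || line.equals("CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON")
                        || line.equals("PATTERN_TYPE_APACHE_ANT")) {
                    continue; // blank line or directive: no pattern mapping on this line
                }
                int eq = line.indexOf('=');
                if (eq <= 0) {
                    throw new IllegalArgumentException("not a pattern=filters line: " + line);
                }
                List<String> names = new ArrayList<>();
                for (String n : line.substring(eq + 1).split(",")) {
                    if (!n.trim().isEmpty()) names.add(n.trim());
                }
                chains.put(line.substring(0, eq).trim(), names);
            }
            // The editor, not the container, supplies a concrete implementation of the interface.
            setValue((ChainSource) p -> chains.getOrDefault(p, Collections.emptyList()));
        }
    }

    public static void main(String[] args) {
        // Constructed sample input, shortened from the filterChainProxy value in the post.
        String text = "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON\n"
                + "PATTERN_TYPE_APACHE_ANT\n"
                + "/**=httpSessionContextIntegrationFilter,logoutFilter,filterInvocationInterceptor\n";
        PropertyEditor editor = new ChainSourceEditor(); // a container would look this up by property type
        editor.setAsText(text);                          // the String from the XML goes in
        ChainSource source = (ChainSource) editor.getValue(); // a typed object comes out, ready for the setter
        System.out.println(source.filtersFor("/**"));
    }
}
```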