原创文章,欢迎转载!转载时务必保留:作者:jmppok ;出处http://blog.csdn.net/jmppok/article/details/44833545
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- 自动配置模式,拦截所有请求,有ROLE_USER才可以通过 -->
<http auto-config="true" >
<intercept-url pattern="/login**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/js/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/**" access="ROLE_USER" />
<form-login login-page="/login.html" authentication-failure-url ="/loginfailure" default-target-url="/loginsuccess"/>
<logout invalidate-session="true" logout-success-url="/login.html" logout-url="/j_spring_security_logout"/>
<access-denied-handler ref="myAuthenticationFailureHandler"/>
<custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="myFilter" />
</http>
<beans:bean id="myAuthenticationFailureHandler" class="com.lenovo.itcloud.api.base.MyAuthenticationFailureHandler" />
<!-- 一个自定义的filter,必须包含authenticationManager,accessDecisionManager,securityMetadataSource三个属性,
我们的所有控制将在这三个类中实现,解释详见具体配置 -->
<beans:bean id="myFilter" class="com.lenovo.itcloud.api.base.MyFilterSecurityInterceptor">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="accessDecisionManager" ref="myAccessDecisionManagerBean" />
<beans:property name="securityMetadataSource" ref="securityMetadataSource" />
</beans:bean>
<!-- 认证管理器。用户名密码都集成在配置文件中 -->
<authentication-manager alias="authenticationManager">
<authentication-provider
user-service-ref="myUserDetailService" />
<!--
<authentication-provider>
<user-service>
<user name="admin" password="admin" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
-->
</authentication-manager>
<beans:bean id="myUserDetailService"
class="com.lenovo.itcloud.api.base.MyUserDetailService" />
<!-- 访问决策器,决定某个用户具有的角色,是否有足够的权限去访问某个资源 -->
<beans:bean id="myAccessDecisionManagerBean"
class="com.lenovo.itcloud.api.base.MyAccessDecisionManager">
</beans:bean>
<!-- 资源源数据定义,即定义某一资源可以被哪些角色访问 -->
<beans:bean id="securityMetadataSource"
class="com.lenovo.itcloud.api.base.MyInvocationSecurityMetadataSource" />
</beans:beans>一个自定义的filter,必须包含authenticationManager,accessDecisionManager,securityMetadataSource三个属性,同时authenticationManager中需要包含一个用户验证服务UserDetailServie。
/**
* 类 MyFilterSecurityInterceptor 的实现描述:TODO 类实现描述
*
* @author ligh4 2015年3月31日下午4:58:57
*/
public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {
private FilterInvocationSecurityMetadataSource securityMetadataSource;
/**
* @author ligh4 2015年3月31日下午5:03:16
*/
@Override
public void destroy() {
// TODO Auto-generated method stub
}
/**
* @author ligh4 2015年3月31日下午5:03:16
*/
@Override
public void doFilter(ServletRequest arg0, ServletResponse arg1, FilterChain arg2)
throws IOException, ServletException {
FilterInvocation fi = new FilterInvocation(arg0, arg1, arg2);
invoke(fi);
}
public void invoke(FilterInvocation fi) throws IOException, ServletException {
InterceptorStatusToken token = super.beforeInvocation(fi);
try {
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
} finally {
super.afterInvocation(token, null);
}
}
public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
return this.securityMetadataSource;
}
public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource newSource) {
this.securityMetadataSource = newSource;
}
/**
* @author ligh4 2015年3月31日下午5:03:16
*/
@Override
public void init(FilterConfig arg0) throws ServletException {
// TODO Auto-generated method stub
}
/**
* @author ligh4 2015年3月31日下午5:03:16
*/
@Override
public Class<?> getSecureObjectClass() {
return FilterInvocation.class;
}
/**
* @author ligh4 2015年3月31日下午5:03:16
*/
@Override
public SecurityMetadataSource obtainSecurityMetadataSource() {
return this.securityMetadataSource;
}
}
/**
* 类 MyUserDetailService 的实现描述:TODO 类实现描述
*
* @author ligh4 2015年3月31日下午5:08:27
*/
@SuppressWarnings("deprecation")
public class MyUserDetailService implements UserDetailsService {
/**
* @author ligh4 2015年3月31日下午5:10:54
*/
@Override
public UserDetails loadUserByUsername(String arg0) throws UsernameNotFoundException {
if (arg0.equals("admin")) {
Collection<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();
GrantedAuthorityImpl auth2 = new GrantedAuthorityImpl("ROLE_USER");
auths.add(auth2);
// User(String username, String password, boolean enabled, boolean accountNonExpired,
// boolean credentialsNonExpired, boolean accountNonLocked, Collection<GrantedAuthority> authorities) {
User user = new User(arg0, "admin", true, true, true, true, auths);
return user;
} else {
throw new UsernameNotFoundException(arg0);
}
}
}
/**
* 类 MyInvocationSecurityMetadataSource 的实现描述:TODO 类实现描述
*
* @author ligh4 2015年3月31日下午5:01:54
*/
public class MyInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
Collection<ConfigAttribute> role_user = new ArrayList<ConfigAttribute>();
Collection<ConfigAttribute> role_anonymous = new ArrayList<ConfigAttribute>();
public MyInvocationSecurityMetadataSource() {
role_user.add(new SecurityConfig("ROLE_USER"));
role_anonymous.add(new SecurityConfig("IS_AUTHENTICATED_ANONYMOUSLY"));
role_anonymous.add(new SecurityConfig("ROLE_ANONYMOUS"));
role_anonymous.add(new SecurityConfig("ROLE_USER"));
}
/**
* @author ligh4 2015年3月31日下午5:17:14
*/
@Override
public Collection<ConfigAttribute> getAttributes(Object arg0) throws IllegalArgumentException {
// guess object is a URL.
String url = ((FilterInvocation) arg0).getRequestUrl();
if (url.startsWith("/V1") || url.startsWith("/index**")) {
return role_user;
} else {
return role_anonymous;
}
}
/**
* @author ligh4 2015年3月31日下午5:17:14
*/
@Override
public boolean supports(Class<?> arg0) {
// TODO Auto-generated method stub
return true;
}
/**
* @author ligh4 2015年3月31日下午5:17:14
*/
@Override
public Collection<ConfigAttribute> getAllConfigAttributes() {
// TODO Auto-generated method stub
return null;
}
}
/**
* 类 MyAccessDecisionManager 的实现描述:TODO 类实现描述
*
* @author ligh4 2015年3月31日下午5:01:04
*/
public class MyAccessDecisionManager implements AccessDecisionManager {
/**
* @author ligh4 2015年3月31日下午5:28:21
*/
@Override
public void decide(Authentication arg0, Object arg1, Collection<ConfigAttribute> arg2)
throws AccessDeniedException {
if (arg2 == null) {
return;
}
LogHelper.debug(this, arg1.toString()); //object is a URL.
Iterator<ConfigAttribute> ite = arg2.iterator();
while (ite.hasNext()) {
ConfigAttribute ca = ite.next();
String needRole = ((SecurityConfig) ca).getAttribute();
for (GrantedAuthority ga : arg0.getAuthorities()) {
if (needRole.equals(ga.getAuthority())) { //ga is user's role.
return;
}
}
}
LogHelper.warn(this, "No right of url:" + arg1.toString());
throw new AccessDeniedException("no right");
}
/**
* @author ligh4 2015年3月31日下午5:28:21
*/
@Override
public boolean supports(ConfigAttribute arg0) {
// TODO Auto-generated method stub
return true;
}
/**
* @author ligh4 2015年3月31日下午5:28:21
*/
@Override
public boolean supports(Class<?> arg0) {
// TODO Auto-generated method stub
return true;
}
}6. 拒绝访问的处理 ------------- MyAuthenticationFailureHandler
/**
* 类 MyAuthenticationFailureHandler 的实现描述:TODO 类实现描述
*
* @author ligh4 2015年3月31日下午4:04:40
*/
public class MyAuthenticationFailureHandler implements AccessDeniedHandler {
/**
* @author ligh4 2015年3月31日下午4:15:59
*/
@Override
public void handle(HttpServletRequest arg0, HttpServletResponse arg1, AccessDeniedException arg2)
throws IOException, ServletException {
LogHelper.debug(this, "handler AccessDeniedException...");
HttpServletRequest httpRequest = arg0;
// is ajax request?
if ("XMLHttpRequest".equals(httpRequest.getHeader("X-Requested-With"))) {
String msg = "{\"success\" : false, \"message\" : \"authentication-failure\"}";
arg1.setContentType("json");
OutputStream outputStream = arg1.getOutputStream();
outputStream.write(msg.getBytes());
outputStream.flush();
}
}
}
注意只有拒绝访问才会执行.如果是未登陆或Session超时,会跳转到登陆页面。参考我的另一篇博客。
Spring security3.x 自定义验证Filter
原文地址:http://blog.csdn.net/jmppok/article/details/44833545
