Security is always a top priority for Web applications, and the biggest headache is that the security system includes only two questions: Authentication and authorization.
Before doing some Web site systems, security detection logic in the need for security control in front of the code, so there are a lot of bad places, repeat the code is needless to say that the coding portability, reusability are not reflected, security detection logic should always be put together with the business logic.
So is it possible to invoke some security checks before entering the method? In fact, Spring AOP is this idea, then how to achieve security detection? The Spring Acegi security framework is about doing this.
This article is mainly discussed in the existing SSH system, how to use Acegi as a security framework to implement ROLE-BASED permission control (role Based access Controls RBAC), this article is mainly in the form of Java 5 Annotations to configure the security framework, greatly reduce configuration and operation.
Key references in this article: <spring 2.0 core technologies and Best practices > 10th (Spring Acegi security Framework)
< master Spring 2.X-Enterprise application Development detailed > 17th (use Acegi to implement application system security)
acegi-security-1.0.6 Official documents
Note: This article is about RBAC, the official document based on the expansion or change to more suitable for Web application systems. In fact, I think most of the Web site based on the role is enough, generally do not need to be based on permissions.
Article Start:
A. Download the software or jar package you want:
My related configuration is: Java 5, Tomcat 5.5.26, Struts 2.0.11, Spring 2.5.1, Hibernate 3.2, Acegi 1.0.6
Two. Establishment of the relevant database:
Datasheet: User Information table User:id, enable, user_name, User_pass, Email_box
Role Information table Roleinfo:id, Role_name, Role_title, DESCP
User and Role correlation table (user and role is many-to-many relationship) userrole:user_id, user_name, role_id, Role_name
and inserting the relevant data in these three tables, I defined two roles (role_name): Role_user, Role_admin
And three users, one user role: Role_user, Role_admin
Another user role is: role_user
The third one has no role.