Security Framework in springside 3

Source: Internet
Author: User
Reproduced from http://www.blogjava.net/youxia/archive/2008/12/07/244883.html

The official springside 3 documentation says its security framework is Spring Security 2.0. At first glance I was shocked and thought Acegi had been retired that quickly. A search showed that Spring Security 2.0 is in fact Acegi 2.0, and my heart settled. Although the Acegi configuration in springside 3 looked unfamiliar, after reading the official Acegi 2.0 documentation everything became clear.

Let's start with the basics of Acegi. Its architecture looks complicated, but I hope the following makes it clear. As everyone knows, the best way to protect web resources is a servlet filter, and the best way to protect method calls is AOP. Acegi protects web resources with filters.

Normally our filters are configured in web.xml, but Acegi is different: what is configured in web.xml is only a proxy, and the filters that actually do the work are configured in Spring as beans. The proxy in web.xml invokes these beans in turn to protect web resources. Because these filters are Spring-managed beans, wiring AOP-based method protection into the same infrastructure is equally simple; two birds with one stone.

Acegi provides more than ten filters, which would be tedious to learn one by one. For web developers, only a few are commonly needed:

From top to bottom in the filter chain, they do the following: 1. force HTTPS connections (ChannelProcessingFilter); 2. restore the user's authentication information from the session (HttpSessionContextIntegrationFilter); 3. log out (LogoutFilter); 4. log in (AuthenticationProcessingFilter); 5. remember the user (RememberMeProcessingFilter); 6. the filter that every application must configure.

For ordinary web applications you only need to know these filters, and if HTTPS is not required you can skip the first one. But how do these filters connect to my database? Don't worry: the filters do not perform authentication or authorization themselves. They delegate to two managers, the AuthenticationManager and the AccessDecisionManager.

We do not write these two managers either; Acegi provides ready-made classes. Which raises the question again: they are ready-made, so how can they know about my database? Don't worry. The two managers do not do the work themselves either. The AuthenticationManager hands the task to its providers, and the AccessDecisionManager hands the task to its voters.

The providers and voters do not need to be written either; we are almost at the goal. Acegi ships several AuthenticationProvider implementations; to authenticate against user data stored in a database, choose DaoAuthenticationProvider. For the voter, RoleVoter is enough: based on the access attributes in our configuration file, it decides whether a user may access the specified web resource.

DaoAuthenticationProvider does not operate on the database directly. It delegates that to a UserDetailsService.

What we need to do is implement this UserDetailsService. After all this, we finally reach the key point of our development: we implement our own UserDetailsService, the bridge between our database and Acegi. Its contract is simple. Its loadUserByUsername(String username) method only has to return a UserDetails object, typically an org.springframework.security.userdetails.User. The database design is therefore up to us: one table, two tables or three; user-authority, user-role-authority or user-group-role-authority. Acegi does not care about any of that. It only cares about the returned UserDetails object; how the data is read from the database is our job.
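The wiring described above (a proxy filter in web.xml, the filter beans, the two managers, the DAO provider with our UserDetailsService behind it, and a RoleVoter) in the traditional bean style, as an added example; it is not springside's own configuration. The class names are those of Spring Security 2.0 (the renamed Acegi). The URLs, the ROLE_ADMIN/ROLE_USER attributes, the remember-me key and the bean name userManager are assumptions for illustration.

```xml
<!-- web.xml: the container sees only one filter, a proxy that delegates to the Spring bean springSecurityFilterChain -->
<filter>
  <filter-name>springSecurityFilterChain</filter-name>
  <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- applicationContext-security.xml; prefix "security" is bound to http://www.springframework.org/schema/security -->
<bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy">
  <security:filter-chain-map path-type="ant">
    <!-- Order matters: restore the session context first, enforce access last -->
    <security:filter-chain pattern="/**" filters="httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,rememberMeProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor"/>
  </security:filter-chain-map>
</bean>

<!-- 2. restore the Authentication stored in the HttpSession by earlier requests -->
<bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.context.HttpSessionContextIntegrationFilter"/>

<!-- 3. logout: clear the SecurityContext and the remember-me cookie, then redirect -->
<bean id="logoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
  <constructor-arg value="/login.jsp"/>
  <constructor-arg>
    <list>
      <ref bean="rememberMeServices"/>
      <bean class="org.springframework.security.ui.logout.SecurityContextLogoutHandler"/>
    </list>
  </constructor-arg>
</bean>

<!-- 4. login: handles POSTs to /j_spring_security_check -->
<bean id="authenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="rememberMeServices" ref="rememberMeServices"/>
  <property name="authenticationFailureUrl" value="/login.jsp?error=1"/>
  <property name="defaultTargetUrl" value="/"/>
</bean>

<!-- 5. remember-me: re-authenticate from the cookie when there is no session -->
<bean id="rememberMeProcessingFilter" class="org.springframework.security.ui.rememberme.RememberMeProcessingFilter">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="rememberMeServices" ref="rememberMeServices"/>
</bean>
<bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices">
  <property name="userDetailsService" ref="userDetailService"/>
  <property name="key" value="springside3"/> <!-- assumed key; must match the RememberMeAuthenticationProvider below -->
</bean>

<!-- turns AuthenticationException/AccessDeniedException into a redirect to the login page -->
<bean id="exceptionTranslationFilter" class="org.springframework.security.ui.ExceptionTranslationFilter">
  <property name="authenticationEntryPoint">
    <bean class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
      <property name="loginFormUrl" value="/login.jsp"/>
    </bean>
  </property>
</bean>

<!-- 6. the interceptor that enforces access; objectDefinitionSource maps URL patterns to access attributes -->
<bean id="filterSecurityInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager"/>
  <property name="accessDecisionManager" ref="accessDecisionManager"/>
  <property name="objectDefinitionSource">
    <security:filter-invocation-definition-source>
      <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
      <security:intercept-url pattern="/**" access="ROLE_USER"/>
    </security:filter-invocation-definition-source>
  </property>
</bean>

<!-- AuthenticationManager -> providers; the DAO provider delegates to our UserDetailsService -->
<bean id="authenticationManager" class="org.springframework.security.providers.ProviderManager">
  <property name="providers">
    <list>
      <ref bean="daoAuthenticationProvider"/>
      <bean class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider">
        <property name="key" value="springside3"/>
      </bean>
    </list>
  </property>
</bean>
<bean id="daoAuthenticationProvider" class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
  <property name="userDetailsService" ref="userDetailService"/>
  <!-- the default is a plaintext comparison; store hashed passwords and declare the matching encoder -->
  <property name="passwordEncoder">
    <bean class="org.springframework.security.providers.encoding.ShaPasswordEncoder"/>
  </property>
</bean>
<bean id="userDetailService" class="personal.youxia.service.security.UserDetailServiceImpl">
  <property name="userManager" ref="userManager"/> <!-- assumed: the application's own user DAO facade -->
</bean>

<!-- AccessDecisionManager -> voters; RoleVoter votes only on attributes carrying its rolePrefix -->
<bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased">
  <property name="allowIfAllAbstainDecisions" value="false"/>
  <property name="decisionVoters">
    <list>
      <bean class="org.springframework.security.vote.RoleVoter">
        <property name="rolePrefix" value="ROLE_"/>
      </bean>
    </list>
  </property>
</bean>
```

Two points worth checking in a configuration like this: the intercept-url patterns are matched top down and the first match wins, so the broad /** entry must come last; and allowIfAllAbstainDecisions stays false so that a URL whose attributes no voter understands (for example an attribute without the ROLE_ prefix) is denied rather than silently allowed. The rolePrefix property is also where you change the prefix if you do not want your authority names to look like roles.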

Looking at the process above, even if we only want to implement our own UserDetailsService we still have to configure many beans in Spring: several filters, several managers, providers and voters, and most of this configuration is repetitive boilerplate. Fortunately, Acegi 2.0 recognized this problem, and therefore designed a

This is the correspondence between the traditional filter settings and

The following code is the UserDetailsService implementation from springside 3. springside 3 uses three tables, user, role and authority, but Acegi does not care which tables you use; it only cares about the UserDetails object. The RoleVoter class, which decides whether a user may access a specified web resource, works without any modification. Its only drawback is that it recognizes only authorities with the ROLE_ prefix, so the authority names end up looking like roles.

package personal.youxia.service.security;

import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Required;
import org.springframework.dao.DataAccessException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;
import org.springframework.security.userdetails.UsernameNotFoundException;

import personal.youxia.entity.user.Authority;
import personal.youxia.entity.user.Role;
import personal.youxia.entity.user.User;
import personal.youxia.service.user.UserManager;

/**
 * Implements Spring Security's UserDetailsService interface: loads the user's
 * login name, password and granted authorities from our own user/role/authority tables.
 *
 * @author Calvin
 */
public class UserDetailServiceImpl implements UserDetailsService {

    private UserManager userManager;

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
        User user = userManager.getUserByLoginName(username);
        if (user == null)
            throw new UsernameNotFoundException(username + " does not exist");

        // Flatten user -> roles -> authorities into the GrantedAuthority list Spring Security expects.
        List<GrantedAuthority> authsList = new ArrayList<GrantedAuthority>();

        for (Role role : user.getRoles()) {
            for (Authority authority : role.getAuths()) {
                authsList.add(new GrantedAuthorityImpl(authority.getName()));
            }
        }

        // The example User entity has no enabled, accountNonExpired, credentialsNonExpired or
        // accountNonLocked attributes yet, so all four flags are set to true for now;
        // add them to the entity only when they are needed.
        org.springframework.security.userdetails.User userdetail = new org.springframework.security.userdetails.User(
                user.getLoginName(), user.getPassword(), true, true, true, true,
                authsList.toArray(new GrantedAuthority[authsList.size()]));

        return userdetail;
    }

    @Required
    public void setUserManager(UserManager userManager) {
        this.userManager = userManager;
    }
}



Finally, the naming problem. I dislike the words authentication and authority, for two reasons: they are too uncommon, and they look too similar, while one means authentication and the other means authorization. The meanings are very different but the appearance is so similar that it is really annoying. If I had to choose, I prefer the word privilege, which I got used to when I first used MySQL, so in my project I may use privilege instead of authority. If we only use a two-level user-role relationship, RoleVoter's default ROLE_ prefix is of course irrelevant; if RoleVoter is used with a three-level relationship, we had better change the prefix to avoid confusion.

Supplement:

What I wrote above is my understanding of Acegi; I think it makes Acegi easier to understand, and I find it relatively simple. Of course some details were left out; they are added here.

1. The main content above covers authentication and authorization, but leaves out resources. Resources are the URLs we need to protect, or certain methods of a class. To protect URLs, configure them in the XML file as in the earlier example; to protect methods, use @Secured.
Which Acegi components are involved? FilterSecurityInterceptor and MethodSecurityInterceptor. Both interceptors must be given a property named objectDefinitionSource. So if someone asks how to move all the resource protection settings into the database instead of writing them in XML, objectDefinitionSource is the place to start.
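The simplified configuration that Spring Security 2.0 (Acegi 2.0) introduced to replace the hand-wired filter beans, covering the URL protection and @Secured method protection just described, as an added example that is not springside's own configuration. The URL patterns, access attributes, remember-me key and the userManager bean are assumptions for illustration; the UserDetailsService bean is the UserDetailServiceImpl shown above.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-2.0.xsd">

  <!-- One element builds the whole filter chain: session integration, logout, form login,
       remember-me, exception translation and the FilterSecurityInterceptor with its
       objectDefinitionSource assembled from the intercept-url entries (first match wins). -->
  <security:http auto-config="true">
    <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN"/>
    <security:intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/**" access="ROLE_USER"/>
    <security:form-login login-page="/login.jsp"
                         authentication-failure-url="/login.jsp?error=1"
                         default-target-url="/"/>
    <security:logout logout-success-url="/login.jsp"/>
    <security:remember-me key="springside3"/> <!-- assumed key -->
  </security:http>

  <!-- Replaces ProviderManager + DaoAuthenticationProvider; our UserDetailsService stays the bridge
       to the database. Declare the hash so passwords are not compared in plaintext. -->
  <security:authentication-provider user-service-ref="userDetailService">
    <security:password-encoder hash="sha"/>
  </security:authentication-provider>

  <bean id="userDetailService" class="personal.youxia.service.security.UserDetailServiceImpl">
    <property name="userManager" ref="userManager"/> <!-- assumed: the application's own user DAO facade -->
  </bean>

  <!-- Method-level protection: a MethodSecurityInterceptor is applied to every bean method
       annotated with @Secured, e.g. @Secured("ROLE_ADMIN") on a service method. -->
  <security:global-method-security secured-annotations="enabled"/>
</beans>
```

The AccessDecisionManager that `<http>` creates for you is an AffirmativeBased manager with a RoleVoter (ROLE_ prefix) and an AuthenticatedVoter (which understands IS_AUTHENTICATED_ANONYMOUSLY). So with this form the authority names returned by UserDetailServiceImpl must start with ROLE_, exactly the drawback noted above; if you want a different prefix, fall back to declaring the RoleVoter and decision manager as beans.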

2. Besides the UserDetailsService mentioned above, other services also need to be configured into Acegi, for example RememberMeServices. This service is ready-made too, so we write no code for it; RememberMeProcessingFilter depends on it.

3. Acegi supports OpenID and CAS 3. What are these? Single sign-on: a user logs on once and can then use multiple websites, which is very useful for very large sites whose users log on to one server. To use CAS, select CasProcessingFilter when configuring the filter and CasAuthenticationProvider when configuring the provider; the other concepts are the same. The specific implementation details are left for you to explore.
