Spring story: Spring Security3 research on the 15th day


Sparta-zishu


Preface

As recorded in the Southern Dynasties' "Record of Strange Things", Wang Zhi of the Jin dynasty went up the mountain to cut firewood and saw two children playing chess. Before the game had finished, the handle of his axe had rotted away, and when he went back down the mountain to his village, none of his contemporaries remained.
Hence the sigh, "one day in the mountains, a thousand years in the world". The original passage is only a few lines long, but it gives one much to think about.

Zhou Dunyi of the Song dynasty also wrote, in "Late Spring, an Impromptu Poem": pairs of sparrows from the roof tiles walk across my writing desk, and willow catkins drift one by one into the ink well; I do not know how much of spring has already slipped away.

The reflections on time in the old story and the poem above match my present mood exactly: I have spent the last 15 days studying Spring Security3.

Those 15 days seem to have passed in a moment. I was completely immersed, and a strong desire to learn kept me happy. At last a version has been put together that works properly.
When I looked up, the small park downstairs had burst into yellow blossoms, and the neat rows of willows had been trimmed green by the spring breeze.
Looking back at the experience, there were many gains along the way, and all the pain and fatigue have vanished.
I am glad to sort out what I have learned and understand it further, and I record it here as a reference.

Four methods of using Spring Security3

Spring Security3 can be used in four ways:

The first uses configuration files only: users, permissions, and resources (URLs) are hard-coded in the xml file. This has been implemented and verified.

The second stores users and permissions in the database, while resources (URLs) and their permissions are still hard-coded in configuration. This has also been implemented and verified.

The third subdivides roles and permissions: users, roles, permissions, and resources are all stored in the database, and a user-defined filter replaces the original FilterSecurityInterceptor filter;
AccessDecisionManager, InvocationSecurityMetadataSourceService, and UserDetailsService are each implemented and wired up in the configuration file.
This has been implemented and verified.

The fourth modifies the Spring Security source code itself, mainly the InvocationSecurityMetadataSourceService and UserDetailsService classes.
The former reads the resources (URLs) from the configuration file or the database and turns them into a Map of URL to permission list for Spring Security; the latter reads the user name and permissions and assembles a complete user object (UserDetails), which supplies user details to the AuthenticationManager for authentication and authorization.
This approach is theoretically feasible, but it is rather brute-force and there has been no time to implement it. It is unverified and will be studied later.

Note: the current debugging environment is java1.6 + struts2.1.6 + spring3.0.1 + hibernate3.3.1 + spring security3.0.2 + oracle9i + weblogic10.3.
Incidentally, the latest version of Spring Security is 3.1, and the stable versions are 3.0.5 and 2.0.6.

Before introducing the four methods of Spring Security3, assume that the SSH2 environment has already been configured so that normal development can proceed, and that the
five jar packages of Spring Security 3.0.2 have been imported:
Spring-security-acl-3.0.2.RELEASE.jar
Spring-security-config-3.0.2.RELEASE.jar
Spring-security-core-3.0.2.RELEASE.jar
Spring-security-taglibs-3.0.2.RELEASE.jar
Spring-security-web-3.0.2.RELEASE.jar
There are of course other related jar packages, which are not described here.


Method 1

The first method is relatively simple; you can refer to the example spring-security-samples-tutorial-3.0.2.RELEASE bundled with Spring Security.
Download URL: http://www.springsource.com/download/community?sid=1087087. You must enter the corresponding user information before downloading; all versions are available.

In spring-security-samples-tutorial-3.0.2.RELEASE, the hard-coded configuration can be found in the applicationContext-security.xml file.
It configures the user names, the MD5 password ciphertext, the related permissions, and the resources (URLs) that those permissions grant access to. Session timeout is also handled.
Because the version is 3.0.2, a demonstration of expression-based configuration is also included. See the example for details.

It is best to run this example and get a feel for it. Find the spring-security-samples-tutorial-3.0.2.RELEASE.war file in the extracted download folder, copy it to the webapps folder under the Tomcat installation directory, and start Tomcat. The server unpacks the war file automatically during startup; then enter http://localhost:8080/webapps/spring-security-samples-tutorial-3.0.2.RELEASE in IE to run the system. I will not go into further detail here.

Method 2

The second method is set up as follows:

Two tables are used, a user table and a permission (authority) table; their SQL is shown below. Users and permissions are stored in the database.

-- Oracle DDL for the two tables; USERS.PASSWORD holds the MD5 ciphertext.
create table USERS (
  USERNAME   VARCHAR2(50) not null,
  PASSWORD   VARCHAR2(50) not null,
  ENABLED    NUMBER(1)    not null,
  USERNAMECN VARCHAR2(50),
  primary key (USERNAME)
);

create table AUTHORITIES (
  USERNAME  VARCHAR2(50) not null,
  AUTHORITY VARCHAR2(50) not null
);

-- A foreign key associates each authority row with its user.
-- Create/Recreate primary, unique and foreign key constraints
alter table AUTHORITIES
  add constraint FK_AUTHORITIES_USERS foreign key (USERNAME)
  references USERS (USERNAME);

Several pieces of data can be inserted as a test. First, insert the user:

-- ROWID is an Oracle pseudocolumn and cannot be inserted, so the exported
-- ROWID column and values are left out; string values must be quoted.
insert into USERS (USERNAME, PASSWORD, ENABLED, USERNAMECN)
values ('lxb', 'c7d3f4c857bc8c145d6e5d40c1bf23d9', 1, 'logon user');

insert into USERS (USERNAME, PASSWORD, ENABLED, USERNAMECN)
values ('admin', 'ceb4f32325eda6142bd65215f4c0f371', 1, 'system administrator');

insert into USERS (USERNAME, PASSWORD, ENABLED, USERNAMECN)
values ('user', '47a733d60998c719cf3526ae7d1_d13', 1, 'common user');
Then insert the roles:


-- Each row grants one authority (role) to one user.
insert into AUTHORITIES (USERNAME, AUTHORITY)
values ('admin', 'ROLE_PLATFORMADMIN');

insert into AUTHORITIES (USERNAME, AUTHORITY)
values ('admin', 'ROLE_SYSADMIN');

insert into AUTHORITIES (USERNAME, AUTHORITY)
values ('lxb', 'ROLE_LOGIN');

insert into AUTHORITIES (USERNAME, AUTHORITY)
values ('lxb', 'ROLE_LOGTAILWELCOME');

insert into AUTHORITIES (USERNAME, AUTHORITY)
values ('user', 'ROLE_USER');

Method 2: Password Encryption

Someone may ask how the password in the USERS table is obtained. The password is encrypted with MD5, with the user name used as the salt value, and the result is a 32-character ciphertext; see the password-encoder and salt-source configuration in the applicationContext-Security.xml below.
How does Spring Security3 do this? Once password-encoder and salt-source are configured, Spring Security3 applies the configured algorithm (MD5, for example) to the password combined with the salt from the salt-source, producing the 32-character ciphertext.
For example, if the user name is yew, the password is yew1234, and the salt value is yew, the plaintext that is actually encrypted is "yew1234{yew}" and the ciphertext is "8fe2657d1599dba8e78a7a0bda8651bb".

During testing we usually like to insert a few ordinary users and passwords into the database. How do we get the password ciphertext for such a user?
Here is the method I use. Assume the user name is user, the plaintext password is user369, MD5 is configured as the encryption algorithm in the configuration file, and the user name is used as the salt value.
First assemble the plaintext to be encrypted, which is the password plaintext + "{" + salt value + "}". So the plaintext for the user above is:

user369{user}

Paste the string above into the input box on the http://www.51240.com/md5jiami/ page and click the encrypt button; the 32-character password ciphertext is generated.

Haha, this method should be used with caution; I will not tell anyone about it.
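The same ciphertext can be computed locally, which keeps test credentials off a third-party web form. The following Python is an added example of mine, not Spring Security's code: it re-implements the password + "{" + salt + "}" merge and digest described above, and a verify function that mirrors the comparison done at login. The user/user369 values are the page's test user; the page's yew1234{yew} case can be checked the same way.

```python
import hashlib
import hmac


def merge_password_and_salt(password: str, salt) -> str:
    """Build the string that is digested: password{salt}, or just password
    when no salt is configured (re-implementation of Spring Security 3's
    merge rule, not Spring's own code)."""
    if salt is None or str(salt) == "":
        return password
    salt = str(salt)
    # Braces delimit the salt, so a salt containing them is rejected.
    if "{" in salt or "}" in salt:
        raise ValueError("Cannot use { or } in salt")
    return f"{password}{{{salt}}}"


def encode_password(password: str, salt, algorithm: str = "md5") -> str:
    """Return the lowercase hex digest stored in USERS.PASSWORD."""
    merged = merge_password_and_salt(password, salt)
    return hashlib.new(algorithm, merged.encode("utf-8")).hexdigest()


def is_password_valid(stored_hash: str, raw_password: str, salt,
                      algorithm: str = "md5") -> bool:
    """Check a login attempt against the stored ciphertext; compare_digest
    avoids leaking how many leading characters matched."""
    candidate = encode_password(raw_password, salt, algorithm)
    return hmac.compare_digest(candidate.lower(), stored_hash.lower())


if __name__ == "__main__":
    # Constructed sample following the page's convention: the user name is the salt.
    username, raw = "user", "user369"
    print(merge_password_and_salt(raw, username))   # user369{user}
    print(encode_password(raw, username))           # 32 lowercase hex characters
    print(is_password_valid(encode_password(raw, username), raw, username))
```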


Configuration of method 2

Configure the relationship between permissions and resources (URLs or Actions) in the xml file, together with the other settings related to Spring Security3:

1. applicationContext-Security.xml code:

 

<B: beans xmlns ="
