Our project has recently been using Spring Security to secure login, so it seemed worth writing a little about it.
The Spring Security configuration file is as follows:
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">
    <!-- This element is used to enable security-based annotations in your application
    <global-method-security pre-post-annotations="enabled" access-decision-manager-ref="myAccessDecisionManager"/>
    -->
All of the implementation logic is in the custom filter interceptor. The interceptor is driven mainly by three properties (the security metadata source, plus the two components that AbstractSecurityInterceptor already defines), and the real work is done by the three classes that implement them:
Interceptor:
package com.yihaomen.common.intercept;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

/**
 * Servlet filter that runs every request through Spring Security's
 * {@link AbstractSecurityInterceptor} authorization workflow.
 *
 * <p>Security note: {@code beforeInvocation} only consults the access decision
 * manager when the metadata source returns attributes for the request. If the
 * metadata source returns {@code null} or an empty collection, the request is
 * treated as public and let through unless
 * {@code setRejectPublicInvocations(true)} has been configured on this
 * interceptor. With a metadata source that only knows the URLs stored in a
 * database, that makes every unlisted URL reachable without an authorization
 * check, so a deny-by-default setting is worth considering.
 */
public class MyFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {

    // Matches the securityMetadataSource property of the filter bean in
    // spring-security.xml; the other two collaborators are already declared
    // by AbstractSecurityInterceptor.
    @Autowired
    private FilterInvocationSecurityMetadataSource securityMetadataSource;

    /**
     * Wraps the servlet request, response and chain in a
     * {@link FilterInvocation} and hands it to {@link #invoke(FilterInvocation)}.
     */
    public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        invoke(new FilterInvocation(request, response, chain));
    }

    /** The secure object type this interceptor handles. */
    public Class<? extends Object> getSecureObjectClass() {
        return FilterInvocation.class;
    }

    /**
     * Authorizes the invocation and, if allowed, continues the filter chain.
     *
     * @param fi the request/response/chain triple being secured
     */
    public void invoke(FilterInvocation fi) throws IOException, ServletException {
        // super.beforeInvocation(fi) does two things:
        //   1. asks securityMetadataSource.getAttributes(fi) which attributes
        //      the requested resource needs;
        //   2. passes them to accessDecisionManager.decide(...), which throws
        //      if the caller does not hold a matching authority.
        InterceptorStatusToken statusToken = super.beforeInvocation(fi);
        try {
            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
        } finally {
            // Always runs, even when the downstream chain throws.
            super.afterInvocation(statusToken, null);
        }
    }

    /** Supplies the metadata source used by {@code beforeInvocation}. */
    @Override
    public SecurityMetadataSource obtainSecurityMetadataSource() {
        return this.securityMetadataSource;
    }

    public void setSecurityMetadataSource(
            FilterInvocationSecurityMetadataSource securityMetadataSource) {
        this.securityMetadataSource = securityMetadataSource;
    }

    /** No resources to release. */
    public void destroy() {
    }

    /** No initialisation required. */
    public void init(FilterConfig filterConfig) throws ServletException {
    }
}
package com.yihaomen.comm.service;

import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

import com.yihaomen.common.dao.ResourcesDao;
import com.yihaomen.common.domain.SysResource;

/**
 * Metadata source that maps request URLs to the permissions required to access
 * them, using resource definitions loaded through {@link ResourcesDao}.
 *
 * <p>Points a reviewer should keep in mind:
 * <ul>
 *   <li>The map is static and filled only while it is still {@code null}, so
 *       permission changes made in the database afterwards are not picked up
 *       by this class until the map is rebuilt (for example on restart).</li>
 *   <li>{@link #getAttributes(Object)} returns {@code null} for any URL that is
 *       not a key of the map. Spring Security's interceptor treats that as a
 *       public resource unless {@code rejectPublicInvocations} is enabled.</li>
 *   <li>Lookup is an exact string comparison after the query string is cut
 *       off; this method does no further normalisation, so the stored
 *       resource strings must match the request URL form exactly for a rule
 *       to apply.</li>
 *   <li>The lazy initialisation is not synchronised.</li>
 * </ul>
 */
public class MyInvocationSecurityMetadataSourceService implements
        FilterInvocationSecurityMetadataSource {

    @Autowired
    private ResourcesDao resourcesDao;

    // key: resource URL, value: the permissions required for that URL
    private static Map<String, Collection<ConfigAttribute>> resourceMap = null;

    /**
     * Stores the DAO and loads the resource-to-permission map immediately.
     *
     * @param resourcesDao DAO used to read resources and their permissions
     */
    public MyInvocationSecurityMetadataSourceService(ResourcesDao resourcesDao) {
        this.resourcesDao = resourcesDao;
        System.out.println("Load MyinvocationsecuritymetadatasourceserviCe ... " + resourcesDao);
        loadResourceDefine();
    }

    /** Loads every resource and its required permissions, once. */
    private void loadResourceDefine() {
        if (resourceMap != null) {
            return;
        }
        resourceMap = new HashMap<String, Collection<ConfigAttribute>>();
        List<SysResource> allResources = resourcesDao.findAll();
        for (SysResource entry : allResources) {
            // Permissions attached to this resource.
            Collection<ConfigAttribute> required =
                    resourcesDao.loadRoleByResource(entry.getResource());
            System.out.println("Permission =" + required);
            resourceMap.put(entry.getResource(), required);
        }
    }

    /**
     * Looks up the permissions required for the requested URL.
     *
     * @param object the secured object; cast to {@link FilterInvocation}
     * @return the permissions stored for the URL, or {@code null} when the URL
     *         is not a key of the resource map (the request is then handled as
     *         a public invocation by the calling interceptor unless it is
     *         configured to reject those)
     */
    public Collection<ConfigAttribute> getAttributes(Object object)
            throws IllegalArgumentException {
        String requestUrl = ((FilterInvocation) object).getRequestUrl();
        System.out.println("Requesturl is" + requestUrl);

        // Drop the query string so that parameters do not defeat the lookup.
        int queryStart = requestUrl.indexOf("?");
        if (queryStart != -1) {
            requestUrl = requestUrl.substring(0, queryStart);
        }

        if (resourceMap == null) {
            loadResourceDefine();
        }

        // Exact-match lookup by resource path; absent keys yield null.
        return resourceMap.get(requestUrl);
    }

    /** Accepts every secure object class. */
    public boolean supports(Class<?> arg0) {
        return true;
    }

    /** Not implemented; no attribute list is offered for start-up validation. */
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        return null;
    }
}
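package com.yihaomen.comm.service;

import java.sql.SQLException;
import java.util.Collection;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.DataAccessException;
import org.springframework.dao.DataRetrievalFailureException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserCache;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

import com.yihaomen.common.dao.UserInfoDao;
import com.yihaomen.common.domain.SysUser;

/**
 * Loads a user by name together with the authorities granted to it and wraps
 * both in a Spring Security {@link User}.
 *
 * @author Administrator
 */
public class MyUserDetailService implements UserDetailsService {

    @Autowired
    private UserInfoDao userInfoDao;

    @Autowired
    private UserCache userCache;

    /**
     * Looks up the account and its authorities.
     *
     * <p>Debug printing of the user name, the loaded user object and the
     * authorities has been removed: the user name is caller-supplied text and
     * the user object carries the stored password, neither of which belongs
     * on standard output.
     *
     * @param username the login name submitted by the caller
     * @return the user details used by the authentication provider
     * @throws UsernameNotFoundException if no account exists for the name
     * @throws DataAccessException if the lookup fails at the database level
     */
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        SysUser user;
        try {
            user = this.userInfoDao.findByName(username);
        } catch (SQLException e) {
            // Previously swallowed, which led to a NullPointerException below.
            // Surface it as a repository failure and keep the cause.
            throw new DataRetrievalFailureException("Failed to load user", e);
        }
        if (user == null) {
            // Honour the UserDetailsService contract instead of failing with
            // a NullPointerException on user.getPassword().
            throw new UsernameNotFoundException("User not found");
        }

        // Authorities granted to the user.
        Collection<GrantedAuthority> auths = userInfoDao.loadUserAuthorityByName(username);

        // NOTE(review): all four status flags are hard-coded, so disabled,
        // expired or locked accounts are never rejected here. If SysUser
        // stores such state, map it instead - confirm against the domain class.
        boolean enables = true;
        boolean accountNonExpired = true;
        boolean credentialsNonExpired = true;
        boolean accountNonLocked = true;

        // Wrap everything in Spring Security's User.
        return new User(username, user.getPassword(), enables,
                accountNonExpired, credentialsNonExpired, accountNonLocked, auths);
    }

    public UserInfoDao getUserInfoDao() {
        return userInfoDao;
    }

    public void setUserInfoDao(UserInfoDao userInfoDao) {
        this.userInfoDao = userInfoDao;
    }

    // User cache accessors. The cache is injected but not consulted by
    // loadUserByUsername.
    public UserCache getUserCache() {
        return userCache;
    }

    public void setUserCache(UserCache userCache) {
        this.userCache = userCache;
    }
}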
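package com.yihaomen.comm.service;

import java.util.Collection;
import java.util.Iterator;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/**
 * Grants access when the caller holds at least one authority whose name
 * equals (after trimming) one of the attributes required by the resource.
 */
public class MyAccessDecisionManager implements AccessDecisionManager {

    /**
     * Decides whether the authenticated caller may access the secured object.
     *
     * @param authentication the caller; its granted authorities are compared
     *        against the required attributes
     * @param object the secured object (not inspected here)
     * @param configAttributes the permissions required by the resource; one
     *        resource may require any of several
     * @throws AccessDeniedException if no granted authority matches
     */
    public void decide(Authentication authentication, Object object,
            Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {
        // NOTE(review): a null attribute collection is treated as "allow".
        // Together with a metadata source that returns null for unknown URLs
        // this is allow-by-default; kept for compatibility, but a
        // deny-by-default policy is the safer choice.
        if (configAttributes == null) {
            return;
        }

        for (ConfigAttribute attribute : configAttributes) {
            // Read the attribute through the interface rather than casting to
            // SecurityConfig, so other ConfigAttribute implementations do not
            // cause a ClassCastException.
            String needRole = attribute.getAttribute();
            if (needRole == null) {
                // The attribute has no string form; it cannot match by name.
                continue;
            }
            System.out.println("Needrole is" + needRole);

            String required = needRole.trim();
            // ga is an authority the caller holds; required is what the
            // resource demands.
            for (GrantedAuthority ga : authentication.getAuthorities()) {
                String held = ga.getAuthority();
                if (held != null && required.equals(held.trim())) {
                    return;
                }
            }
        }

        // No authority matched any required attribute.
        throw new AccessDeniedException("No access!");
    }

    /** Accepts every attribute. */
    public boolean supports(ConfigAttribute arg0) {
        return true;
    }

    /** Accepts every secure object class. */
    public boolean supports(Class<?> arg0) {
        return true;
    }
}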
Spring Security: storing users, roles, and resources in the database