spring-security2.0.2初步配置

使用了spring security之後,網頁的顯示速度明顯變慢,看來spring security的使用還是需要最佳化配置的。在web.xml中配置
<!--
  Configuration used for Spring Security (Acegi); works together with
  com.work.core.QxglConstants.USE_ACEGI=true

  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>
      org.springframework.web.filter.DelegatingFilterProxy
    </filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <listener>
    <listener-class>
      org.springframework.web.context.ContextLoaderListener
    </listener-class>
  </listener>
  <listener>
    <listener-class>
      org.springframework.security.ui.session.HttpSessionEventPublisher
    </listener-class>
  </listener>
-->
<!-- NOTE(review): the snippet above is shown commented out. While it stays that way the
     springSecurityFilterChain filter is not mapped and none of the rules below are applied.
     HttpSessionEventPublisher is what lets concurrent-session-control (used below) learn that
     a session has ended, so keep it registered whenever that element is used. -->
然後配置applicationContext-spring-security-2.0.2.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">

  <authentication-manager alias="authenticationManager" />

  <beans:bean id="accessDecisionManager"
      class="org.springframework.security.vote.AffirmativeBased">
    <beans:property name="allowIfAllAbstainDecisions" value="false" /><!-- allowIfAllAbstainDecisions: whether to allow the "nobody objected, so grant access" voting policy; false keeps the decision fail-closed when every voter abstains -->
    <beans:property name="decisionVoters"><!-- the voters -->
      <beans:list>
        <beans:bean class="org.springframework.security.vote.RoleVoter" />
        <beans:bean class="org.springframework.security.vote.AuthenticatedVoter" />
      </beans:list>
    </beans:property>
  </beans:bean>

  <beans:bean id="filterInvocationInterceptor"
      class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
    <!-- After configuring this, secureResourceFilter is never executed! Has anyone else run
         into this problem? If so, how did you solve it? -->
    <!-- NOTE(review): with the 2.0 namespace, a filter bean declared next to <http> only joins
         the generated chain when it carries a <custom-filter .../> child element (for example
         before="FILTER_SECURITY_INTERCEPTOR"). This bean has none, which is the likely reason
         the custom source is never consulted. Before enabling it, check the fallback in
         MySecureResourceFilter: it demands ROLE_USER for every URL without a role mapping,
         which would also cover /acegilogin.jsp and the static resources unless those are
         mapped or excluded. -->
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="accessDecisionManager" ref="accessDecisionManager" />
    <beans:property name="objectDefinitionSource" ref="secureResourceFilter" />
  </beans:bean>

  <beans:bean id="secureResourceFilter" class="com.work.qxgl.springsecurity.MySecureResourceFilter" />

  <!-- NOTE(review): intercept-url rules are evaluated in the order listed and the first match
       wins, so specific patterns must stay above broader ones (as /qxgl/menutree/** does
       relative to /qxgl*/**). -->
  <http auto-config="true" access-denied-page="/commons/403.jsp">
    <intercept-url pattern="/" access="ROLE_USER"/>
    <!-- NOTE(review): these static paths still traverse the whole filter chain. Spring Security
         2.0 also accepts filters="none" on an intercept-url to bypass the chain for such paths,
         which is one option for the slowdown described above; no security context is available
         on requests handled that way. -->
    <intercept-url pattern="/css/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/imageszhuye/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/js/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/ganjian*/**" access="ROLE_SUPERVISOR,ROLE_enterprise_manager"/>
    <intercept-url pattern="/qxgl/menutree/**" access="ROLE_SUPERVISOR,ROLE_USER"/>
    <intercept-url pattern="/qxgl*/**" access="ROLE_SUPERVISOR,ROLE_PERMITMANAGER"/>
    <!-- NOTE(review): this catch-all makes every URL not matched above reachable without
         logging in, i.e. the configuration is default-allow. Any protected path that is missing
         from the list is public, and while the custom interceptor is not in the chain these
         patterns are the only access control in effect. A default-deny catch-all (for example
         requiring ROLE_USER) with explicit anonymous exceptions is the safer arrangement. -->
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <!-- access="ROLE_ANONYMOUS" -->
    <!-- NOTE(review): with exception-if-maximum-exceeded="true" a second login for the same
         account is rejected until the first session ends, so a user who closes the browser
         without logging out stays locked out until that session expires. -->
    <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true" />
    <form-login login-page="/acegilogin.jsp" authentication-failure-url="/acegilogin.jsp"
        default-target-url="/sysmain.action" />
    <!-- sysmain.action is where the details of the logged-in user are obtained and where the
         login can be recorded. This runs successfully! -->
    <logout logout-success-url="/logout.jsp" /><!-- j_spring_security_logout is the logout URL; logout.jsp can serve as the hook where you call your own logout routine. -->
  </http>

  <!-- Automatically receives AuthenticationEvent messages -->
  <beans:bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener" />

  <!-- NOTE(review): no <password-encoder> child is declared, so the value read from
       user_password is compared with the submitted password as plain text; storing hashed
       passwords requires declaring an encoder here and migrating the column. The users query
       also hard-codes 'true' AS enabled, so an account cannot be disabled through this query.
       Both queries bind the username through the ? placeholder, which keeps them parameterized. -->
  <authentication-provider >
    <jdbc-user-service data-source-ref="dataSource"
        users-by-username-query="SELECT U.user_account as username, U.user_password as password, 'true' AS enabled FROM qxgl_user U where U.user_issysuser=1 and  U.user_account=?"
        authorities-by-username-query="select a.user_account as username,c.role_name as authority from qxgl_user a ,qxgl_user_role b,qxgl_role c where a.user_id=b.user_id and b.role_id=c.role_id and a.user_account=?" />
    <!-- group-authorities-by-username-query is also supported -->
  </authentication-provider>
</beans:beans>
java程式MySecureResourceFilter 
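package com.work.qxgl.springsecurity;

import java.util.Collection;
import java.util.List;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.ConfigAttributeDefinition;
import org.springframework.security.ConfigAttributeEditor;
import org.springframework.security.intercept.web.FilterInvocation;
import org.springframework.security.intercept.web.FilterInvocationDefinitionSource;

import com.work.core.spring.MyBeanUtil;
import com.work.qxgl.model.QxglRole;
import com.work.qxgl.usermodel.UserModelServiceDao;

/**
 * Resolves the roles required for a requested URL by looking them up through
 * {@code UserModelServiceDao.getRolesByUrl}, falling back to {@code ROLE_USER}
 * when no role is mapped to the URL.
 *
 * TODO: the configuration loads without errors, but this class has no effect. Annoying!
 *
 * @author wangmingjie
 */
public class MySecureResourceFilter implements FilterInvocationDefinitionSource {

    private static final Log log = LogFactory.getLog(MySecureResourceFilter.class);

    /** Role demanded for any URL that has no usable role mapping. */
    private static final String DEFAULT_ROLE = "ROLE_USER";

    /**
     * Builds the attribute definition (comma-separated role names) for the requested URL.
     *
     * @param filter the secured object; must be a {@link FilterInvocation}
     * @return the attributes produced by {@link ConfigAttributeEditor} for the role list
     * @throws IllegalArgumentException if {@code filter} is not a {@link FilterInvocation}
     */
    public ConfigAttributeDefinition getAttributes(Object filter)
            throws IllegalArgumentException {
        // Report a wrong argument with the declared exception type instead of a ClassCastException.
        if (!(filter instanceof FilterInvocation)) {
            throw new IllegalArgumentException("Object must be a FilterInvocation");
        }
        FilterInvocation filterInvocation = (FilterInvocation) filter;

        // NOTE(review): getRequestUrl() is believed to include the query string. If
        // getRolesByUrl matches the stored URL exactly, a request with extra parameters would
        // miss its mapping and fall back to ROLE_USER; confirm how the DAO matches and
        // normalise the URL if needed.
        String url = filterInvocation.getRequestUrl();
        if (log.isDebugEnabled()) {
            log.debug("UR為:" + url);
        }

        // Fetch the roles allowed to access this URL; they are looked up in the database on
        // every request. Dynamic permission control could be added here, e.g. keeping the
        // permissions in the database and caching the query results. The cache would then need
        // managing: refresh it by hand whenever the database content changes. A listener could
        // do that too, at some cost in efficiency.
        UserModelServiceDao userModelServiceDao =
                (UserModelServiceDao) MyBeanUtil.getBean("userModelServiceDao");
        List<QxglRole> urlRoles = userModelServiceDao.getRolesByUrl(url);

        // Join the role names with "," and no trailing separator, so no empty attribute is
        // produced from a dangling comma.
        StringBuilder rolesList = new StringBuilder();
        if (urlRoles != null) {
            for (QxglRole role : urlRoles) {
                if (rolesList.length() > 0) {
                    rolesList.append(',');
                }
                rolesList.append(role.getRoleName());
            }
        }

        // Fail closed: no mapping (or only blank role names) means the basic form-login role
        // is required. Blank text must never reach the editor, because it would presumably
        // yield a null definition, which the interceptor is expected to treat as an unsecured
        // URL (confirm against the Spring Security version in use).
        if (rolesList.toString().trim().length() == 0) {
            if (log.isDebugEnabled()) {
                log.debug("URL沒有賦給任何使用者,給他增加form認證的基本角色ROLE_USER。");
            }
            rolesList.setLength(0);
            rolesList.append(DEFAULT_ROLE);
        }

        if (log.isDebugEnabled()) {
            log.debug("URL" + url + "擁有的角色為:" + rolesList.toString());
        }

        ConfigAttributeEditor configAttrEditor = new ConfigAttributeEditor();
        configAttrEditor.setAsText(rolesList.toString());
        return (ConfigAttributeDefinition) configAttrEditor.getValue();
    }

    /**
     * Returns {@code null}: the definitions live in the database and are not enumerated here.
     *
     * @return always {@code null}
     */
    public Collection getConfigAttributeDefinitions() {
        return null;
    }

    /**
     * Reports whether this source can handle the given secured-object class.
     *
     * @param arg0 the class of the secured object
     * @return {@code true} only for {@link FilterInvocation} and its subclasses, matching the
     *         cast performed in {@link #getAttributes(Object)}
     */
    public boolean supports(Class arg0) {
        return arg0 != null && FilterInvocation.class.isAssignableFrom(arg0);
    }
}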
