spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Root security context (loaded by ContextLoaderListener from web.xml). Authentication is form-based; URL
     authorization is not done by the built-in intercept-url rules but by the custom filter wired at the bottom.
     NOTE(review): the spring-security.xsd location in the schemaLocation below is truncated in this listing. -->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/s ... spring-security.xsd">
<!-- use-expressions="false": access attributes are plain role names (ROLE_USER / ROLE_ADMIN), matching what
     MySecurityMetadataSource returns and what MyAccessDecisionManager compares against. -->
<security:http auto-config="true" use-expressions="false">
<!-- No active intercept-url rules: the default FilterSecurityInterceptor has nothing to enforce, so every
     URL decision comes from myFilter below. -->
<!-- <security:intercept-url pattern="/welcome**" access="ROLE_USER"></security:intercept-url>
<security:intercept-url pattern="/admin**" access="ROLE_ADMIN"></security:intercept-url>
-->
<security:form-login login-page="/pages/login.jsp" authentication-failure-url="/pages/error.jsp"></security:form-login>
<security:logout logout-success-url="/pages/login.jsp"></security:logout>
<!-- CSRF protection is switched off: state-changing requests (the login and logout POSTs included) are
     accepted without a synchronizer token, so a cross-site form submission is not rejected. -->
<security:csrf disabled="true"></security:csrf>
<!-- myFilter runs just before the default interceptor; it combines the metadata source (which roles a URL
     needs) and the decision manager (does the caller hold one of them) defined as beans below. -->
<security:custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR"></security:custom-filter>
</security:http>
<!-- Users come from MyUserDetailsService. The in-memory users are kept only as a commented-out example; note
     the {noop} prefix there means the password is stored and compared in plain text. -->
<security:authentication-manager id="authenticationManager">
<security:authentication-provider user-service-ref="myUserDetailsService">
<!-- <security:user-service>
<security:user name="mylo" password="{noop}123456" authorities="ROLE_USER"></security:user>
<security:user name="admin" password="{noop}123456" authorities="ROLE_ADMIN"></security:user>
</security:user-service>-->
</security:authentication-provider>
</security:authentication-manager>
<bean class="cn.test.service.MyUserDetailsService" id="myUserDetailsService"> </bean>
<!-- The three collaborators AbstractSecurityInterceptor needs; the authenticationManager id above must match. -->
<bean class="cn.test.auth.MyFilter" id="myFilter">
<property name="accessDecisionManager" ref="accessDecisionManager"></property>
<property name="authenticationManager" ref="authenticationManager"></property>
<property name="securityMetadataSource" ref="mySecurityMetadataSource"></property>
</bean>
<bean class="cn.test.auth.MyAccessDecisionManager" id="accessDecisionManager"></bean>
<bean class="cn.test.auth.MySecurityMetadataSource" id="mySecurityMetadataSource"></bean>
</beans>
web.xml
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
id="WebApp_ID" version="2.5">
<display-name>spring security</display-name>
<!-- Root application context: only the security configuration. The MVC context is loaded separately by the
     DispatcherServlet below, so controller beans live in a child context. -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:spring-security.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- DelegatingFilterProxy hands every request to the Spring bean with the same name as this filter;
     "springSecurityFilterChain" is the bean the <security:http> element registers, so the name must not change. -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- No <dispatcher> elements: per the Servlet spec this mapping applies to client REQUEST dispatches only.
     FORWARD/INCLUDE/ERROR dispatches (for example the view resolver's forward to /pages/*.jsp) do not pass
     through the security chain again. -->
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Front controller mapped to "/"; the servlet-name (spelling included) must match the mapping below. -->
<servlet>
<servlet-name>sprinmvcDispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:springmvc.xml</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>sprinmvcDispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
</web-app>
springmvc.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- DispatcherServlet (child) context: controllers and view resolution only. Security beans are not defined
     here; they come from spring-security.xml in the root context. -->
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/mvc
http://www.springframework.org/schema/mvc/spring-mvc.xsd
">
<!-- Only the controller package is scanned; cn.test.auth and cn.test.service are wired explicitly elsewhere. -->
<context:component-scan base-package="cn.test.controller" />
<!-- A view name "x" returned by a controller resolves to /pages/x.jsp (internal forward). -->
<bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="suffix" value=".jsp" ></property>
<property name="prefix" value="/pages/"></property>
</bean>
<mvc:annotation-driven></mvc:annotation-driven>
<!-- Requests no controller handles fall through to the container's default servlet (static resources). -->
<mvc:default-servlet-handler></mvc:default-servlet-handler>
</beans>
MyUserDetailsService
package cn.test.service;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import java.util.ArrayList;
import java.util.List;
/**
* @program: test4Security
* @description: test4springSecurity
* @author: Mylo
* @create: 2019-01-04 10:06
*
* 验证
**/
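public class MyUserDetailsService implements UserDetailsService {

    /**
     * Looks up the account for a login name.
     *
     * <p>Stand-in for a database lookup: exactly two fixed accounts exist. The stored passwords carry
     * the {@code {noop}} encoder id, i.e. they are kept and compared in plain text; acceptable for
     * this demo only.
     *
     * @param s the login name submitted on the form
     * @return the account with the single authority assigned to it
     * @throws UsernameNotFoundException when no account has that name. The
     *         {@link UserDetailsService} contract forbids returning {@code null} here; the
     *         original {@code return null} made the authentication provider fail with an internal
     *         error instead of a normal bad-credentials outcome.
     */
    @Override
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        if ("mylo".equals(s)) {
            authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
            return new User(s, "{noop}123456", authorities);
        }
        if ("admin".equals(s)) {
            authorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
            return new User(s, "{noop}123456", authorities);
        }
        throw new UsernameNotFoundException("Unknown user: " + s);
    }
}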
controller
package cn.test.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
/**
* @program: test4Security
* @description: test4security
* @author: Mylo
* @create: 2019-01-04 09:44
**/
@Controller
public class LoginController {

    /** Logical view names; the configured view resolver maps a name {@code x} to {@code /pages/x.jsp}. */
    private static final String COMMON_VIEW = "common";
    private static final String ADMIN_VIEW = "admin";
    private static final String WELCOME_VIEW = "welcome";

    /**
     * Handles {@code /common}.
     *
     * @return the common page view name
     */
    @RequestMapping("common")
    public String common() {
        return COMMON_VIEW;
    }

    /**
     * Handles {@code /admin}; the role required to reach it is decided by the security filter, not here.
     *
     * @return the admin page view name
     */
    @RequestMapping("admin")
    public String admin() {
        return ADMIN_VIEW;
    }

    /**
     * Handles {@code /welcome}.
     *
     * @return the welcome page view name
     */
    @RequestMapping("welcome")
    public String welcome() {
        return WELCOME_VIEW;
    }
}
package cn.test.auth;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
/**
* @program: test4Security
* @description:
* @author: Mylo
* @create: 2019-01-04 10:33
*
* 定义 地址访问所需要的权限
**/
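public class MySecurityMetadataSource implements FilterInvocationSecurityMetadataSource {

    /**
     * Required attributes keyed by the URL pattern they protect. Filled once in the constructor and
     * never modified afterwards, so concurrent reads from request threads are safe. (The original
     * re-populated this non-thread-safe HashMap on every request.)
     */
    private final Map<String, Collection<ConfigAttribute>> map = new HashMap<String, Collection<ConfigAttribute>>();

    /** Builds the fixed pattern-to-role table; a stand-in for loading it from a database. */
    public MySecurityMetadataSource() {
        map.put("/welcome**", singleAttribute("ROLE_USER"));
        map.put("/admin**", singleAttribute("ROLE_ADMIN"));
    }

    /**
     * Returns the roles required for the request wrapped in {@code o}.
     *
     * <p>Matching is done on the request path only: {@code FilterInvocation.getRequestUrl()} also
     * carries the query string, and the original {@code url.contains("welcome")} check let a
     * request such as {@code /admin?welcome} be classified as a {@code ROLE_USER} page. The
     * substring match on the path itself is kept, so direct requests for the JSPs (e.g.
     * {@code /pages/admin.jsp}) are covered as well; "welcome" is still tested first, as before.
     *
     * @param o the secure object; must be a {@link FilterInvocation} (see {@link #supports(Class)})
     * @return the required attributes, or {@code null} when no pattern matches — the interceptor then
     *         treats the URL as public unless it is configured to reject public invocations
     * @throws IllegalArgumentException if {@code o} is not a {@link FilterInvocation}
     */
    @Override
    public Collection<ConfigAttribute> getAttributes(Object o) throws IllegalArgumentException {
        if (!(o instanceof FilterInvocation)) {
            throw new IllegalArgumentException("Object must be a FilterInvocation");
        }
        String path = stripQuery(((FilterInvocation) o).getRequestUrl());
        if (path.contains("welcome")) {
            return map.get("/welcome**");
        }
        if (path.contains("admin")) {
            return map.get("/admin**");
        }
        return null;
    }

    /**
     * Returns every attribute this source can hand out, so the interceptor can validate them
     * against the decision manager at startup instead of skipping that check (as a {@code null}
     * return did).
     *
     * @return a fresh collection of all configured attributes
     */
    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        Collection<ConfigAttribute> all = new ArrayList<ConfigAttribute>();
        for (Collection<ConfigAttribute> attrs : map.values()) {
            all.addAll(attrs);
        }
        return all;
    }

    /**
     * Only {@link FilterInvocation} secure objects are understood; {@link #getAttributes(Object)}
     * casts to that type. Reporting {@code true} for every class, as before, invited a
     * ClassCastException instead of a clear error.
     *
     * @param aClass the secure object class the interceptor asks about
     * @return whether {@code aClass} is a {@link FilterInvocation} (or subtype)
     */
    @Override
    public boolean supports(Class<?> aClass) {
        return FilterInvocation.class.isAssignableFrom(aClass);
    }

    /** Wraps one role name in a single-element attribute collection. */
    private static Collection<ConfigAttribute> singleAttribute(String role) {
        Collection<ConfigAttribute> attrs = new ArrayList<ConfigAttribute>();
        attrs.add(new SecurityConfig(role));
        return attrs;
    }

    /** Drops the query string (everything from the first {@code ?}) so only the path is matched. */
    private static String stripQuery(String requestUrl) {
        int q = requestUrl.indexOf('?');
        return q < 0 ? requestUrl : requestUrl.substring(0, q);
    }
}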
package cn.test.auth;
import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import javax.servlet.*;
import java.io.IOException;
/**
* @program: test4Security
* @description: test
* @author: Mylo
* @create: 2019-01-04 10:16
*
* 校验 权限
**/
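public class MyFilter extends AbstractSecurityInterceptor implements Filter {

    /** Maps request URLs to the roles they require; injected through the bean property setter below. */
    private FilterInvocationSecurityMetadataSource securityMetadataSource;

    /** Nothing to set up here: all collaborators are injected by Spring. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Runs the authorization check for one request and then continues the chain.
     *
     * <p>{@code beforeInvocation} fetches the required attributes via
     * {@link #obtainSecurityMetadataSource()} and asks the access decision manager; on denial it
     * throws (handled further up the chain by Spring Security), so the chain is only continued for
     * authorized requests. {@code finallyInvocation} restores the security context if a run-as
     * manager replaced it, and {@code afterInvocation} runs once the chain has completed normally —
     * the same sequence {@link FilterSecurityInterceptor} uses. The original called
     * {@code afterInvocation} from the {@code finally} block and never called
     * {@code finallyInvocation}.
     *
     * @param request  the current request
     * @param response the current response
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        FilterInvocation filterInvocation = new FilterInvocation(request, response, chain);
        InterceptorStatusToken token = super.beforeInvocation(filterInvocation);
        try {
            filterInvocation.getChain().doFilter(filterInvocation.getRequest(), filterInvocation.getResponse());
        } finally {
            super.finallyInvocation(token);
        }
        super.afterInvocation(token, null);
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * The secure object type this interceptor protects; must agree with what the metadata source
     * {@code supports}.
     *
     * @return {@code FilterInvocation.class}
     */
    @Override
    public Class<?> getSecureObjectClass() {
        return FilterInvocation.class;
    }

    /**
     * Hands the injected metadata source to {@link AbstractSecurityInterceptor}.
     *
     * @return the configured source, or {@code null} if the property was never set
     */
    @Override
    public SecurityMetadataSource obtainSecurityMetadataSource() {
        return this.securityMetadataSource;
    }

    /** @return the configured metadata source */
    public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
        return securityMetadataSource;
    }

    /** @param securityMetadataSource the source of URL-to-role mappings (bean property) */
    public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) {
        this.securityMetadataSource = securityMetadataSource;
    }
}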
package cn.test.auth;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import java.util.Collection;
import java.util.Iterator;
/**
* @program: test4Security
* @description:
* @author: Mylo
* @create: 2019-01-04 10:42
*
* 判断当前用于的权限 以及 访问当前路径所需要的权限
**/
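public class MyAccessDecisionManager implements AccessDecisionManager {

    /**
     * Grants access when the caller holds at least one of the authorities named by the required
     * attributes; otherwise throws.
     *
     * <p>Deny is the default outcome: a missing authentication, no required attributes, or no
     * overlap between required and held authorities all end in an exception. The interceptor
     * normally does not call this method with a {@code null} or empty attribute set, but the
     * original code dereferenced both {@code authentication} and {@code collection} without a
     * check. The comparison is written as {@code needed.equals(held.getAuthority())} because
     * {@code GrantedAuthority.getAuthority()} may return {@code null}.
     *
     * @param authentication the caller; may be {@code null} if no authentication is present
     * @param o              the secure object (unused; the decision depends only on the attributes)
     * @param collection     the attributes required for {@code o}, as produced by the metadata source
     * @throws AccessDeniedException               when none of the required authorities is held
     * @throws InsufficientAuthenticationException when {@code authentication} is {@code null}
     */
    @Override
    public void decide(Authentication authentication, Object o, Collection<ConfigAttribute> collection)
            throws AccessDeniedException, InsufficientAuthenticationException {
        if (authentication == null) {
            throw new InsufficientAuthenticationException("No authentication present");
        }
        if (collection == null || collection.isEmpty()) {
            throw new AccessDeniedException("没有权限访问");
        }
        // Hoisted out of the loop: the caller's authorities do not change per attribute.
        Collection<? extends GrantedAuthority> held = authentication.getAuthorities();
        for (ConfigAttribute attribute : collection) {
            String needed = attribute.getAttribute();
            if (needed == null) {
                continue;
            }
            for (GrantedAuthority authority : held) {
                if (needed.equals(authority.getAuthority())) {
                    return;
                }
            }
        }
        throw new AccessDeniedException("没有权限访问");
    }

    /**
     * All attributes are accepted; the ones this application produces are plain role names.
     *
     * @param configAttribute the attribute the interceptor asks about
     * @return always {@code true}
     */
    @Override
    public boolean supports(ConfigAttribute configAttribute) {
        return true;
    }

    /**
     * The decision does not look at the secure object, so any class is supported.
     *
     * @param aClass the secure object class
     * @return always {@code true}
     */
    @Override
    public boolean supports(Class<?> aClass) {
        return true;
    }
}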