首页 > 新闻动态 >  

新闻动态
NEWS

Spring Security3简单应用(权限设备在文件中)

添加时间:2013-5-10 点击量:

  1、权限既然写在设备文件中,那么数据库中只须要三个表即可。


    1)t_user  用户表


    2)t_role  角色表


    3)t_user_role  用户角色表 


  2、对应的范畴实体


    1)用户



package cn.luxh.app.domain;

/
用户
@author Luxh
/
public class User {

private Integer id;
/帐号/
private String account;
/暗码/
private String password;


@Override
public int hashCode() {
return account.hashCode();
}

@Override
public boolean equals(Object obj) {
User user
= (User) obj;
return this.account.equals(user.getAccount());
}

//getter setter
//...
}


    2)角色



package cn.luxh.app.domain;


/
角色
@author Luxh
/
public class Role {

private Integer id;
/角色名称/
private String name;

//getter setter
//...
}


    3)用户-角色



package cn.luxh.app.domain;

/
用户角色
@author Luxh
/
public class UserRole {
private Integer id;
/用户id/
private Integer userId;
/角色id/
private Integer roleId;

//getter setter
//...
}


  3、设备文件


    在web.xml文件中加上如下内容:



<!-- SpringSecurity权限框架 -->  

<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/</url-pattern>
</filter-mapping>

<!-- 获取Spring Security session的生命周期-->
<listener>
<listener-class>
org.springframework.security.web.session.HttpSessionEventPublisher
</listener-class>
</listener>


    当然设备spring器的时辰得把springsecurity的权限设备文件给加载进去:



<!-- 设备Spring器 -->

<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext.xml,classpath:application-security.xml</param-value>
</context-param>


    权限设备文件内容如下:



<?xml version=1.0 encoding=UTF-8?>

<beans:beans xmlns=http://www.springframework.org/schema/security
xmlns:beans
=http://www.springframework.org/schema/beans
xmlns:xsi
=http://www.w3.org/2001/XMLSchema-instance
xsi:schemaLocation
=http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
>

<!-- 登录页面不阻碍 -->
<http pattern=/login security=none />
<!-- 资料文件不阻碍 -->
<http pattern=/resources/ security=none />


<http auto-config=true use-expressions=true access-denied-page=/denied>

<!-- default-target-url 指定了从登录页面登录掉队行跳转的页面 always-use-default-target true默示登录成功后强迫跳转
authentication-failure-url 默示验证失败掉队入的页面 login-processing-url 设置验证登录验证地址,若是不设置,默认是j_spring_security_check
username-parameter,password-parameter 设置登录用户名和暗码的恳求name,默认:j_username,j_password
default-target-url=/user/home
-->
<form-login login-page=/login
always-use-default-target
=true
authentication-success-handler-ref
=successHandler
authentication-failure-handler-ref
=failureHandler />

<!-- 经管员和通俗用户可以接见 -->
<intercept-url pattern=/index access=hasAnyRole(ROLE_ADMIN,ROLE_USER) />
<!-- 经管员和通俗用户可以接见 -->
<intercept-url pattern=/common access=hasAnyRole(ROLE_ADMIN,ROLE_USER) />
<!-- 只有经管员可以接见 -->
<intercept-url pattern=/admin access=hasAnyRole(ROLE_ADMIN) />
<!-- 退出后到登岸页面 -->
<logout logout-success-url=/login />

<!-- error-if-maximum-exceeded 后登岸的账号会挤掉第一次登岸的账号
session-fixation-protection
防止捏造sessionid进击. 用户登录成功后会烧毁用户当前的session.
创建新的session,并把用户信息复制到新session中.
-->

<session-management invalid-session-url=/login?error=3
session-fixation-protection
=none>
<concurrency-control max-sessions=1
error-if-maximum-exceeded
=true expired-url=/login?error=2 /><!-- 阻拦第二次登录 -->
</session-management>
</http>


<authentication-manager alias=authenticationManager>
<authentication-provider user-service-ref=UserDetailsService/>
</authentication-manager>

<beans:bean id=UserDetailsService class=cn.luxh.app.security.UserDetailsServiceImpl />

<!-- 登录成功营业处理惩罚 -->
<beans:bean id=successHandler
class
=cn.luxh.app.security.LoginAuthenticationSuccessHandler>
<beans:property name=url value=/index></beans:property>
</beans:bean>

<!-- 登录失败营业处理惩罚 -->
<beans:bean id=failureHandler class=cn.luxh.app.security.LoginAuthenticationFailureHandler/>


</beans:beans>


  4、权限设备文件顶用到的类


    1)UserDetailsServiceImpl



package cn.luxh.app.security;


import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

import cn.luxh.app.domain.Role;
import cn.luxh.app.domain.User;
import cn.luxh.app.persistence.RoleMapper;
import cn.luxh.app.persistence.UserMapper;

public class UserDetailsServiceImpl implements UserDetailsService{

private static Logger log = LoggerFactory.getLogger(UserDetailsServiceImpl.class);

@Autowired
private UserMapper userMapper;

@Autowired
private RoleMapper roleMapper;

/
@param account 登录帐号
/
public UserDetails loadUserByUsername(String account)
throws UsernameNotFoundException {
log.info(
登录账号:+account);
org.springframework.security.core.userdetails.User userDetails
= null;
User user
= userMapper.ByAccount(account);

//账号暗码错误,可以在这熟步履抛出异常,让验证失败处理惩罚器AuthenticationFailureHandler进行处理惩罚

Collection
<GrantedAuthority> grantedAuthorities = getGrantedAuthorities(user);
boolean enables = true;
boolean accountNonExpired = true;
boolean credentialsNonExpired = true;
boolean accountNonLocked = true;
userDetails
= new org.springframework.security.core.userdetails.User(user.getAccount(), user.getPassword(), enables, accountNonExpired, credentialsNonExpired, accountNonLocked, grantedAuthorities);
return userDetails;
}

/
按照用户获取该用户拥有的角色
@param user
@return
/
private Set<GrantedAuthority> getGrantedAuthorities(User user) {
Set
<GrantedAuthority> grantedAuthorities = new HashSet<GrantedAuthority>();
List
<Role> roles = roleMapper.ByUserId(user.getId());
if(roles != null) {
for(Role role : roles) {
grantedAuthorities.add(
new SimpleGrantedAuthority(role.getName()));
}
}
return grantedAuthorities;
}

}


    UserMapper和RoleMapper是我应用MyBatis接见数据库的接口。


    2)LoginAuthenticationSuccessHandler



package cn.luxh.app.security;


import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

/
登录验证成功处理惩罚器
@author Luxh
/
public class LoginAuthenticationSuccessHandler implements AuthenticationSuccessHandler{

private static Logger log = LoggerFactory.getLogger(LoginAuthenticationSuccessHandler.class);

//登录验证成功后须要跳转的url
private String url;

public void onAuthenticationSuccess(HttpServletRequest request,
HttpServletResponse response, Authentication authentication)
throws IOException,
ServletException {
log.info(
登录验证成功:+request.getContextPath()+url);
//response.sendRedirect(request.getContextPath()+url);
request.getRequestDispatcher(url).forward(request, response);
}

public void setUrl(String url) {
this.url = url;
}

}


    3)LoginAuthenticationFailureHandler



package cn.luxh.app.security;


import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;


/
登录验证失足处理惩罚
@author Luxh
/
public class LoginAuthenticationFailureHandler implements AuthenticationFailureHandler {

@Override
public void onAuthenticationFailure(HttpServletRequest request,
HttpServletResponse response, AuthenticationException ae)
throws IOException, ServletException {

//按照AuthenticationException异常的类型
//进行失足营业逻辑处理惩罚
//...

response.sendRedirect(request.getContextPath()
+/login);
}

}


  


  5、SpringMVC的Controller


    1)LoginController



package cn.luxh.app.controller;


import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class LoginController {

private static Logger log = LoggerFactory.getLogger(LoginController.class);

/
登录进口
/
@RequestMapping(value
={/,/login})
public String login(@RequestParam(required=false) String error) {
log.info(
login......);
if(1.equals(error)) {
log.info(
验证失败!);
}
else if(2.equals(error)) {
log.info(
你的帐号已登录,不容许反复登岸!);
}
else if(3.equals(error)) {
log.info(
会话超时!);
}
return login;
}

/
没有权限接见跳转url
/
@RequestMapping(value
=/denied
public String denied(){
log.info(
denied......);
return denied;
}

/
超时跳转url
/
@RequestMapping(value
=/timeout
public String timedout(){
log.info(
timeout......);
return timedout;
}
}


    2)IndexController



package cn.luxh.app.controller;


import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class IndexController {

private static Logger log = LoggerFactory.getLogger(IndexController.class);

/
经管员和通俗用户可以接见
/
@RequestMapping(value
=/index
public String index(){
log.info(
index.......);
return index;
}

/
经管员和通俗用户可以接见
/
@RequestMapping(value
=/common
public String myJsp(){
log.info(
common.......);
return common;
}

/
经管员可以接见
/
@RequestMapping(value
=/admin
public String admin(){
log.info(
admin.......);
return admin;
}
}


   6、源码,不含jar包


    spring3.2.2+springsecurity3.1.3+myBatis3.2.2


    http://files.cnblogs.com/luxh/app3.rar


    


无论对感情还是对生活,“只要甜不要苦”都是任性而孩子气的,因为我们也不完美,我们也会伤害人。正因为我们都不完美,也因为生活从不是事事如意,所以对这些“瑕疵”的收纳才让我们对生活、对他人的爱变得日益真实而具体。—— 汪冰《世界再亏欠你,也要敢于拥抱幸福》
分享到: