本文档指导从AcegiPlugin迁移到SpringSecurityCorePlugin的过程,包括配置更改、密码编码调整及新特性介绍。适用于希望了解迁移步骤的技术人员。
现在Acegi Plugin插件已经停止开发了,已经转移到了Spring Security Core Plugin了。它们虽然师出同门,还是有很多地方需要调整的。
以下是官方文档,新入手看了这些还是有点蒙的,具体在文章后面进行解说。
3 Migrating from the Acegi Plugin
If you formerly used the Acegi plugin, change your application configuration settings as follows.
| Setting | Spring Security Plugin | Acegi Plugin |
|---|---|---|
| Enabled by default | true | false |
| Cache UserDetails by default | false | true |
| Configuration location | grails-app/conf/ Config.groovy | grails-app/conf/ SecurityConfig.groovy |
| Security service | springSecurityService | authenticateService |
The table shows names of corresponding configuration properties.
The plugin's configuration values all start withgrails.plugins.springsecurityto distinguish them from similarly named options in Grails and from other plugins. You must specify all property overrides with thegrails.plugins.springsecuritysuffix. For example, you specify the attributepassword.algorithmas:
grails.plugins.springsecurity.password.algorithm='SHA-512'in
Config.groovy
| Acegi Plugin | Spring Security Plugin |
|---|---|
| active | active |
| loginUserDomainClass | userLookup.userDomainClassName |
| userName | userLookup.usernamePropertyName |
| enabled | userLookup.enabledPropertyName |
| password | userLookup.passwordPropertyName |
| relationalAuthorities | userLookup.authoritiesPropertyName |
| getAuthoritiesMethod | N/A |
| authorityDomainClass | authority.className |
| authorityField | authority.nameField |
| authenticationFailureUrl | failureHandler.defaultFailureUrl |
| ajaxAuthenticationFailureUrl | failureHandler.ajaxAuthFailUrl |
| defaultTargetUrl | successHandler.defaultTargetUrl |
| alwaysUseDefaultTargetUrl | successHandler.alwaysUseDefault |
| filterProcessesUrl | apf.filterProcessesUrl |
| key | anon.key |
| userAttribute | anon.userAttribute |
| loginFormUrl | auth.loginFormUrl |
| forceHttps | auth.forceHttps |
| ajaxLoginFormUrl | auth.ajaxLoginFormUrl |
| afterLogoutUrl | logout.afterLogoutUrl |
| errorPage | adh.errorPage |
| ajaxErrorPage | adh.ajaxErrorPage |
| ajaxHeader | ajaxHeader |
| algorithm | password.algorithm |
| encodeHashAsBase64 | password.encodeHashAsBase64 |
| cookieName | rememberMe.cookieName |
| alwaysRemember | rememberMe.alwaysRemember |
| tokenValiditySeconds | rememberMe.tokenValiditySeconds |
| parameter | rememberMe.parameter |
| rememberMeKey | rememberMe.key |
| useLogger | registerLoggerListener |
| useRequestMapDomainClass | securityConfigType = "Requestmap" |
| requestMapClass | requestMap.className |
| requestMapPathField | requestMap.urlField |
| requestMapConfigAttributeField | requestMap.configAttributeField |
| useControllerAnnotations | securityConfigType = "Annotation" |
| controllerAnnotationsMatcher | controllerAnnotations.matcher |
| controllerAnnotationsMatchesLowercase | controllerAnnotations.lowercase |
| controllerAnnotationStaticRules | controllerAnnotations.staticRules |
| controllerAnnotationsRejectIfNoRule | rejectIfNoRule |
| requestMapString | N/A - securityConfigType = "InterceptUrlMap" is very similar |
| realmName | basic.realmName |
| basicProcessingFilter | useBasicAuth |
| switchUserProcessingFilter | useSwitchUserFilter |
| swswitchUserUrl | switchUser.switchUserUrl |
| swexitUserUrl | switchUser.exitUserUrl |
| swtargetUrl | switchUser.targetUrl |
| useMail | N/A - registration is supported in the UI plugin |
| mailHost | N/A - registration is supported in the UI plugin |
| mailUsername | N/A - registration is supported in the UI plugin |
| mailPassword | N/A - registration is supported in the UI plugin |
| mailProtocol | N/A - registration is supported in the UI plugin |
| mailFrom | N/A - registration is supported in the UI plugin |
| mailPort | N/A - registration is supported in the UI plugin |
| defaultRole | N/A - registration is supported in the UI plugin |
| useOpenId | N/A - supported in the OpenID plugin |
| openIdNonceMaxSeconds | N/A - supported in the OpenID plugin |
| useLdap | N/A - supported in the LDAP plugin |
| ldapRetrieveGroupRoles | N/A - supported in the LDAP plugin |
| ldapRetrieveDatabaseRoles | N/A - supported in the LDAP plugin |
| ldapSearchSubtree | N/A - supported in the LDAP plugin |
| ldapGroupRoleAttribute | N/A - supported in the LDAP plugin |
| ldapPasswordAttributeName | N/A - supported in the LDAP plugin |
| ldapServer | N/A - supported in the LDAP plugin |
| ldapManagerDn | N/A - supported in the LDAP plugin |
| ldapManagerPassword | N/A - supported in the LDAP plugin |
| ldapSearchBase | N/A - supported in the LDAP plugin |
| ldapSearchFilter | N/A - supported in the LDAP plugin |
| ldapGroupSearchBase | N/A - supported in the LDAP plugin |
| ldapGroupSearchFilter | N/A - supported in the LDAP plugin |
| ldapUsePassword | N/A - supported in the LDAP plugin |
| useKerberos | N/A - will be supported in a secondary plugin |
| kerberosLoginConfigFile | N/A - will be supported in a secondary plugin |
| kerberosRealm | N/A - will be supported in a secondary plugin |
| kerberosKdc | N/A - will be supported in a secondary plugin |
| kerberosRetrieveDatabaseRoles | N/A - will be supported in a secondary plugin |
| useHttpSessionEventPublisher | useHttpSessionEventPublisher |
| cacheUsers | cacheUsers |
| useCAS | N/A - supported in the CAS plugin |
| cas.casServer | N/A - supported in the CAS plugin |
| cas.casServerPort | N/A - supported in the CAS plugin |
| cas.casServerSecure | N/A - supported in the CAS plugin |
| cas.localhostSecure | N/A - supported in the CAS plugin |
| cas.failureURL | N/A - supported in the CAS plugin |
| cas.defaultTargetURL | N/A - supported in the CAS plugin |
| cas.fullLoginURL | N/A - supported in the CAS plugin |
| cas.fullServiceURL | N/A - supported in the CAS plugin |
| cas.authenticationProviderKey | N/A - supported in the CAS plugin |
| cas.userDetailsService | N/A - supported in the CAS plugin |
| cas.sendRenew | N/A - supported in the CAS plugin |
| cas.proxyReceptorUrl | N/A - supported in the CAS plugin |
| cas.filterProcessesUrl | N/A - supported in the CAS plugin |
| useNtlm | N/A - will be supported in a secondary plugin |
| ntlm.stripDomain | N/A - will be supported in a secondary plugin |
| ntlm.retryOnAuthFailure | N/A - will be supported in a secondary plugin |
| ntlm.forceIdentification | N/A - will be supported in a secondary plugin |
| ntlm.defaultDomain | N/A - will be supported in a secondary plugin |
| ntlm.netbiosWINS | N/A - will be supported in a secondary plugin |
| httpPort | portMapper.httpPort |
| httpsPort | portMapper.httpsPort |
| secureChannelDefinitionSource | N/A, use secureChannel.definition |
| channelConfig | secureChannel.definition |
| ipRestrictions | ipRestrictions |
| useFacebook | N/A - will be supported in the Facebook plugin |
| facebook.filterProcessesUrl | N/A - will be supported in the Facebook plugin |
| facebook.authenticationUrlRoot | N/A - will be supported in the Facebook plugin |
| facebook.apiKey | N/A - will be supported in the Facebook plugin |
| facebook.secretKey | N/A - will be supported in the Facebook plugin |
问题一、
Acegi Plugin插件是在rails-app/conf/ SecurityConfig.groovy里面的,而Spring Security是在grails-app/conf/Config.groovy的,这点不复杂,官方文档也有说道。
问题二、
很多命名已经更改了,这个上文也有提到,如果没什么印象,可在看看上面的官方文档。
问题三、
这个问题比较关键Acegi Plugin插件默认的密码编码是与Spring Security默认编码是不一样的,所以需要在Config.groovy里面指定编码,如果以前使用的是MD5则需要重新配置为MD5,如下:
grails {
plugins {
springsecurity {
...
password.algorithm = "MD5"
...
}
}
}读取配置文件
Spring Security CorePlugin读取配置文件的方式为 SpringSecurityUtils.securityConfig
页面读取登录信息
采用了sec标签,如<sec:ifLoggedIn>,更多标签可见:http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/6%20Helper%20Classes.html#6.1%20SecurityTagLib
工具类与service类,目前能够用到的主要是这两个类里面的方法
org.codehaus.groovy.grails.plugins.springsecurity.SpringSecurityUtils
grails.plugins.springsecurity.SpringSecurityService
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
