Spring Security（Acegi）实现原理与应用二

最新推荐文章于 2020-04-19 12:30:13 发布

原创最新推荐文章于 2020-04-19 12:30:13 发布 · 1.1k 阅读

0 ·

CC 4.0 BY-SA版权

spring 专栏收录该内容

5 篇文章

订阅专栏

本文深入探讨Spring Security的自定义配置方法，包括FilterSecurityInterceptor的实现细节、用户认证及授权流程、自定义过滤器的应用等核心内容。通过具体配置示例展示了如何灵活设置不同URL的访问权限。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

接上篇—–
1.FilterSecurityInterceptor
上篇说到如下代码会自动初始化FilterChainProxy ，当然了那是 spring自己默认的初始化，这个就不多说了，我们直接从自定义开始来进步了解这个过程，这样也便于我们灵活的去运用，我们重点关注FilterSecurityInterceptor

<http auto-config='true'>  
        <intercept-url pattern="/**" access="ROLE_USER" />  
        <http-basic />  
    </http>

  <http auto-config='true'>  
        <intercept-url pattern="/**" access="ROLE_USER" />  
         <!-- 自定义filter -->  
       <custom-filter before="FILTER_SECURITY_INTERCEPTOR"    
           ref="securityInterceptorFilter" />      
    </http>
 <bean id="filterSecurityInterceptor"
    class="org.springframework.security.web.access.intercept.FilterSe curityInterceptor">
      <property name="authenticationManager" ref="authenticationManager" />
      <property name="accessDecisionManager" ref="accessDecisionManager" />
      <property name="securityMetadataSource">
         <security:filter-security-metadata-source>
            <security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
            <security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
         </security:filter-security-metadata-source>
      </property>
   </bean>

这里面FilterSecurityInterceptor当然啦可以自己定义，看下他的基类AbstractSecurityInterceptor在beforeInvocation中完成用户校验和授权，那么先看下用户的校验，然后再看怎么授权
2.用户校验管理器securityMetadataSource
accessDecisionManager：

<bean id="userFinderService" class="cn.com.nuskin.agelocme.config.UserFinderService" lazy-init="false"> 
    </bean>

    <!-- <bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"> 
        <property name="userDetailsService" ref="userFinderService" /> 
        <property name="hideUserNotFoundExceptions" value="false" /> 
    </bean>
     -->
    <bean id="authenticationProvider" class="cn.com.nuskin.agelocme.config.PersonalDaoAuthenticationProvider"> 
        <property name="userDetailsService" ref="userFinderService" /> 
        <property name="hideUserNotFoundExceptions" value="false" /> 
    </bean>

    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider ref= "authenticationProvider"/>  
        <sec:authentication-provider user-service-ref="userFinderService" >
             <sec:password-encoder hash="md5">
                <sec:salt-source user-property="username"/>
            </sec:password-encoder>
        </sec:authentication-provider>
    </sec:authentication-manager>

    <sec:http pattern="/backend/**" security="none"/>
    <sec:http pattern="/resources/**" security="none"/>
    <sec:http pattern="/swagger_ui/**" security="none"/>
    <sec:http pattern="/api-docs/**" security="none"/>


    <bean id="customAuthenticationEntryPoint" class="cn.com.nuskin.agelocme.config.CustomAuthenticationEntryPoint"></bean>

     <!-- intercept-url:拦截器,可以设定哪些路径需要哪些权限来访问. filters=none 不使用过滤,也可以理解为忽略 --> 
    <sec:http pattern="/api/**" use-expressions="true" auto-config="false" entry-point-ref="customAuthenticationEntryPoint">
        <sec:intercept-url pattern="/api/**" access="permitAll"/>
        <!-- 页面角色控制 -->
        <!-- <sec:intercept-url pattern="/admin/sensitiveWordInfo/**" access="hasRole('admin')"/>
        <sec:intercept-url pattern="/admin/clientInfo/**" access="hasRole('admin')"/>
        <sec:intercept-url pattern="/admin/adminUserInfo/**" access="hasRole('admin')"/>
        <sec:intercept-url pattern="/admin/roleInfo/**" access="hasRole('admin')"/> -->
        <sec:intercept-url pattern="/admin/login" access="permitAll"/>

    </sec:http>
    <!-- spring acegi权限校验失败处理器 -->
    <bean id="errorMessageAuthenticationFailureHandler" class="cn.com.nuskin.agelocme.config.ErrorMessageAuthenticationFailureHandler">
    </bean>
    <!-- spring acegi权限校验成功处理器 -->
    <bean id="successMessageAuthenticationHandler" class="cn.com.nuskin.agelocme.config.SuccessMessageAuthenticationHandler">
    </bean>
    <!-- spring acegi权限校验失败处理器 -->
     <bean id="backEndErrorMessageAuthenticationFailureHandler" class="cn.com.nuskin.agelocme.config.ErrorMessageAuthenticationFailureHandler">
        <property name="defaultFailureUrl" value="/admin/login"/>
        <property name="allowSessionCreation" value="true"/>
    </bean>


   <!-- Spring Security -->
    <sec:http pattern="/admin/**" use-expressions="true"  entry-point-ref="customAuthenticationEntryPoint">
        <sec:intercept-url pattern="/admin/login" access="permitAll"/>

        <!-- 用户后台 --> 
        <sec:form-login login-page="/admin/login" 
                username-parameter="userName"
                password-parameter="password"
                login-processing-url="/admin/validate"
                default-target-url="/admin/clientInfo/list"
                authentication-failure-handler-ref="backEndErrorMessageAuthenticationFailureHandler"
                always-use-default-target="true"/>
        <sec:logout logout-url="/admin/logout" logout-success-url="/admin/login" delete-cookies="JSESSIONID"/>
        <!-- session过期 -->
        <sec:session-management invalid-session-url="/admin/login" /> 

        <sec:session-management>
            <sec:concurrency-control max-sessions="99999" expired-url="/admin/login" session-registry-alias="sessionRegistry" />
        </sec:session-management>

        <sec:port-mappings>
            <sec:port-mapping http="${spring.config.prot.http}" https="${spring.config.prot.https}"/>
        </sec:port-mappings>

        <sec:session-management>
            <sec:concurrency-control max-sessions="99999" expired-url="/admin/login" session-registry-ref="sessionRegistry"/>
        </sec:session-management>