接上篇—–
1.FilterSecurityInterceptor
上篇说到如下代码会自动初始化FilterChainProxy,当然那是Spring自己默认的初始化,这里就不多说了;我们直接从自定义配置开始进一步了解这个过程,这样也便于我们灵活地去运用。我们重点关注FilterSecurityInterceptor。
<!-- Minimal namespace configuration: auto-config builds the default FilterChainProxy,
     every URL requires ROLE_USER and credentials arrive via HTTP Basic. Basic auth
     resends the credential on every request, so this only makes sense over HTTPS. -->
<http auto-config='true'>
<intercept-url pattern="/**" access="ROLE_USER" />
<http-basic />
</http>
<!-- Same rule set, but a custom filter is inserted immediately before the built-in
     FilterSecurityInterceptor position. Note that ref="securityInterceptorFilter" does not
     match the bean id "filterSecurityInterceptor" declared below; presumably one of the two
     names is a typo - confirm which id is intended. -->
<http auto-config='true'>
<intercept-url pattern="/**" access="ROLE_USER" />
<!-- custom filter -->
<custom-filter before="FILTER_SECURITY_INTERCEPTOR"
ref="securityInterceptorFilter" />
</http>
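<!-- Explicitly wired FilterSecurityInterceptor. The class name was previously written with a
     stray space ("FilterSe curityInterceptor"), which cannot be loaded; it is fixed here. -->
<bean id="filterSecurityInterceptor"
class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<!-- Used to authenticate the Authentication held in the SecurityContext when it is not yet authenticated. -->
<property name="authenticationManager" ref="authenticationManager" />
<!-- Decides, from the granted authorities, whether the request may proceed. -->
<property name="accessDecisionManager" ref="accessDecisionManager" />
<!-- Maps URL patterns to the roles required to reach them. Entries are matched in declaration
     order and the first match wins, so the narrower /admin/** rule must stay above the /** catch-all. -->
<property name="securityMetadataSource">
<security:filter-security-metadata-source>
<security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
<security:intercept-url pattern="/**" access="ROLE_USER,ROLE_ADMIN" />
</security:filter-security-metadata-source>
</property>
</bean>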
这里的FilterSecurityInterceptor当然也可以自己定义。看下它的基类AbstractSecurityInterceptor:它在beforeInvocation中完成用户校验和授权。那么先看用户校验,然后再看怎么授权。
2.用户校验管理器securityMetadataSource
accessDecisionManager:
<!-- UserDetailsService implementation that both authentication providers below load users from. -->
<bean id="userFinderService" class="cn.com.nuskin.agelocme.config.UserFinderService" lazy-init="false">
</bean>
<!-- Stock DaoAuthenticationProvider kept for reference; superseded by the custom provider that follows. -->
<!-- <bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userFinderService" />
<property name="hideUserNotFoundExceptions" value="false" />
</bean>
-->
<!-- Custom provider; presumably extends DaoAuthenticationProvider (it accepts the same properties) - confirm.
     hideUserNotFoundExceptions=false lets UsernameNotFoundException reach the failure handler instead of
     being folded into BadCredentialsException, so the response can differ between an unknown and a known
     username. That is an account-enumeration trade-off; keep it deliberate and make sure the handlers
     below do not echo the distinction to the client unless that is wanted. -->
<bean id="authenticationProvider" class="cn.com.nuskin.agelocme.config.PersonalDaoAuthenticationProvider">
<property name="userDetailsService" ref="userFinderService" />
<property name="hideUserNotFoundExceptions" value="false" />
</bean>
<!-- Two providers share one ProviderManager and the same user store. When a provider throws a
     non-terminal AuthenticationException, ProviderManager tries the next one, so a login the
     custom provider rejects is retried against the MD5 provider below; confirm that this
     fallthrough is intended and that both agree on what a valid credential is. -->
<sec:authentication-manager alias="authenticationManager">
<sec:authentication-provider ref= "authenticationProvider"/>
<sec:authentication-provider user-service-ref="userFinderService" >
<!-- MD5 salted with the username is a fast hash with a predictable salt, not a password KDF.
     The usual fix is to migrate stored hashes and switch to a BCryptPasswordEncoder bean wired
     through <sec:password-encoder ref="..."/>; existing MD5 hashes need a re-hash on next login. -->
<sec:password-encoder hash="md5">
<sec:salt-source user-property="username"/>
</sec:password-encoder>
</sec:authentication-provider>
</sec:authentication-manager>
<!-- security="none" removes these paths from the security filter chain entirely: no
     authentication, no SecurityContext, no session handling. /backend/** in particular is
     fully public; confirm nothing sensitive is served there, and that publishing swagger_ui
     and api-docs without authentication is intended. -->
<sec:http pattern="/backend/**" security="none"/>
<sec:http pattern="/resources/**" security="none"/>
<sec:http pattern="/swagger_ui/**" security="none"/>
<sec:http pattern="/api-docs/**" security="none"/>
<!-- Entry point invoked when an unauthenticated request reaches a protected URL. -->
<bean id="customAuthenticationEntryPoint" class="cn.com.nuskin.agelocme.config.CustomAuthenticationEntryPoint"></bean>
<!-- intercept-url: interceptor rule mapping request paths to the permission needed to access them.
     filters=none (legacy attribute) disabled filtering for a path, i.e. the path was ignored. -->
<sec:http pattern="/api/**" use-expressions="true" auto-config="false" entry-point-ref="customAuthenticationEntryPoint">
<!-- Every request this chain handles is allowed through. If /api/** needs authentication it must
     come from a filter that is not shown in this excerpt - confirm. -->
<sec:intercept-url pattern="/api/**" access="permitAll"/>
<!-- Page-level role control -->
<!-- <sec:intercept-url pattern="/admin/sensitiveWordInfo/**" access="hasRole('admin')"/>
<sec:intercept-url pattern="/admin/clientInfo/**" access="hasRole('admin')"/>
<sec:intercept-url pattern="/admin/adminUserInfo/**" access="hasRole('admin')"/>
<sec:intercept-url pattern="/admin/roleInfo/**" access="hasRole('admin')"/> -->
<!-- Dead rule: this chain only handles requests matching /api/**, so /admin/login (and the
     commented-out /admin/... rules) can never match here; they belong in the /admin/** chain. -->
<sec:intercept-url pattern="/admin/login" access="permitAll"/>
</sec:http>
<!-- Spring Security (Acegi-era) authentication failure handler. -->
<bean id="errorMessageAuthenticationFailureHandler" class="cn.com.nuskin.agelocme.config.ErrorMessageAuthenticationFailureHandler">
</bean>
<!-- Spring Security (Acegi-era) authentication success handler. -->
<bean id="successMessageAuthenticationHandler" class="cn.com.nuskin.agelocme.config.SuccessMessageAuthenticationHandler">
</bean>
<!-- Same failure handler class, configured for the admin UI: redirects back to the login page.
     defaultFailureUrl / allowSessionCreation look like SimpleUrlAuthenticationFailureHandler
     properties, so the custom class presumably extends it - confirm. -->
<bean id="backEndErrorMessageAuthenticationFailureHandler" class="cn.com.nuskin.agelocme.config.ErrorMessageAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/admin/login"/>
<property name="allowSessionCreation" value="true"/>
</bean>
<!-- Spring Security -->
<sec:http pattern="/admin/**" use-expressions="true" entry-point-ref="customAuthenticationEntryPoint">
<!-- Only the login page is explicitly public. No rule covering the rest of /admin/** is visible
     in this excerpt; with the interceptor's default rejectPublicInvocations=false, a URL that
     matches no intercept-url is treated as public, so unless a rule such as
     pattern="/admin/**" access="isAuthenticated()" follows further down, the admin area is
     effectively unprotected - confirm. -->
<sec:intercept-url pattern="/admin/login" access="permitAll"/>
<!-- 用户后台 -->
<!-- Admin console login form. Credentials are read from the userName/password parameters of a
     POST to /admin/validate; always-use-default-target sends every successful login to
     /admin/clientInfo/list instead of the originally requested page, and failures go to the
     handler above, which redirects back to /admin/login. -->
<sec:form-login login-page="/admin/login"
username-parameter="userName"
password-parameter="password"
login-processing-url="/admin/validate"
default-target-url="/admin/clientInfo/list"
authentication-failure-handler-ref="backEndErrorMessageAuthenticationFailureHandler"
always-use-default-target="true"/>
<!-- Logout clears the JSESSIONID cookie in the browser in addition to the server-side session
     invalidation that logout performs by default, then redirects to the login page. -->
<sec:logout logout-url="/admin/logout" logout-success-url="/admin/login" delete-cookies="JSESSIONID"/>
<!-- Session expiry -->
<!-- session-management appears three times inside this <sec:http>. The namespace parser
     picks a single session-management child per http element, so only one of the three is
     expected to take effect and the others are silently dropped (strict schema validation may
     even reject the duplicates). Merge them into one element and verify that both
     invalid-session-url and concurrency-control are actually active. -->
<sec:session-management invalid-session-url="/admin/login" />
<!-- max-sessions="99999" keeps the SessionRegistry populated but disables any real
     concurrent-login limit; set it to the value that is actually wanted. -->
<sec:session-management>
<sec:concurrency-control max-sessions="99999" expired-url="/admin/login" session-registry-alias="sessionRegistry" />
</sec:session-management>
<!-- HTTP/HTTPS port pairs used when a channel-switch redirect is issued. The placeholders
     assume a property placeholder configurer is registered in this context - confirm. -->
<sec:port-mappings>
<sec:port-mapping http="${spring.config.prot.http}" https="${spring.config.prot.https}"/>
</sec:port-mappings>
<!-- Same concurrency-control as above, but referencing rather than aliasing sessionRegistry;
     one of the two blocks is redundant. -->
<sec:session-management>
<sec:concurrency-control max-sessions="99999" expired-url="/admin/login" session-registry-ref="sessionRegistry"/>
</sec:session-management>