LDAP and Acegi? ---- Dissecting an Acegi configuration file
Is there any necessary connection between these two? I am not familiar with LDAP, and even less with Acegi. Heh, mixing the two together just makes a mess.
LDAP seems to be something to do with connecting to a data store (it is actually a directory access protocol rather than a database driver). So how does it differ from the JDBC database connections we see everywhere, and from JNDI? What advantage does it have over those two, and how does that advantage happen to fit what Acegi needs?
As for Acegi, all I know is that it is a security framework that works well with Spring. Leaving the other aspects of security aside, let us look only at how it manages login. Logging in must involve hitting some data store, so how does Acegi's configuration file express the management of that data access?
Studying the applicationContext-acegi-secutiry.xml file defined in the project closely, it configures the following beans:
1, filterChainProxy --> org.acegisecurity.util.FilterChainProxy
property: filterInvocationDefinitionSource, whose value is:
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=httpSessionContextIntegrationFilter,logoutFilter,authenicationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
What is this long string of parameters for, and what type is filterInvocationDefinitionSource?
A look at the source shows its type is FilterInvocationDefinitionSource; so how can a property of that type accept such a long string?
Looking at the FilterInvocationDefinitionSource source in turn, it is an interface, which makes things worse: when FilterChainProxy is initialised and its setter is called, how can it instantiate an interface? An anonymous inner class? (The answer is Spring's property-editor mechanism: next to the interface sits org.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor, a PropertyEditor that Spring locates by the <Type>Editor naming convention and uses to parse the text block into a concrete implementation. The first two lines are directives: lower-case the request URL before comparing, and treat the patterns as Apache Ant paths. Each remaining line is pattern=value,value,... and the first pattern that matches a request wins, so the filters listed after /** run, in that order, for every request.)
Let's keep reading.........
2, httpSessionContextIntegrationFilter --> org.acegisecurity.context.HttpSessionContextIntegrationFilter. No properties are configured for this bean.
3, logoutFilter --> org.acegisecurity.ui.logout.LogoutFilter
A <constructor-arg> sets value="/index.htm" (the URL to redirect to after logout).
A second <constructor-arg> supplies a List whose elements are:
<ref bean="rememberMeServices"/> (? it is listed here because TokenBasedRememberMeServices also implements LogoutHandler and cancels the remember-me cookie on logout)
and <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/>
4, authenicationProcessingFilter --> org.acegisecurity.ui.webapp.AuthenticationProcessingFilter
Six properties:
authenticationManager ref="authenticationManager" (?)
authenticationFailureUrl value="/jsp/accessDenied.jsp"
alwaysUseDefaultTargetUrl value="true"
defaultTargetUrl value="/pages/content.html"
filterProcessesUrl value="/jsp/j_acegi_security_check" (this one looks important: it is the URL the login form posts to, and the only URL on which this filter actually processes credentials)
rememberMeServices ref="rememberMeServices" (?)
5, securityContextHolderAwareRequestFilter --> org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter. No properties are configured.
6, rememberMeProcessingFilter --> org.acegisecurity.ui.rememberme.RememberMeProcessingFilter
Two properties:
authenticationManager ref="authenticationManager" (?)
rememberMeServices ref="rememberMeServices" (?)
7, anonymousProcessingFilter --> org.acegisecurity.providers.anonymous.AnonymousProcessingFilter
Two properties:
key value="changeThis" (must be the same key as the AnonymousAuthenticationProvider in bean 11, and should not be left at the sample value)
userAttribute value="anonymousUser,ROLE_ANONYMOUS"
8, exceptionTranslationFilter --> org.acegisecurity.ui.ExceptionTranslationFilter
Two properties (note forceHttps="false" below: the redirect to the login form keeps whatever scheme the original request used, so the password form is not forced onto HTTPS):
<property name="authenticationEntryPoint">
<bean class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
<property name="loginFormUrl" value="/jsp/login.jsp"/>
<property name="forceHttps" value="false"/>
</bean>
</property>
<property name="accessDeniedHandler">
<bean class="org.acegisecurity.ui.AccessDeniedHandlerImpl">
<property name="errorPage" value="/jsp/accessDenied.jsp"/>
</bean>
</property>
9, filterInvocationInterceptor --> org.acegisecurity.intercept.web.FilterSecurityInterceptor
Three properties:
authenticationManager ref="authenticationManager" (?)
<property name="accessDecisionManager">
<bean class="org.acegisecurity.vote.AffirmativeBased">
<property name="allowIfAllAbstainDecisions" value="false"/>
<property name="decisionVoters">
<list>
<bean class="org.acegisecurity.vote.RoleVoter"/>
<bean class="org.acegisecurity.vote.AuthenticatedVoter"/>
</list>
</property>
</bean>
</property>
<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/jsp/login.jsp=ROLE_ANONYMOUS
/jsp/**=ROLE_MPIXTOOLGROUP
</value>
</property>
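To make the two text blocks concrete (the filterInvocationDefinitionSource of bean 1 and the objectDefinitionSource just above), here is a small re-implementation of how Acegi interprets them, together with the RoleVoter / AuthenticatedVoter / AffirmativeBased decision of bean 9. This is an added example written for this page in Python, not Acegi's own code: the Ant-pattern matcher, the voter functions and the names DefinitionSource, decide, GRANTED and so on are this example's, while the two text blocks are copied from the configuration above.

```python
# Added example, not code from the page or from Acegi: how the two text blocks
# are read. filterInvocationDefinitionSource maps a URL to the ordered filter
# beans that run for it; objectDefinitionSource maps a URL to the
# ConfigAttributes that FilterSecurityInterceptor votes on. Same grammar for
# both: directive lines, then "pattern=value,value,...", first match wins.
import re
from typing import List, Optional, Sequence, Tuple

CONVERT_LOWER = "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON"
PATTERN_ANT = "PATTERN_TYPE_APACHE_ANT"
GRANTED, ABSTAIN, DENIED = 1, 0, -1          # same values as AccessDecisionVoter
LEVELS = ["IS_AUTHENTICATED_ANONYMOUSLY", "IS_AUTHENTICATED_REMEMBERED", "IS_AUTHENTICATED_FULLY"]


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Ant path pattern -> anchored regex. '**' spans segments, '*' stays inside
    one segment, '?' is one character; a trailing '/**' also matches the bare
    prefix, so '/jsp/**' covers '/jsp' as well as '/jsp/x/y'."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**/", i):
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


class DefinitionSource:
    """Parses the text block; lookup() returns the values of the first matching
    pattern, or None when no pattern matches."""

    def __init__(self, text: str) -> None:
        self.lowercase = False
        self.rules: List[Tuple[str, "re.Pattern[str]", List[str]]] = []
        for raw in text.strip().splitlines():
            line = raw.strip()
            if not line or line == PATTERN_ANT:      # only Ant patterns are implemented here
                continue
            if line == CONVERT_LOWER:
                self.lowercase = True
                continue
            pattern, _, values = line.partition("=")
            self.rules.append((pattern.strip(), ant_to_regex(pattern.strip()),
                               [v.strip() for v in values.split(",") if v.strip()]))

    def lookup(self, url: str) -> Optional[List[str]]:
        path = url.split("?", 1)[0]                  # the Ant-based map strips the query string
        if self.lowercase:
            path = path.lower()
        for _, regex, values in self.rules:
            if regex.match(path):
                return values
        return None


def role_voter(authorities: Sequence[str], attributes: Sequence[str]) -> int:
    """RoleVoter: only ROLE_* attributes count; abstains when there are none."""
    wanted = [a for a in attributes if a.startswith("ROLE_")]
    if not wanted:
        return ABSTAIN
    return GRANTED if any(a in authorities for a in wanted) else DENIED


def authenticated_voter(level: str, attributes: Sequence[str]) -> int:
    """AuthenticatedVoter: a stronger authentication satisfies a weaker attribute."""
    wanted = [a for a in attributes if a in LEVELS]
    if not wanted:
        return ABSTAIN
    have = LEVELS.index(level)
    return GRANTED if any(have >= LEVELS.index(a) for a in wanted) else DENIED


def affirmative_based(votes: Sequence[int], allow_if_all_abstain: bool = False) -> bool:
    """AffirmativeBased: one grant is enough; otherwise any deny denies; all
    abstentions fall back to allowIfAllAbstainDecisions (false in the page)."""
    if GRANTED in votes:
        return True
    if DENIED in votes:
        return False
    return allow_if_all_abstain


def decide(source: DefinitionSource, url: str, authorities: Sequence[str], level: str) -> bool:
    """What FilterSecurityInterceptor does with the page's two voters. A URL that
    no pattern maps gets no attributes and passes through unchecked."""
    attributes = source.lookup(url)
    if attributes is None:
        return True
    votes = [role_voter(authorities, attributes), authenticated_voter(level, attributes)]
    return affirmative_based(votes, allow_if_all_abstain=False)


# The two text blocks as they appear in the page's configuration.
FILTER_CHAIN_TEXT = """
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=httpSessionContextIntegrationFilter,logoutFilter,authenicationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
"""
OBJECT_DEFINITION_TEXT = """
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/jsp/login.jsp=ROLE_ANONYMOUS
/jsp/**=ROLE_MPIXTOOLGROUP
"""
FILTER_CHAIN = DefinitionSource(FILTER_CHAIN_TEXT)
OBJECT_DEFINITION = DefinitionSource(OBJECT_DEFINITION_TEXT)

if __name__ == "__main__":
    print(FILTER_CHAIN.lookup("/jsp/login.jsp?error=1"))
    anon = (["ROLE_ANONYMOUS"], "IS_AUTHENTICATED_ANONYMOUSLY")
    user = (["ROLE_MPIXTOOLGROUP"], "IS_AUTHENTICATED_FULLY")
    for url in ("/jsp/login.jsp", "/JSP/Content.jsp", "/pages/content.html"):
        print(url, "anon:", decide(OBJECT_DEFINITION, url, *anon),
              "user:", decide(OBJECT_DEFINITION, url, *user))
```

Two things the example makes visible in this configuration: a request for /pages/content.html, the defaultTargetUrl of bean 4, matches neither pattern, so FilterSecurityInterceptor attaches no attributes and lets even an anonymous user through; and because /jsp/login.jsp is mapped to ROLE_ANONYMOUS only, a fully authenticated ROLE_MPIXTOOLGROUP user who returns to the login page is denied (RoleVoter denies, AuthenticatedVoter abstains) and ends up on accessDenied.jsp.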
10, rememberMeServices --> org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices
Two properties:
<property name="userDetailsService" ref="userDetailsService"/> (?)
<property name="key" value="changeThis"/>
11, authenticationManager --> org.acegisecurity.providers.ProviderManager
One property:
<property name="providers"> (so is this the source the login credentials are checked against? "providers", after all. ProviderManager tries each provider in order and returns the first result it gets; a provider that rejects the credentials does not end the chain, the next one is still tried. So here LDAP is consulted before the in-memory users.)
<list>
<!-- To Disable LDAP, comment out ldapAuthProvider reference below -->
<ref local="ldapAuthProvider"/>
<ref local="daoAuthenticationProvider"/>
<bean class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider">
<property name="key" value="changeThis"/>
</bean>
<bean class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider">
<property name="key" value="changeThis"/>
</bean>
</list>
</property>
12, daoAuthenticationProvider --> org.acegisecurity.providers.dao.DaoAuthenticationProvider
One property:
<property name="userDetailsService" ref="userDetailsService"/>
13, userDetailsService --> org.acegisecurity.userdetails.memory.InMemoryDaoImpl
One property:
<property name="userMap">
<value>
jklaassen=4moreyears,ROLE_ADMIN
test=test,ROLE_MPIXTOOLGROUP (so this is static verification, with no database lookup of users and passwords? Each line is username=password,authority,..., and the passwords sit in the configuration file in the clear.)
devteam=get2work,ROLE_MPIXTOOLGROUP
jgaerlan=1234,ROLE_MPIXTOOLGROUP
opts=opts,ROLE_OPERATIONS
</value>
</property>
Note that the following block of configuration is commented out: (this is the one that would look users up in the database, via two stored procedures on a dataSource bean? It carries the same bean id, so uncommenting it would replace the in-memory store above.)
<!--
<bean id="userDetailsService" class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
<property name="dataSource">
<ref bean="dataSource"/>
</property>
<property name="usersByUsernameQuery">
<value>{call dbo.MLab_User_GetInfoByUserName(?)}</value>
</property>
<property name="authoritiesByUsernameQuery">
<value>{call dbo.MLab_UserRole_GetInfoByID(?)}</value>
</property>
</bean>
-->
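The remember-me beans (10, plus the RememberMeAuthenticationProvider inside bean 11) and the in-memory user store of bean 13 fit together as follows. This is an added Python example, not Acegi's code: it parses the page's userMap text into a user store and then builds and checks the cookie value in the format TokenBasedRememberMeServices used, base64(username:expiryMillis:md5hex(username:expiryMillis:password:key)). The function names, the UserDetails class and the helper attempt at the bottom are this example's; the user lines and the key "changeThis" are copied from the page.

```python
# Added example, not code from the page or from Acegi: the userMap text of
# InMemoryDaoImpl (bean 13) parsed into the user store, and the cookie that
# TokenBasedRememberMeServices (bean 10) issues and checks on top of that store:
#   cookie = base64( username ":" expiryMillis ":" md5hex(username ":" expiryMillis ":" password ":" key) )
import base64
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Copied from the page's userMap: "username=password,authority[,authority...]".
USER_MAP_TEXT = """
jklaassen=4moreyears,ROLE_ADMIN
test=test,ROLE_MPIXTOOLGROUP
devteam=get2work,ROLE_MPIXTOOLGROUP
jgaerlan=1234,ROLE_MPIXTOOLGROUP
opts=opts,ROLE_OPERATIONS
"""
DEFAULT_KEY = "changeThis"       # the page's value; it has to be replaced per deployment


@dataclass
class UserDetails:
    username: str
    password: str                # InMemoryDaoImpl keeps it exactly as written, in the clear
    authorities: List[str]
    enabled: bool = True


def parse_user_map(text: str) -> Dict[str, UserDetails]:
    """InMemoryDaoImpl grammar: name=password,authority[,authority...][,enabled|disabled].
    Keys are lower-cased because Acegi's UserMap looks users up case-insensitively."""
    users: Dict[str, UserDetails] = {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        name, _, rest = line.partition("=")
        parts = [p.strip() for p in rest.split(",") if p.strip()]
        flags = [p.lower() for p in parts[1:]]
        authorities = [p for p in parts[1:] if p.lower() not in ("enabled", "disabled")]
        users[name.strip().lower()] = UserDetails(name.strip(), parts[0], authorities,
                                                  enabled="disabled" not in flags)
    return users


def _signature(username: str, expiry_ms: int, password: str, key: str) -> str:
    # MD5 is what Acegi's format uses; kept so the cookie layout stays faithful.
    return hashlib.md5(f"{username}:{expiry_ms}:{password}:{key}".encode()).hexdigest()


def make_token(user: UserDetails, key: str, expiry_ms: int) -> str:
    """Cookie value issued after a successful login with remember-me ticked."""
    sig = _signature(user.username, expiry_ms, user.password, key)
    return base64.b64encode(f"{user.username}:{expiry_ms}:{sig}".encode()).decode()


def verify_token(cookie: str, key: str, users: Dict[str, UserDetails],
                 now_ms: Optional[int] = None) -> Optional[UserDetails]:
    """What RememberMeProcessingFilter does on a request carrying the cookie:
    decode, check expiry, reload the user, recompute and compare the signature."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    try:
        parts = base64.b64decode(cookie, validate=True).decode().split(":")
    except ValueError:                                # bad base64 or bad UTF-8
        return None
    if len(parts) != 3:
        return None
    username, expiry, sig = parts
    if not expiry.isdigit() or int(expiry) < now_ms:
        return None                                   # malformed or expired
    user = users.get(username.lower())
    if user is None or not user.enabled:
        return None
    expected = _signature(user.username, int(expiry), user.password, key)
    if not hmac.compare_digest(expected, sig):        # other key, changed password, or tampering
        return None
    return user


USERS = parse_user_map(USER_MAP_TEXT)

if __name__ == "__main__":
    two_weeks_ms = 14 * 24 * 3600 * 1000
    cookie = make_token(USERS["test"], DEFAULT_KEY, int(time.time() * 1000) + two_weeks_ms)
    print(cookie, "->", verify_token(cookie, DEFAULT_KEY, USERS))
    print("checked with another key ->", verify_token(cookie, "per-deployment-key", USERS))
```

The signature binds the cookie only to the user's stored password value and to key, and the same "changeThis" appears in beans 7, 10 and 11. The key has to be identical in bean 10 and in the RememberMeAuthenticationProvider of bean 11 (a cookie checked with a different key is simply rejected, as the last line shows), so change both together, and do not ship the sample value: anyone who has read this file knows it, and with bean 13 holding the passwords in the clear nothing in the token is secret from such a reader.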
14, initialDirContextFactory --> org.acegisecurity.ldap.DefaultInitialDirContextFactory
Configured as follows (the constructor argument is the server URL plus the root DN under which every search runs):
<constructor-arg value="ldap://dc03:389/OU=Employees,OU=Pleasanton,dc=kittyhawk,dc=funmail,dc=com"/>
<property name="managerDn">
<value>cn=mpixtool,OU=Employees,OU=Pleasanton,dc=kittyhawk,dc=funmail,dc=com</value>
</property>
<property name="managerPassword">
<value>p@55w0rd</value> (this password does not seem to be used for the login itself; the login used test's own password? It is in fact used: the factory binds as managerDn with it so that userSearch, bean 15, can find the user's DN and so that the authorities populator in bean 16 can read group membership. The user's own password is only used for the second bind, as that user.)
</property>
15, userSearch --> org.acegisecurity.ldap.search.FilterBasedLdapUserSearch (is this what verifies the login user? Not quite: it only locates the user's entry. The constructor args are the search base (empty, so the search starts at the root DN of bean 14), the filter with {0} replaced by the typed username, and the context factory; searchSubtree=true makes the search descend into sub-OUs.)
<constructor-arg index="0">
<value></value>
</constructor-arg>
<constructor-arg index="1">
<value>sAMAccountName={0}</value>
</constructor-arg>
<constructor-arg index="2">
<ref local="initialDirContextFactory"/>
</constructor-arg>
<property name="searchSubtree">
<value>true</value>
</property>
16, ldapAuthProvider --> org.acegisecurity.providers.ldap.LdapAuthenticationProvider
<constructor-arg>
<bean class="org.acegisecurity.providers.ldap.authenticator.BindAuthenticator">
<constructor-arg>
<ref local="initialDirContextFactory"/>
</constructor-arg>
<property name="userSearch">
<ref local="userSearch"/>
</property>
</bean>
</constructor-arg>
<constructor-arg>
<bean class="org.acegisecurity.providers.ldap.populator.DefaultLdapAuthoritiesPopulator">
<constructor-arg>
<ref local="initialDirContextFactory"/>
</constructor-arg>
<constructor-arg>
<value></value>
</constructor-arg>
<property name="groupRoleAttribute">
<value>cn</value>
</property>
<property name="rolePrefix">
<value>ROLE_</value>
</property>
<property name="convertToUpperCase">
<value>true</value>
</property>
<property name="defaultRole">
<value>IS_AUTHENTICATED_FULLY</value>
</property>
</bean>
</constructor-arg>
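To show where each of beans 14, 15 and 16 acts during a login, here is the bind / search / bind sequence run against a tiny in-memory stand-in for the directory so it works offline. This is an added Python example, not Acegi's code: the manager DN, its password, the root DN and the sAMAccountName={0} filter are taken from the configuration above, while the user alice, her password, the group entry, FakeDirectory, the exception class and the helper attempt are constructed for the example. It also settles the question raised under bean 14: managerPassword is used, for the bind that the user search and the group search run under, and the user's own password is only used for the second bind.

```python
# Added example, not code from the page or from Acegi: the login path that
# beans 14-16 describe, against an in-memory stand-in for the directory.
#   1. DefaultInitialDirContextFactory binds as managerDn / managerPassword.
#   2. FilterBasedLdapUserSearch runs "sAMAccountName={0}" from the root DN
#      (its search base is empty), subtree scope, with the typed username
#      escaped as a filter value, and returns the matching entry's DN.
#   3. BindAuthenticator binds as that DN with the password the user typed.
#   4. DefaultLdapAuthoritiesPopulator searches "(member=<user DN>)" and maps
#      each group's cn to ROLE_ + upper-case name, then adds defaultRole.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class BadCredentialsException(Exception):
    pass


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, List[str]] = field(default_factory=dict)
    password: Optional[str] = None        # only entries with a password can bind


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a value placed inside a filter. JNDI does this for the
    {0} argument, which is why the typed username cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


class FakeDirectory:
    """Just enough of an LDAP server: simple bind and one-attribute equality filters."""

    def __init__(self, entries: List[Entry]) -> None:
        self.entries = {e.dn.lower(): e for e in entries}
        self.binds: List[str] = []        # who bound, in order (the audit trail)

    def bind(self, dn: str, password: str) -> bool:
        e = self.entries.get(dn.lower())
        ok = e is not None and e.password is not None and password != "" and e.password == password
        self.binds.append(("ok   " if ok else "fail ") + dn)
        return ok

    def search(self, base: str, filter_str: str, subtree: bool = True) -> List[Entry]:
        m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
        if not m:
            raise ValueError("unsupported filter: " + filter_str)
        attr, raw = m.group(1).lower(), m.group(2)
        wildcard = raw != "" and raw.strip("*") == ""     # an unescaped '*' means any value
        wanted = _unescape(raw).lower()
        hits = []
        for e in self.entries.values():
            if base and not e.dn.lower().endswith("," + base.lower()):
                continue
            if not subtree and e.dn.count(",") != base.count(",") + 1:
                continue
            values = [v.lower() for k, vs in e.attrs.items() if k.lower() == attr for v in vs]
            if values and (wildcard or wanted in values):
                hits.append(e)
        return hits


class LdapAuthenticationProvider:
    """BindAuthenticator + DefaultLdapAuthoritiesPopulator with the page's settings as defaults."""

    def __init__(self, directory: FakeDirectory, root_dn: str, manager_dn: str, manager_password: str,
                 user_filter: str = "sAMAccountName={0}", group_role_attribute: str = "cn",
                 role_prefix: str = "ROLE_", to_upper: bool = True,
                 default_role: str = "IS_AUTHENTICATED_FULLY") -> None:
        self.dir, self.root_dn = directory, root_dn
        self.manager_dn, self.manager_password = manager_dn, manager_password
        self.user_filter, self.group_role_attribute = user_filter, group_role_attribute
        self.role_prefix, self.to_upper, self.default_role = role_prefix, to_upper, default_role

    def authenticate(self, username: str, password: str) -> List[str]:
        if password == "":
            # Rejected before any bind: most servers treat an empty password as an
            # anonymous bind, which would look like a successful login.
            raise BadCredentialsException("empty password")
        if not self.dir.bind(self.manager_dn, self.manager_password):       # step 1
            raise RuntimeError("manager bind failed; check managerDn/managerPassword")
        user_filter = "(" + self.user_filter.replace("{0}", escape_filter_value(username)) + ")"
        hits = self.dir.search(self.root_dn, user_filter, subtree=True)      # step 2
        if len(hits) != 1:
            raise BadCredentialsException("user not found or ambiguous")
        user_dn = hits[0].dn
        if not self.dir.bind(user_dn, password):                             # step 3
            raise BadCredentialsException("bad credentials")
        group_filter = "(member=" + escape_filter_value(user_dn) + ")"
        roles = []
        for g in self.dir.search(self.root_dn, group_filter, subtree=True):  # step 4
            name = g.attrs[self.group_role_attribute][0]
            roles.append(self.role_prefix + (name.upper() if self.to_upper else name))
        return sorted(roles) + [self.default_role]


# Constructed directory: manager account and root DN from the page, the rest invented.
BASE = "OU=Employees,OU=Pleasanton,dc=kittyhawk,dc=funmail,dc=com"
DIRECTORY = FakeDirectory([
    Entry("cn=mpixtool," + BASE, {"cn": ["mpixtool"]}, password="p@55w0rd"),
    Entry("CN=Alice Example," + BASE, {"sAMAccountName": ["alice"]}, password="alice-pw-constructed"),
    Entry("CN=mpixtoolgroup," + BASE, {"cn": ["mpixtoolgroup"], "member": ["CN=Alice Example," + BASE]}),
])
PROVIDER = LdapAuthenticationProvider(DIRECTORY, BASE, "cn=mpixtool," + BASE, "p@55w0rd")


def attempt(provider: LdapAuthenticationProvider, username: str, password: str) -> Optional[List[str]]:
    """Login helper: the granted authorities, or None when the provider rejects."""
    try:
        return provider.authenticate(username, password)
    except BadCredentialsException:
        return None


if __name__ == "__main__":
    print(attempt(PROVIDER, "alice", "alice-pw-constructed"), DIRECTORY.binds)
    print(attempt(PROVIDER, "*", "anything"))
```

The escaping of the typed username before it is spliced into the filter matters: a login name of * returns no entry instead of every entry, which is what JNDI's filter-argument substitution achieves inside FilterBasedLdapUserSearch. Two caveats are visible in the configuration itself: the URL is ldap://dc03:389, so both the manager password and every user's password cross the network unencrypted unless the deployment moves to ldaps:// or StartTLS; and the empty-password check has to stay, since an empty password is an anonymous bind on most directory servers and would otherwise pass as a successful login.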
A total of 16 beans are configured.
filterChainProxy references the following beans:
--httpSessionContextIntegrationFilter, bean 2 above.
--logoutFilter, bean 3 above.
----this logoutFilter references:
------rememberMeServices (bean 10)
--------this rememberMeServices references:
----------userDetailsService (bean 13)
--authenicationProcessingFilter, bean 4 above.
----this authenicationProcessingFilter references:
------authenticationManager (bean 11)
--------this authenticationManager references:
----------ldapAuthProvider (bean 16)
------------this ldapAuthProvider references:
--------------initialDirContextFactory (bean 14)
--------------userSearch (bean 15)
----------daoAuthenticationProvider (bean 12)
------------this daoAuthenticationProvider references:
--------------userDetailsService (bean 13)
------rememberMeServices (bean 10)
--securityContextHolderAwareRequestFilter, bean 5 above.
--rememberMeProcessingFilter, bean 6 above.
----this rememberMeProcessingFilter references:
------authenticationManager (bean 11)
------rememberMeServices (bean 10)
--anonymousProcessingFilter, bean 7 above.
--exceptionTranslationFilter, bean 8 above.
--filterInvocationInterceptor, bean 9 above.
----this filterInvocationInterceptor references:
------authenticationManager (bean 11)
With that the whole bean tree is resolved: of the 15 beans other than filterChainProxy itself, it references 8 directly and the other 7 indirectly, so filterChainProxy is without doubt the ringleader!