Spring Security3.1配置

最新推荐文章于 2025-08-15 10:38:51 发布

weixin_34284188

最新推荐文章于 2025-08-15 10:38:51 发布

阅读量124

点赞数

CC 4.0 BY-SA版权

文章标签：数据库 java 设计模式

原文链接：http://blog.51cto.com/flyingsnail/1317752

本文详细介绍使用SpringSecurity3.1进行权限管理的设计与实践，包括数据库结构搭建、系统配置及自定义过滤器等关键步骤。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

这几天学习了一下SpringSecurity3.1，从官网下载了SpringSecurity3.1版本进行练习，以下大部分来自网友的分享，自己加了一点自己的理解。

一、数据库结构

先来看一下数据库结构，采用的是基于角色-资源-用户的权限管理设计。(MySql数据库)

为了节省篇章，只对比较重要的字段进行注释。

1.用户表Users

CREATETABLE`users`(

--账号是否有限1.是0.否
`enable`int(11)defaultNULL,
`password`varchar(255)defaultNULL,
`account`varchar(255)defaultNULL,
`id`int(11)NOTNULLauto_increment,
PRIMARYKEY(`id`)
)

2.角色表Roles

CREATETABLE`roles`(
`enable`int(11)defaultNULL,
`name`varchar(255)defaultNULL,
`id`int(11)NOTNULLauto_increment,
PRIMARYKEY(`id`)
)

3用户_角色表users_roles

CREATETABLE`users_roles`(

--用户表的外键
`uid`int(11)defaultNULL,

--角色表的外键
`rid`int(11)defaultNULL,
`urId`int(11)NOTNULLauto_increment,
PRIMARYKEY(`urId`),
KEY`rid`(`rid`),
KEY`uid`(`uid`),
CONSTRAINT`users_roles_ibfk_1`FOREIGNKEY(`rid`)REFERENCES`roles`(`id`),
CONSTRAINT`users_roles_ibfk_2`FOREIGNKEY(`uid`)REFERENCES`users`(`id`)
)

4.资源表resources

CREATETABLE`resources`(
`memo`varchar(255)defaultNULL,

--权限所对应的url地址
`url`varchar(255)defaultNULL,

--优先权
`priority`int(11)defaultNULL,

--类型
`type`int(11)defaultNULL,

--权限所对应的编码，例201代表发表文章
`name`varchar(255)defaultNULL,
`id`int(11)NOTNULLauto_increment,
PRIMARYKEY(`id`)
)

5.角色_资源表roles_resources

CREATETABLE`roles_resources`(
`rsid`int(11)defaultNULL,
`rid`int(11)defaultNULL,
`rrId`int(11)NOTNULLauto_increment,
PRIMARYKEY(`rrId`),
KEY`rid`(`rid`),
KEY`roles_resources_ibfk_2`(`rsid`),
CONSTRAINT`roles_resources_ibfk_2`FOREIGNKEY(`rsid`)REFERENCES`resources`(`id`),
CONSTRAINT`roles_resources_ibfk_1`FOREIGNKEY(`rid`)REFERENCES`roles`(`id`)
)

二、系统配置

所需要的jar包，请自行到官网下载，我用的是SpringSecurity3.1.0.RC1版的。把dist下的除了源码件包导入就行了。还有那些零零碎的数据库驱动啊，log4j.jar等等，我相信在用SpringSecurity之前，大家已经会的了。

1）web.xml

<!-- Spring -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>classpath:applicationContext.xml,classpath:applicationContext-security.xml</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!-- 权限 -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

这里主要是配置了让容器启动的时候加载application-security.xml和SpringSecurity的权限过滤器代理,让其过滤所有的客服请求。

这里用到的filter-class是DelegatingFilterProxy，其实它不是一个filter。

DelegatingFilterProxy就是一个对于servletfilter的代理，用这个类的好处主要是通过Spring容器来管理servletfilter的生命周期，还有就是如果filter中需要一些Spring容器的实例，可以通过spring直接注入，另外读取一些配置文件这些便利的操作都可以通过Spring来配置实现。详细解释可参考以下链接：http://www.cnblogs.com/hzhuxin/archive/2011/12/19/2293730.html

2）application-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<global-method-security pre-post-annotations="enabled" />
<!-- 该路径下的资源不用过滤 -->
<http pattern="/js/**" security="none"/>
<http use-expressions="true" auto-config="true">
<form-login />
<logout/>
<!-- 实现免登陆验证 -->
<remember-me />
<session-management invalid-session-url="/timeout.jsp">
<concurrency-control max-sessions="10" error-if-maximum-exceeded="true" />
</session-management>
<custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
</http>
<!-- 配置过滤器 -->
<beans:bean id="myFilter" class="com.huaxin.security.MySecurityFilter">
<!-- 用户拥有的权限 -->
<beans:property name="authenticationManager" ref="myAuthenticationManager" />
<!-- 用户是否拥有所请求资源的权限 -->
<beans:property name="accessDecisionManager" ref="myAccessDecisionManager" />
<!-- 资源与权限对应关系 -->
<beans:property name="securityMetadataSource" ref="mySecurityMetadataSource" />
</beans:bean>
<!-- 实现了UserDetailsService的Bean -->
<authentication-manager alias="myAuthenticationManager">
<authentication-provider user-service-ref="myUserDetailServiceImpl" />
</authentication-manager>
<beans:bean id="myAccessDecisionManager" class="com.huaxin.security.MyAccessDecisionManager"></beans:bean>
<beans:bean id="mySecurityMetadataSource" class="com.huaxin.security.MySecurityMetadataSource">
<beans:constructor-arg name="resourcesDao" ref="resourcesDao"></beans:constructor-arg>
</beans:bean>
<beans:bean id="myUserDetailServiceImpl" class="com.huaxin.security.MyUserDetailServiceImpl">
<beans:property name="usersDao" ref="usersDao"></beans:property>
</beans:bean>
</beans:beans>

们在第二个http标签下配置一个我们自定义的继承了org.springframework.security.access.intercept.AbstractSecurityInterceptor的Filter，并注入其

必须的3个组件authenticationManager、accessDecisionManager和securityMetadataSource。其作用上面已经注释了。

<custom-filterref="myFilter"before="FILTER_SECURITY_INTERCEPTOR"/>这里的FILTER_SECURITY_INTERCEPTOR是SpringSecurity默认的Filter，

我们自定义的Filter必须在它之前，过滤客服请求。接下来看下我们最主要的myFilter吧。

3）myFilter

(1)MySecurityFilter.java过滤用户请求

public class MySecurityFilter extends AbstractSecurityInterceptor implements Filter {
//与applicationContext-security.xml里的myFilter的属性securityMetadataSource对应，
//其他的两个组件，已经在AbstractSecurityInterceptor定义
private FilterInvocationSecurityMetadataSource securityMetadataSource;
@Override
public SecurityMetadataSource obtainSecurityMetadataSource() {
return this.securityMetadataSource;
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
FilterInvocation fi = new FilterInvocation(request, response, chain);
invoke(fi);
}
private void invoke(FilterInvocation fi) throws IOException, ServletException {
// object为FilterInvocation对象
//super.beforeInvocation(fi);源码
//1.获取请求资源的权限
//执行Collection<ConfigAttribute> attributes = SecurityMetadataSource.getAttributes(object);
//2.是否拥有权限
//this.accessDecisionManager.decide(authenticated, object, attributes);
InterceptorStatusToken token = super.beforeInvocation(fi);
try {
fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
} finally {
super.afterInvocation(token, null);
}
}
public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
return securityMetadataSource;
}
public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) {
this.securityMetadataSource = securityMetadataSource;
}
public void init(FilterConfig arg0) throws ServletException {
// TODO Auto-generated method stub
}
public void destroy() {
// TODO Auto-generated method stub
}
@Override
public Class<? extends Object> getSecureObjectClass() {
//下面的MyAccessDecisionManager的supports方面必须放回true,否则会提醒类型错误
return FilterInvocation.class;
}
}

核心的InterceptorStatusTokentoken=super.beforeInvocation(fi);会调用我们定义的accessDecisionManager:decide(Objectobject)和securityMetadataSource

:getAttributes(Objectobject)方法。

（2）MySecurityMetadataSource.java

//1 加载资源与权限的对应关系
public class MySecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
//由spring调用
public MySecurityMetadataSource(ResourcesDao resourcesDao) {
this.resourcesDao = resourcesDao;
loadResourceDefine();
}
private ResourcesDao resourcesDao;
private static Map<String, Collection<ConfigAttribute>> resourceMap = null;
public ResourcesDao getResourcesDao() {
return resourcesDao;
}
public void setResourcesDao(ResourcesDao resourcesDao) {
this.resourcesDao = resourcesDao;
}
public Collection<ConfigAttribute> getAllConfigAttributes() {
// TODO Auto-generated method stub
return null;
}
public boolean supports(Class<?> clazz) {
// TODO Auto-generated method stub
return true;
}
//加载所有资源与权限的关系
private void loadResourceDefine() {
if(resourceMap == null) {
resourceMap = new HashMap<String, Collection<ConfigAttribute>>();
List<Resources> resources = this.resourcesDao.findAll();
for (Resources resource : resources) {
Collection<ConfigAttribute> configAttributes = new ArrayList<ConfigAttribute>();
//以权限名封装为Spring的security Object
ConfigAttribute configAttribute = new SecurityConfig(resource.getName());
configAttributes.add(configAttribute);
resourceMap.put(resource.getUrl(), configAttributes);
}
}
Set<Entry<String, Collection<ConfigAttribute>>> resourceSet = resourceMap.entrySet();
Iterator<Entry<String, Collection<ConfigAttribute>>> iterator = resourceSet.iterator();
}
//返回所请求资源所需要的权限
public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
String requestUrl = ((FilterInvocation) object).getRequestUrl();
System.out.println("requestUrl is " + requestUrl);
if(resourceMap == null) {
loadResourceDefine();
}
return resourceMap.get(requestUrl);
}
}

这里的resourcesDao，熟悉Dao设计模式和Spring注入的朋友应该看得明白。

（3）MyUserDetailServiceImpl.java

public class MyUserDetailServiceImpl implements UserDetailsService {
private UsersDao usersDao;
public UsersDao getUsersDao() {
return usersDao;
}
public void setUsersDao(UsersDao usersDao) {
this.usersDao = usersDao;
}
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
System.out.println("username is " + username);
Users users = this.usersDao.findByName(username);
if(users == null) {
throw new UsernameNotFoundException(username);
}
Collection<GrantedAuthority> grantedAuths = obtionGrantedAuthorities(users);
boolean enables = true;
boolean accountNonExpired = true;
boolean credentialsNonExpired = true;
boolean accountNonLocked = true;
User userdetail = new User(users.getAccount(), users.getPassword(), enables, accountNonExpired, credentialsNonExpired, accountNonLocked, grantedAuths);
return userdetail;
}
//取得用户的权限
private Set<GrantedAuthority> obtionGrantedAuthorities(Users user) {
Set<GrantedAuthority> authSet = new HashSet<GrantedAuthority>();
Set<Roles> roles = user.getRoles();
for(Roles role : roles) {
Set<Resources> tempRes = role.getResources();
for(Resources res : tempRes) {
authSet.add(new GrantedAuthorityImpl(res.getName()));
s           }
}
return authSet;
}
}

(4)MyAccessDecisionManager.java

public class MyAccessDecisionManager implements AccessDecisionManager {
public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes) throws AccessDeniedException, InsufficientAuthenticationException {
if(configAttributes == null) {
return;
}
//所请求的资源拥有的权限(一个资源对多个权限)
Iterator<ConfigAttribute> iterator = configAttributes.iterator();
while(iterator.hasNext()) {
ConfigAttribute configAttribute = iterator.next();
//访问所请求资源所需要的权限
String needPermission = configAttribute.getAttribute();
System.out.println("needPermission is " + needPermission);
//用户所拥有的权限authentication
for(GrantedAuthority ga : authentication.getAuthorities()) {
if(needPermission.equals(ga.getAuthority())) {
return;
}
}
}
//没有权限
throw new AccessDeniedException(" 没有权限访问！ ");
}
public boolean supports(ConfigAttribute attribute) {
// TODO Auto-generated method stub
return true;
}
public boolean supports(Class<?> clazz) {
// TODO Auto-generated method stub
return true;
}
}

三、流程

1）容器启动(MySecurityMetadataSource：loadResourceDefine加载系统资源与权限列表)
2）用户发出请求
3）过滤器拦截(MySecurityFilter:doFilter)
4）取得请求资源所需权限(MySecurityMetadataSource:getAttributes)
5）匹配用户拥有权限和请求权限(MyAccessDecisionManager:decide)，如果用户没有相应的权限，

执行第6步，否则执行第7步。
6）登录
7）验证并授权(MyUserDetailServiceImpl:loadUserByUsername)
8）重复4,5

四、结束语

另外，更详细的资料科参考以下链接：

http://www.cnblogs.com/wenxiu/archive/2011/01/22/1942084.html

http://www.blogjava.net/redhatlinux/archive/2008/08/20/223148.html

另有实例可参考附件。

转载于:https://blog.51cto.com/flyingsnail/1317752