spring-security3.2.5实现中国式安全管理(转)
2015-03-09 22:27
最近公司要做开发平台,对安全要求比较高;Spring Security框架刚好对所有安全问题都有涉及,框架的作者最近还做了spring-session项目实现分布式会话管理,还有他的另一个开源项目spring-security-oauth2。 关于spring-security的配置方法,网上有非常多的介绍,大都是基于XML配置,配置项非常多,阅读和扩展都不方便。其实spring-security也有基于Java的配置方式,今天就讲讲如何通过Java配置方式,扩展spring-security实现权限配置全部从表中读取。
直接上代码:
application.properties配置文件
Java代码
privilesByUsernameQuery= select authority from user_authorities where username = ?
allUrlAuthoritiesQuery=SELECT authority_id , url FROM Url_Authorities
javaconfig
Java代码
/**
*
*/
package com.sivalabs.springapp.config;
import java.util.List;
import javax.annotation.Resource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
//import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.util.StringUtils;
import com.sivalabs.springapp.entities.UrlAuthority;
import com.sivalabs.springapp.repositories.UserRepository;
/**
* @author tony
*
*/
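@Configuration
// debug=true makes Spring Security log filter-chain details for every request;
// that is a development setting and should be switched off outside development.
@EnableWebSecurity(debug = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    JdbcTemplate jdbcTemplate;

    @Autowired
    private Environment env;

    @Resource(name = "userRepository")
    private UserRepository userRepository;

    /**
     * Builds the {@link CustomUserDetailsService} that backs authentication and
     * supplies the URL-to-authority table.
     * <p>
     * Both SQL statements are read from application.properties:
     * <pre>
     * privilesByUsernameQuery= select authority from user_authorities where username = ?
     * allUrlAuthoritiesQuery=SELECT authority_id , url FROM Url_Authorities
     * </pre>
     * A property that is absent or empty is not applied: the per-user query then
     * keeps the default inherited from {@code JdbcDaoImpl}, and the URL query
     * stays unset.
     *
     * @return the configured service, also registered as a Spring bean
     */
    @Bean
    CustomUserDetailsService customUserDetailsService() {
        String privilesByUsernameQuery = env.getProperty("privilesByUsernameQuery");
        String allUrlAuthoritiesQuery = env.getProperty("allUrlAuthoritiesQuery");

        CustomUserDetailsService service = new CustomUserDetailsService();
        service.setJdbcTemplate(jdbcTemplate);
        service.setEnableGroups(false);

        // Authorities granted to the logged-in user, looked up by username.
        if (StringUtils.hasLength(privilesByUsernameQuery)) {
            service.setAuthoritiesByUsernameQuery(privilesByUsernameQuery);
        }
        // URL -> authority mapping. Guard on allUrlAuthoritiesQuery itself (not on the
        // per-user query) so a missing property is never passed through as null.
        if (StringUtils.hasLength(allUrlAuthoritiesQuery)) {
            service.setAllUrlAuthoritiesQuery(allUrlAuthoritiesQuery);
        }
        return service;
    }

    /**
     * Routes authentication through {@link #customUserDetailsService()}.
     * This class configures no password encoder, so the comparison is whatever
     * the inherited JDBC DAO does with the stored value.
     * NOTE(review): confirm how the users table stores passwords.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder registry) throws Exception {
        registry.userDetailsService(customUserDetailsService());
    }

    /**
     * Static resources bypass the security filter chain entirely.
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**");
    }

    /**
     * Defines the URL authorization rules. Rules are evaluated in declaration
     * order, so the fixed rules below take precedence over the database rows,
     * and {@code anyRequest()} is the catch-all.
     * <p>
     * CSRF protection is disabled for the whole application, so the form login
     * below carries no CSRF token.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // 1. Login/registration/logout need no authentication; /admin needs ROLE_ADMIN.
        http.csrf().disable().authorizeRequests()
            .antMatchers("/login", "/login/form**", "/register", "/logout")
            .permitAll()
            .antMatchers("/admin", "/admin/**").hasRole("ADMIN");

        // 2. URL patterns under authority control come from the database. They are
        //    read once here, so rows added later need a restart to take effect.
        //    The required authority is the numeric authority_id as a string, so the
        //    user's authorities (privilesByUsernameQuery) must contain those same
        //    values — the sample queries select `authority` on one side and
        //    `authority_id` on the other; confirm they hold the same values.
        List<UrlAuthority> urlAuthorities = customUserDetailsService().loadUrlAuthorities();
        for (UrlAuthority urlAuthority : urlAuthorities) {
            http.authorizeRequests()
                .antMatchers(urlAuthority.getUrl())
                .hasAuthority(String.valueOf(urlAuthority.getId()));
        }

        // 3. Everything else only requires an authenticated session.
        http.authorizeRequests().anyRequest().authenticated()
            .and().formLogin()
            .loginPage("/login/form")
            .loginProcessingUrl("/login").defaultSuccessUrl("/welcome")
            .failureUrl("/login/form?error").permitAll();
    }
}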
1.读取数据库中的URL资源对应的权限列表 2.读取登录用户拥有的权限列表
Java代码
/**
*
*/
package com.sivalabs.springapp.config;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;
import com.sivalabs.springapp.entities.UrlAuthority;
/**
* @author tony
*
*/
public class CustomUserDetailsService extends JdbcDaoImpl {

    /** SQL returning (authority_id, url) rows; set via {@link #setAllUrlAuthoritiesQuery}. */
    private String allUrlAuthoritiesQuery;

    /** Maps one (authority_id, url) row to a {@link UrlAuthority}. */
    private static final class UrlAuthorityRowMapper implements RowMapper<UrlAuthority> {
        @Override
        public UrlAuthority mapRow(ResultSet rs, int rowNum) throws SQLException {
            int authorityId = rs.getInt(1);
            String url = rs.getString(2);
            return new UrlAuthority(authorityId, url);
        }
    }

    /** Maps the first column of a row to a {@link SimpleGrantedAuthority}. */
    private static final class AuthorityRowMapper implements RowMapper<GrantedAuthority> {
        @Override
        public GrantedAuthority mapRow(ResultSet rs, int rowNum) throws SQLException {
            return new SimpleGrantedAuthority(rs.getString(1));
        }
    }

    /**
     * Loads every URL pattern that is under authority control together with the
     * id of the authority it requires. The caller reads this once while building
     * the security configuration, so rows added later are not seen until the
     * service restarts.
     *
     * @return the (authority id, url) pairs returned by {@code allUrlAuthoritiesQuery}
     */
    public List<UrlAuthority> loadUrlAuthorities() {
        RowMapper<UrlAuthority> mapper = new UrlAuthorityRowMapper();
        return getJdbcTemplate().query(allUrlAuthoritiesQuery, mapper);
    }

    /**
     * Loads the authorities of one user by running
     * {@code authoritiesByUsernameQuery} with the username bound as its single
     * prepared-statement parameter (the name is never concatenated into the SQL).
     *
     * @param username the login name to look up
     * @return a list of GrantedAuthority objects for the user
     */
    @Override
    protected List<GrantedAuthority> loadUserAuthorities(String username) {
        String sql = super.getAuthoritiesByUsernameQuery();
        RowMapper<GrantedAuthority> mapper = new AuthorityRowMapper();
        return getJdbcTemplate().query(sql, new String[] {username}, mapper);
    }

    /**
     * Sets the SQL used by {@link #loadUrlAuthorities()}; it must return the
     * authority id in column 1 and the URL pattern in column 2.
     *
     * @param allUrlAuthoritiesQuery the query text
     */
    public void setAllUrlAuthoritiesQuery(String allUrlAuthoritiesQuery) {
        this.allUrlAuthoritiesQuery = allUrlAuthoritiesQuery;
    }
}
测试数据及案例见 http://note.youdao.com/share/?id=c20e348d9a08504cd3ac1c7c58d1026e&type=note spring-security-oauth2 http://www.mvnrepository.com/artifact/org.springframework.security.oauth/spring-security-oauth2 Maven Repository: org.springframework.session » spring-session http://www.mvnrepository.com/artifact/org.springframework.session/spring-session
直接上代码:
application.properties配置文件
Java代码
privilesByUsernameQuery= select authority from user_authorities where username = ?
allUrlAuthoritiesQuery=SELECT authority_id , url FROM Url_Authorities
javaconfig
Java代码
/**
*
*/
package com.sivalabs.springapp.config;
import java.util.List;
import javax.annotation.Resource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
//import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.util.StringUtils;
import com.sivalabs.springapp.entities.UrlAuthority;
import com.sivalabs.springapp.repositories.UserRepository;
/**
* @author tony
*
*/
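@Configuration
// debug=true makes Spring Security log filter-chain details for every request;
// that is a development setting and should be switched off outside development.
@EnableWebSecurity(debug = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    JdbcTemplate jdbcTemplate;

    @Autowired
    private Environment env;

    @Resource(name = "userRepository")
    private UserRepository userRepository;

    /**
     * Builds the {@link CustomUserDetailsService} that backs authentication and
     * supplies the URL-to-authority table.
     * <p>
     * Both SQL statements are read from application.properties:
     * <pre>
     * privilesByUsernameQuery= select authority from user_authorities where username = ?
     * allUrlAuthoritiesQuery=SELECT authority_id , url FROM Url_Authorities
     * </pre>
     * A property that is absent or empty is not applied: the per-user query then
     * keeps the default inherited from {@code JdbcDaoImpl}, and the URL query
     * stays unset.
     *
     * @return the configured service, also registered as a Spring bean
     */
    @Bean
    CustomUserDetailsService customUserDetailsService() {
        String privilesByUsernameQuery = env.getProperty("privilesByUsernameQuery");
        String allUrlAuthoritiesQuery = env.getProperty("allUrlAuthoritiesQuery");

        CustomUserDetailsService service = new CustomUserDetailsService();
        service.setJdbcTemplate(jdbcTemplate);
        service.setEnableGroups(false);

        // Authorities granted to the logged-in user, looked up by username.
        if (StringUtils.hasLength(privilesByUsernameQuery)) {
            service.setAuthoritiesByUsernameQuery(privilesByUsernameQuery);
        }
        // URL -> authority mapping. Guard on allUrlAuthoritiesQuery itself (not on the
        // per-user query) so a missing property is never passed through as null.
        if (StringUtils.hasLength(allUrlAuthoritiesQuery)) {
            service.setAllUrlAuthoritiesQuery(allUrlAuthoritiesQuery);
        }
        return service;
    }

    /**
     * Routes authentication through {@link #customUserDetailsService()}.
     * This class configures no password encoder, so the comparison is whatever
     * the inherited JDBC DAO does with the stored value.
     * NOTE(review): confirm how the users table stores passwords.
     */
    @Override
    protected void configure(AuthenticationManagerBuilder registry) throws Exception {
        registry.userDetailsService(customUserDetailsService());
    }

    /**
     * Static resources bypass the security filter chain entirely.
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/resources/**");
    }

    /**
     * Defines the URL authorization rules. Rules are evaluated in declaration
     * order, so the fixed rules below take precedence over the database rows,
     * and {@code anyRequest()} is the catch-all.
     * <p>
     * CSRF protection is disabled for the whole application, so the form login
     * below carries no CSRF token.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // 1. Login/registration/logout need no authentication; /admin needs ROLE_ADMIN.
        http.csrf().disable().authorizeRequests()
            .antMatchers("/login", "/login/form**", "/register", "/logout")
            .permitAll()
            .antMatchers("/admin", "/admin/**").hasRole("ADMIN");

        // 2. URL patterns under authority control come from the database. They are
        //    read once here, so rows added later need a restart to take effect.
        //    The required authority is the numeric authority_id as a string, so the
        //    user's authorities (privilesByUsernameQuery) must contain those same
        //    values — the sample queries select `authority` on one side and
        //    `authority_id` on the other; confirm they hold the same values.
        List<UrlAuthority> urlAuthorities = customUserDetailsService().loadUrlAuthorities();
        for (UrlAuthority urlAuthority : urlAuthorities) {
            http.authorizeRequests()
                .antMatchers(urlAuthority.getUrl())
                .hasAuthority(String.valueOf(urlAuthority.getId()));
        }

        // 3. Everything else only requires an authenticated session.
        http.authorizeRequests().anyRequest().authenticated()
            .and().formLogin()
            .loginPage("/login/form")
            .loginProcessingUrl("/login").defaultSuccessUrl("/welcome")
            .failureUrl("/login/form?error").permitAll();
    }
}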
1.读取数据库中的URL资源对应的权限列表 2.读取登录用户拥有的权限列表
Java代码
/**
*
*/
package com.sivalabs.springapp.config;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.List;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl;
import com.sivalabs.springapp.entities.UrlAuthority;
/**
* @author tony
*
*/
public class CustomUserDetailsService extends JdbcDaoImpl {

    /** SQL returning (authority_id, url) rows; set via {@link #setAllUrlAuthoritiesQuery}. */
    private String allUrlAuthoritiesQuery;

    /** Maps one (authority_id, url) row to a {@link UrlAuthority}. */
    private static final class UrlAuthorityRowMapper implements RowMapper<UrlAuthority> {
        @Override
        public UrlAuthority mapRow(ResultSet rs, int rowNum) throws SQLException {
            int authorityId = rs.getInt(1);
            String url = rs.getString(2);
            return new UrlAuthority(authorityId, url);
        }
    }

    /** Maps the first column of a row to a {@link SimpleGrantedAuthority}. */
    private static final class AuthorityRowMapper implements RowMapper<GrantedAuthority> {
        @Override
        public GrantedAuthority mapRow(ResultSet rs, int rowNum) throws SQLException {
            return new SimpleGrantedAuthority(rs.getString(1));
        }
    }

    /**
     * Loads every URL pattern that is under authority control together with the
     * id of the authority it requires. The caller reads this once while building
     * the security configuration, so rows added later are not seen until the
     * service restarts.
     *
     * @return the (authority id, url) pairs returned by {@code allUrlAuthoritiesQuery}
     */
    public List<UrlAuthority> loadUrlAuthorities() {
        RowMapper<UrlAuthority> mapper = new UrlAuthorityRowMapper();
        return getJdbcTemplate().query(allUrlAuthoritiesQuery, mapper);
    }

    /**
     * Loads the authorities of one user by running
     * {@code authoritiesByUsernameQuery} with the username bound as its single
     * prepared-statement parameter (the name is never concatenated into the SQL).
     *
     * @param username the login name to look up
     * @return a list of GrantedAuthority objects for the user
     */
    @Override
    protected List<GrantedAuthority> loadUserAuthorities(String username) {
        String sql = super.getAuthoritiesByUsernameQuery();
        RowMapper<GrantedAuthority> mapper = new AuthorityRowMapper();
        return getJdbcTemplate().query(sql, new String[] {username}, mapper);
    }

    /**
     * Sets the SQL used by {@link #loadUrlAuthorities()}; it must return the
     * authority id in column 1 and the URL pattern in column 2.
     *
     * @param allUrlAuthoritiesQuery the query text
     */
    public void setAllUrlAuthoritiesQuery(String allUrlAuthoritiesQuery) {
        this.allUrlAuthoritiesQuery = allUrlAuthoritiesQuery;
    }
}
测试数据及案例见 http://note.youdao.com/share/?id=c20e348d9a08504cd3ac1c7c58d1026e&type=note spring-security-oauth2 http://www.mvnrepository.com/artifact/org.springframework.security.oauth/spring-security-oauth2 Maven Repository: org.springframework.session » spring-session http://www.mvnrepository.com/artifact/org.springframework.session/spring-session