spring security3 实现自定义管理权限

今天有个群友问了下ss3的问题，他主要是登陆实现权限的校验的顺序不清晰，当初我学这个框架的时候也是被ss3登陆校验权限的顺序困扰了几天。下面是我一点理解，有错的话还望指正一下。

其实，要实现自定义权限的话只有几个关键的类和接口，只要搞清楚他们的顺序就行了。

1、你可以初始化话容器的时候就加载资源和权限列表，这个在实现FilterInvocationSecurityMetadataSource接口的类里，定一个全局的静态map，以url为key，所需权限（集合）为value，装进这个静态map。

2、登陆。登陆的action在spring配置文件里配好。这个action会直接到继承UsernamePasswordAuthenticationFilter类的一个重写的attemptAuthentication方法里，把你输入username和password（加入配了MD5加密security3会自动帮你加密）和数据比对，如果存在这个username和password，进入第3步（这是后没有退出这个attemptAuthentication方法）。没有这个username和password的话直接抛异常和终止此次登陆。

3、如果username和password存在，会进入到实现UserDetailsService接口的类里的一个重写的loadUserByUsername方法，这个方法里会把该username所有拥有的权限设为安全权限然后返回一个UserDetails类型的结果。这是返回到第二步中的attemptAuthentication中，把这这个认证了得安全实体有所拥有的权限以Authentication类型返回。共第五步调用。

4、登陆认证成功后会有一个action（这个action在spring配置文件里配置），这个action是第一个url权限认证（假设这个action需要权限认证），这个请求会进入到实现了FilterInvocationSecurityMetadataSource接口的类里的一个重写的getAttributes方法，将第1步中的资源权限列表map中get出来，返回Collection<ConfigAttribute>类型的结果，共第5部调用。

5，第4步执行完之后会进入实现类AccessDecisionManager接口的类的一个重写decide方法，在这个方法中会将第3步中返回的Authentication和第4步中返回的Collection<ConfigAttribute>进行比对。比对成功则可以访问，比对不成功会跳转一个页面（这个页面也是在spring配置文件中配置）。

至此，已经完成了登陆的验证并成功执行一个action。

当然，你可以在登陆成功后添加一些你自己业务，比如说记录登陆次数和登陆ip，这需要实现security3的一些接口，并配置在spring配置文件里。

下面是所用到的一些关键的类

1、实现了FilterInvocationSecurityMetadataSource接口的类

/**
* @Description : 描述
* @author YangXuan
*@email 364105996@qq.com
* @date Aug 6, 2013 8:56:44 PM
*/
public class MySecurityMetadataSource implements
FilterInvocationSecurityMetadataSource {

public MySecurityMetadataSource(ResourcesDao resourcesDao, RolesDao rolesDao) {
this.resourcesDao = resourcesDao;
this.rolesDao = rolesDao;
this.loadResourceDefine();
}

private ResourcesDao resourcesDao;
private RolesDao rolesDao;
private RequestMatcher requestMatcher;
private String matcher = "ant";

public ResourcesDao getResourcesDao() {
return resourcesDao;
}

public void setResourcesDao(ResourcesDao resourcesDao) {
this.resourcesDao = resourcesDao;
}

public RolesDao getRolesDao() {
return rolesDao;
}

public void setRolesDao(RolesDao rolesDao) {
this.rolesDao = rolesDao;
}

public void setRequestMatcher(RequestMatcher requestMatcher) {
this.requestMatcher = requestMatcher;
}

public void setMatcher(String matcher) {
this.matcher = matcher;
}

// 返回所请求资源所需要的权限
public Collection<ConfigAttribute> getAttributes(Object object)
throws IllegalArgumentException {
HttpServletRequest request = ((FilterInvocation) object).getRequest();
String requestUrl = ((FilterInvocation) object).getRequestUrl();
System.out.println("requestUrl is " + requestUrl);
if (resourceMap == null) {
loadResourceDefine();
}

Set<String> urlMatch = resourceMap.keySet();
for (String url : urlMatch) {
if (matcher.toLowerCase().equals("ant")) {
requestMatcher = new AntPathRequestMatcher(url);
}
if (matcher.toLowerCase().equals("regex")) {
requestMatcher = new RegexRequestMatcher(url,
request.getMethod(), true);
}
if (requestMatcher.matches(request)) {
return resourceMap.get(url);
}
}
return null;
}

public Collection<ConfigAttribute> getAllConfigAttributes() {
return null;
}

public boolean supports(Class<?> clazz) {
return true;
}

public static Map<String, Collection<ConfigAttribute>> resourceMap = null;

private void loadResourceDefine() {
System.out
.println(">>>>>>>>>>loadResourceDefine()---successfully<<<<<<<<<<");
if (resourceMap == null) {
resourceMap = new HashMap<String, Collection<ConfigAttribute>>();
List<Resources> resources = this.resourcesDao.findAllResources();
for (Resources resource : resources) {
/*System.out.println(resource.getId() + "---" + resource.getUrl()
+ "---" + resource.getDescr() + "---"
+ resource.isEnabled());*/
List<Roles> roles = this.rolesDao
.findRolesByResourcesId(resource.getId());
Collection<ConfigAttribute> configAttributes = new HashSet<ConfigAttribute>();
for (Roles role : roles) {
configAttributes
.add(new SecurityConfig(role.getRoleName()));
}
resourceMap.put(resource.getUrl(), configAttributes);
}
}
}
}

2、继承了UsernamePasswordAuthenticationFilter的类

/**
* @Description : 描述
* @author YangXuan
*@email 364105996@qq.com
* @date Aug 6, 2013 8:57:45 PM
*/
public class MyUsernamePasswordAuthenticationFilter extends
UsernamePasswordAuthenticationFilter {
// 定义从前台接收参数的 属性名称
private String validationParameter = "validation";

public void setValidationParameter(String validationParameter) {
this.validationParameter = validationParameter;
}

private boolean openValidation = true;

public void setOpenValidation(boolean openValidation) {
this.openValidation = openValidation;
}

@Override
public Authentication attemptAuthentication(HttpServletRequest request,
HttpServletResponse response) throws AuthenticationException {
if (!request.getMethod().equals("POST")) {
throw new AuthenticationServiceException(
"Authentication method not supported: "
+ request.getMethod());
}

String username = obtainUsername(request).trim();
String password = obtainPassword(request).trim();

// 验证码validation是否正确
if (openValidation) {
checkValidateCode(request);
}

// 实现 Authentication,这里装进去的password会通过spring的MD5加密,然后实现校验
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
username, password);
// 允许子类设置详细属性
setDetails(request, authRequest);

// 运行UserDetailsService的loadUserByUsername 再次封装Authentication
return this.getAuthenticationManager().authenticate(authRequest);
}

@Override
protected String obtainUsername(HttpServletRequest request) {
Object obj = request.getParameter(getUsernameParameter());
return null == obj ? "" : obj.toString();
}

@Override
protected String obtainPassword(HttpServletRequest request) {
Object obj = request.getParameter(getPasswordParameter());
return null == obj ? "" : obj.toString();
}

protected String obtainValidationString(HttpServletRequest request) {
Object obj = request.getParameter(validationParameter);
return null == obj ? "" : obj.toString();
}

public void checkValidateCode(HttpServletRequest request) {

String jcaptchaCode = obtainValidationString(request).trim()
.toUpperCase();		//获取前台的验证码输入值
if (null == jcaptchaCode || jcaptchaCode.equals(""))
throw new BadCredentialsException("验证码超时！！！");

boolean b = CaptchaServiceSingleton.getInstance()
.validateResponseForID(request.getSession().getId(),
jcaptchaCode);
if (!b)
throw new BadCredentialsException("验证码不匹配！！！");
}

}

3、实现了UserDetailsService接口的类

/**
* @Description : 描述
* @author YangXuan
*@email 364105996@qq.com
* @date Aug 6, 2013 8:58:30 PM
*/
public class MyUserDetailServiceImpl implements UserDetailsService {

private UsersDao usersDao;
private RolesDao rolesDao;

public UsersDao getUsersDao() {
return usersDao;
}

public void setUsersDao(UsersDao usersDao) {
this.usersDao = usersDao;
}

public RolesDao getRolesDao() {
return rolesDao;
}

public void setRolesDao(RolesDao rolesDao) {
this.rolesDao = rolesDao;
}

public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException {

Users users = this.usersDao.findByName(username);
Set<GrantedAuthority> grantedAuths = obtionGrantedAuthorities(users);
users.setAuthorities(grantedAuths);

return users;
}

private Set<GrantedAuthority> obtionGrantedAuthorities(Users user) {
Set<GrantedAuthority> grantedAuthorities = new HashSet<GrantedAuthority>();
List<Roles> roles = this.rolesDao.findRolesByUsersId(user.getId());
for (Roles role : roles) {
grantedAuthorities.add(new SimpleGrantedAuthority(role
.getRoleName()));
}
return grantedAuthorities;
}
}

4、实现了AccessDecisionManager接口的类

/**
* @Description : 描述
* @author YangXuan
*@email 364105996@qq.com
* @date Aug 6, 2013 8:59:02 PM
*/
public class MyAccessDecisionManager implements AccessDecisionManager {

public void decide(Authentication authentication, Object object,
Collection<ConfigAttribute> configAttributes)
throws AccessDeniedException, InsufficientAuthenticationException {
if (configAttributes == null) {
return;
}
Iterator<ConfigAttribute> iterator = configAttributes.iterator();
while (iterator.hasNext()) {
ConfigAttribute configAttribute = iterator.next();
String needPermission = configAttribute.getAttribute();
for (GrantedAuthority ga : authentication.getAuthorities()) {
if (needPermission.equals(ga.getAuthority())) {
return;
}
}
}
// 没有权限让我们去捕捉
throw new AccessDeniedException(" No authority to access！");
}

public boolean supports(ConfigAttribute attribute) {
return true;
}

public boolean supports(Class<?> clazz) {
return true;
}

}

敲这些文字敲得好辛苦啊……不喜勿喷哈