SpringSecurity3安全權(quán)限管理手冊(cè)最新

1、spring security 3.0 安全權(quán)限管理手冊(cè)參考文獻(xiàn)：1、中的spring security權(quán)限管理手冊(cè)。2、spring security3.0權(quán)限管理手冊(cè)3、spring的相關(guān)資料。本文檔內(nèi)容僅作為公司權(quán)限管理資料用，對(duì)于企業(yè)來(lái)說(shuō)，權(quán)限管理將是系統(tǒng)中的非常重要的一個(gè)模塊，權(quán)限的設(shè)計(jì)也是參考相關(guān)資料進(jìn)行整理和補(bǔ)充。系統(tǒng)將通過(guò)數(shù)據(jù)庫(kù)進(jìn)行管理用戶權(quán)限。權(quán)限管理搭建要的問(wèn)題：1、區(qū)分authentication（驗(yàn)證）和 authorization（授權(quán)）驗(yàn)證這個(gè)用戶是誰(shuí)？用戶身份可靠嗎？授權(quán)某用戶a是否可以訪問(wèn)資源r某用戶a是否可以執(zhí)行m操作某用戶a是否可以對(duì)資源r執(zhí)行m操作2、ss

2、中的驗(yàn)證特點(diǎn)支持多種驗(yàn)證方式支持多種加密格式支持組件的擴(kuò)展和替換可以本地化輸出信息3、ss中的授權(quán)特點(diǎn)支持多種仲裁方式支持組件的擴(kuò)展和替換支持對(duì)頁(yè)面訪問(wèn)、方法訪問(wèn)、對(duì)象訪問(wèn)的授權(quán)。4、ss核心安全實(shí)現(xiàn)web安全通過(guò)配置servlet filter激活ss中的過(guò)濾器鏈實(shí)現(xiàn)session一致性驗(yàn)證實(shí)現(xiàn)免登陸驗(yàn)證（remember-me驗(yàn)證）提供一系列標(biāo)簽庫(kù)進(jìn)行頁(yè)面元素的安全控制方法安全通過(guò)aop模式實(shí)現(xiàn)安全代理web安全與方法安全均可以使用表達(dá)式語(yǔ)言定義訪問(wèn)規(guī)則5、配置ss配置web.xml，應(yīng)用安全過(guò)濾器配置spring，驗(yàn)證與授權(quán)部分在web頁(yè)面中獲取用戶身份在web頁(yè)面中應(yīng)用安全標(biāo)簽庫(kù)實(shí)現(xiàn)方

3、法級(jí)安全6、配置web.xml7、spring配置文件中設(shè)置命名空間8、通過(guò)數(shù)據(jù)庫(kù)驗(yàn)證用戶身份9、完善web頁(yè)面驗(yàn)證規(guī)則10、自定義驗(yàn)證配置11、本地化消息輸出（國(guó)際化） 根據(jù)公司項(xiàng)目的開(kāi)發(fā)要求和集合spring security3.0功能，公司將通過(guò)數(shù)據(jù)庫(kù)進(jìn)行對(duì)用戶身份驗(yàn)證和授權(quán)，系統(tǒng)將建立5個(gè)基礎(chǔ)表進(jìn)行對(duì)權(quán)利的管理。第一部分 數(shù)據(jù)庫(kù)設(shè)計(jì)1、表設(shè)計(jì)表1：用戶表（pub_users）序號(hào)字段類(lèi)型含義備注1user_idvchar(32)用戶idpk2user_accountvchar(30)登陸用戶名(登陸號(hào))3user_namevchar(40)用戶姓名4user_passwordvchar

4、(100)用戶密碼5enabledint是否被禁用0禁用1正常6issysint是否是超級(jí)用戶0非1是7user_descvchar(100)描述說(shuō)明：pub_users表中的登錄名和密碼用來(lái)控制用戶的登錄。表2：權(quán)限表（pub_authorities）序號(hào)字段類(lèi)型含義備注1authority_idvchar(32)權(quán)限idpk2authority_namevchar(40)權(quán)限名稱3authority_descvchar(100)權(quán)限描述4enabledint是否被禁用0禁用1正常5issysint是否是超級(jí)權(quán)限0非1是說(shuō)明：pub_authorities表中描述的是系統(tǒng)擁有哪些權(quán)限，如果要

5、詳細(xì)分類(lèi)，可以將一個(gè)url定義一個(gè)權(quán)限，那樣就能對(duì)所有資源進(jìn)行管理。表3：角色表（pub_roles）序號(hào)字段類(lèi)型含義備注1role_idvchar(32)角色idpk2role_namevchar(100)角色名稱3role_descvchar(100)角色描述4enabledint是否被禁用0禁用1正常5issysint是否是超級(jí)權(quán)限0非1是說(shuō)明：pub_roles表中描述的是系統(tǒng)按用戶分類(lèi)或按照功能模塊分類(lèi)，將系統(tǒng)進(jìn)行整合歸類(lèi)管理。表4：資源表（pub_resources）序號(hào)字段類(lèi)型含義備注1resource_idvchar(32)資源idpk2resource_namevchar(1

6、00)資源名稱3resource _typevchar(40)資源類(lèi)型url、method4priorityint資源優(yōu)先權(quán)即排序5resource _stringvchar(200)資源鏈接6resource_descvchar(100)資源描述7enabledint是否被禁用0禁用1正常8issysint是否是超級(jí)權(quán)限0非1是說(shuō)明：pub_roles表中描述的是系統(tǒng)需要保護(hù)的資源及（url或方法）。以上四個(gè)表是權(quán)限管理的基礎(chǔ)表（用戶表、權(quán)限表、角色表、資源表）。表5：用戶角色連接表(pub_users_roles)序號(hào)字段類(lèi)型含義備注1idindetityid主鍵pk2user_idvch

7、ar(32)用戶id3role_idvchar(32)角色id說(shuō)明：用來(lái)管理用戶和角色的關(guān)系。表6：角色權(quán)限連接表(pub_roles_authorities)序號(hào)字段類(lèi)型含義備注1idindetityid主鍵pk2role _idvchar(32)角色id3authority_idvchar(32)權(quán)限id說(shuō)明：用來(lái)管理角色和權(quán)限的關(guān)系。表7：權(quán)限資源連接表(pub_authorities_resources)序號(hào)字段類(lèi)型含義備注1idindetityid主鍵pk2authority_idvchar(32)權(quán)限id3resource_idvchar(32)資源id說(shuō)明：用來(lái)管理角色和權(quán)限的關(guān)

8、系。2、建表語(yǔ)句如下（數(shù)據(jù)庫(kù)采用ms sql 2000）：create table pub_users( user_id varchar(32), user_account varchar(30), user_name varchar(40), user_password varchar(100), user_desc varchar(100), enabled int, issys int);alter table pub_users add constraint pk_pub_users primary key(user_id);create table pub_authorities(

9、authority_id varchar(32), authority_name varchar(40), authority_desc varchar(100), enabled int, issys int);alter table pub_authorities add constraint pk_pub_authorities primary key(authority_id);create table pub_roles( role_id varchar(32), role_name varchar(40), role_desc varchar(100), enabled int,

10、issys int);alter table pub_roles add constraint pk_pub_roles primary key(role_id);create table pub_resources( resource_id varchar(32), resource_name varchar(100), resource_desc varchar(100), resource_type varchar(40), resource_string varchar(200), priority int, enabled int, issys int);alter table pu

11、b_resources add constraint pk_pub_resources primary key(resource_id);create table pub_users_roles( id numeric(12,0) identity not null, user_id varchar(32), role_id varchar(32), enabled int);alter table pub_users_roles add constraint pk_pub_users_roles primary key(id);alter table pub_users_roles add

12、constraint fk_users_roles_users foreign key(user_id) references pub_users(user_id);alter table pub_users_roles add constraint fk_users_roles_roles foreign key(role_id) references pub_roles(role_id);create table pub_roles_authorities( id numeric(12,0) identity not null, role_id varchar(32), authority

13、_id varchar(32), enabled int);alter table pub_roles_authorities add constraint pk_pub_roles_authorities primary key(id);alter table pub_roles_authorities add constraint fk_pub_roles_authorities_authorities foreign key(authority_id) references pub_authorities(authority_id);alter table pub_roles_autho

14、rities add constraint fk_pub_roles_authorities_roles foreign key(role_id) references pub_roles(role_id);create table pub_authorities_resources( id numeric(12,0) identity not null, authority_id varchar(32), resource_id varchar(32), enabled int);alter table pub_authorities_resources add constraint pk_

15、pub_authorities_resources primary key(id);alter table pub_authorities_resources add constraint fk_pub_authorities_resources_authorities foreign key(authority_id) references pub_authorities(authority_id);alter table pub_authorities_resources add constraint fk_pub_authorities_resources_resources forei

16、gn key(resource_id) references pub_resources(resource_id);3、e-r圖如下：第二部分 web數(shù)據(jù)庫(kù)整合提示：相關(guān)代碼請(qǐng)參考項(xiàng)目模塊1、將數(shù)據(jù)庫(kù)表結(jié)構(gòu)和hibernate建立映射，本系統(tǒng)采用annotation進(jìn)行對(duì)數(shù)據(jù)庫(kù)進(jìn)行零配置處理（請(qǐng)參考hibernate映射），如圖。2、建立權(quán)限的dao層。3、建立權(quán)限的service層4、配置web.xml <?xml version="1.0" encoding="utf-8"?><web-app version="2.5&q

17、uot; xmlns="xmlns:xsi="/2001/xmlschema-instance"xsi:schemalocation=" <display-name>rstframe</display-name><context-param><param-name>webapprootkey</param-name><param-value>rstframe.root</param-value></context-param>&

18、lt;context-param><param-name>log4jconfiglocation</param-name><param-value>classpath:perties</param-value></context-param><context-param><param-name>log4jrefreshinterval</param-name><param-value>60000</param-value></context-pa

19、ram> <!- spring applicationcontext配置文件的路徑,可使用通配符,多個(gè)路徑用,號(hào)分隔此參數(shù)用于后面的spring context loader -><context-param><param-name>contextconfiglocation</param-name><param-value>classpath*:/applicationcontext.xml,classpath*:/applicationcontext-rstframe.xml</param-value></

20、context-param><!- character encoding filter -><filter><filter-name>encodingfilter</filter-name><filter-class>org.springframework.web.filter.characterencodingfilter</filter-class><init-param><param-name>encoding</param-name><param-value>u

21、tf-8</param-value></init-param></filter><filter-mapping><filter-name>encodingfilter</filter-name><url-pattern>/*</url-pattern></filter-mapping><!- springside's hibernate open session in view filter-><filter><filter-name>hibe

22、rnateopensessioninviewfilter</filter-name><filter-class>com.rstco.frame.modules.orm.hibernate.opensessioninviewfilter</filter-class><init-param><param-name>excludesuffixs</param-name><param-value>js,css,jpg,gif</param-value></init-param></filt

23、er><filter-mapping><filter-name>hibernateopensessioninviewfilter</filter-name><url-pattern>/*</url-pattern></filter-mapping><!- springsecurity filter-> <filter> <filter-name>springsecurityfilterchain</filter-name> <filter-class>org

24、.springframework.web.filter.delegatingfilterproxy</filter-class> </filter> <filter-mapping> <filter-name>springsecurityfilterchain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!- struts2 filter, actionpackages -><filter>&l

25、t;filter-name>struts2filter</filter-name><filter-class>org.apache.struts2.dispatcher.ng.filter.strutsprepareandexecutefilter</filter-class></filter><filter-mapping><filter-name>struts2filter</filter-name><url-pattern>/*</url-pattern></filte

26、r-mapping> <!-spring的applicationcontext 載入 -><listener><listener-class>org.springframework.web.context.contextloaderlistener</listener-class></listener><listener><listener-class>org.springframework.web.util.log4jconfiglistener</listener-class></l

27、istener><!- spring 刷新introspector防止內(nèi)存泄露 -><listener><listener-class>org.springframework.web.util.introspectorcleanuplistener</listener-class></listener><!- 防止多人登陸 ,控制一個(gè)用戶只能登錄一次，不能在其他地方重新登錄-> <listener><listener-class>org.springframework.security.web

28、.session.httpsessioneventpublisher </listener-class></listener><!- session超時(shí)定義,單位為分鐘 -><session-config><session-timeout>20</session-timeout></session-config><welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>

29、<!- error page -><error-page><exception-type>java.lang.throwable</exception-type><location>/common/500.jsp</location></error-page><error-page><error-code>500</error-code><location>/common/500.jsp</location></error-page><

30、;error-page><error-code>404</error-code><location>/common/404.jsp</location></error-page><error-page><error-code>403</error-code><location>/common/403.jsp</location></error-page><jsp-config><taglib><taglib-uri>/we

31、b-inf/struts-menu-el.tld</taglib-uri><taglib-location>/web-inf/tlds/struts-menu-el.tld</taglib-location></taglib><taglib><taglib-uri>/web-inf/struts-menu.tld</taglib-uri><taglib-location>/web-inf/tlds/struts-menu.tld</taglib-location></taglib&

32、gt;<taglib><taglib-uri>/web-inf/c.tld</taglib-uri><taglib-location>/web-inf/tlds/c.tld</taglib-location></taglib><taglib><taglib-uri>/web-inf/fmt.tld</taglib-uri><taglib-location>/web-inf/tlds/fmt.tld</taglib-location></taglib>&

33、lt;taglib><taglib-uri>/web-inf/fn.tld</taglib-uri><taglib-location>/web-inf/tlds/fn.tld</taglib-location></taglib><!-loushang tld-><taglib><taglib-uri>/web-inf/web-date.tld</taglib-uri><taglib-location>/web-inf/tlds/web-date.tld</tagl

34、ib-location></taglib><taglib><taglib-uri>/web-inf/web-flex.tld</taglib-uri><taglib-location>/web-inf/tlds/web-flex.tld</taglib-location></taglib><taglib><taglib-uri>/web-inf/web-graph.tld</taglib-uri><taglib-location>/web-inf/tlds/

35、web-graph.tld</taglib-location></taglib><taglib><taglib-uri>/web-inf/web-grid.tld</taglib-uri><taglib-location>/web-inf/tlds/web-grid.tld</taglib-location></taglib><taglib><taglib-uri>/web-inf/web-html.tld</taglib-uri><taglib-locat

36、ion>/web-inf/tlds/web-html.tld</taglib-location></taglib><taglib><taglib-uri>/web-inf/web-list.tld</taglib-uri><taglib-location>/web-inf/tlds/web-list.tld</taglib-location></taglib><taglib><taglib-uri>/web-inf/web-loushang.tld</taglib

37、-uri><taglib-location>/web-inf/tlds/web-loushang.tld</taglib-location></taglib><taglib><taglib-uri>/web-inf/web-menu.tld</taglib-uri><taglib-location>/web-inf/tlds/web-menu.tld</taglib-location></taglib><taglib><taglib-uri>/web-inf

38、/web-multitab.tld</taglib-uri><taglib-location>/web-inf/tlds/web-multitab.tld</taglib-location></taglib><taglib><taglib-uri>/web-inf/web-seltree.tld</taglib-uri><taglib-location>/web-inf/tlds/web-seltree.tld</taglib-location></taglib><ta

39、glib><taglib-uri>/web-inf/web-tab.tld</taglib-uri><taglib-location>/web-inf/tlds/web-tab.tld</taglib-location></taglib><taglib><taglib-uri>/web-inf/web-tree.tld</taglib-uri><taglib-location>/web-inf/tlds/web-tree.tld</taglib-location><

40、;/taglib><taglib><taglib-uri>/web-inf/web-widgets.tld</taglib-uri><taglib-location>/web-inf/tlds/web-widgets.tld</taglib-location></taglib><taglib><taglib-uri>/web-inf/web-i18n.tld</taglib-uri><taglib-location>/web-inf/tlds/web-i18n.tld&

41、lt;/taglib-location></taglib><!- loushang end-><taglib><taglib-uri>/web-inf/gystudio.tld</taglib-uri><taglib-location>/web-inf/tlds/gystudio.tld</taglib-location></taglib></jsp-config><mime-mapping><extension>rar</extension>&

42、lt;mime-type>application/rar</mime-type></mime-mapping></web-app>5、配置spring security3.0中的xml文件 文件名：applicationcontext-security.xml<?xml version="1.0" encoding="utf-8"?><beans:beans xmlns="/schema/security" xmlns

43、:beans="/schema/beans" xmlns:xsi="/2001/xmlschema-instance" xsi:schemalocation="/schema/beans /schema/beans/spring-beans-3.0.xsd /schema/securi

44、ty /schema/security/spring-security-3.0.xsd"><beans:description>springsecurity安全配置</beans:description><!- http安全配置 -> <http auto-config="true"><intercept-url pattern="/css/*" filters="none" /><interce

45、pt-url pattern="/images/*" filters="none" /><intercept-url pattern="/js/*" filters="none" /><intercept-url pattern="/login.jsp" filters="none" /><!-<intercept-url pattern="/index.jsp" access="role_user&qu

46、ot;/><intercept-url pattern="/main.jsp" access="role_adamin"/> -><form-login login-page="/login.jsp" default-target-url="/index.jsp" authentication-failure-url="/login.jsp?error=1" /><!- 嘗試訪問(wèn)沒(méi)有權(quán)限的頁(yè)面時(shí)跳轉(zhuǎn)的頁(yè)面 -> <access-denied-

47、handler error-page="/common/403.jsp"/> <logout logout-success-url="/login.jsp" /> <session-management> <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" /> </session-management><!- 增加一個(gè)filter，這點(diǎn)與acegi是不一樣的，不能修

48、改默認(rèn)的filter了，這個(gè)filter位于filter_security_interceptor之前 -> <custom-filter ref="myfilter" before="filter_security_interceptor"/> </http><!- 一個(gè)自定義的filter，必須包含authenticationmanager,accessdecisionmanager,securitymetadatasource三個(gè)屬性， 我們的所有控制將在這三個(gè)類(lèi)中實(shí)現(xiàn)，解釋詳見(jiàn)具體配置 -> <be

49、ans:bean id="myfilter" class="erceptor.myfiltersecurityinterceptor"> <beans:property name="authenticationmanager" ref="authenticationmanager" /> <beans:property name="accessdecisionmanager" ref="myacce

50、ssdecisionmanagerbean" /> <beans:property name="securitymetadatasource" ref="mysecuritymetadatasource" /> </beans:bean> <!- 驗(yàn)證配置 ， 認(rèn)證管理器，實(shí)現(xiàn)用戶認(rèn)證的入口，主要實(shí)現(xiàn)userdetailsservice接口即可 -> <authentication-manager alias="authenticationmanager"> <au

51、thentication-provider user-service-ref="userdetailsservice"> <!-<s:password-encoder hash="sha" /> -></authentication-provider> </authentication-manager><!- 項(xiàng)目實(shí)現(xiàn)的用戶查詢服務(wù),將用戶信息查詢出來(lái) -><beans:bean id="userdetailsservice" class="com.rs

52、tco.frame.pub.security.support.myuserdetailservice" /><!- 訪問(wèn)決策器，決定某個(gè)用戶具有的角色，是否有足夠的權(quán)限去訪問(wèn)某個(gè)資源 -> <beans:bean id="myaccessdecisionmanagerbean" class="com.rstco.frame.pub.security.support.myaccessdecisionmanager"> </beans:bean> <!- 資源源數(shù)據(jù)定義，將所有的資源和權(quán)限對(duì)應(yīng)關(guān)系建立

53、起來(lái)，即定義某一資源可以被哪些角色訪問(wèn) -> <beans:bean id="mysecuritymetadatasource" class="com.rstco.frame.pub.security.support.myinvocationsecuritymetadatasourceservice"> </beans:bean> <!- 定義國(guó)際化 -> <beans:bean id="messagesource" class="org.springframework.con

54、text.support.reloadableresourcebundlemessagesource"> <beans:property name="basename" value="classpath:org/springframework/security/messages_zh_cn"/></beans:bean></beans:beans>第三部分 ss3.0的實(shí)現(xiàn)這是項(xiàng)目的主體部分：這四個(gè)類(lèi)說(shuō)明如下。一、 用來(lái)獲得用戶驗(yàn)證信息（myuserdetailservice）代碼如下：package

55、com.rstco.frame.pub.security.support;import java.util.arraylist;import java.util.collection;import java.util.list;import org.springframework.beans.factory.annotation.autowired;import org.springframework.dao.dataaccessexception;import org.springframework.security.core.grantedauthority;import org.spri

56、ngframework.security.core.userdetails.user;import org.springframework.security.core.userdetails.userdetails;import org.springframework.security.core.userdetails.userdetailsservice;import org.springframework.security.core.userdetails.usernamenotfoundexception;import org.springframework.stereotype.ser

57、vice;import com.rstco.frame.pub.security.dao.pubauthoritiesresourcesdao;import com.rstco.frame.pub.security.dao.pubusersdao;import com.rstco.frame.pub.security.entity.pubauthorities;import com.rstco.frame.pub.security.entity.pubauthoritiesresources;/你就可以從數(shù)據(jù)庫(kù)中讀入用戶的密碼，角色信息，是否鎖定，賬號(hào)是否過(guò)期servicepublic cla

58、ss myuserdetailservice implements userdetailsservice autowiredprivate pubusersdao pubusersdao;autowiredprivate pubauthoritiesresourcesdao pubauthoritiesresourcesdao; public userdetails loaduserbyusername(string username)throws usernamenotfoundexception, dataaccessexception collection<grantedautho

59、rity> auths=new arraylist<grantedauthority>();/取得用戶的權(quán)限list<pubauthorities> auth=pubusersdao.findauthbyusername(username);string password=null;/取得用戶的密碼password=pubusersdao.finduserbyname(username).get(0).getuserpassword();list<pubauthoritiesresources> aaa=pubauthoritiesresourcesdao.getall(); user user = new use