spring_security3入门教程

SpringSecurity3.x完整入门教程作者：未知文章来源：网络点击数：353更新时间：2010-7-15SpringSecurity3.x出来一段时间了，跟Acegi是大不同了，与2.x的版本也有一些小小的区别，网上有一些文档，也有人翻译SpringSecurity3.x的guide，但通过阅读guide，无法马上就能很容易的实现一个完整的实例。我花了点儿时间，根据以前的实战经验，整理了一份完整的入门教程，供需要的朋友们参考。1，建一个webproject，并导入所有需要的lib，这步就不多讲了。2，配置web.xml，使用Spring的机制装载：?xmlversion=1.0encoding=UTF-8?web-appversion=2.4xmlns=:xsi=:schemaLocation=://java.sun.com/xml/ns/j2ee/web-app_2_4.xsdcontext-paramparam-namecontextConfigLocation/param-nameparam-valueclasspath:applicationContext*.xml/param-value/context-paramlistenerlistener-classorg.springframework.web.context.ContextLoaderListener/listener-class/listenerfilterfilter-namespringSecurityFilterChain/filter-namefilter-classorg.springframework.web.filter.DelegatingFilterProxy/filter-class/filterfilter-mappingfilter-namespringSecurityFilterChain/filter-nameurl-pattern/*/url-pattern/filter-mappingwelcome-file-listwelcome-filelogin.jsp/welcome-file/welcome-file-list/web-app这个文件中的内容我相信大家都很熟悉了，不再多说了。2，来看看applicationContext-security.xml这个配置文件，关于SpringSecurity的配置均在其中：?xmlversion=1.0encoding=UTF-8?beans:beansxmlns=:beans=:xsi=:schemaLocation=://://://=/403.jsp!--当访问被拒绝时，会转到403.jsp--intercept-urlpattern=/login.jspfilters=none/form-loginlogin-page=/login.jspauthentication-failure-url=/login.jsp?error=truedefault-target-url=/index.jsp/logoutlogout-success-url=/login.jsp/http-basic/!--增加一个filter，这点与Acegi是不一样的，不能修改默认的filter了，这个filter位于FILTER_SECURITY_INTERCEPTOR之前--custom-filterbefore=FILTER_SECURITY_INTERCEPTORref=myFilter//http!--一个自定义的filter，必须包含authenticationManager,accessDecisionManager,securityMetadataSource三个属性，我们的所有控制将在这三个类中实现，解释详见具体配置--beans:beanid=myFilterclass=com.robin.erp.fwk.security.MyFilterSecurityInterceptorbeans:propertyname=authenticationManagerref=authenticationManager/beans:propertyname=accessDecisionManagerref=myAccessDecisionManagerBean/beans:propertyname=securityMetadataSourceref=securityMetadataSource//beans:bean!--认证管理器，实现用户认证的入口，主要实现UserDetailsService接口即可--authentication-manageralias=authenticationManagerauthentication-provideruser-service-ref=myUserDetailService!--如果用户的密码采用加密的话，可以加点“盐”password-encoderhash=md5/--/authentication-provider/authentication-managerbeans:beanid=myUserDetailServiceclass=com.robin.erp.fwk.security.MyUserDetailService/!--访问决策器，决定某个用户具有的角色，是否有足够的权限去访问某个资源--beans:beanid=myAccessDecisionManagerBeanclass=com.robin.erp.fwk.security.MyAccessDecisionManager/beans:bean!--资源源数据定义，即定义某一资源可以被哪些角色访问--beans:beanid=securityMetadataSourceclass=com.robin.erp.fwk.security.MyInvocationSecurityMetadataSource//beans:beans3，来看看自定义filter的实现：packagecom.robin.erp.fwk.security;importjava.io.IOException;importjavax.servlet.Filter;importjavax.servlet.FilterChain;importjavax.servlet.FilterConfig;importjavax.servlet.ServletException;importjavax.servlet.ServletRequest;importjavax.servlet.ServletResponse;importorg.springframework.security.access.SecurityMetadataSource;importorg.springframework.security.access.intercept.AbstractSecurityInterceptor;importorg.springframework.security.access.intercept.InterceptorStatusToken;importorg.springframework.security.web.FilterInvocation;importorg.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;publicclassMyFilterSecurityInterceptorextendsAbstractSecurityInterceptorimplementsFilter{privateFilterInvocationSecurityMetadataSourcesecurityMetadataSource;//~Methods//========================================================================================================/***Methodthatisactuallycalledbythefilterchain.Simplydelegatesto*the{@link#invoke(FilterInvocation)}method.**@paramrequest*theservletrequest*@paramresponse*theservletresponse*@paramchain*thefilterchain**@throwsIOException*ifthefilterchainfails*@throwsServletException*ifthefilterchainfails*/publicvoiddoFilter(ServletRequestrequest,ServletResponseresponse,FilterChainchain)throwsIOException,ServletException{FilterInvocationfi=newFilterInvocation(request,response,chain);invoke(fi);}publicFilterInvocationSecurityMetadataSourcegetSecurityMetadataSource(){returnthis.securityMetadataSource;}publicClass?extendsObjectgetSecureObjectClass(){returnFilterInvocation.class;}publicvoidinvoke(FilterInvocationfi)throwsIOException,ServletException{InterceptorStatusTokentoken=super.beforeInvocation(fi);try{fi.getChain().doFilter(fi.getRequest(),fi.getResponse());}finally{super.afterInvocation(token,null);}}publicSecurityMetadata