2008年4月12日 edited by dingdangxiaoma
acegi安全是一個(gè)強(qiáng)大的,靈活的安全解決方案的企業(yè)軟件,并特別著重于應(yīng)用,利用spring。用acegi安全,為用戶的應(yīng)用與全面的認(rèn)證,授權(quán),例如基于職務(wù)的訪問控制,通道安全和人類用戶檢測(cè)能力。(google 對(duì)acegid的翻譯)
參考資料:http://www.tfo-eservices.eu/wb_tutorials/media/SpringAcegiTutorial/HTML/SpringAcegiTutorial-1_1-html.html
里面有一個(gè)例子:SpringAcegiTutorial,可以進(jìn)行下載,并運(yùn)行,做為一個(gè)實(shí)例,已經(jīng)相當(dāng)不錯(cuò)了。
講述了admin ,user的登錄問題。及權(quán)限控件,acegi 的配置。
這個(gè)例子是spring mvc + spring acegi 的例子,閱讀前最好有spring mvc 的基礎(chǔ)。這里只摘錄簡(jiǎn)單的配置說明。
<!-- ****** START ACEGI Security Configuration *******-->
<!-- ======================== FILTER CHAIN ======================= -->
<!-- if you wish to use channel security, add "channelProcessingFilter," in front
of "httpSessionContextIntegrationFilter" in the list below -->
<bean id="filterChainProxy"
class="org.acegisecurity.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=httpSessionContextIntegrationFilter,formAuthenticationProcessingFilter,exceptionTranslationFilter,filterSecurityInterceptor
</value>
</property>
</bean>
<!-- Start Security filter config -->
<bean id="exceptionTranslationFilter"
class="org.acegisecurity.ui.ExceptionTranslationFilter">
<property name="authenticationEntryPoint">
<ref bean="formLoginAuthenticationEntryPoint" />
</property>
</bean>
<!-- Define filter to handle BASIC authentication -->
<bean id="basicProcessingFilter"
class="org.acegisecurity.ui.basicauth.BasicProcessingFilter">
<property name="authenticationManager">
<ref bean="authenticationManager" />
</property>
<property name="authenticationEntryPoint">
<ref bean="authenticationEntryPoint" />
</property>
</bean>
<!-- Define realm for BASIC login-->
<bean id="authenticationEntryPoint"
class="org.acegisecurity.ui.basicauth.BasicProcessingFilterEntryPoint">
<property name="realmName">
<value>Spring Web Realm</value>
</property>
</bean>
<!-- Define filter to handle FORM authentication -->
<bean id="formAuthenticationProcessingFilter"
class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
<property name="filterProcessesUrl">
<value>/j_acegi_security_check</value>
</property>
<property name="authenticationFailureUrl">
<value>/loginFailed.html</value>
</property>
<property name="defaultTargetUrl">
<value>/</value>
</property>
<property name="authenticationManager">
<ref bean="authenticationManager" />
</property>
</bean>
<!-- Define realm for FORM login-->
<bean id="formLoginAuthenticationEntryPoint"
class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilterEntryPoint">
<property name="loginFormUrl">
<value>/login.jsp</value>
</property>
<property name="forceHttps">
<value>false</value>
</property>
</bean>
<bean id="httpSessionContextIntegrationFilter"
class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
</bean>
<!-- End Security filter config -->
<!-- Start Security interceptor config -->
<!-- Define authentication manager, decision manager and secure URL patterns -->
<bean id="filterSecurityInterceptor"
class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
<property name="authenticationManager">
<ref bean="authenticationManager" />
</property>
<property name="accessDecisionManager">
<ref bean="accessDecisionManager" />
</property>
<property name="objectDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/secure/admin/*=ROLE_ADMIN
/secure/app/*=ROLE_USER
</value>
</property>
</bean>
<!-- End Security interceptor config -->
<!-- Start authentication config -->
<bean id="authenticationManager"
class="org.acegisecurity.providers.ProviderManager">
<property name="providers">
<list>
<ref bean="daoAuthenticationProvider" />
</list>
</property>
</bean>
<bean id="daoAuthenticationProvider"
class="org.acegisecurity.providers.dao.DaoAuthenticationProvider">
<property name="userDetailsService">
<ref bean="userDetailsService" />
</property>
</bean>
<!-- Authentication using In-memory Dao -->
<bean id="userDetailsService"
class="org.acegisecurity.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value>
jklaassen=4moreyears,ROLE_ADMIN
bouerj=ineedsleep,ROLE_USER
</value>
</property>
</bean>
<!-- Authentication using JDBC Dao -->
<!--
<bean id="userDetailsService"
class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
<property name="dataSource">
<ref bean="dataSource"/>
</property>
</bean>
-->
<!-- End authentication config -->
<!-- Start authorization config -->
<bean id="accessDecisionManager"
class="org.acegisecurity.vote.UnanimousBased">
<property name="decisionVoters">
<list>
<ref bean="roleVoter" />
</list>
</property>
</bean>
<bean id="roleVoter" class="org.acegisecurity.vote.RoleVoter">
<property name="rolePrefix">
<value>ROLE_</value>
</property>
</bean>
<!-- End authorization config -->
<!-- ****** END ACEGI Security Configuration *******-->
以上就是所有的源代碼配置在spring 的配置文件中。詳細(xì)的說明在官方的文檔上。
在上面的配置文件的方式是以in-memory 的方法,也就是在配置文件中指定登錄的用戶名及密碼。在實(shí)際的應(yīng)用中,應(yīng)用到數(shù)據(jù)庫(kù)或其它技術(shù)。
<bean id="userDetailsService"
class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
<property name="dataSource">
<ref bean="dataSource"/>
</property>
</bean>
<bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName">
<value>com.mysql.jdbc.Driver</value>
</property>
<property name="url">
<value>jdbc:mysql://localhost:3306/test</value>
</property>
<property name="username">
<value>root</value>
</property>
<property name="password">
<value>1</value>
</property>
</bean>
以上兩個(gè)bean的代碼就是把信息存儲(chǔ)到數(shù)據(jù)庫(kù)中。
sql 語(yǔ)句如下:
CREATE TABLE `users` (
`username` varchar(50) NOT NULL,
`password` varchar(50) NOT NULL,
`enabled` varchar(50) NOT NULL,
PRIMARY KEY (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
INSERT INTO `users` VALUES ('dianne','emu','true');
INSERT INTO `users` VALUES ('marissa','koala','true');
INSERT INTO `users` VALUES ('peter','opal','true');
INSERT INTO `users` VALUES ('scott','wombat','true');
CREATE TABLE `authorities` (
`username` varchar(50) NOT NULL,
`authority` varchar(50) NOT NULL,
UNIQUE KEY `ix_auth_username` (`username`,`authority`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
INSERT INTO `authorities` VALUES ('dianne','ROLE_ADMIN');
INSERT INTO `authorities` VALUES ('marissa','ROLE_ADMIN');
INSERT INTO `authorities` VALUES ('marissa','ROLE_USER');
INSERT INTO `authorities` VALUES ('peter','ROLE_USER');
INSERT INTO `authorities` VALUES ('scott','ROLE_ADMIN');
ALTER TABLE `authorities`
ADD FOREIGN KEY (`username`) REFERENCES `users` (`username`);
所有的配置就是這些:
理解一下原理:
1。acegi的添加,可以在程序?qū)懲曛笤偬砑樱渲渺`活但并不簡(jiǎn)單。
2.四個(gè)步驟:
安全是實(shí)施這四項(xiàng)檢查:
1 限制出入檢查(是以資源擔(dān)保? ) ;
2 現(xiàn)有的認(rèn)證檢查(有用戶被認(rèn)證? ) ;
3 如果沒有有效的登錄用戶:認(rèn)證要求退房(都是正確的用戶名和密碼提供? ) ;
4 授權(quán)入住(不含用戶擁有所需的角色? ) ;
3.對(duì)于授權(quán)的處理,未授權(quán)的用戶無法進(jìn)行訪問。應(yīng)該設(shè)置 403.jsp未授權(quán)頁(yè)面。