色噜噜色狠狠狠狠狠综合色一,国产一区二区三区久久久,亚洲二区av

taochen — Mon, 25 Jan 2010 08:29:00 GMT

接着来�?br /> 2.�q��o(h��)器的配置�Q?br /> 我们已经配置�?ji��n)那些过滤器了(ji��n)，但是要跟spring context中的对象对应�Q�于是乎�Q�做�?ji��n)如下配�|�：(x��)
          class="org.springframework.security.web.context.SecurityContextPersistenceFilter">

          class="org.springframework.security.web.authentication.logout.LogoutFilter" >

          class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">



          class="org.springframework.security.web.savedrequest.RequestCacheAwareFilter">

          class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter">

          class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">



          class="org.springframework.security.web.session.SessionManagementFilter">

          class="org.springframework.security.web.access.ExceptionTranslationFilter">


          class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">




          class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">

          class="org.springframework.security.core.userdetails.memory.UserAttribute">







          class="org.springframework.security.core.authority.GrantedAuthorityImpl">

          class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">

          class="org.springframework.security.access.vote.AffirmativeBased">






          class="com.saveworld.authentication.web.access.expression.MyWebExpressionVoter">

          class="com.saveworld.authentication.web.access.intercept.MyFilterInvocationSecurityMetadataSource">

ref="expressionHandler" />

class="org.springframework.security.web.util.AntUrlPathMatcher" >

          class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">

�q�里做几点说明：(x��)
   (1) 数据库中的权限相关的表：(x��)
            ROLES
      AUTHORITIES
            USER_AUTHS
            ROLE_AUTHS
            USERS
       �q�里的表�l�构�q��(sh��)��是最�l�的�Q�所以就不发上来误导兄弟姐妹们了(ji��n)�?br />        关键是看我们如何加蝲�q�些持久化的东西�?br />        �q�个��p��看看filterSecurityInterceptor�?ji��n)，它里面��用�?ji��n)一个securityMetadataSource�Q�本地的securityMetadataSource实现代码�Q?br />       public class MyFilterInvocationSecurityMetadataSource extends DefaultFilterInvocationSecurityMetadataSource{
    private final static Log logger = LogFactory.getLog(ExpressionBasedFilterInvocationSecurityMetadataSource.class);
    private DataSource datasource;

    public MyFilterInvocationSecurityMetadataSource(UrlMatcher urlMatcher,
                                                    DataSource datasource,
                                                    WebSecurityExpressionHandler expressionHandler) {
        super(urlMatcher, processMap(initializeFromDb(datasource,null),expressionHandler.getExpressionParser()));
    }

    //This method is usefulless for now!
    //Because this method is used for parsing the expression kind
    private static LinkedHashMap> processMap(
            LinkedHashMap> requestMap, ExpressionParser parser) {
        Assert.notNull(parser, "SecurityExpressionHandler returned a null parser object");

        LinkedHashMap> requestToExpressionAttributesMap =
            new LinkedHashMap>(requestMap);

        for (Map.Entry> entry : requestMap.entrySet()) {
            RequestKey request = entry.getKey();
            Assert.isTrue(entry.getValue().size() == 1, "Expected a single expression attribute for " + request);
            ArrayList attributes = new ArrayList(1);
            String expression = entry.getValue().toArray(new ConfigAttribute[1])[0].getAttribute();
            logger.debug("Adding web access control expression '" + expression + "', for " + request);
            try {
                //Replacing WebExpressionConfigAttribute with MyWebExpressionConfigAttribute
                //which is defined locally!
                attributes.add(new MyWebExpressionConfigAttribute(parser.parseExpression(expression)));
            } catch (ParseException e) {
                throw new IllegalArgumentException("Failed to parse expression '" + expression + "'");
            }

            requestToExpressionAttributesMap.put(request, attributes);
        }

        return requestToExpressionAttributesMap;
    }

    private static LinkedHashMap> initializeFromDb(DataSource datasource,LinkedHashMap> configMap){
        LinkedHashMap> result =
            new LinkedHashMap>();
        Connection conn = null;
        Statement stmt = null;
        ResultSet rs   = null;
        try {
            conn = datasource.getConnection();
            stmt = conn.createStatement();
            StringBuilder sql = new StringBuilder("SELECT b.AUTHORITYPATTERN ,'hasRole('||chr(39)||a.ROLENAME||chr(39)||')' rolename ")
                                             .append(" FROM ROLES a,AUTHORITIES b,ROLE_AUTHS c ")
                                             .append(" WHERE a.rolename = c.rolename AND b.authorityname = c.authorityname");

            rs = stmt.executeQuery(sql.toString());
            String roles = "";
            RequestKey key = null;
            List value = null;
            while(rs != null && rs.next()){
                key = new RequestKey(rs.getString(1));
                roles = rs.getString(2);
                String[] roleArray = roles.split(",|\\s+|;");
                value = new ArrayList();
                for(String role : roleArray){
                    ConfigAttribute config = new SecurityConfig(role);
                    value.add(config);
                }
                result.put(key, value);
            }
            //just for test
        } catch (SQLException e) {
            e.printStackTrace();
        } finally{
            try{
                rs.close();
                stmt.close();
                conn.close();
            }catch(SQLException e){
                e.printStackTrace();
            }
        }
        return result;
    }



    public boolean supports(Class clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }

    public DataSource getDatasource() {
        return datasource;
    }

    public void setDatasource(DataSource datasource) {
        this.datasource = datasource;
    }
}
(2) expressionHandler:
     �q�个东西要单独说��_(d��)��我这里用的是表达式来��(g��)��用戯��色的�Q�所以，我用org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler来处理了(ji��n)�Q�还有其他的方式�Q�就是直接用角色�q�行判断�Q�那样会(x��)更好�Q�这里就不描�q�C��(ji��n)�Q?br />

taochen 2010-01-25 16:29 发表评论

SpringSecurity使用记录�Q�六�Q?- 本地配置一

taochen — Mon, 25 Jan 2010 07:56:00 GMT

按照SpringSecurity的文档，我们可以使用namespace的配�|�方式（前篇中已�l�说明）(j��)�?br /> 但是�Q�我们这里的需求有点蹊��P��是通过spring context�q�行权限配置太不方便�Q�你��x(ch��ng)��能让人家客户通过spring xml来配�|�权限吗�Q�不能，坚决不能�Q�所以，我就单步跟踪获取里面的东西（�q�种�Ҏ(gu��)��比直接看代码快点�Q�而且可以知道里面的逻辑�l�构�Q�）(j��)
那就开始吧�Q?br /> 1.配置FilterChainProxy�Q?br /> SpringSecurity的验证过�E�是通过一�p�d��的filter来实现的�?br /> �q�种chain的设计模式比较经典，可以说相当经典！
看看代码实现�Q?br /> 上篇中说�q�，默认的配�|�要�?lt;filter-name>springSecurityFilterChain�Q�那�q�个springSecurityFilterChain是怎么来用的呢�Q?br /> public class DelegatingFilterProxy extends GenericFilterBean {
... ... ...
protected void initFilterBean() throws ServletException {
        // If no target bean name specified, use filter name.
        if (this.targetBeanName == null) {
            this.targetBeanName = getFilterName();
        }

        // Fetch Spring root application context and initialize the delegate early,
        // if possible. If the root application context will be started after this
        // filter proxy, we'll have to resort to lazy initialization.
        synchronized (this.delegateMonitor) {
            WebApplicationContext wac = findWebApplicationContext();
            if (wac != null) {
                this.delegate = initDelegate(wac);
            }
        }
    }
.....
}
不用��_(d��)��你会(x��)猜到我们没有配置�q�targetBeanName�q�个属性，所以，��有�?ji��n)this.targetBeanName = getFilterName();�q�样的话��׃��(x��)配置FilterChainProxy�?ji��n)，因��?f��)FilterChainProxy在springContext中id是springSecurityFilterChain�Q�所以我们要通过自己的数据库方式配置的话�Q�就要琢��这个FilterChainProxy�?ji��n)�?br /> 所以，首先做点�q�样的配�|�吧�Q?br />

�q�个里面配置的id为myFilterChain�Q�所以要在web.xml里面做相应配�|�：(x��)

myFilterChain

org.springframework.web.filter.DelegatingFilterProxy

myFilterChain

而且�Q�尤为重要的是要配置上这些过滤器�Q?br /> filter-chain pattern="/**" filters="securityContextPersistenceFilter,logoutFilter,
                                             myUsernamePasswordAuthenticationFilter,
                                             basicAuthenticationFilter,
                                             requestCacheAwareFilter,
                                             securityContextHolderAwareRequestFilter,
                                             anonymousAuthenticationFilter,
                                             sessionManagementFilter,
                                             exceptionTranslationFilter,
                                             filterSecurityInterceptor"
针对�q�些�q��o(h��)器的用途，在spring security的文档中有详�l�描�q�ͼ��q�里不多说了(ji��n)�Q�在文档中的具体位置�?.2 FilterChainProxy�Q�看看这一章就�?x��)有感觉了(ji��n)，不过�l�知此事要躬行啊�Q?br /> 完成�q�些配置之后�Q�我们就��是把入口给搭徏好了(ji��n)�Q?br /> 鉴于文档��幅�Q�换��C��接着说�?br />

taochen 2010-01-25 15:56 发表评论

SpringSecurity使用记录�Q�五�Q?- 配置

taochen — Tue, 19 Jan 2010 06:19:00 GMT

研究�?ji��n)好长时��_(d��)��不知道从哪里下手。新的版本，很多东西在网上找不到�Q�只能看他们的文档，当然�q�些文档相当不错�Q�就看是否耐心(j��)的研�I�了(ji��n)�Q��L��有急躁的心(j��)理作��，不能专心(j��)研读�Q�却处处��壁�Q�效率上反而未��N��期效果！
�l�于�Q�在无数�ơ的沮��下，�E�微看到�?ji��n)点光亮�Q�前面的文章太过皮毛�Q�接下来的一些，希望能更加实际的�Q�更加深入的分析每一个过�E�！

一直通过默认配置�q�行讄��Q?br /> namespace(是security 3.0,�|�上也看��C��些兄弟描�q�的�?.0�Q�但是��L��不符合我�q�里的namespace配置):
           xmlns:beans="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-3.0.xsd">
按照默认配置的http�Q�这是用来根据namespace讄��的基本的security�q��o(h��)器chain�Q�：(x��)
auto-config=true�Ӟ��q��当于

也就是��用了(ji��n)默认的过滤器�?br /> 我最开始的��x(ch��ng)��是能够把本地的login信息�Q�不是调用spring security的login�Ҏ(gu��)��Q�，传入到spring security的验证过滤器里面�?br /> �q�里有一个比较关键的问题�Q�就是封装他们的�q��o(h��)器（或者仅仅是知道他们到底是哪些过滤器在�v作用�Q�：(x��)
�?

Alias	Filter Class	Namespace Element or Attribute
CHANNEL_FILTER	`ChannelProcessingFilter`	`http/intercept-url@requires-channel`
CONCURRENT_SESSION_FILTER	`ConcurrentSessionFilter`	`session-management/concurrency-control`
SECURITY_CONTEXT_FILTER	`SecurityContextPersistenceFilter`	`http`
LOGOUT_FILTER	`LogoutFilter`	`http/logout`
X509_FILTER	`X509AuthenticationFilter`	`http/x509`
PRE_AUTH_FILTER	`AstractPreAuthenticatedProcessingFilter` Subclasses	N/A
CAS_FILTER	`CasAuthenticationFilter`	N/A
FORM_LOGIN_FILTER	`UsernamePasswordAuthenticationFilter`	`http/form-login`
BASIC_AUTH_FILTER	`BasicAuthenticationFilter`	`http/http-basic`
SERVLET_API_SUPPORT_FILTER	`SecurityContextHolderAwareFilter`	`http/@servlet-api-provision`
REMEMBER_ME_FILTER	`RememberMeAuthenticationFilter`	`http/remember-me`
ANONYMOUS_FILTER	`AnonymousAuthenticationFilter`	`http/anonymous`
SESSION_MANAGEMENT_FILTER	`SessionManagementFilter`	`session-management`
EXCEPTION_TRANSLATION_FILTER	`ExceptionTranslationFilter`	`http`
FILTER_SECURITY_INTERCEPTOR	`FilterSecurityInterceptor`	`http`
SWITCH_USER_FILTER	`SwitchUserFilter`	N/A

�Q�最开始看的时候，把这个表格忽略了(ji��n)�Q�现在看来这些就是我们想要的�Q�）(j��)
我们的验证过�E�，��是按照�q�样的顺序进行的。自上而下�q�行�?br />
如果我们要自己定制相应的验证处理�Ҏ(gu��)��Q�在�q��o(h��)器里面）(j��)�Q�我们就可以对照上面的过滤器�Q�覆盖相应的接口�Ҏ(gu��)��?br /> �Ҏ(gu��)��我的处理�q�程�Q�主要是用户名密码的验证�q�程�Q�我大体描述一下自��q��配置和处理过�E�：(x��)
1.配置namespace的标�{?

�q�里的问题是�Q�要定制自己的过滤器�Q�就要通过�Q�然后对�?�? 中指定的position,覆盖默认的filter�?br /> 2.我的form-login filter配置�Q�这些配�|�都是在application-security.xml文�g中）(j��)为：(x��)
      class="com.saveworld.authentication.filters.MyUsernamePasswordAuthenticationFilter">






NOTE�Q?br /> 在这里有个问题就是：(x��) filter position conflicts!
如果使用�q�样的配�|?br />

自定义的filter对应的position是FORM_LOGIN_FILTER
但是因�ؓ(f��)使用�?ji��n)auto-config='true'�Q�所以默认有�Q�which is on the position FORM_LOGIN_FILTER!
�q�时��׃��(x��)出现position conflicts问题?sh��)��(ji��n)。当�?d��ng)��如果你没有设�|�a(ch��n)uto-config='true'�Q�但是却自己讄��?lt;form-login />�Q�呵呵，�q�个情况��是自己大意�?ji��n)，�q�是有了(ji��n)position conflicts的异常，所以，好好看看上面的表格是相当必要的，看清楚每个position默认都对应那些namespace�Q�都是对应的哪些filter�Q?br />
接着�Q?br /> 我的�c�MyUsernamePasswordAuthenticationFilter实现�Q�我的说明方式就按照哪里需要，哪里加入的方式了(ji��n)�Q�：(x��)
package com.saveworld.authentication.filters;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.NullRememberMeServices;
import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.util.TextEscapeUtils;
import org.springframework.util.Assert;

import com.saveworld.authentication.handlers.MySavedRequestAwareAuthenticationSuccessHandler;
import com.saveworld.authentication.handlers.MySimpleUrlAuthenticationFailureHandler;

public class MyUsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter{
    //~ Static fields/initializers =====================================================================================

    public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "username";
    public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "password";
    public static final String SPRING_SECURITY_LAST_USERNAME_KEY = "SPRING_SECURITY_LAST_USERNAME";

    private String usernameParameter = SPRING_SECURITY_FORM_USERNAME_KEY;
    private String passwordParameter = SPRING_SECURITY_FORM_PASSWORD_KEY;
    private boolean postOnly = true;

    private boolean allowSessionCreation = true;

    private String defaultTargetUrl = "/";
    private String defaultFailureUrl = "/login.jsp";

    private AuthenticationSuccessHandler successHandler = null;
    private AuthenticationFailureHandler failureHandler = null;


    private RememberMeServices rememberMeServices = null;

    //~ Constructors ===================================================================================================

    public MyUsernamePasswordAuthenticationFilter() {
        //初始�?br />         super("/j_spring_security_check");
        this.rememberMeServices = (super.getRememberMeServices() == null)
                                    ? new NullRememberMeServices():super.getRememberMeServices();

    }

    //~ Methods ========================================================================================================

    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        if (postOnly && !request.getMethod().equals("POST")) {
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        }

        String username = obtainUsername(request);
        String password = obtainPassword(request);

        if (username == null) {
            username = "";
        }

        if (password == null) {
            password = "";
        }

        username = username.trim();

        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);

        // Place the last username attempted into HttpSession for views
        HttpSession session = request.getSession(false);

        if (session != null || getAllowSessionCreation()) {
            request.getSession().setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY, TextEscapeUtils.escapeEntities(username));
        }

        // Allow subclasses to set the "details" property
        setDetails(request, authRequest);

        return this.getAuthenticationManager().authenticate(authRequest);
    }



    public void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            Authentication authResult) throws IOException, ServletException {

        if (logger.isDebugEnabled()) {
            logger.debug("Authentication success. Updating SecurityContextHolder to contain: " + authResult);
        }

        SecurityContextHolder.getContext().setAuthentication(authResult);

        rememberMeServices.loginSuccess(request, response, authResult);

        // Fire event
        if (this.eventPublisher != null) {
            eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));
        }
        if(successHandler == null){
            successHandler = new MySavedRequestAwareAuthenticationSuccessHandler(getDefaultTargetUrl());
        }
        successHandler.onAuthenticationSuccess(request, response, authResult);
    }

    public void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException failed) throws IOException, ServletException {
        SecurityContextHolder.clearContext();

        if(failureHandler == null){
            failureHandler = new MySimpleUrlAuthenticationFailureHandler(getDefaultFailureUrl());
        }

        if (logger.isDebugEnabled()) {
            logger.debug("Authentication request failed: " + failed.toString());
            logger.debug("Updated SecurityContextHolder to contain null Authentication");
            logger.debug("Delegating to authentication failure handler" + failureHandler);
        }

        HttpSession session = request.getSession(false);

        if (session != null || allowSessionCreation) {
            request.getSession().setAttribute(SPRING_SECURITY_LAST_EXCEPTION_KEY, failed);
        }

        rememberMeServices.loginFail(request, response);

        failureHandler.onAuthenticationFailure(request, response, failed);
    }


    /**
     * Enables subclasses to override the composition of the password, such as by including additional values
     * and a separator.

This might be used for example if a postcode/zipcode was required in addition to the
* password. A delimiter such as a pipe (|) should be used to separate the password and extended value(s). The
* AuthenticationDao will need to generate the expected password in a corresponding manner.

     *
     * @param request so that request attributes can be retrieved
     *
     * @return the password that will be presented in the Authentication request token to the
     *         AuthenticationManager
     */
    protected String obtainPassword(HttpServletRequest request) {
        return request.getParameter(passwordParameter);
    }

    /**
     * Enables subclasses to override the composition of the username, such as by including additional values
     * and a separator.
     *
     * @param request so that request attributes can be retrieved
     *
     * @return the username that will be presented in the Authentication request token to the
     *         AuthenticationManager
     */
    protected String obtainUsername(HttpServletRequest request) {
        return request.getParameter(usernameParameter);
    }

    /**
     * Provided so that subclasses may configure what is put into the authentication request's details
     * property.
     *
     * @param request that an authentication request is being created for
     * @param authRequest the authentication request object that should have its details set
     */
    protected void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) {
        authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
    }

    /**
     * Sets the parameter name which will be used to obtain the username from the login request.
     *
     * @param usernameParameter the parameter name. Defaults to "j_username".
     */
    public void setUsernameParameter(String usernameParameter) {
        Assert.hasText(usernameParameter, "Username parameter must not be empty or null");
        this.usernameParameter = usernameParameter;
    }

    /**
     * Sets the parameter name which will be used to obtain the password from the login request..
     *
     * @param passwordParameter the parameter name. Defaults to "j_password".
     */
    public void setPasswordParameter(String passwordParameter) {
        Assert.hasText(passwordParameter, "Password parameter must not be empty or null");
        this.passwordParameter = passwordParameter;
    }

    /**
     * Defines whether only HTTP POST requests will be allowed by this filter.
     * If set to true, and an authentication request is received which is not a POST request, an exception will
     * be raised immediately and authentication will not be attempted. The unsuccessfulAuthentication() method
     * will be called as if handling a failed authentication.
     *

     * Defaults to true but may be overridden by subclasses.
     */
    public void setPostOnly(boolean postOnly) {
        this.postOnly = postOnly;
    }

    public final String getUsernameParameter() {
        return usernameParameter;
    }

    public final String getPasswordParameter() {
        return passwordParameter;
    }

    public String getDefaultTargetUrl() {
        return defaultTargetUrl;
    }

    public void setDefaultTargetUrl(String defaultTargetUrl) {
        this.defaultTargetUrl = defaultTargetUrl;
    }

    public String getDefaultFailureUrl() {
        return defaultFailureUrl;
    }

    public void setDefaultFailureUrl(String defaultFailureUrl) {
        this.defaultFailureUrl = defaultFailureUrl;
    }


}

�q�里要关注的��是几个字段�Q?br />

�q�两个字�D�|��指定验证成功或失败后转向的页面，�q�里要注意是�?#8220;/”开��_(d��)��否则在AbstractAuthenticationTargetUrlRequestHandler中调用setDefaultTargetUrl�Ҏ(gu��)��时会(x��)抛出"defaultTarget must start with '/' or with 'http(s)'"的异常！
默认情况下，FORM_LOGIN_FILTER对应的target url和failure url都是通过中的default-target-url,authentication-failure-url指定�Q�也可以通过指定authentication-success-handler-ref�?/strong>authentication-failure-handler-ref来实现认证成功和��p�|之后的处理方�?在我的filter中，是自定义�?ji��n)两个handler分别对应成功的和��p�|的验证�?br />
3.用户信息获取和验证：(x��)



�q�个指定的authentication-manager是��用默认的ProviderManager�Q�这个manager是在哪里使用的呢�Q?br /> 看看MyUsernamePasswordAuthenticationFilter中的attemptAuthentication�Ҏ(gu��)��的最后一行，�q�里是获取指定的authentication-manager。getAuthenticationManager是从父类AbstractAuthenticationProcessingFilter�l�承�q�来的。所以，我们�?lt;authentication-manager alias="authenticationManager">中就指定�?ji��n)一个别名authenticationManager�Q�在myfilter中设�|�属性的引用�Q�然后我们就可以通过Provider引用我们自己的用户信息验证service�?ji��n)（eg:用户信息获取和验证）(j��)�Q�这里实际是使用�?ji��n)Method Template模式�Q�AbstractAuthenticationManager中设定模板函数doAuthentication�Q�ProviderManager中做�?ji��n)实玎ͼ?j��)�?br /> �q�里隑օ�要说明一下，我们的Service是如何被调用的，我们做了(ji��n)配置
指定�?ji��n)我们的UserDetailsService�Q�类实现(��Z��(ji��n)��试和理解，The easier the better!)�Q?br /> package com.saveworld.userdetails;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

import org.springframework.dao.DataAccessException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class MyUserDetailsService implements UserDetailsService{

    private HashMap userDetails = new HashMap();
    private HashMap> userAuthorities = new HashMap>();

    public MyUserDetailsService(){
        //Make up a user named 'rod' with 'rod' as his password!
        //
        String username = "rod";
        String password = "1";
        boolean enabled = true;
        //purview for rod
        GrantedAuthority specAuth = new GrantedAuthorityImpl("ROLE_MY");
        List rodsAuthsList = new ArrayList();
        rodsAuthsList.add(specAuth);
//        userAuthorities.put("rod", rodsAuthsList);
        userDetails.put("rod", new User(username, password, enabled, true, true, true, rodsAuthsList));
    }


    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        System.out.println("验证从此地过�?ji��n)一�?);
        return userDetails.get(username);
    }

}
通过DaoAuthenticationProvider中的userDetailsService兌��我们的UserDetailsService�Q�不得不提的是，AbstractUserDetailsAuthenticationProvider中有讑֮��?ji��n)模板函数retrieveUser�Q�DaoAuthenticationProvider�q�行�?ji��n)实玎ͼ�通过retrieveUser�Ҏ(gu��)��调用UserDetailsService.loadUserByUsername�Q�然后在AbstractUserDetailsAuthenticationProvider.authenticate�Ҏ(gu��)��q�行验证�Q��?br /> 接下来就是看验证的结果了(ji��n)�Q�是否成功，�q�入filter chain中�?br /> �q�一切就�q�么有条不紊的进行了(ji��n)�Q�呵呵，�ȝ��是有�Ҏ(gu��)��果了(ji��n)�Q�有�?ji��n)一点点感性的认识�?ji��n)！上面的描�q�C��隑օ��?x��)有些�؜乱，但是��量是哪里需要，哪里��做说明�Q?br />
下篇中说明entrypoint的用处吧�Q?br />

taochen 2010-01-19 14:19 发表评论

taochen — Fri, 25 Dec 2009 07:53:00 GMT
不得不再感叹一下，�{�略模式在SpringSecurity中用的地方太多了(ji��n)�Q?br />
? SecurityContextHolder, to provide access to the SecurityContext.
? SecurityContext, to hold the Authentication and possibly request-specific security
information.
? Authentication, to represent the principal in a Spring Security-specific manner.
? GrantedAuthority, to reflect the application-wide permissions granted to a principal.
? UserDetails, to provide the necessary information to build an Authentication object from your
application's DAOs or other source source of security data.
? UserDetailsService, to create a UserDetails when passed in a String-based username
(or certificate ID or the like).
�Q�以上是从文档里面抄出来的！�Q?br /> �q�就是权限的核心(j��)�?ji��n)！�Q�（持箋(hu��)修改中。。。。。。）(j��)

taochen 2009-12-25 15:53 发表评论

taochen — Thu, 24 Dec 2009 12:05:00 GMT
�W�一�ơ配�|�和使用SpringSecurity�Q��L��要碰很多�ơ墙�Q?br /> 先说说个人理解的它里面比较有意义的架构�?br /> 里面有好多设计模式的影子�Q�策略模式，代理模式�Q�工厂模式，链条模式=====�Q�看到这些模式（除了(ji��n)工厂或单例）(j��)�?j��)里��L��?x��)有些兴奋，�ȝ��是看��C��(ji��n)模式的真正练兵场�Q�跟兄弟们好好分享一�?(才看�?ji��n)一天！有不对之处，�q�望各位斧正�Q?
�{�略模式�Q�Strategy Pattern�Q?
主要说一下session相关的这个策略模式，以SessionAuthenticationStrategy接口的策略划分，�Ҏ(gu��)��我们的session安全�{�略�Q�指定不同的�{�略�Q�现在看是这�U�布局�Q?br />

��层接口 SessionAuthenticationStrategy

具体实现 SessionFixationProtectionStrategy
�Q�直接默认实玎ͼ�(j��) NullAuthenticatedSessionStrategy
�Q�空实现�Q?br />

二��实现 ConcurrentSessionControlStrategy

��d��比较�ȝ��(ch��)�Q�各位还是凑合着看吧�Q�说明一下：(x��)��层接口被下�?#8220;具体实现”两个�c�d��玎ͼ��?#8220;二��实现”实现SessionFixationProtectionStrategy。具体采用哪�U�策略要看我们的配置�?ji��n)�?br /> 代理模式�Q�Proxy�Q�：(x��)
很明昄��代理�c�，DelegatingFilterProxy和FilterChainProxy�Q�这两个�cȝ��着�?j��)里都痒痒的�Q�呵呵，�q�_��L��看代理模式呀什么的�Q�即时看着例子也不�t�实�Q�现在看到这两个东西�Q�心(j��)里突然有�U��^�?r��n)的�Ȁ动！
�q�两个代理类以FilterChainProxy��Z��说明一下吧�Q�FilterChainProxy代理�?ji��n)权限验证Filters的工作，通过它来讉K��整个�q��o(h��)器串里面的过滤器�?br /> Chain模式�Q�这个也应该以FilterChainProxy�q�个�c�d��口来分析�Q�呵呵，有兴��的各位��通过�q�个来看看吧�Q?br />

taochen 2009-12-24 20:05 发表评论

��层接口	SessionAuthenticationStrategy
具体实现	SessionFixationProtectionStrategy �Q�直接默认实玎ͼ�(j��)	NullAuthenticatedSessionStrategy �Q�空实现�Q?br />
二��实现	ConcurrentSessionControlStrategy