SpringMVC + security模塊 框架整合詳解

最近整理一個二手後台管理項目，整體大體可分為 ： Springmvc + mybatis + tiles + easyui + security 這幾個模塊，再用maven做管理。剛拿到手裡面東西實在太多，所以老大讓重新整一個，只挑出骨架。不可否認，架構整體規劃得還是很好的，尤其是前端界面用tiles+easyui ，開發很高效！其實，之前雖然聽說過security，但做過的項目都沒用過security，所以也算是一個新手！整合過程還是很燒腦的。

1、首先是springmvc部分，也是框架的最核心骨架部分。springmvc也是基於servlet框架完成的，所以我們都可以從web.xml入手，然後順藤摸瓜，整理出整個架構。web.xml中主要部分是放置spring的各種配置：

2. <context-param>
3. <param-name>contextConfigLocation</param-name>
4. <param-value>
5. /WEB-INF/spring/appServlet/servlet-context.xml
6. </param-value>
8. </context-param>

和

2. <servlet>
3. <servlet-name>appServlet</servlet-name>
4. <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
5. <init-param>
6. <param-name>contextConfigLocation</param-name>
7. <param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
8. </init-param>
9. <load-on-startup>1</load-on-startup>
10. <async-supported>true</async-supported>
11. </servlet>
13. <servlet-mapping>
14. <servlet-name>appServlet</servlet-name>
15. <url-pattern>/</url-pattern>
16. </servlet-mapping>

這兩部分指定了配置文件地址和web請求地址攔截規則。需要注意的是，然後配置文件里就是常用的註解、數據源、之類的，不一而足。

2、然後是security，本文實現了自定義的用戶信息登錄認證，主要部分：spring的security主要注意幾個地方：

1）web.xml中配置security必須的過濾器，注意名字必須是springSecurityFilterChain,這是內置的過濾器；然後將過濾規則設置為/*，表示對所有請求都攔截。

2) 關於security的配置文件必須在<context-param>中加入，因為ContextLoaderListener在載入的時候就會去載入security相關的東西，而此時springmvc（servlet)模塊還沒有初始化。

二者配置如下：

2. <context-param>
3. <param-name>contextConfigLocation</param-name>
4. <param-value>
5. /WEB-INF/spring/appServlet/servlet-context.xml
6. </param-value>
8. </context-param>
10. <!-- Creates the Spring Container shared by all Servlets and Filters -->
11. <listener>
12. <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
13. </listener>
14. <!-- 用戶許可權模塊 -->
15. <filter>
16. <filter-name>springSecurityFilterChain</filter-name>
17. <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
18. </filter>
19. <filter-mapping>
20. <filter-name>springSecurityFilterChain</filter-name>
21. <url-pattern>/*</url-pattern>
22. </filter-mapping>

本文中security配置文件再servlet-context.xml中被引入，形如：

<beans:import resource="spring-security.xml"/>

3）spring-security.xml配置文件：

現在來看這個xml文件：

首先 <http>標籤部分聲明了訪問攔截規則，這是security的關鍵。在這部分，我們先聲明了一些不需要驗證的資源和訪問路徑；然後是地址攔截規則部分：該部分攔截路徑是/**，**表示可以跨目錄結構，因此此處攔截該站點所有請求（除之前聲明security=「none」的以外），然後攔截規則access="isAuthenticated()"，這是SecurityExpressionRoot中的判斷是否認證過的方法之一，跟hasRole()類似，官方描述是Returns true if the user is not anonymous ，也就是用戶認證後返回true。

2. <?xml version="1.0" encoding="UTF-8"?>
3. <beans:beans xmlns="http://www.springframework.org/schema/security"
4. xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
5. xmlns:security="http://www.springframework.org/schema/security"
6. xsi:schemaLocation="http://www.springframework.org/schema/beans
7. http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
8. http://www.springframework.org/schema/security
9. http://www.springframework.org/schema/security/spring-security-3.2.xsd">
11. <!-- For Web security -->
12. <http pattern="/js/**" security="none"/>
13. <http pattern="/images/**" security="none"/>
14. <http pattern="/mgmt/**" security="none"/>
15. <http pattern="/image_sys/**" security="none"/>
16. <http pattern="/style/**" security="none"/>
17. <http pattern="/view/login.jsp" security="none"/>
18. <http pattern="/view/login/forgotPassword.jsp" security="none"/>
19. <http pattern="/securityCodeImage.html" security="none"/>
20. <http pattern="/checkSecurityCode.html" security="none"/>
21. <http pattern="/admin/validateMobile.html" security="none"/>
22. <http pattern="/verifycode/sendVerifyCode.html" security="none"/>
23. <http pattern="/admin/resetPassword.html" security="none"/>
26. <http use-expressions="true" entry-point-ref="authenticationProcessingFilterEntryPoint" access-denied-page="/view/403.jsp">
27. <intercept-url pattern="/**" access="isAuthenticated()" />
28. <remember-me />
29. <!-- <expression-handler ref="webSecurityExpressionHandler"/> -->
30. <custom-filter ref="loginFilter" position="FORM_LOGIN_FILTER" />
31. <logout logout-url="/j_spring_security_logout" logout-success-url="/view/login.jsp" delete-cookies="JSESSIONID"/>
32. </http>
34. <!-- 未登錄的切入點 -->
35. <beans:bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
36. <beans:property name="loginFormUrl" value="/view/login.jsp"></beans:property>
37. </beans:bean>
39. <!-- 登錄體系loginFilter -->
40. <beans:bean id="loginFilter"
41. class="com.security.AdminUsernamePasswordAuthenticationFilter">
42. <beans:property name="filterProcessesUrl" value="/j_spring_security_check"></beans:property>
43. <beans:property name="authenticationSuccessHandler" ref="myAuthenticationSuccessHandler"></beans:property>
44. <beans:property name="authenticationFailureHandler" ref="myAuthenticationFailureHandler"></beans:property>
45. <beans:property name="authenticationManager" ref="authenticationManager"></beans:property>
46. </beans:bean>
48. <!-- 驗證失敗顯示頁面 -->
49. <beans:bean id="myAuthenticationFailureHandler"
50. class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
51. <beans:property name="defaultFailureUrl" value="/view/login.jsp?error=true" />
52. </beans:bean>
53. <!-- 驗證成功默認顯示頁面 -->
54. <beans:bean id="myAuthenticationSuccessHandler"
55. class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
56. <beans:property name="alwaysUseDefaultTargetUrl" value="true" />
57. <!--此處可以請求登錄首頁的action地址 -->
58. <beans:property name="defaultTargetUrl" value="/index/homepage" />
59. </beans:bean>
61. <!-- authentication體系 -->
62. <authentication-manager alias="authenticationManager" erase-credentials="false">
63. <authentication-provider ref="authenticationProvider" />
64. </authentication-manager>
65. <beans:bean id="authenticationProvider"
66. class="com.security.AdminAuthenticationProvider">
67. <beans:property name="userDetailsService" ref="userDetailsService" />
68. </beans:bean>
69. <beans:bean id="userDetailsService"
70. class="com.security.AdminUserDetailsService">
71. <beans:property name="adminService" ref="adminServiceImpl"></beans:property>
72. </beans:bean>

</beans:beans>

然後聲明了自定義的用戶登錄的攔截器loginFilter，用於在登錄時實現security認證。spring的登錄認證模塊執行順序為：

1、UsernamePasswordAuthenticationFilter的attemptAuthentication（）方法，此部分可以做用戶名密碼的判斷，正確後繼續執行；

2、接下來調用AuthenticationManager的authenticate（）方法（中途具體怎麼調用此處不深究），一個Mannager對應了多個authenticationProvider，其實最終是通過調用provider的authenticate（）方法來進行認證的，只要provider的supports方法返回true即可聲明該provider或可進行認證，最後將被manager調用。在authenticate（）方法中，調用UserDetails的loadUserByUserName()方法來載入登錄用戶信息，包括許可權信息，最後封裝成AbstractAuthenticationToken,這個對象就是security模塊認證後的用戶完整信息。

自定義認證主要類如下：

2. /**
3. * 用戶登錄驗證步驟一：attemptAutentication（）
4. */
5. public class AdminUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
7. public static final String VALIDATE_CODE = "validateCode";
8. public static final String USERNAME = "j_username";
9. public static final String PASSWORD = "j_password";
10. public static final String EMPLOYEENO = "j_employeeNo";
12. @Resource
13. private AdminService adminService;
15. @Override
16. public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
17. throws AuthenticationException {
18. if (!request.getMethod().equals("POST")) {
19. throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
20. }
22. // 判斷用戶信息
24. // UsernamePasswordAuthenticationToken實現 Authentication
25. UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
26. adminModel.getAdminId(), password);
28. // 允許子類設置詳細屬性
29. setDetails(request, authRequest);
31. // 運行UserDetailsService的loadUserByUsername 再次封裝Authentication
32. return this.getAuthenticationManager().authenticate(authRequest);
33. }
34. @Override
35. protected String obtainUsername(HttpServletRequest request) {
36. Object obj = request.getParameter(USERNAME);
37. return null == obj ? "" : obj.toString();
38. }
39. @Override
40. protected String obtainPassword(HttpServletRequest request) {
41. Object obj = request.getParameter(PASSWORD);
42. return null == obj ? "" : obj.toString();
43. }
44. }

2. /**
3. * <span stylex="font-family: Arial, Helvetica, sans-serif;">用戶登錄驗證步驟二：</span><span stylex="font-family: Arial, Helvetica, sans-serif;">authenticate</span><span stylex="font-family: Arial, Helvetica, sans-serif;">（）</span><span stylex="font-family: Arial, Helvetica, sans-serif;">
4. </span> */
5. public class AdminAuthenticationProvider implements AuthenticationProvider {
6. protected Logger logger = LoggerFactory.getLogger(this.getClass());
8. private UserDetailsService userDetailsService = null;
10. public AdminAuthenticationProvider() {
11. super();
12. }
13. /**
14. * @param userDetailsService
15. */
16. public AdminAuthenticationProvider(UserDetailsService userDetailsService) {
17. super();
18. this.userDetailsService = userDetailsService;
19. }
21. public UserDetailsService getUserDetailsService() {
22. return userDetailsService;
23. }
25. public void setUserDetailsService(UserDetailsService userDetailsService) {
26. this.userDetailsService = userDetailsService;
27. }
29. /**
30. * provider的authenticate()方法，用於登錄驗證
31. */
32. @SuppressWarnings("unchecked")
33. public Authentication authenticate(Authentication authentication) throws AuthenticationException {
35. // 1. Check username and password
36. try {
37. doLogin(authentication);
38. } catch (Exception e) {
39. if (e instanceof AuthenticationException) {
40. throw (AuthenticationException) e;
41. }
42. logger.error("failure to doLogin", e);
43. }
45. // 2. Get UserDetails
46. UserDetails userDetails = null;
47. try {
48. userDetails = this.userDetailsService.loadUserByUsername(authentication.getName());
49. } catch (Exception e) {
50. if (e instanceof AuthenticationException) {
51. throw (AuthenticationException) e;
52. }
53. logger.error("failure to get user detail", e);
54. }
55. // 3. Check and get all of admin roles and contexts.
56. Collection<GrantedAuthority> authorities = (Collection<GrantedAuthority>) userDetails.getAuthorities();
57. if (authorities != null && !authorities.isEmpty()) {
58. AdminAuthenticationToken token = new AdminAuthenticationToken(authentication.getName(),
59. authentication.getCredentials(), authorities);
60. token.setDetails(userDetails);
61. return token;
62. }
63. throw new BadCredentialsException("沒有分配許可權");
64. }
65. protected void doLogin(Authentication authentication) throws AuthenticationException {
67. }
68. @Override
69. public boolean supports(Class<?> authentication) {
70. // TODO Auto-generated method stub
71. return true;
72. }
73. }

2. /**用戶詳細信息獲取
3. */
4. public class AdminUserDetailsService implements UserDetailsService {
5. private Logger logger = LoggerFactory.getLogger(AdminUserDetailsService.class);
6. private AdminService adminService;
8. @Override
9. public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
11. AdminUserDetails userDetails = new AdminUserDetails();
12. userDetails.setAdminId(username);
14. ///載入用戶基本信息
15. AdminModel adminModel = adminService.getAdminByAdminId(username);
16. try {
17. PropertyUtils.copyProperties(userDetails, adminModel);
18. } catch (IllegalAccessException e) {
19. logger.error("用戶信息複製到userDetails出錯",e);
20. } catch (InvocationTargetException e) {
21. logger.error("用戶信息複製到userDetails出錯",e);
22. } catch (NoSuchMethodException e) {
23. logger.error("用戶信息複製到userDetails出錯",e);
24. }
25. //載入許可權信息
26. List<AdminRoleGrantedAuthority> authorities = this.adminService.getAuthorityByUserId(username);
27. if (authorities == null || authorities.size() == 0) {////如果為普通用戶
28. if (isCommonUserRequest()) {
29. AdminRoleGrantedAuthority authority =
30. new AdminRoleGrantedAuthority(AdminRoleGrantedAuthority.ADMIN_ROLE_TYPE_COMMON_USER);
31. userDetails.getAuthorities().add(authority);
32. } else {
33. logger.warn("person authorities is empty, personId is [{}]", username);
34. }
35. }
36. //載入用戶許可權
37. userDetails.getAuthorities().addAll(authorities);
39. ///這個就是許可權系統最後的用戶信息
40. return userDetails;
41. }
43. private boolean isCommonUserRequest() {
44. // TODO Auto-generated method stub
45. return true;
46. }
48. public AdminService getAdminService() {
49. return adminService;
50. }
52. public void setAdminService(AdminService adminService) {
53. this.adminService = adminService;
54. }
56. }

2. public class AdminAuthenticationToken extends AbstractAuthenticationToken {
4. /**
5. *
6. */
7. private static final long serialVersionUID = 5976309306377973996L;
9. private final Object principal;
10. private Object credentials;
12. public AdminAuthenticationToken(Object principal, Object credentials) {
13. super(null);
14. this.principal = principal;
15. this.credentials = credentials;
16. setAuthenticated(false);
17. }
19. c AdminAuthenticationToken(Object principal, Object credentials, Collection<? extends GrantedAuthority> authorities) {
20. super(authorities);
21. this.principal = principal;
22. this.credentials = credentials;
23. super.setAuthenticated(true); //注意，這裡設置為true了！ must use super, as we override
24. }
26. public Object getCredentials() {
27. return this.credentials;
28. }
30. public Object getPrincipal() {
31. return this.principal;
32. }
34. public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {
35. if (isAuthenticated) {
36. throw new IllegalArgumentException("Cannot set this token to trusted - use constructor which takes a GrantedAuthority list instead");
37. }
38. super.setAuthenticated(false);
39. }
41. @Override
42. public void eraseCredentials() {
43. super.eraseCredentials();
44. credentials = null;
45. }
46. }

到這裡基本就完成了spring security的設置，

4）最後就是jsp頁面部分，頁面主要是表單的action地址必須為：path+/j_spring_security_check,其中path是項目路徑，然後登錄的時候就可以使用security模塊了！

至於文章中可能涉及到的一些bean或者service，這裡就不貼代碼了，畢竟項目較為完善，涉及東西太多，另外每個項目業務邏輯也不一樣。

在整個框架整合過程中，遇到了很多奇怪的問題，很多是因為版本不一致引起的，建議用maven進行jar等依賴包的統一管理。

喜歡這篇文章嗎？立刻分享出去讓更多人知道吧！