亚洲熟妇av一区二区三区漫画,亚洲国产精品一区二区第一页免 ,亚洲乱色熟女一区二区三区蜜臀

Spring Security - Using custom Authentication Processing Filter

Fri, 11 Jun 2010 00:12:00 GMT

Recently I got a chance working with Spring security, formerly known as Acegi Security for spring. While working with the framework, I heard comments from friends and colleagues saying that spring security lacks proper documentation. So thought of sharing a little knowledge. By the way, this is first ever blog posting and kindly excuse me and let me know any errors and improvements. Spring security offers a simple configuration based security for your web applications helping you secure your web application with out littering your business logic with any security code. It provides securing URL's based on the Role (Authorities), securing your business methods based on the ACL's. The first step in hooking up the spring security to your web application is by specifying the DelegatingFilterProxy in your web.xml.

springSecurityFilterChain

org.springframework.web.filter.DelegatingFilterProxy

springSecurityFilterChain

REQUEST INCLUDE FORWARD If you want to externalize all of your security related configuration into a separate file, you can do so and add that to your context location param.

contextConfigLocation

/WEB-INF/beans.xml , /WEB-INF/springSecurity.xml

Now comes the part of security configuration for your application, Adding the URL security patterns is pretty simple and straight forward. Add all the URL patterns which you want to secure and add the wild card pattern at the end. You need to have some default principal and role even for non logged in users as you need to give access to pages like log in, register and forgot password kind of functionality even to non logged in users. I tried to add comments to pretty much every element which I am using here. As an example I added just a wild card intercept url which make every page of my application secure. You need to exclude different urls based on the roles.

Following is my custom implementation of AuthenticationEntryPoint, which currently is not doing any thing except leveraging the commence to its super class which is the spring implementation of AuthenticationProcessingFilterEntryPoint. I hooked it to add any custom logic. public class CustomAuthenticationEntryPoint extends AuthenticationProcessingFilterEntryPoint { private static final Log logger = LogFactory.getLog(CustomAuthenticationEntryPoint.class); @Override public void commence(ServletRequest request, ServletResponse response, AuthenticationException authException) throws IOException, ServletException { super.commence(request, response, authException); } } This is my custom authentication manager which actually does the custom login of the user. It will throw an BadCredentialsException in case of invalid credentials or thorws a AuthenticationServiceException in case of a service error (Database error, SQL error or any other error). public class CustomAuthunticationManager implements AuthenticationManager { @Autowired UserManagerService userManagerService; public Authentication authenticate(Authentication authentication) throws AuthenticationException { if(StringUtils.isBlank((String) authentication.getPrincipal()) || StringUtils.isBlank((String) authentication.getCredentials())){ throw new BadCredentialsException("Invalid username/password"); } User user = null; GrantedAuthority[] grantedAuthorities = null; try{ user = userManagerService.getUser((String) authentication.getPrincipal(), (String) authentication.getCredentials()); } catch(InvalidCredentialsException ex){ throw new BadCredentialsException(ex.getMessage()); } catch(Exception e){ throw new AuthenticationServiceException("Currently we are unable to process your request. Kindly try again later."); } if (user != null) { List roles = user.getAssociatedRoles(); grantedAuthorities = new GrantedAuthority[roles.size()]; for (int i = 0; i < roles.size(); i++) { Role role = roles.get(i); GrantedAuthority authority = new GrantedAuthorityImpl(role.getRoleCode()); grantedAuthorities[i] = authority; } } else{ throw new BadCredentialsException("Invalid username/password"); } return new UsernamePasswordAuthenticationToken(user, authentication.getCredentials(), grantedAuthorities); } } At the client side (jsp), the simple configuration you need to do is post the request to"/j_spring_security_check" with parameters "j_username" and "j_password". That's pretty much all you need to do for enabling spring security to your existing web application. I will try to explain about doing the method security using ACL's and configuring the view using spring security tags in another post.

云自无心水自�?/a> 2010-06-11 08:12 发表评论

Thu, 04 Feb 2010 11:17:00 GMT

在上一��中我们研究了如何实现SpringSecurity中Jsp Tag�?lt;security:authorize ifAllGranted="ROLE_SUPERVISOR">的功能。这一�ơ我们一��L��I�一下如何实现在Tapestry5.1中添加一个Filter来对所有的操作�q�行权限的过滤控制�?br /> 在SpringSecurity中，我们一般是在application-context.xml中，��d��一个SpringSecurity的Filter�Q�然后在另外一个xml中详�l�配�|�如何根据Url的规则进行权限的控制。而Tapestry的哲学是��量减少Xml中的配置�Q�其IOC容器也基本上是借鉴Guice而不Spring的）�Q�所以我们也是在代码中实现权限规则的控制�?br /> ��M��上来看，可以用两�U�方式来实现url规则�Q�一�U�是Request�U�别的Filter�Q�一�U�是��面�l��g�U�别的Filter�Q�如果是Request�U�别的话�Q�可以从Request对象中获取Url路径�Q�这样就与SpringSecurity基本一样了。本文主要介�l�页面组件��别的Filter�Q�从中我们也可以体会到Tapestry5.1中的IOC容器的强大和便利�?/p>

�q�就是Filter的代码，�q�个Filter必须实现ComponentRequestFilter接口。值得注意的是其构造函数所需要用到的4个参敎ͼ��q?个参数都是Tapestry5本��n自有的服务，所以我们什么也不用做，Tapestry5自动会将服务的实例注入进来，�q�就是Tapestry-IOC的威力�?br /> ComponentRequestFilter接口一共有4个方法需要实玎ͼ�具体代码如下�Q?/p>

1 public class RequiresLoginFilter implements ComponentRequestFilter {
2
3     private final PageRenderLinkSource renderLinkSource;
4
5     private final ComponentSource componentSource;
6
7     private final Response response;
8
9     private final ApplicationStateManager appStateManager;
10
11     public RequiresLoginFilter(PageRenderLinkSource renderLinkSource,
12             ComponentSource componentSource, Response response,
13             ApplicationStateManager appStateManager
14             ) {
15         this.renderLinkSource = renderLinkSource;
16         this.componentSource = componentSource;
17         this.response = response;
18         this.appStateManager = appStateManager;
19     }
20
21     public void handleComponentEvent(
22             ComponentEventRequestParameters parameters,
23             ComponentRequestHandler handler) throws IOException {
24
25         if (dispatchedToLoginPage(parameters.getActivePageName())) {
26             return;
27         }
28
29         handler.handleComponentEvent(parameters);
30
31     }
32
33     public void handlePageRender(PageRenderRequestParameters parameters,
34             ComponentRequestHandler handler) throws IOException {
35         if (dispatchedToLoginPage(parameters.getLogicalPageName())) {
36             return;
37         }
38         handler.handlePageRender(parameters);
39
40     }
41
42     private boolean dispatchedToLoginPage(String pageName) {
43         Component page = componentSource.getPage(pageName);
44
45         if (page.getClass().isAnnotationPresent(RequiresLogin.class)) {
46             if ( ! appStateManager.exists(Authentication.class)) {
47                 redirect();
48                 return true;
49             }
50             Authentication auth = appStateManager.get(Authentication.class);
51             if ( auth == null ) {
52                 redirect();
53                 return true;
54             }
55
56              if ( ! auth.isLoggedIn()) {
57                  redirect();
58                  return true;
59              }
60
61             RequiresLogin requireLogin = page.getClass().getAnnotation(
62                     RequiresLogin.class);
63             String ifNotGranted = requireLogin.ifNotGranted();
64             String ifAllGranted = requireLogin.ifAllGranted();
65             String ifAnyGranted = requireLogin.ifAnyGranted();
66             boolean permitted = auth.checkPermission(ifNotGranted, ifAllGranted, ifAnyGranted);
67             if ( ! permitted ) {
68                 return true;
69             }
70         }
71
72         return false;
73     }
74
75     private void redirect() {
76          Link link = renderLinkSource.createPageRenderLink("Logout");
77
78          try {
79              response.sendRedirect(link);
80          } catch (Exception e) {
81          }
82     }
83
84 }

在ComponentRequestFilter中，我们无法使用@SessionState注解来直接注入Session中的变量�Q�但是我们可以通过ApplicationStateManager来取得�?/p>

现在我们需要把刚定义的Filter注册到系�l�中�Q�很��单，只要在AppModule中添加以下函数就行了�Q?/p>

1 public static void contributeComponentRequestHandler(
2 OrderedConfiguration<ComponentRequestFilter> configuration) {
3 configuration.addInstance("RequiresLogin", RequiresLoginFilter.class);
4 }
5

从本例子中我们可以看到Tapesty Ioc容器使用的便利性，也认识到了Ioc容器在Tapestry体系中的重要�?img src ="http://m.tkk7.com/usherlight/aggbug/312016.html" width = "1" height = "1" />

云自无心水自�?/a> 2010-02-04 19:17 发表评论

Tue, 12 Jan 2010 12:17:00 GMT

Tapestry中�ƈ没有�c�M��于Spring Security�q�样的专门的权限框架。对此Tapestry的作者Lewis认�ؓ主要是用户对于权限的要求实在太多变化了。他认�ؓ很难抽象��Z��个通用的权限框架来满��所有的用户�Q�所以他�q�脆��׃��费事��d��q��g事了。但其实我们很容易就能利用Tapestry已有的工��h��完成�c�M��于SpringSecurity的功能�?br /> 本文主要介绍如何实现�c�M��于SpringSecurity的jsp tag的功能。在Tapestry中，利用Components实现�q�一炚w��常容易�?br /> 其基本原理是Tapestry5中一个页面或者组件的渲染生成�q�程是基于一个状态机和队列完成的。这��P��渲染生成�q�程��p��l�分成了很多个小模块�Q�我们可以非常容易地覆写�q�些��模块。具体内容详见官�Ҏ��档：http://tapestry.apache.org/tapestry5.1/guide/rendering.html。如果权限校验不通过�Q�我们就可以控制不显�C�组件的内容�?br /> 我们�q�里��是主要依赖�q�个�q�程来实现在��面�q�一层面�Ҏ��限进行校验和控制�?br /> 代码主要包含两大部分�Q�一个组件和一个用于权限控制的服务�?br /> 参考了Tapestry-Spring-Security的实玎ͼ�我也��组件命名�ؓIfRole�Q�当�Ӟ��我们也可以和Tapestry-Spring-Security一��P��也再生成一个IfLoggedIn�l��g�Q�。权限控制的服务我命名�ؓ�Q�AuthenticationService�?br /> 主要的实现思�\�Q?br /> ��AuthenticationService��x��为SessionState变量。这栯��个变量就可以在所有的��面和组件之间很方便地共享了。一般情况下�Q�是在登录页面对AuthenticationService�q�行赋��|��而在退出页面清�I�AuthenticationService�q�个变量�?br /> 代码�Q�这部分代码完全�Ҏ��应用的需求进自行更改�Q�：
AuthenticationService的代码：

public class AuthenticationService {
    private List<String> privilegeList;
    // privilegeList 的getter and setter

    public boolean checkPermission(String ifNotGranted, String ifAllGranted,
            String ifAnyGranted) {
        if (((null == ifAllGranted) || "".equals(ifAllGranted))
                && ((null == ifAnyGranted) || "".equals(ifAnyGranted))
                && ((null == ifNotGranted) || "".equals(ifNotGranted))) {
            return false;
        }

        if ((null != ifNotGranted) && !"".equals(ifNotGranted)) {
            StringTokenizer st = new StringTokenizer(ifNotGranted, ",");
            while (st.hasMoreTokens()) {
                String value = st.nextToken();
                if (privilegeList.contains(value)) {
                    return false;
                }
            }
        }

        if ((null != ifAllGranted) && !"".equals(ifAllGranted)) {
            StringTokenizer st = new StringTokenizer(ifAllGranted, ",");
            while (st.hasMoreTokens()) {
                String value = st.nextToken();
                if (!privilegeList.contains(value)) {
                    return false;
                }
            }
        }

        if ((null != ifAnyGranted) && !"".equals(ifAnyGranted)) {
            StringTokenizer st = new StringTokenizer(ifAnyGranted, ",");
            while (st.hasMoreTokens()) {
                String value = st.nextToken();
                if (privilegeList.contains(value)) {
                    return true;
                }
            }
            return false;
        }

        return true;
    }
}

IfRole的代码（�q�个�c�需要放在Components目录下）�Q?br />

public class IfRole {
    /**
     * A comma-separated list of roles is supplied to one or more of the
     * following parameters. If none are supplied, the default behavior is to
     * forbid access. Behavior should be self-explanatory.
     */
    @Parameter(required = false, defaultPrefix = "literal")
    private String ifAllGranted;

    @Parameter(required = false, defaultPrefix = "literal")
    private String ifAnyGranted;

    @Parameter(required = false, defaultPrefix = "literal")
    private String ifNotGranted;

    /**
     * An alternate {@link Block} to render if the test parameter is false. The default, null, means
     * render nothing in that situation.
     */
    @Parameter(name = "else")
    private Block elseBlock;

    private boolean test;

    @SessionState
    private AuthenticationService auth;

    private boolean checkPermission() {
        return auth.checkPermission(ifNotGranted, ifAllGranted, ifAnyGranted);
    }

    void setupRender() {
        test = checkPermission();
    }

    /**
     * Returns null if the test method returns true, which allows normal
     * rendering (of the body). If the test parameter is false, returns the else
     * parameter (this may also be null).
     */
    Object beginRender() {
        return test ? null : elseBlock;
    }

    /**
     * If the test method returns true, then the body is rendered, otherwise not. The component does
     * not have a template or do any other rendering besides its body.
     */
    boolean beforeRenderBody() {
        return test;
    }

}

�C�Z��Q?br /> 1. 在登录页面：
@SessionState
private Authentication auth;

......

// if user name and password is valid:
auth.setPrivliegeList(.....);

2. 在需要权限控制的��面模板中：

administrator can see this block

云自无心水自�?/a> 2010-01-12 20:17 发表评论