web.xml配置如下:
<filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>
一般在spring-security.xml中的配置如下:
<!-- Matches the admin user URLs: their login page, the authorities each area requires,
     and the adminAuthManager used to authenticate them -->
<http auto-config="true" pattern="/admin/**" use-expressions="true" authentication-manager-ref="adminAuthManager">
    <form-login login-processing-url="/admin/j_spring_security_check" login-page="/admin_login.html" authentication-failure-url="/common/login/usernameCheckFailed" default-target-url="/admin/login/adminCheckSuccess" always-use-default-target="true"/>
    <!-- <logout logout-url="/module/j_spring_security_logout" logout-success-url="/" /> -->
    <!-- Custom logout filter -->
    <custom-filter ref="userLogoutFilter" position="LOGOUT_FILTER" />
    <!-- Order matters: the specific role rules come first, the /admin/** catch-all last.
         A new /admin/... rule appended after the catch-all would never be reached. -->
    <intercept-url pattern="/admin/department/**" access="hasRole('ROLE_ADMIN_DEPARTMENT')" />
    <intercept-url pattern="/admin/processdefinition/**" access="hasRole('ROLE_ADMIN_PROCESSDEFINITION')" />
    <intercept-url pattern="/admin/roleManage/**" access="hasRole('ROLE_ADMIN_ROLEMANAGE')" />
    <intercept-url pattern="/admin/moduleManage/**" access="hasRole('ROLE_ADMIN_MODULEMANAGE')" />
    <intercept-url pattern="/admin/parentModuleManage/**" access="hasRole('ROLE_ADMIN_PARENTMODULEMANAGE')" />
    <intercept-url pattern="/admin/manageUserAccount/**" access="hasRole('ROLE_ADMIN_MANAGEUSERACCOUNT')" />
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')" />
</http>
<!-- Resources that need no authentication; since 3.0 this is configured as separate
     security="none" <http> elements instead of intercept-url entries -->
<!-- <http security="none" pattern="/**/index" /> -->
<http security="none" pattern="/**/*login.html" />
<http security="none" pattern="/**/*.jpg" />
<http security="none" pattern="/**/*.png" />
<http security="none" pattern="/**/*.gif" />
<http security="none" pattern="/**/*.css" />
<http security="none" pattern="/**/*.js" />
<http security="none" pattern="/*.ico" />
<http security="none" pattern="/*.jpg" />
<!-- Authentication manager bean for back-office (admin) users -->
<authentication-manager id="adminAuthManager">
    <authentication-provider user-service-ref="adminDetailService">
        <!-- NOTE(review): plain MD5 is a fast, unsalted digest and is not suitable for
             storing passwords; a slow, salted encoder such as bcrypt (hash="bcrypt" where
             the Spring Security version supports it, or a PasswordEncoder bean via ref)
             is the recommended choice. -->
        <password-encoder hash="md5"></password-encoder>
    </authentication-provider>
</authentication-manager>
<!-- Logout filter for ordinary users -->
<beans:bean id="userLogoutFilter" class="com.bluedon.cb.util.filter.UserLogoutFilter">
    <!-- Virtual URL that triggers the logout -->
    <beans:property name="filterProcessesUrl" value="/module/logout" />
    <!-- Default URL shown after a successful logout -->
    <beans:constructor-arg index="0" value="/" />
    <beans:constructor-arg index="1">
        <!-- Handlers run on logout -->
        <beans:array>
            <!-- Developer-defined logout handling (see UserLogoutHandler) -->
            <beans:bean id="userLogoutSuccessHandler" class="com.bluedon.cb.util.filter.UserLogoutHandler" />
        </beans:array>
    </beans:constructor-arg>
</beans:bean>
說明:
lowercase-comparisons:表示URL比較前先轉爲小寫。
path-type:表示使用Apache Ant的匹配模式。
access-denied-page:訪問拒絕時轉向的頁面。
access-decision-manager-ref:指定了自定義的訪問策略管理器。當系統角色名的前綴不是默認的ROLE_時,須要自定義訪問策略管理器。
login-page:指定登陸頁面。
login-processing-url:指定了客戶在登陸頁面中按下 Sign In 按鈕時要訪問的 URL。與登陸頁面form的action一致。其默認值爲:/j_spring_security_check。
authentication-failure-url:指定了身份驗證失敗時跳轉到的頁面。
default-target-url:指定了成功進行身份驗證和授權後默認呈現給用戶的頁面。
always-use-default-target:指定了是否在身份驗證通過後總是跳轉到default-target-url屬性指定的URL。
logout-url:指定了用於響應退出系統請求的URL。其默認值爲:/j_spring_security_logout。
logout-success-url:退出系統後轉向的URL。
invalidate-session:指定在退出系統時是否要銷燬Session。
max-sessions:允許用戶賬號登陸的次數。示例限制用戶只能登陸一次。
exception-if-maximum-exceeded: 默認爲false,此值表示:用戶第二次登陸時,前一次的登陸信息都被清空。
當exception-if-maximum-exceeded="true"時系統會拒絕第二次登陸。
下面是 Spring Security 中用戶退出的 session 處理(能夠不寫):
package com.bluedon.cb.util.filter;

import org.springframework.security.web.authentication.logout.LogoutFilter;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;

/**
 * Logout filter.
 * <p>
 * A thin subclass of Spring Security's {@link LogoutFilter} that only exposes the
 * parent constructors, so the filter can be declared as a named bean in
 * spring-security.xml and plugged in at the {@code LOGOUT_FILTER} position. It adds
 * no behaviour of its own.
 * <p>
 * Time: 2016-03-02 17:38:04
 *
 * @version 1.0
 * @since 1.0
 */
public class UserLogoutFilter extends LogoutFilter {

    /**
     * Creates a filter that redirects to a fixed URL once logout has completed.
     *
     * @param logoutSuccessUrl URL the user is sent to after a successful logout
     * @param handlers         logout handlers run when a logout request is processed
     */
    public UserLogoutFilter(String logoutSuccessUrl, LogoutHandler[] handlers) {
        super(logoutSuccessUrl, handlers);
    }

    /**
     * Creates a filter whose post-logout navigation is decided by a strategy object.
     *
     * @param logoutSuccessHandler strategy invoked after a successful logout
     * @param handlers             logout handlers run when a logout request is processed
     */
    public UserLogoutFilter(LogoutSuccessHandler logoutSuccessHandler, LogoutHandler[] handlers) {
        super(logoutSuccessHandler, handlers);
    }
}
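package com.bluedon.cb.util.filter;

import java.util.Date;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.BeansException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.LogoutHandler;

import com.bluedon.cb.common.entity.LoginLog;
import com.bluedon.cb.common.service.CommonLogService;
import com.bluedon.cb.util.SpringContextUtil;
import com.bluedon.cb.util.constants.Constants;

/**
 * Logout handler.
 * <p>
 * Stamps the logout time on the {@link LoginLog} stored in the HTTP session, persists
 * it through {@link CommonLogService}, and then invalidates the session and clears the
 * {@link SecurityContextHolder}.
 * <p>
 * The audit update is best effort: a missing session, a missing {@code LoginLog}
 * attribute (for example after a session timeout) or a failed bean lookup must never
 * prevent the logout itself, so session invalidation and context clearing always run,
 * in a {@code finally} block. Previously a timed-out session produced a
 * {@code NullPointerException} before the session was invalidated, which left the user
 * authenticated and never reached the login page (issue originally noted by qinguidong).
 * <p>
 * Time: 2016-03-02 17:38:29
 *
 * @version 1.0
 * @since 1.0
 */
public class UserLogoutHandler implements LogoutHandler {

    private static final Logger log = LoggerFactory.getLogger(UserLogoutHandler.class);

    public UserLogoutHandler() {}

    /**
     * Records the logout in the login log (if one is present) and terminates the session.
     *
     * @param request        the logout request; an existing session is used but never created
     * @param response       unused
     * @param authentication unused; the session attribute is the source of the login record
     */
    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) {
        // getSession(false): do not create a brand-new session only to destroy it.
        HttpSession session = request.getSession(false);
        LoginLog loginLog = session == null
                ? null
                : (LoginLog) session.getAttribute(Constants.LOGIN_LOG);
        try {
            if (loginLog == null) {
                // Session already expired or never populated: nothing to record.
                log.warn("No login log found in session; skipping logout log update");
            } else {
                recordLogout(loginLog);
            }
        } catch (BeansException e) {
            // Service lookup failed; keep the cause so the wiring problem is diagnosable.
            log.error("Unable to obtain commonLogServiceImpl to record logout", e);
        } finally {
            // Always terminate the session and drop the security context, whatever
            // happened to the audit step above.
            if (session != null) {
                session.invalidate();
            }
            SecurityContextHolder.clearContext();
        }
    }

    /**
     * Stamps the logout time on {@code loginLog} and persists it.
     *
     * @param loginLog the login record taken from the session; must not be {@code null}
     * @throws BeansException if the log service bean cannot be obtained
     */
    private void recordLogout(LoginLog loginLog) {
        loginLog.setLoloLogoutDate(new Date()); // logout time
        CommonLogService commonLogService =
                (CommonLogService) SpringContextUtil.getBean("commonLogServiceImpl");
        int count = commonLogService.updateLoginLog(loginLog);
        if (count != Constants.SUCCESS) {
            log.error("記錄登陸日誌失敗了:" + loginLog.getLoloUsroName());
        }
    }
}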