作項目時須要用到角色繼承、ACL和CAS,在網上搜了幾篇文章,寫的實在是誤人子弟,索性翻了翻源碼、文檔與官方示例,作了一份配置,供須要的朋友參考。html
<?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context" xmlns:util="http://www.springframework.org/schema/util" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd"> <!-- 方法安全 --> <global-method-security secured-annotations="enabled" pre-post-annotations="enabled" jsr250-annotations="enabled" access-decision-manager-ref="methodAccessDecisionManager"> <expression-handler ref="methodSecurityExpressionHandler"/> <after-invocation-provider ref="postInvocationAdviceProvider"/> </global-method-security> <!-- HTTP安全 --> <http pattern="/proxy.html" security="none" /> <http entry-point-ref="casEntryPoint" use-expressions="true" access-decision-manager-ref="webAccessDecisionManager"> <expression-handler ref="webSecurityExpressionHandler"/> <intercept-url pattern="/" access="hasRole('ROLE_USER')"/> <custom-filter ref="requestSingleLogoutFilter" before="LOGOUT_FILTER"/> <custom-filter ref="singleLogoutFilter" before="CAS_FILTER"/> <custom-filter ref="casFilter" position="CAS_FILTER"/> </http> <!-- ↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓受權(Authorization)配置↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓ --> <beans:bean id="aclAuthorizationStrategy" class="org.springframework.security.acls.domain.AclAuthorizationStrategyImpl"> <beans:constructor-arg name="auths"> <beans:list> <beans:ref bean="supervisor"/> <beans:ref bean="supervisor"/> <beans:ref bean="supervisor"/> </beans:list> </beans:constructor-arg> </beans:bean> <beans:bean id="permissionGrantingStrategy" class="org.springframework.security.acls.domain.DefaultPermissionGrantingStrategy"> <beans:constructor-arg name="auditLogger"> <beans:bean class="org.springframework.security.acls.domain.ConsoleAuditLogger"/> </beans:constructor-arg> </beans:bean> <beans:bean id="supervisor" class="org.springframework.security.core.authority.SimpleGrantedAuthority"> <beans:constructor-arg name="role" value="ROLE_SUPERVISOR"/> </beans:bean> <beans:bean id="aclCache" class="org.springframework.security.acls.domain.EhCacheBasedAclCache"> <beans:constructor-arg name="cache"> <beans:bean class="org.springframework.cache.ehcache.EhCacheFactoryBean"> <beans:property name="overflowToDisk" value="true"/> <beans:property name="maxElementsInMemory" value="1024"/> </beans:bean> </beans:constructor-arg> <beans:constructor-arg name="permissionGrantingStrategy" ref="permissionGrantingStrategy"/> <beans:constructor-arg name="aclAuthorizationStrategy" ref="aclAuthorizationStrategy"/> </beans:bean> <beans:bean id="lookupStrategy" class="org.springframework.security.acls.jdbc.BasicLookupStrategy"> <beans:constructor-arg name="dataSource" ref="dataSource"/> <beans:constructor-arg name="aclCache" ref="aclCache"/> <beans:constructor-arg name="aclAuthorizationStrategy" ref="aclAuthorizationStrategy"/> <beans:constructor-arg name="grantingStrategy" ref="permissionGrantingStrategy"/> </beans:bean> <beans:bean id="aclService" class="org.springframework.security.acls.jdbc.JdbcMutableAclService"> <beans:constructor-arg name="dataSource" ref="dataSource"/> <beans:constructor-arg name="lookupStrategy" ref="lookupStrategy"/> <beans:constructor-arg name="aclCache" ref="aclCache"/> <beans:property name="classIdentityQuery" value="select @@identity"/><!-- select @@identity用於得到剛剛插入的自增id select LAST_INSERT_ID() --> <beans:property name="sidIdentityQuery" value="select @@identity"/> </beans:bean> <!-- 經過表達式使用ACL --> <beans:bean id="aclPermissionEvaluator" class="org.springframework.security.acls.AclPermissionEvaluator"> <beans:constructor-arg name="aclService" ref="aclService"/> </beans:bean> <!-- 角色繼承 --> <beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl"> <beans:property name="hierarchy"> <beans:value> ROLE_DEVELOPER > ROLE_SUPERVISOR ROLE_SUPERVISOR > ROLE_ADMIN ROLE_ADMIN > ROLE_USER </beans:value> </beans:property> </beans:bean> <!-- 用於web的ExpressionHandler --> <beans:bean id="webSecurityExpressionHandler" name="webSecurityExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler"> <beans:property name="roleHierarchy" ref="roleHierarchy"/> <beans:property name="permissionEvaluator" ref="aclPermissionEvaluator"/> </beans:bean> <!-- 用於method的ExpressionHandler --> <beans:bean id="methodSecurityExpressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler"> <beans:property name="roleHierarchy" ref="roleHierarchy"/> <beans:property name="permissionCacheOptimizer"> <beans:bean class="org.springframework.security.acls.AclPermissionCacheOptimizer"> <beans:constructor-arg name="aclService" ref="aclService"/> </beans:bean> </beans:property> <beans:property name="permissionEvaluator" ref="aclPermissionEvaluator"/> </beans:bean> <!-- 用於web(taglib以及url)的AccessDecisionManager --> <beans:bean id="webAccessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased"> <beans:constructor-arg> <beans:list> <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter"> <beans:property name="expressionHandler" ref="webSecurityExpressionHandler"/> </beans:bean> <beans:bean class="org.springframework.security.access.vote.RoleHierarchyVoter"> <beans:constructor-arg ref="roleHierarchy"/> </beans:bean> <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/> </beans:list> </beans:constructor-arg> </beans:bean> <!-- 用於method的AccessDecisionManager --> <beans:bean id="methodAccessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased"> <beans:constructor-arg> <beans:list> <beans:bean class="org.springframework.security.access.vote.RoleHierarchyVoter"> <beans:constructor-arg ref="roleHierarchy"/> </beans:bean> <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/> <beans:bean class="org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter"> <beans:constructor-arg name="pre"> <beans:bean class="org.springframework.security.access.expression.method.ExpressionBasedPreInvocationAdvice"> <beans:property name="expressionHandler" ref="methodSecurityExpressionHandler"/> </beans:bean> </beans:constructor-arg> </beans:bean> <beans:bean class="org.springframework.security.access.annotation.Jsr250Voter"/> </beans:list> </beans:constructor-arg> </beans:bean> <!-- 後置過濾 --> <beans:bean id="postInvocationAdviceProvider" class="org.springframework.security.access.prepost.PostInvocationAdviceProvider"> <beans:constructor-arg name="postAdvice"> <beans:bean class="org.springframework.security.access.expression.method.ExpressionBasedPostInvocationAdvice"> <beans:constructor-arg name="expressionHandler" ref="methodSecurityExpressionHandler"/> </beans:bean> </beans:constructor-arg> </beans:bean> <!-- ↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑/受權(Authorization)配置↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑ --> <!-- ↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓認證(Authentication)配置↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓↓ --> <authentication-manager alias="authManager"> <authentication-provider ref="casAuthProvider"/> </authentication-manager> <beans:bean id="userService" class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl"> <beans:property name="enableGroups" value="true"/> <beans:property name="dataSource" ref="dataSource"/> </beans:bean> <!-- This filter handles a Single Logout Request from the CAS Server --> <beans:bean id="singleLogoutFilter" class="org.jasig.cas.client.session.SingleSignOutFilter"/> <!-- This filter redirects to the CAS Server to signal Single Logout should be performed --> <beans:bean id="requestSingleLogoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter"> <beans:property name="filterProcessesUrl" value="/j_spring_cas_security_logout"/> <beans:constructor-arg name="logoutSuccessUrl" value="https://${cas.server}/logout"/> <beans:constructor-arg name="handlers"> <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/> </beans:constructor-arg> </beans:bean> <beans:bean id="serviceProperties" class="org.springframework.security.cas.ServiceProperties"> <beans:property name="service" value="https://${cas.service}/j_spring_cas_security_check"/> </beans:bean> <beans:bean id="casEntryPoint" class="org.springframework.security.cas.web.CasAuthenticationEntryPoint"> <beans:property name="serviceProperties" ref="serviceProperties"/> <beans:property name="loginUrl" value="https://${cas.server}/login"/> </beans:bean> <beans:bean id="casFilter" class="org.springframework.security.cas.web.CasAuthenticationFilter"> <beans:property name="authenticationManager" ref="authManager"/> <beans:property name="serviceProperties" ref="serviceProperties"/> <beans:property name="authenticationDetailsSource"> <beans:bean class="org.springframework.security.cas.web.authentication.ServiceAuthenticationDetailsSource"/> </beans:property> <beans:property name="authenticationFailureHandler"> <beans:bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"/> </beans:property> </beans:bean> <!-- NOTE: In a real application you should not use an in memory implementation. You will also want to ensure to clean up expired tickets by calling ProxyGrantingTicketStorage.cleanup() --> <beans:bean id="casAuthProvider" class="org.springframework.security.cas.authentication.CasAuthenticationProvider"> <beans:property name="serviceProperties" ref="serviceProperties"/> <beans:property name="key" value="${cas.key}"/> <beans:property name="authenticationUserDetailsService"> <beans:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper"> <beans:constructor-arg ref="userService"/> </beans:bean> </beans:property> <beans:property name="ticketValidator"> <beans:bean class="org.jasig.cas.client.validation.Cas20ProxyTicketValidator"> <beans:constructor-arg value="https://${cas.server}"/> </beans:bean> </beans:property> </beans:bean> <!-- Configuration for the environment can be overriden by system properties --> <context:property-placeholder system-properties-mode="OVERRIDE" properties-ref="environment"/> <util:properties id="environment"> <beans:prop key="cas.service">localhost:8444/user</beans:prop> <beans:prop key="cas.server">localhost:8443/cas</beans:prop> <beans:prop key="cas.key">CAS_KEY_ADMIN.USER</beans:prop> </util:properties> <!-- ↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑/認證(Authentication)配置↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑↑ --> </beans:beans>