我在网上创建了这个xml spring安全配置,以便创建动态角色身份验证:
<bean id="filter" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager">
<bean class="org.springframework.security.access.vote.AffirmativeBased">
<property name="decisionVoters" >
<bean class="org.springframework.security.access.vote.RoleVoter">
<property name="rolePrefix" value="ROLE_"/>
</bean>
</property>
</bean>
</property>
<property name="securityMetadataSource" ref="dbFilterInvocationSecurityMetadataSource"/>
</bean>
我正在尝试用注释替换它,为此我创建了这个bean:
@Bean
public FilterSecurityInterceptor filterSecurityInterceptor(AuthenticationManager auth) {
List<AccessDecisionVoter<?>> decisionVoters = new ArrayList<>();
RoleVoter decisionVoter = new RoleVoter();
decisionVoter.setRolePrefix("");
decisionVoters.add(decisionVoter);
FilterSecurityInterceptor filterSecurityInterceptor = new FilterSecurityInterceptor();
filterSecurityInterceptor.setAuthenticationManager(auth);
filterSecurityInterceptor.setAccessDecisionManager(
new AffirmativeBased(decisionVoters));
filterSecurityInterceptor.setSecurityMetadataSource(dbFilterInvocationSecurityMetadataSource);
return filterSecurityInterceptor;
}
这是我的DbFilterInvocationSecurityMetadataSource类:
@Component
public class DbFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource, InitializingBean{
private static final Logger logger = LoggerFactory.getLogger(DbFilterInvocationSecurityMetadataSource.class.getName());
@Autowired
private UUsersService userService;
@Autowired
UrlCache urlCache;
private HashMap<String, List<String>> urlRoles;
@Override
public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
FilterInvocation fi=(FilterInvocation)object;
String url=fi.getRequestUrl();
logger.debug("Request Url====>"+url);
List<String> roles_=urlRoles.get(url);
logger.debug("Ruoli associati all'url :"+roles_);
if(roles_==null){
return null;
}
logger.debug("------------------");
String[] stockArr = new String[roles_.size()];
stockArr = roles_.toArray(stockArr);
return SecurityConfig.createList(stockArr);
}
@Override
public Collection<ConfigAttribute> getAllConfigAttributes() {
return null;
}
@Override
public boolean supports(Class<?> clazz) {
return true;
}
@Override
public void afterPropertiesSet() throws Exception {
userService.getUrlRoles();
this.urlRoles=urlCache.getUrlRoles();
logger.debug("Oggetto ruoli/urls :"+urlRoles);
}
}
现在,所有网址都是从过滤器和与之关联的角色中拦截的,但是我无法理解如何将已记录用户的角色与从请求的网址中检索到的角色相关联。 在我的loadByUsername方法实现中,我以这种方式恢复与loggedUser相关联的角色:
public PMAuthenticationUserDetails loadPMUserByUsername(String username) throws UsernameNotFoundException {
PMAuthenticationUserDetails userDTO = null;
try{
// get anagrafica
UUsers user = usersDao.findUserByUsername(username);
if(user != null){
// get role
List<UAuthorities> authorities = userAuthorityDao.findAuthoritiesByUserId(user.getId());
//get urls
List<UResource> urls = authorityResourceDao.findUrlsByAuthorities(authorities);
logger.info("L'utente con username: " + username + " esiste e ha n° " + authorities.size() + " ruoli associati.");
/** per spring */
Collection<GrantedAuthority> authoritiesDTO = new ArrayList<GrantedAuthority>();
/** lista codici ruoli (Stringhe prive del prefisso spring "ROLE_" */
List<String> codeAuthorities = new ArrayList<String>();
logger.info("Elenco ruoli: ");
for (UAuthorities item : authorities) {
logger.info(AuthenticationType.PREFIX_ROLE + item.getAuthority());
/**
* Quindi creiamo un oggetto di SimpleGrantedAuthority per passare quel ruolo in esso.
*/
authoritiesDTO.add(new SimpleGrantedAuthority(AuthenticationType.PREFIX_ROLE + item.getAuthority()));
/**
* Aggiungo alla lista il codice del ruolo.
*/
codeAuthorities.add(item.getAuthority());
}
/**
* Dopo valorizziamo l' oggetto user personalizzato che avrà il nome utente, le credenziali, ed
* eventuali altri campi come e-mail ecc.
*/
userDTO = new PMAuthenticationUserDetails(user.getUsername(), user.getPassword(), user.isEnabled(), true, true, true, authoritiesDTO);
// set custom property
userDTO.setUserId(String.valueOf(user.getId()));
userDTO.setFirstname(user.getFirstname());
userDTO.setLastname(user.getLastname());
userDTO.setEmail(user.getEmail());
userDTO.setAvatar(user.getAvatar());
userDTO.setRoles(codeAuthorities);
}else
logger.error("L'utente con username: " + username + " >>> NON E' STATO TROVATO IN TABELLA.");
return userDTO;
}catch(Exception e ){
logger.error("loadPMUserByUsername >>> " + e, e);
return userDTO;
}
}
我的配置需要更多内容吗?
`