项目中用到了 Spring Security，用到的功能比较简单，是自己研究的，如下：


spring-security.xml


<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<!-- Enables @PreAuthorize/@PostAuthorize on service methods; with no intercept-url rules declared
in the <http> element below, these annotations carry all of the authorization decisions. -->
<security:global-method-security pre-post-annotations="enabled" />

<!-- NOTE(review): no <security:intercept-url> patterns are declared here, so there is no URL-level
access control in this configuration — confirm that method-level security alone is intended. -->
<security:http auto-config="true" use-expressions="true" access-denied-page="/auth/denied" >
<!-- The custom filter below overrides this element, so the failure/target URLs given here are not used. -->
<security:form-login
login-page="/auth/login"
authentication-failure-url="/auth/login?error=true"
default-target-url="/auth/common"/>
<!-- Custom filter: the FORM_LOGIN_FILTER alias corresponds to UsernamePasswordAuthenticationFilter.
This filter overrides the authentication-failure-url and default-target-url attributes of http/form-login. -->
<security:custom-filter ref="appSessionProcessingFilter" before="FORM_LOGIN_FILTER" />

<!-- Invalidating the session on logout also drops the User entity stored by AppSessionSuccessHandler. -->
<security:logout
invalidate-session="true"
logout-success-url="/auth/login"
logout-url="/auth/logout"/>

<!-- Redirect target after session timeout; when this is enabled the previously requested URL cannot be remembered. -->
<!--<security:session-management invalid-session-url="/auth/login"/>-->
</security:http>

<!-- Declare an authentication-manager to use a custom userDetailsService -->
<!-- NOTE(review): this provider declares no <security:password-encoder ref="passwordEncoder"/> child,
so the "passwordEncoder" bean declared below is never applied to it; the submitted password is
presumably compared with the stored value as-is — verify against the login behaviour. -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider user-service-ref="myUserDetailsService"/>
</security:authentication-manager>
<bean id="myUserDetailsService" class="com.vmware.sop.service.security.UserDetailsService"/>

<!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the database -->
<!-- NOTE(review): this bean is not referenced anywhere in this file. Independently of that, unsalted MD5
is not a suitable password hash; a salted, adaptive hash (bcrypt/scrypt/argon2) is the usual choice. -->
<bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>

<!-- Custom success/failure handling. This filter disables some attributes of the form-login element, so they
are re-assigned here. Note: all three properties of this filter must be set. -->
<bean id="appSessionProcessingFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="authenticationSuccessHandler">
<!-- Stores the application User in the HTTP session, then redirects to the saved request or defaultTargetUrl. -->
<bean class="com.vmware.sop.service.security.AppSessionSuccessHandler">
<property name="defaultTargetUrl" value="/" />
</bean>
</property>
<property name="authenticationFailureHandler">
<bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
<property name="defaultFailureUrl" value="/auth/login?error=true"/>
</bean>
</property>
</bean>

</beans>



权限的核心类,用于获取用户的权限列表。


package com.vmware.sop.service.security;

import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.DataAccessException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.util.CollectionUtils;

import com.vmware.sop.dao.management.IUserDao;
import com.vmware.sop.entity.Privilege;
import com.vmware.sop.entity.User;

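/**
 * Custom {@link org.springframework.security.core.userdetails.UserDetailsService}
 * that loads a user by login name through {@link IUserDao} and maps every
 * privilege of the user's group to a {@link GrantedAuthority} whose name is the
 * privilege id.
 *
 * @author 张国明
 * @version 2012-5-24 下午2:29:03
 */
public class UserDetailsService implements
        org.springframework.security.core.userdetails.UserDetailsService {
    @Autowired
    private IUserDao userDao;

    /**
     * Loads the user with the given name and assembles its authorities.
     * <p>
     * This method never returns {@code null}: the {@code UserDetailsService}
     * contract requires a {@link UsernameNotFoundException} when no usable user
     * exists, and a {@code null} return is treated by the authentication
     * provider as a contract violation rather than as a failed login.
     *
     * @param username login name submitted on the login form
     * @return a Spring Security user carrying one authority per privilege id
     * @throws UsernameNotFoundException if no user with that name exists, or the
     *         user has no group or the group has no privileges
     * @throws DataAccessException if the lookup fails
     */
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        User user = userDao.queryByName(username);
        if (!hasUserPrivilege(user)) {
            // A single exception type covers both "unknown user" and "user without
            // privileges", so the failure does not reveal which of the two applied.
            throw new UsernameNotFoundException("No usable user found for name: " + username);
        }

        // NOTE(review): the four account flags (enabled, account non-expired,
        // credentials non-expired, account non-locked) are hard-coded to true;
        // the User entity used here exposes no such state, so an account cannot
        // be disabled or locked through this path — confirm that is intended.
        return new org.springframework.security.core.userdetails.User(
                user.getName(), user.getPassword(), true, true, true, true,
                assembleGrantedAuthorityList(user));
    }

    /**
     * Assembles the user's authorities.
     *
     * @param user the user being logged in; must have a group with at least one privilege
     * @return one {@link GrantedAuthority} per privilege, named by the privilege id
     */
    private List<GrantedAuthority> assembleGrantedAuthorityList(User user) {
        List<Privilege> privilegeList = user.getUserGroup().getPrivileges();
        List<GrantedAuthority> grantedAuthorityList =
                new ArrayList<GrantedAuthority>(privilegeList.size());

        for (Privilege privilege : privilegeList) {
            // The authority name is the numeric privilege id, so @PreAuthorize
            // expressions have to compare against that id, not a role name.
            String privilegeId = String.valueOf(privilege.getPrivilegeid());
            grantedAuthorityList.add(new GrantedAuthorityImpl(privilegeId));
        }

        return grantedAuthorityList;
    }

    /**
     * Tells whether the user can be authenticated at all.
     *
     * @param sopUser the user loaded from the database, possibly {@code null}
     * @return {@code true} only if the user exists, belongs to a group and that
     *         group has at least one privilege
     */
    private boolean hasUserPrivilege(User sopUser) {
        if (sopUser == null) {
            return false;
        }
        if (sopUser.getUserGroup() == null) {
            return false;
        }
        if (CollectionUtils.isEmpty(sopUser.getUserGroup().getPrivileges())) {
            return false;
        }

        return true;
    }
}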



用户登录成功后的过滤器,我用它来处理session。


package com.vmware.sop.service.security;

import com.vmware.sop.dao.management.IUserDao;
import com.vmware.sop.entity.User;
import com.vmware.sop.utils.SessionUtil;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;

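/**
 * Authentication success handler that stores the application's {@link User}
 * entity in the HTTP session after login, then delegates to the saved-request
 * redirect of the superclass.
 *
 * @author 张国明 guomingzhang2008@163.com
 * @version 2012-6-5 下午2:11
 */
public class AppSessionSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    @Autowired
    private IUserDao userDao;

    /**
     * Looks up the authenticated user by name, stores it in the session under
     * {@link SessionUtil#USER} and continues with the superclass redirect.
     *
     * @param request the current request; its session is created if absent
     * @param response the current response, used by the superclass redirect
     * @param authentication the successful authentication; its name is the login username
     * @throws ServletException propagated from the superclass
     * @throws IOException propagated from the superclass
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws ServletException, IOException {
        // Authentication#getName() yields the username for a UserDetails principal and
        // for a plain String principal alike, so no unchecked cast to UserDetails is needed.
        User user = userDao.queryByName(authentication.getName());

        // NOTE(review): the whole entity is placed in the session, including whatever
        // getPassword() holds; consider storing only the fields the web layer needs.
        HttpSession session = request.getSession();
        session.setAttribute(SessionUtil.USER, user);

        super.onAuthenticationSuccess(request, response, authentication);
    }
}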