Remember-Me认证服务:
1.配置RememberMeProcessFilter过滤器,并且为它提供认证管理器和RememberMeService实例
<bean id="rememberMeProcessingFilter" class="org.acegisecurity.ui.rememberme.RememberMeProcessingFilter"> <property name="authenticationManager"><ref local="authenticationManager"/></property> <property name="rememberMeServices"><ref local="rememberMeServices"/></property> </bean> <bean id="rememberMeServices" class="org.acegisecurity.ui.rememberme.TokenBasedRememberMeServices"> <property name="userDetailsService"><ref local="jdbcDaoImpl"/></property> <property name="key"><value>springRocks</value></property> <property name="alwaysRemember" value="true"></property> </bean>
|
2.将上述RememberMeProcessingFilter过滤器定义的名字添加到FilterChainProxy定义中
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy"> <property name="filterInvocationDefinitionSource"> <value> PATTERN_TYPE_APACHE_ANT /**=httpSessionContextIntegrationFilter,logoutFilter,basicProcessingFilter,rememberMeProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor </value> </property> </bean>
|
3.定义RememberMeAuthenticationProvider认证提供者
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager"> <property name="providers"> <list> <ref local="daoAuthenticationProvider" /> <ref local="rememberMeAuthenticationProvider" /> </list> </property> </bean> <bean id="rememberMeAuthenticationProvider" class="org.acegisecurity.providers.rememberme.RememberMeAuthenticationProvider"> <property name="key"><value>springRocks</value></property> </bean> 其暴露出来的key属性必须和rememberMeServices中的key属性取值相同
|
4.将上述rememberMeServices定义暴露给BasicProcessingFilter
<bean id="basicProcessingFilter" class="org.acegisecurity.ui.basicauth.BasicProcessingFilter"> <property name="authenticationManager" ref="authenticationManager" /> <property name="authenticationEntryPoint" ref="basicProcessingFilterEntryPoint" /> <property name="rememberMeServices" ref="rememberMeServices"></property> </bean> 默认时,rememberme会借助Cookie技术一同完成客户端和服务端的认证处理 启用了RememberMe服务,在第一次登陆成功后,关闭浏览器,再次登陆就不需要输入用户名和密码,默认是14天!
|
退出服务
点击退出时(j_acegi_logout),就会退出当前的web应用,重新登陆时,必须在输入用户名和密码!(不管是否启用remember-me服务)
1.定义相应的LogoutFilter过滤器
<bean id="logoutFilter" class="org.acegisecurity.ui.logout.LogoutFilter"> <constructor-arg value="/index.jsp"/> <constructor-arg> <list> <ref local="rememberMeServices" /> <bean class="org.acegisecurity.ui.logout.SecurityContextLogoutHandler"/> </list> </constructor-arg> </bean>
|
2.将logoutFilter过滤器添加到FilterChainProxy拦截器链中
<bean id="filterChainProxy" class="org.acegisecurity.util.FilterChainProxy"> <property name="filterInvocationDefinitionSource"> <value> PATTERN_TYPE_APACHE_ANT /**=httpSessionContextIntegrationFilter,logoutFilter,basicProcessingFilter,rememberMeProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor </value> </property> </bean>
|
3.在具体的web应用中,将某些超连接的url置为"j_acegi_logout"
匿名认证服务
在大部分企业应用中,都存在不少不需要用户登陆的web资源,比如登陆页面,退出页面,web应用主页等,鉴于此,acegi提供了匿名登陆服务
1.定义相应的AnonymousProcessingFilter
<bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter"> <property name="key"><value>foobar</value></property> <property name="userAttribute"><value>anonymousUser,ROLE_ANONYMOUS</value></property> </bean> userAttribute属性定义了匿名用户的密码(anonymousUser),权限(ROLE_ANONYMOUS),启用状态(enabled\disabled) key属性指定了用户的名称
|
2.定义AnonymousAuthenticationProvider,并添加到认证管理器中
<bean id="anonymousAuthenticationProvider" class="org.acegisecurity.providers.anonymous.AnonymousAuthenticationProvider"> <property name="key"><value>foobar</value></property> </bean> <bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager"> <property name="providers"> <list> <ref local="daoAuthenticationProvider"/> <ref local="anonymousAuthenticationProvider"/> <ref local="rememberMeAuthenticationProvider" /> </list> </property> </bean>
|
3.定义应用匿名认证的web资源
<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"> <property name="authenticationManager"><ref bean="authenticationManager"/></property> <property name="accessDecisionManager"><ref local="httpRequestAccessDecisionManager"/></property> <property name="objectDefinitionSource"> <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /index.jsp=ROLE_ANONYMOUS,ROLE_USER /hello.htm=ROLE_ANONYMOUS,ROLE_USER /logoff.jsp=ROLE_ANONYMOUS,ROLE_USER /switchuser.jsp=ROLE_SUPERVISOR /j_acegi_switch_user=ROLE_SUPERVISOR /acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER /**=ROLE_USER </value> </property> </bean> 由上面定义可以看出来/index.jsp /hello.html /logoff.jsp /acegilogin.jsp* 等url不需要用户登陆!
|
揭开SecurityContextHolder的真相:
用户登陆后,登陆用户的信息会以Authentication对象形式存在,并保存到SecurityContext对象中,
而SecutiryContext对象会存储到SecurityContextHolder中.那么直接借助SecurityContextHolder就可以操作到Authentication对象:
Authentication auth=SecurityContextHolder.getContext().getAuthentication()
Authentication对象默认存储在SecurityContext中,而acegi中内置了很多SecurityContext接口的实现,大部分情况下
acegi内部会直接使用SecurityContextImpl实现类!
由于存在不同的客户类型,而且它们所处的环境都不一样,比如某些是单个用户使用的桌面系统,而另一些使用的
是不同线程间的交互,切换,考虑到这些不同情况,acegi提供了SecurityContextHolderStrategy策略接口.默认时
SecurityContextHolder会将客户的SecurityContext访问请求委派给这个策略接口
其实现类:
ThreadLocalSecurityContextHolderStrategy采用ThreadLocal类型的变量存储SecurityContext对象,默认的!
InheritableThreadLocalSercurityHolderStrategy采用InheritableThreadLocal类型的变量存储SecurityContext对象
GlobalSecurityContextHolderStrategy采用SecurityContext类型的变量(contextHolder)存储SecurityContext对象
为了切换到不同的SecurityContextHolderStrategy实现类,开发者可以借助两种不同的方法:
1.在启动宿主目标应用的JVM时,提供"acegi.security.strategy"JVM系统参数
2.使用acegi前手工调用SecurityContextHolder暴露的setStrategyName()静态方法.
以上都需要提供字符串值:
MODE_THREADLOCAL(ThreadLocalSecurityContextHolderStrategy)
MODE_INHERITABLETHREADLOCAL(InheritableThreadLocalSercurityHolderStrategy)
MODE_GLOBAL(对应GlobalSecurityContextHolderStrategy)
eg:-Dacegi.security.strategy=MODE_INHERITABLETHREADLOCAL
阅读(2559) | 评论(0) | 转发(0) |