FilterInvocationSecurityMetadataSource中的getAttributes 不执行
AccessDecisionManager也不执行
@Override
protected void configure(HttpSecurity http) throws Exception {
    // CSRF protection is disabled application-wide, so state-changing
    // requests are not checked for a CSRF token.
    http.csrf().disable();

    // "/home" is public; every other URL needs an authenticated session.
    http.authorizeRequests()
            .antMatchers("/home").permitAll()
            .anyRequest().authenticated();

    // Form login on a custom page; the success handler comes from a sibling
    // bean method (code3).
    http.formLogin()
            .loginPage("/login")
            .permitAll()
            .successHandler(loginSuccessHandler());

    // Logout invalidates the session and lands on the public home page.
    http.logout()
            .logoutSuccessUrl("/home")
            .permitAll()
            .invalidateHttpSession(true);

    // Remember-me tokens stay valid for 1209600 s (two weeks).
    http.rememberMe().tokenValiditySeconds(1209600);

    // NOTE(review): nothing in this configuration registers
    // CustomFilterSecurityInterceptor (e.g. via addFilterBefore), so the custom
    // metadata source and decision manager are not part of this filter chain —
    // confirm how they are wired.
}
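@Service
public class CustomInvocationSecurityMetadataSourceService implements FilterInvocationSecurityMetadataSource {

    private final SResourceService sResourceService;
    private final SRoleService sRoleService;

    /**
     * Resource (URL pattern) -> roles ({@code ROLE_*} attributes) allowed to
     * access it. Shared by all instances; written only by {@link #loadResourceDefine()}.
     */
    private static Map<String, Collection<ConfigAttribute>> resourceMap = null;

    /**
     * Builds the resource/role table once at construction time.
     *
     * @param sres source of the URL patterns granted to a role
     * @param sR   source of the role names
     */
    public CustomInvocationSecurityMetadataSourceService(SResourceService sres, SRoleService sR) {
        this.sResourceService = sres;
        this.sRoleService = sR;
        loadResourceDefine();
    }

    /**
     * (Re)loads {@link #resourceMap} from the role and resource services.
     * The key is the resource (usually a URL), the value the roles that may
     * access it; one resource can be reachable by several roles. The table is
     * built aside and swapped in whole so readers never see a half-filled map.
     */
    private void loadResourceDefine() {
        Map<String, Collection<ConfigAttribute>> table = new HashMap<String, Collection<ConfigAttribute>>();
        for (String roleName : sRoleService.findByAll()) {
            ConfigAttribute role = new SecurityConfig(roleName);
            for (String url : sResourceService.findByRoleName(roleName)) {
                Collection<ConfigAttribute> allowed = table.get(url);
                if (allowed == null) {
                    allowed = new ArrayList<ConfigAttribute>();
                    table.put(url, allowed);
                }
                allowed.add(role);
            }
        }
        resourceMap = table;
    }

    /**
     * Returns every attribute referenced by the table (instead of the former
     * debug print and {@code null}), so an interceptor can validate them.
     */
    @Override
    public Collection<ConfigAttribute> getAllConfigAttributes() {
        if (resourceMap == null) {
            loadResourceDefine();
        }
        Collection<ConfigAttribute> all = new ArrayList<ConfigAttribute>();
        for (Collection<ConfigAttribute> atts : resourceMap.values()) {
            all.addAll(atts);
        }
        return all;
    }

    /**
     * Looks up the roles required for the request wrapped in {@code object}.
     *
     * @param object the {@link FilterInvocation} of the current request
     * @return the attributes of the first matching pattern, or {@code null}
     *         when no configured pattern matches (the unmatched URL is then left
     *         to the interceptor's own policy rather than being answered with an
     *         unrelated entry's attributes)
     * @throws IllegalArgumentException if {@code object} is not a FilterInvocation
     */
    @Override
    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
        if (!(object instanceof FilterInvocation)) {
            throw new IllegalArgumentException("Object must be a FilterInvocation");
        }
        FilterInvocation filterInvocation = (FilterInvocation) object;
        // Guard before the first use of the map (the original dereferenced it first).
        if (resourceMap == null) {
            loadResourceDefine();
        }
        // NOTE(review): HashMap iteration order is unspecified, so when several
        // patterns match the same request (a broad and a narrow one) which entry
        // wins is arbitrary; an ordered, most-specific-first table would fix that.
        for (Map.Entry<String, Collection<ConfigAttribute>> entry : resourceMap.entrySet()) {
            RequestMatcher matcher = new AntPathRequestMatcher(entry.getKey());
            if (matcher.matches(filterInvocation.getHttpRequest())) {
                return entry.getValue();
            }
        }
        // No pattern matched: do not borrow another resource's attributes ("/hello").
        return null;
    }

    /**
     * Only {@link FilterInvocation} secure objects are understood, which is
     * what {@link #getAttributes(Object)} casts to.
     */
    @Override
    public boolean supports(Class<?> clazz) {
        return FilterInvocation.class.isAssignableFrom(clazz);
    }
}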
/*
 * @(#) MyFilterSecurityInterceptor.java 2011-3-23 07:53:03 AM
 *
 * Copyright 2011 by Sparta
 */
package cn.paybay.ticketManager.support.authentication;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

import org.springframework.security.access.SecurityMetadataSource;
import org.springframework.security.access.intercept.AbstractSecurityInterceptor;
import org.springframework.security.access.intercept.InterceptorStatusToken;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;

/**
 * Servlet filter whose job is to obtain a securityMetadataSource through
 * Spring's IoC and run the before/after-invocation access checks with it.
 * That securityMetadataSource corresponds to the custom
 * MyInvocationSecurityMetadataSourceService in this package, which loads roles
 * and resources from the database into a HashMap for Spring Security's
 * access checks.
 *
 * @author sparta 11/3/29
 */
public class CustomFilterSecurityInterceptor extends AbstractSecurityInterceptor implements Filter {

    /** Supplies the attributes (roles) required per URL; assigned through the setter. */
    private FilterInvocationSecurityMetadataSource securityMetadataSource;

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Wrap the request/response/chain once; invoke() performs the check.
        invoke(new FilterInvocation(request, response, chain));
    }

    public FilterInvocationSecurityMetadataSource getSecurityMetadataSource() {
        return securityMetadataSource;
    }

    public void setSecurityMetadataSource(FilterInvocationSecurityMetadataSource securityMetadataSource) {
        this.securityMetadataSource = securityMetadataSource;
    }

    @Override
    public Class<? extends Object> getSecureObjectClass() {
        return FilterInvocation.class;
    }

    @Override
    public SecurityMetadataSource obtainSecurityMetadataSource() {
        return securityMetadataSource;
    }

    /**
     * Runs the access decision ({@code beforeInvocation}), lets the request
     * continue down the chain, and always runs {@code afterInvocation} so the
     * interceptor's state is restored even when the chain throws.
     */
    public void invoke(FilterInvocation fi) throws IOException, ServletException {
        InterceptorStatusToken token = beforeInvocation(fi);
        try {
            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
        } finally {
            afterInvocation(token, null);
        }
    }

    @Override
    public void init(FilterConfig filterconfig) throws ServletException {
        // nothing to initialise here; the metadata source arrives via the setter
    }

    @Override
    public void destroy() {
        // no resources to release
    }
}
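/*
 * @(#) MyAccessDecisionManager.java 2011-3-23 04:41:12 PM
 *
 * Copyright 2011 by Sparta
 */
package cn.paybay.ticketManager.support.authentication;

import java.util.Collection;
import java.util.Iterator;

import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/**
 * Role-based {@link AccessDecisionManager}: access is granted when the caller
 * holds at least one of the roles attached to the requested resource.
 * AccessDecisionManager is central to Spring Security's authorization.
 */
public class CustomAccessDecisionManager implements AccessDecisionManager {

    /**
     * Grants access if any granted authority equals (after trimming) any of
     * the required attributes; otherwise denies.
     *
     * @param authentication   the caller and its granted authorities
     * @param object           the secured object (unused; the resource has
     *                         already been resolved to {@code configAttributes})
     * @param configAttributes roles required for the resource. {@code null}
     *                         is treated as "nothing configured" and passes
     *                         unchecked (kept from the original), whereas an
     *                         empty collection denies everyone
     * @throws AccessDeniedException               when no authority matches
     * @throws InsufficientAuthenticationException when {@code authentication} is missing
     */
    @Override
    public void decide(Authentication authentication, Object object, Collection<ConfigAttribute> configAttributes)
            throws AccessDeniedException, InsufficientAuthenticationException {
        if (configAttributes == null) {
            return;
        }
        if (authentication == null) {
            throw new InsufficientAuthenticationException("No authentication present");
        }
        for (ConfigAttribute ca : configAttributes) {
            // Use the interface accessor: the former cast to SecurityConfig threw
            // ClassCastException for any other ConfigAttribute implementation.
            String needRole = ca.getAttribute();
            if (needRole == null) {
                continue; // attribute has no string form; nothing to compare against
            }
            needRole = needRole.trim();
            // ga = an authority the user holds; needRole = a role that unlocks the resource
            for (GrantedAuthority ga : authentication.getAuthorities()) {
                String held = ga.getAuthority();
                if (held != null && needRole.equals(held.trim())) {
                    return;
                }
            }
        }
        throw new AccessDeniedException("Access is denied");
    }

    /** Every attribute is accepted; non-string attributes are skipped in {@link #decide}. */
    @Override
    public boolean supports(ConfigAttribute attribute) {
        return true;
    }

    /** Any secure object class is accepted; {@code object} is not inspected. */
    @Override
    public boolean supports(Class<?> clazz) {
        return true;
    }
}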