Pathway from ACEGI to Spring Security 2.0(3)
2008-11-20 08:56
OK, so now we have set up the database-based resources, and the next step is to get Spring Security to read the user details from the database. The examples that come with Spring Security 2.0 show you how to keep a list of users and authorities in the configuration file like this:
<authentication-provider>
<user-service>
<user name="rod" password="password" authorities="ROLE_SUPERVISOR, ROLE_USER" />
<user name="dianne" password="password" authorities="ROLE_USER,ROLE_TELLER" />
<user name="scott" password="password" authorities="ROLE_USER" />
<user name="peter" password="password" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
You could replace these examples with the following configuration so that the user details are read straight from the database:
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource" />
</authentication-provider>
While this is a very fast and easy way to configure database-based security, it does mean that you have to conform to a default database schema. By default, the <jdbc-user-service> requires the following tables: user, authorities, groups, group_members and group_authorities.
In my case this was not going to work, as my security schema is not the same as what the <jdbc-user-service> requires, so I was forced to change the <authentication-provider>:
<authentication-provider>
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="SELECT U.username, U.password, U.accountEnabled AS 'enabled' FROM User U where U.username=?"
authorities-by-username-query="SELECT U.username, R.name as 'authority' FROM User U JOIN Authority A ON U.id = A.userId JOIN Role R ON R.id = A.roleId WHERE U.username=?"/>
</authentication-provider>
By adding the users-by-username-query and authorities-by-username-query properties you are able to override the default SQL statements with your own. As in ACEGI security, you must make sure that the columns your SQL statement returns are the same as what Spring Security expects. There is another property, group-authorities-by-username-query, which I am not using and have therefore left out of this example, but it works in exactly the same manner as the other two SQL statements.
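An added example, not from the original post: a Python sketch that runs the two custom queries above against an in-memory SQLite stand-in for the MySQL schema and checks the column order, since Spring Security's JDBC user service reads these results by position (username, password, enabled, then username, authority). The table layout is inferred from the queries; the rows and the helper names `check_shape` and `load_user` are constructed for illustration.

```python
import sqlite3

# The two custom queries from the <jdbc-user-service> configuration above.
USERS_QUERY = ("SELECT U.username, U.password, U.accountEnabled AS 'enabled' "
               "FROM User U WHERE U.username=?")
AUTHORITIES_QUERY = ("SELECT U.username, R.name AS 'authority' FROM User U "
                     "JOIN Authority A ON U.id = A.userId "
                     "JOIN Role R ON R.id = A.roleId WHERE U.username=?")
# Constructed "careless edit" variant: the first two columns are swapped.
SWAPPED_QUERY = USERS_QUERY.replace("U.username, U.password", "U.password, U.username")

# Assumption: table layout inferred from the queries; all rows are constructed.
SCHEMA = """
CREATE TABLE User (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
                   password TEXT, accountEnabled INTEGER);
CREATE TABLE Role (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE Authority (userId INTEGER, roleId INTEGER);
INSERT INTO User VALUES (1, 'rod', 'password', 1), (2, 'scott', 'password', 0);
INSERT INTO Role VALUES (1, 'ROLE_SUPERVISOR'), (2, 'ROLE_USER');
INSERT INTO Authority VALUES (1, 1), (1, 2), (2, 2);
"""

def make_db():
    """In-memory SQLite database standing in for the real MySQL schema."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def check_shape(db, query, expected):
    """List the ways the query's result columns differ from `expected`."""
    names = [d[0] for d in db.execute(query, ("rod",)).description]
    if len(names) != len(expected):
        return [f"expected {len(expected)} columns {expected}, got {names}"]
    return [f"column {i} is '{n}', expected '{e}'"
            for i, (n, e) in enumerate(zip(names, expected), 1) if n != e]

def load_user(db, username):
    """Read by position: (username, password, enabled), then (username, authority)."""
    row = db.execute(USERS_QUERY, (username,)).fetchone()
    if row is None:
        return None
    roles = sorted(r[1] for r in db.execute(AUTHORITIES_QUERY, (username,)))
    return {"username": row[0], "password": row[1],
            "enabled": bool(row[2]), "authorities": roles}

if __name__ == "__main__":
    db = make_db()
    print(check_shape(db, SWAPPED_QUERY, ["username", "password", "enabled"]))
    print(load_user(db, "rod"))
```

A swapped column order still executes without an SQL error, which is why the check compares the result shape rather than relying on the query merely running.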
This feature of the <jdbc-user-service> has only been included in the past month or so and was not available in the pre-release versions of Spring Security. Luckily it has been added as it does make life a lot easier. You can read about this here and here.
The dataSource bean specifies which database to connect to; it is not included in my configuration file as it is not specific to security. Here is an example of a dataSource bean for those who are not sure:
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="com.mysql.jdbc.Driver"/>
<property name="url" value="jdbc:mysql://localhost/db_name?useUnicode=true&amp;characterEncoding=utf-8"/>
<property name="username" value="root"/>
<property name="password" value="pwd"/>
</bean>
And that is all for the configuration of Spring Security. My last task was to change my current logon screen. In ACEGI you could create your own logon <form> by making sure that you POSTED the correctly named HTML input elements to the correct URL. While you can still do this in Spring Security 2.0, some of the names have changed.
You can still call your username field j_username and your password field j_password as before.
<input type="text" name="j_username" id="j_username"/>
<input type="password" name="j_password" id="j_password"/>
However you must set the action property of your <form> to point to j_spring_security_check and not j_acegi_security_check.
<form method="post" id="loginForm" action="<c:url value='j_spring_security_check'/>">
There are a few places in our application where the user can log out. This is a link that redirects the logout request to the security framework so that it can be handled accordingly. It needs to be changed from j_acegi_logout to j_spring_security_logout.
<a href='<c:url value="j_spring_security_logout"/>'>Logout</a>
One of the benefits of Spring Security 2.0 over ACEGI is the ability to write more concise configuration files. This is clearly shown when I compare my old ACEGI configuration file (172 lines) to my new one (42 lines).
Here is my complete securityContext.xml file:
<?xml version="1.0" encoding=
Conclusion
This short guide on how to configure Spring Security 2.0 with access to resources stored in a database does not come close to illustrating the host of new features that are available in Spring Security 2.0; however, I think that it does show some of the most commonly used abilities of the framework, and I hope that you will find it useful.