Spring MVC+BlazeDS+Flex框架实践：Security篇

在Spring MVC+BlazeDS+Flex框架实践：Database篇的基础上，这次要加入的是Spring Security的配置与应用。至于Spring Security的原理及配置详解网上已经有很多可参考的文章，在这里就不再重复了。

一、Spring Security配置

1）添加Application-Security.xml

在J***A工程src下创建Application-Security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
	xmlns="http://www.springframework.org/schema/security" 
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd                   http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd
                   ">
	<http auto-config="true" session-fixation-protection="none" access-denied-page="/modules/common/403.jsp">
		<form-login login-page="/modules/common/Index.html" authentication-failure-url="/modules/common/Index.html"
			default-target-url="/modules/common/Index.html" />
		<logout logout-success-url="/modules/common/index.html" />	
		<intercept-url pattern="/modules/common/**" access="ROLE_ANONYMOUS" />
		<intercept-url pattern="/messagebroker/**" access="ROLE_ANONYMOUS" />
		 <intercept-url pattern="/modules/admin/**" access="ROLE_ADMIN" />		
		<intercept-url pattern="/**" access="ROLE_USER" />
	</http>
	<authentication-manager alias="authenticationManager" />
	
	<authentication-provider user-service-ref="customUserDetailsService">
	</authentication-provider>
	<beans:bean id="loggerListener" class="com.hand.common.security.SecurityLogListener">
		<beans:property name="genericService" ref="genericService" />
	</beans:bean>
	<beans:bean id="customLogoutFilter" class="org.springframework.security.ui.logout.LogoutFilter">
		<custom-filter before="LOGOUT_FILTER" />
		<beans:constructor-arg value="/"></beans:constructor-arg>
		<beans:constructor-arg>
			<beans:list>
				<beans:bean class="com.hand.common.security.SecurityLogoutHandler">
					<beans:property name="genericService" ref="genericService" />
				</beans:bean>
			</beans:list>
		</beans:constructor-arg>
	</beans:bean>
	
	<beans:bean id="customUserDetailsService" class="com.hand.common.security.FlexUserDetailsService">
		<beans:property name="genericService" ref="genericService"></beans:property>
		<beans:property name="userNameProperty">
			<beans:value>userName</beans:value>
		</beans:property>
	</beans:bean>
</beans:beans>

2）修改web.xml

在添加Application-Security.xml后，需要在web.xml中将其添加到初始化加载列表中

修改web.xml以下配置：

<context-param>
		<param-name>contextConfigLocation</param-name>
		<param-value>
			classpath:ApplicationContext.xml,classpath:Application-Flex.xml,classpath:Application-hibernate.xml,classpath:Application-Security.xml
		</param-value>
	</context-param>

二、Security类创建

在J***A工程src下创建package com.common.security

创建SecurityLogListener.java

package com.common.security;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.security.event.authentication.AbstractAuthenticationEvent;
import org.springframework.security.event.authentication.AuthenticationSuccessEvent;
import org.springframework.security.event.authentication.InteractiveAuthenticationSuccessEvent;
import org.springframework.security.ui.WebAuthenticationDetails;
import org.springframework.security.ui.session.HttpSessionApplicationEvent;
import org.springframework.security.ui.session.HttpSessionDestroyedEvent;
import com.common.hibernate.GenericService;
import flex.messaging.FlexContext;
public class SecurityLogListener implements ApplicationListener {
	private static final Log logger = LogFactory.getLog(SecurityLogListener.class);
	GenericService genericService;
	public GenericService getGenericService() {
		return genericService;
	}
	public void setGenericService(GenericService genericService) {
		this.genericService = genericService;
	}
	public void onApplicationEvent(ApplicationEvent event) {
		if (event instanceof AbstractAuthenticationEvent) {
			try {
				AbstractAuthenticationEvent authEvent = (AbstractAuthenticationEvent) event;
				if (event instanceof AuthenticationSuccessEvent) {
					Object obj = authEvent.getAuthentication().getPrincipal();
					if (obj instanceof FlexUserDetails) {
						
						System.out.println("Username: "+((FlexUserDetails) obj).getUsername());
						System.out.println("Login Date: "+new Date());
						System.out.println("Session Id: "+FlexContext.getFlexSession().getId());
					}
				} else if (event instanceof InteractiveAuthenticationSuccessEvent)
					logger.warn("InteractiveAuthenticationSuccessEvent:" + authEvent.getAuthentication().getDetails());
			} catch (Exception e) {
				// TODO Auto-generated catch block
				e.printStackTrace();
			}
		} else if (event instanceof HttpSessionApplicationEvent) {
			HttpSessionApplicationEvent sessionEvent = (HttpSessionApplicationEvent) event;
			if (event instanceof HttpSessionDestroyedEvent) {
				logger.info("[destroy]"+sessionEvent.getSession().getId());
				Map<String, Object> params = new HashMap<String, Object>();
				params.put("sessionId", sessionEvent.getSession().getId());
				System.out.println("Session Id: "+sessionEvent.getSession().getId());
				System.out.println("Session remove date: "+new Date());
				
			}else 
				logger.info("[create]"+sessionEvent.getSession().getId());
		}
	}
}

创建SecurityLogoutHandler.java

package com.common.security;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.Authentication;
import org.springframework.security.ui.logout.SecurityContextLogoutHandler;
import com.common.hibernate.GenericService;
public class SecurityLogoutHandler extends SecurityContextLogoutHandler {
	private static final Log logger = LogFactory.getLog(SecurityLogoutHandler.class);
	GenericService genericService;
	public SecurityLogoutHandler() {
		super();
	}
	public GenericService getGenericService() {
		return genericService;
	}
	public void setGenericService(GenericService genericService) {
		this.genericService = genericService;
	}
	public void logout(HttpServletRequest httpservletrequest, HttpServletResponse httpservletresponse,
			Authentication authentication) {
		try {
			Map<String, Object> params = new HashMap<String, Object>();
			params.put("sessionId", httpservletrequest.getSession().getId());
			
		} catch (Exception e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		}
		super.logout(httpservletrequest, httpservletresponse, authentication);
	}
}

创建FlexUserDetails.java

此类中的信息与数据库的结构有关

package com.common.security;
import java.util.Date;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.userdetails.UserDetails;
import com.admin.domain.FrameworkUser;
public class FlexUserDetails implements UserDetails {
    private FrameworkUser fu;
    private GrantedAuthority[] authorities;
    public FlexUserDetails(FrameworkUser user,GrantedAuthority[] roles){
    	this.fu=user;
    	this.authorities=roles;
    	
    }
	public GrantedAuthority[] getAuthorities() {
		return authorities;
	}
	public String getPassword() {
		return fu.getUserPassword();
	}
	public String getUsername() {
		// TODO Auto-generated method stub
		return fu.getUserName();
	}
	public boolean isAccountNonExpired() {
     return true;
	}
	public boolean isAccountNonLocked() {
		// TODO Auto-generated method stub
		return true;
	}
	public boolean isCredentialsNonExpired() {
		// TODO Auto-generated method stub
		return true;
	}
	public boolean isEnabled() {
		Date now=new Date();
		return fu.getStartDateActive().before(now)&&(fu.getEndDateActive()==null||fu.getEndDateActive().after(now));
	}
	public FrameworkUser getFu() {
		return fu;
	}
	public void setFu(FrameworkUser fu) {
		this.fu = fu;
	}
	public void setAuthorities(GrantedAuthority[] authorities) {
		this.authorities = authorities;
	}
}

创建FlexUserDetailsService.java

此类中具体执行了用户登录时的授权等操作，其中明确了当用户为"admin"时，为其授予ROLE_ADMIN、ROLE_USER、ROLE_ANONYMOUS权限；而其他用户则只有ROLE_USER、ROLE_ANONYMOUS权限。不同权限的访问范围在Application-Security.xml中进行控制。本例中只有ROLE_ADMIN权限的角色才能访问modules/admin下的页面。

package com.common.security;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.log4j.Logger;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.dao.DataAccessException;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.SpringSecurityMessageSource;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;
import org.springframework.security.userdetails.UsernameNotFoundException;
import com.admin.domain.FrameworkUser;
import com.common.hibernate.GenericService;
public class FlexUserDetailsService implements UserDetailsService {
	private static final Logger logger = Logger.getLogger(AuthenticationHelper.class);
	private GenericService genericService;
	private String userNameProperty;
	protected MessageSourceAccessor messages;
	private String authoritiesbyUsernameQuery;
	public FlexUserDetailsService() {
		messages = SpringSecurityMessageSource.getAccessor();
	}
	public GenericService getGenericService() {
		return genericService;
	}
	public void setGenericService(GenericService genericService) {
		this.genericService = genericService;
	}
	public String getUserNameProperty() {
		return userNameProperty;
	}
	public void setUserNameProperty(String userNameProperty) {
		this.userNameProperty = userNameProperty;
	}
	public String getAuthoritiesbyUsernameQuery() {
		return authoritiesbyUsernameQuery;
	}
	public void setAuthoritiesbyUsernameQuery(String authoritiesbyUsernameQuery) {
		this.authoritiesbyUsernameQuery = authoritiesbyUsernameQuery;
	}
	public UserDetails loadUserByUsername(String name) throws UsernameNotFoundException, DataAccessException {
		System.out.println("UserDetails: loadUserByUsername");
		List users = new ArrayList();
		try {
			users = this.loadUsersByUsername(name);
		} catch (Exception e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		}
		if (users.size() == 0)
			throw new UsernameNotFoundException(messages.getMessage("JdbcDaoImpl.notFound", new Object[] { name },
					"Username {0} not found"), name);
		FrameworkUser user = (FrameworkUser) users.get(0);
		GrantedAuthority[] roles = loadUserAuthorities(name);
		if (roles == null)
			throw new UsernameNotFoundException(messages.getMessage("JdbcDaoImpl.noAuthority", new Object[] { name },
					"User {0} has no GrantedAuthority"), name);
		logger.info("roles " + roles.length);
		logger.info("login in success," + user.getUserName());
		return new FlexUserDetails(user, roles);
	}
	private List<Object> loadUsersByUsername(String name) throws Exception {
		System.out.println("List<Object>: loadUserByUsername");
		Map<String, Object> params = new HashMap<String, Object>();
		params.put(this.userNameProperty, name);
		return genericService.findByProperty(FrameworkUser.class.getName(), params);
	}
	private GrantedAuthority[] loadUserAuthorities(String name) {
		Map params = new HashMap();
		params.put("userName", name);
		
		List<GrantedAuthority> roles = new ArrayList<GrantedAuthority>();
		
		if(name.equals("admin")){
			roles.add(new GrantedAuthorityImpl(name));
			roles.add(new GrantedAuthorityImpl("ROLE_ANONYMOUS"));
			roles.add(new GrantedAuthorityImpl("ROLE_ADMIN"));
			roles.add(new GrantedAuthorityImpl("ROLE_USER"));
			System.out.println("授权: ROLE_ADMIN,ROLE_ANONYMOUS");
		}else{
			roles.add(new GrantedAuthorityImpl(name));
			roles.add(new GrantedAuthorityImpl("ROLE_ANONYMOUS"));
			roles.add(new GrantedAuthorityImpl("ROLE_USER"));
			System.out.println("授权: ROLE_USER,ROLE_ANONYMOUS");
		}		
		GrantedAuthority[] authoritiesarray = new GrantedAuthority[roles.size()];
		roles.toArray(authoritiesarray);
		return authoritiesarray;
	}
}

创建AuthenticationHelper.java

此类在用户登录时被调用

package com.common.security;
import java.util.HashMap;
import java.util.Map;
import org.apache.log4j.Logger;
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationManager;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.userdetails.UserDetails;
import flex.messaging.FlexContext;
public class AuthenticationHelper {
	private static final Logger logger = Logger.getLogger(AuthenticationHelper.class);
	private AuthenticationManager authenticationManager;
	public AuthenticationManager getAuthenticationManager() {
		return authenticationManager;
	}
	public void setAuthenticationManager(AuthenticationManager authenticationManager) {
		this.authenticationManager = authenticationManager;
	}
	public void authenticatePrincipal(String username, String password) {
		//try{
		logger.info("user login system! username:" + username);
		UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(
				username, password);
		Authentication authentication = authenticationManager.authenticate(usernamePasswordAuthenticationToken);
		SecurityContextHolder.getContext().setAuthentication(authentication);
		GrantedAuthority[] authorities = SecurityContextHolder.getContext().getAuthentication().getAuthorities();
		int numAuthorities = authorities.length;
		String[] grantedRoles = new String[numAuthorities];
		for (int counter = 0; counter < numAuthorities; counter++) {
			grantedRoles[counter] = authorities[counter].getAuthority();
		}
		String name = SecurityContextHolder.getContext().getAuthentication().getName();
		logger.info("登录成功!");
		//}catch(Exception e){e.printStackTrace();}
	}
	public Map getCurrentUser() {
		if (SecurityContextHolder.getContext() == null
				|| SecurityContextHolder.getContext().getAuthentication() == null
				|| SecurityContextHolder.getContext().getAuthentication().getPrincipal() == null) {
			Map temp = new HashMap();
			temp.put("userName", "System");
			temp.put("userId", 0);
			return temp;
		}
		Map user = new HashMap();
		Object obj = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
		if (obj instanceof UserDetails) {
			user.put("userDescription", ((FlexUserDetails) obj).getFu().getUserDescription());
			user.put("userId", ((FlexUserDetails) obj).getFu().getUserId());
			user.put("userName", ((FlexUserDetails) obj).getUsername());
		} else {
			user.put("userName", obj.toString());
			user.put("userId", -100);
		}
		logger.info(user);
		return user;
	}
	public Long getCurrentUserId() {
		if (this.getCurrentUser().get("userId") != null)
			return Long.valueOf(this.getCurrentUser().get("userId").toString());
		return new Long(-100);
	}
}

三、配置AuthenticationHelper

1）发布AuthenticationHelper

在Application-Flex.xml中添加如下配置：

<bean id="authenticationHelper" class="com.hand.common.security.AuthenticationHelper">
		<property name="authenticationManager" ref="authenticationManager"></property>
		<flex:remoting-destination />
	</bean>

2）创建CommonModule.mxml

在FLEX工程modules/common目录下创建CommonModule.mxml，用以实现Security验证

<?xml version="1.0" encoding="utf-8"?>
<mx:Module xmlns:mx="http://www.adobe.com/2006/mxml" layout="absolute" width="500" height="300">
	<mx:RichTextEditor x="0" y="0" title="Title" width="100%" height="100%">
	</mx:RichTextEditor>
</mx:Module>

3）引用authenticationHelper

在FLEX工程remoting-config.xml中添加如下配置：

<destination id="authenticationHelper">
		<properties>
			<source>authenticationHelper</source>
		</properties>
	</destination>

3）修改Index.mxml

在Index.mxml中调用authenticationHelper，修改后的Index.mxml内容如下：

<?xml version="1.0" encoding="utf-8"?>
<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" 
	            layout="vertical"
	            horizontalAlign="center"
	            creationComplete="initApp()" 
	            fontSize="15" >
	
	<mx:Script>
		<!--[CDATA[
			import mx.rpc.events.FaultEvent;
			import mx.rpc.events.ResultEvent;
			import mx.controls.Alert;
			
			private function initApp():void{
				
				UserService.getMessage();
				UserService.getMessage.addEventListener(ResultEvent.RESULT, getMessageHandler);
			}
			private function getMessageHandler(evt:ResultEvent):void{
				UserService.getMessage.removeEventListener(ResultEvent.RESULT, getMessageHandler);
				initText.text = evt.result as String;
			}
			private function login():void{
				//添加登录成功监听器
				authenticationHelper.authenticatePrincipal.addEventListener(ResultEvent.RESULT, loginSuccess);
				//添加登录失败监听器
				authenticationHelper.authenticatePrincipal.addEventListener(FaultEvent.FAULT, loginFailure);
				//向服务器发送登录请求
				authenticationHelper.authenticatePrincipal(username.text, password.text);
			}
			
			private function loginSuccess(event:Event):void
			{
				authenticationHelper.authenticatePrincipal.removeEventListener(ResultEvent.RESULT, loginSuccess);
				this.currentState='loginSuccess';
			}
			
			private function loginFailure(event:FaultEvent):void
			{
				Alert.show("登录不成功！"+event.fault.faultString);
				authenticationHelper.removeEventListener(FaultEvent.FAULT, loginFailure);
			}
			private function changeState(sign:String):void{
				currentState = 'moduleState';
				if(sign=='A'){
					currentState = 'moduleState';
					moduleLoader.url = '../admin/UserModule.swf';
				}else{
					currentState = 'moduleState';
					moduleLoader.url = '../common/CommonModule.swf';
				}
			}
			private function logout():void{
				navigateToURL(new URLRequest("javascript:location.href='TestProject/j_spring_security_logout';"), "_self");
			}
			
		]]-->
	</mx:Script>
	<mx:RemoteObject id="UserService" destination="UserService"/>
	<mx:RemoteObject id="authenticationHelper" destination="authenticationHelper"/>
	<mx:states>
		<mx:State name="loginSuccess">
			<mx:RemoveChild target="{vbox1}"/>
			<mx:AddChild position="lastChild">
				<mx:VBox width="50%" height="30%" horizontalAlign="center" verticalAlign="middle">
					<mx:LinkButton label="admin.mxml" click="changeState('A')"/>
					<mx:LinkButton label="common.mxml" click="changeState('B')"/>
				</mx:VBox>
			</mx:AddChild>
		</mx:State>
		<mx:State name="moduleState">
			<mx:RemoveChild target="{vbox1}"/>
			<mx:AddChild position="lastChild">
				<mx:ModuleLoader width="50%" height="50%" id="moduleLoader" url="../admin/UserModule.swf"/>
			</mx:AddChild>
			<mx:AddChild position="lastChild">
				<mx:LinkButton label="返回" click="currentState='loginSuccess'"/>
			</mx:AddChild>
			<mx:AddChild position="lastChild">
				<mx:LinkButton label="退出" click="logout()"/>
			</mx:AddChild>
		</mx:State>
	</mx:states>
	<mx:Label text="Welcome" id="initText" fontWeight="bold"/>
	<mx:VBox width="50%" height="50%" horizontalAlign="center" verticalAlign="middle" id="vbox1"> 
	  <mx:FormItem label="用户名" labelWidth="100">
	  	<mx:TextInput id="username" width="200"/>
	  </mx:FormItem>
	  <mx:FormItem label="密码" labelWidth="100">
	  	<mx:TextInput id="password" width="200"  displayAsPassword="true"/>
	  </mx:FormItem>
	  <mx:Button label="登录" width="80" click="login()"/>
	</mx:VBox>
</mx:Application>

四、编译运行

1）编译FLEX工程

选择Project—>Clean—>TestProject

2）拷贝FLEX编译目录bin-debug/modules到J***A工程WebRoot下

3）启动本地数据库

4）启动服务器

5）服务器正常启动后，在浏览器内输入(其中9090为服务器端口号)

http://localhost:9090/TestProject/modules/common/Index.html



运行结果：

以Sky用户登录





登录首页





查看modules/admin/UserModule.swf，由于权限控制将无法访问





查看modules/common/CommonModule.swf





以admin用户登录





查看modules/admin/UserModule/swf，由于已经为该用户授予了权限，因此可以访问





查看modules/common/CommonModule.swf







到此Spring MVC+BlzeDS+Flex框架的搭建三个过程都已经结束，如果今后还有新的内容我会及时和大家分享。