Spring Security 学习(5)

这篇主要的内容 

Spring Security 保护业务代码的执行

 

准备工作 .

1.创建HelloService接口

package zyk.service;

//import org.springframework.security.access.annotation.Secured;

public interface HelloService {

	//@Secured({ "ROLE_USER", "ROLE_ADMIN" })
	public String sayHi(String userName);

	//@Secured({"ROLE_ADMIN"})
	public String sayBye(String userName);
}

 

2.实现类HelloServiceImpl

package zyk.service.impl;

import zyk.service.HelloService;

public class HelloServiceImpl implements HelloService {

	public String sayHi(String userName) {
		return "大家好!我是:" + userName;
	}

	public String sayBye(String userName) {
		return userName + " 跟大家说再见!";
	}

}

 

3.配置applicationContext.xml 使HelloService 交给Spring 管理.

<bean id="helloService" class="zyk.service.impl.HelloServiceImpl" />

 

4.创建 HelloServlet

package zyk.servlet;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.ApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

import zyk.service.HelloService;

public class HelloServlet extends HttpServlet {

	/**
	 * 
	 */
	private static final long serialVersionUID = 1L;

	/**
	 * Constructor of the object.
	 */
	public HelloServlet() {
		super();
	}

	/**
	 * Destruction of the servlet. <br>
	 */
	public void destroy() {
		super.destroy(); // Just puts "destroy" string in log
		// Put your code here
	}

	/**
	 * The doGet method of the servlet. <br>
	 * 
	 * This method is called when a form has its tag value method equals to get.
	 * 
	 * @param request
	 *            the request send by the client to the server
	 * @param response
	 *            the response send by the server to the client
	 * @throws ServletException
	 *             if an error occurred
	 * @throws IOException
	 *             if an error occurred
	 */
	public void doGet(HttpServletRequest request, HttpServletResponse response)
			throws ServletException, IOException {

		response.setContentType("text/html;charset=UTF-8");
		response.setCharacterEncoding("UTF-8");
		String userName = request.getParameter("userName");
		String method = request.getParameter("method");
		ApplicationContext ctx = WebApplicationContextUtils
				.getWebApplicationContext(this.getServletContext());
		HelloService helloService = ctx.getBean("helloService",
				HelloService.class);
		PrintWriter out = response.getWriter();
		out.println("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">");
		out.println("<HTML>");
		out.println("  <HEAD><TITLE></TITLE></HEAD>");
		out.println("  <BODY>");
		if (method.equals("sayHi")) {
			out.println(helloService.sayHi(userName));
		} else {
			out.println(helloService.sayBye(userName));
		}
		out.println("  </BODY>");
		out.println("</HTML>");
		out.flush();
		out.close();
	}

	/**
	 * The doPost method of the servlet. <br>
	 * 
	 * This method is called when a form has its tag value method equals to
	 * post.
	 * 
	 * @param request
	 *            the request send by the client to the server
	 * @param response
	 *            the response send by the server to the client
	 * @throws ServletException
	 *             if an error occurred
	 * @throws IOException
	 *             if an error occurred
	 */
	public void doPost(HttpServletRequest request, HttpServletResponse response)
			throws ServletException, IOException {

		doGet(request, response);
	}

	/**
	 * Initialization of the servlet. <br>
	 * 
	 * @throws ServletException
	 *             if an error occurs
	 */
	public void init() throws ServletException {
		// Put your code here
	}

}

 

5.在web.xml 中配置 HelloServlet 的映射路径. 

  <servlet>
    <description>This is the description of my J2EE component</description>
    <display-name>This is the display name of my J2EE component</display-name>
    <servlet-name>HelloServlet</servlet-name>
    <servlet-class>zyk.servlet.HelloServlet</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>HelloServlet</servlet-name>
    <url-pattern>/hello.action</url-pattern>
  </servlet-mapping>

 

6.在Index.jsp 中添加链接. 

	<a href="${pageContext.request.contextPath}/hello.action?method=sayHi&userName=<sec:authentication property="name" />">SayHi!</a> 
	<br />
	<a href="${pageContext.request.contextPath}/hello.action?method=sayBye&userName=<sec:authentication property="name" />">SayBye!</a>

 

 

第一次测试  User 和 admin 均可以调用 SayHi 和 SayBye 方法.

接下来 要实现的是 

admin 可以 调用 SayHi 和 SayBye 方法.

user  只能 调用 SayHi 方法..

 

A)使用XML的方式

1.在applicationContext.xml 中 配置 

	<!-- XML 的方式 -->
	<security:global-method-security>
		<!--  拥有ROLE_USER或者ROLE_ADMIN 权限的用户 可以访问 包 zyk.service 下的任意个类 里 返回值类型为任意类型 并 方法名为sayHi 的方法-->
		<security:protect-pointcut access="ROLE_USER,ROLE_ADMIN" expression="execution(* zyk.service.*.sayHi(..))"/>
		<!-- 第一个* ：表示返回任意类型
			  第二个 * ：表示任意的类
			 第三个* : 以say开头的任意方法	名
			 对应的是 : 拥有ROLE_ADMIN 权限的用户 可以访问 包 zyk.service 下的任意个类 里 返回值类型为任意类型 并以say开头的方法 (例如 sayHi 和 sayBye)
		 -->
		<security:protect-pointcut access="ROLE_ADMIN" expression="execution(* zyk.service.*.say*(..))"/>
	</security:global-method-security>

 

第二次测试 Ok 。将上面的配置注释掉.换用Annotation 的方式 .

 

B)使用Annotation的方式

 

1.启用Annotation  配置applicationContext.xml

	<!-- 启用annotation -->
	<security:global-method-security
		secured-annotations="enabled" jsr250-annotations="enabled" />

 

 2.给HelloService接口里的方法加上 SpringSecurity的注解.用法很明显.

package zyk.service;

import org.springframework.security.access.annotation.Secured;

public interface HelloService {

	@Secured({ "ROLE_USER", "ROLE_ADMIN" })
	public String sayHi(String userName);

	@Secured({"ROLE_ADMIN"})
	public String sayBye(String userName);
}

 再次测试 Ok。

 

到此学习的资料 全部来自第一篇下的附件.《一步一步教你使用SpringSecurity》

 

 

 

 

 

 

评论

1 楼 futhead 2014-01-13  

您好，能发一份保护业务代码执行的Demo吗？这个我试了好多遍，不管是User还是admin，都能随意访问，换了3.1也一样，不知道哪里出问题了。
邮箱futhead@civilnet.cn，非常感谢！