BlogJava-云自无心水自闲-随笔分类-Spring

Spring Security中指定session超时后跳转的页面

云自无心水自闲 — Tue, 30 Aug 2011 23:25:00 GMT

Spring Security中指定session超时后跳转的页面

在xml配置文件中加入：

云自无心水自闲 2011-08-31 07:25 发表评论

Spring MVC + Spring Security + Spring JDBC中注入dataSource总是为Null的原因和解决

云自无心水自闲 — Fri, 26 Aug 2011 00:57:00 GMT

在applicationContext.xml中定义了一个DataSource：
但是在代码中，使用anotation进行注入的时候，却总是找不到这个dataSource.

   @Autowired
   public void setDataSource(DataSource dataSource) {
       jdbcTemplate = new JdbcTemplate(dataSource);
       jdbcInsert = new SimpleJdbcInsert(dataSource);
   }

最后终于想明白了，原因大概是这样的，使用autowired的时候，默认是根据类型来匹配的，在xml中定义的类型是：BasicDataSource，而不是接口DataSource，所以默认情况下这样是无法自动装配的。解决办法是指令使用名字来进行bean的匹配，也就是用Qualifier指定bean的id.

   @Autowired
   public void setDataSource(@Qualifier("dataSource") DataSource dataSource) {
       jdbcTemplate = new JdbcTemplate(dataSource);
       jdbcInsert = new SimpleJdbcInsert(dataSource);
   }

另外一点，在网上搜索的过程中发现有不少人都有类似的问题，但是他们的原因是没有正确使用spring的注入，而是自己在代码中new了一个Dao的实例，这样的话，spring是无法将dataSource注入到dao的实例中的

云自无心水自闲 2011-08-26 08:57 发表评论

Spring Security - Using custom Authentication Processing Filter

云自无心水自闲 — Fri, 11 Jun 2010 00:12:00 GMT

Recently I got a chance working with Spring security, formerly known as Acegi Security for spring. While working with the framework, I heard comments from friends and colleagues saying that spring security lacks proper documentation. So thought of sharing a little knowledge. By the way, this is first ever blog posting and kindly excuse me and let me know any errors and improvements. Spring security offers a simple configuration based security for your web applications helping you secure your web application with out littering your business logic with any security code. It provides securing URL's based on the Role (Authorities), securing your business methods based on the ACL's. The first step in hooking up the spring security to your web application is by specifying the DelegatingFilterProxy in your web.xml.

springSecurityFilterChain

org.springframework.web.filter.DelegatingFilterProxy

springSecurityFilterChain

REQUEST INCLUDE FORWARD If you want to externalize all of your security related configuration into a separate file, you can do so and add that to your context location param.

contextConfigLocation

/WEB-INF/beans.xml , /WEB-INF/springSecurity.xml

Now comes the part of security configuration for your application, Adding the URL security patterns is pretty simple and straight forward. Add all the URL patterns which you want to secure and add the wild card pattern at the end. You need to have some default principal and role even for non logged in users as you need to give access to pages like log in, register and forgot password kind of functionality even to non logged in users. I tried to add comments to pretty much every element which I am using here. As an example I added just a wild card intercept url which make every page of my application secure. You need to exclude different urls based on the roles.

Following is my custom implementation of AuthenticationEntryPoint, which currently is not doing any thing except leveraging the commence to its super class which is the spring implementation of AuthenticationProcessingFilterEntryPoint. I hooked it to add any custom logic. public class CustomAuthenticationEntryPoint extends AuthenticationProcessingFilterEntryPoint { private static final Log logger = LogFactory.getLog(CustomAuthenticationEntryPoint.class); @Override public void commence(ServletRequest request, ServletResponse response, AuthenticationException authException) throws IOException, ServletException { super.commence(request, response, authException); } } This is my custom authentication manager which actually does the custom login of the user. It will throw an BadCredentialsException in case of invalid credentials or thorws a AuthenticationServiceException in case of a service error (Database error, SQL error or any other error). public class CustomAuthunticationManager implements AuthenticationManager { @Autowired UserManagerService userManagerService; public Authentication authenticate(Authentication authentication) throws AuthenticationException { if(StringUtils.isBlank((String) authentication.getPrincipal()) || StringUtils.isBlank((String) authentication.getCredentials())){ throw new BadCredentialsException("Invalid username/password"); } User user = null; GrantedAuthority[] grantedAuthorities = null; try{ user = userManagerService.getUser((String) authentication.getPrincipal(), (String) authentication.getCredentials()); } catch(InvalidCredentialsException ex){ throw new BadCredentialsException(ex.getMessage()); } catch(Exception e){ throw new AuthenticationServiceException("Currently we are unable to process your request. Kindly try again later."); } if (user != null) { List roles = user.getAssociatedRoles(); grantedAuthorities = new GrantedAuthority[roles.size()]; for (int i = 0; i < roles.size(); i++) { Role role = roles.get(i); GrantedAuthority authority = new GrantedAuthorityImpl(role.getRoleCode()); grantedAuthorities[i] = authority; } } else{ throw new BadCredentialsException("Invalid username/password"); } return new UsernamePasswordAuthenticationToken(user, authentication.getCredentials(), grantedAuthorities); } } At the client side (jsp), the simple configuration you need to do is post the request to"/j_spring_security_check" with parameters "j_username" and "j_password". That's pretty much all you need to do for enabling spring security to your existing web application. I will try to explain about doing the method security using ACL's and configuring the view using spring security tags in another post.

云自无心水自闲 2010-06-11 08:12 发表评论

如何使用spring的autowire为servlet注入Bean

云自无心水自闲 — Fri, 04 Sep 2009 06:19:00 GMT

在应用中一般普通的JavaPojo都是由Spring来管理的，所以使用autowire注解来进行注入不会产生问题，但是有两个东西是例外的，一个是Filter，一个是Servlet，这两样东西都是由Servlet容器来维护管理的，所以如果想和其他的Bean一样使用Autowire来注入的话，是需要做一些额外的功夫的。
对于Filter，Spring提供了DelegatingFilterProxy，所以本文主要讲述Servlet的解决。
1、比较直观但是不大优雅的做法是重写init()方法，在里面使用AutowireCapableBeanFactory来手工告诉Spring：我这个Servlet是需要这样的一个Bean的。具体写法：
public void init(ServletConfig servletConfig) throws ServletException {
    ServletContext servletContext = servletConfig.getServletContext();
    WebApplicationContext webApplicationContext = WebApplicationContextUtils.getWebApplicationContext(servletContext);
    AutowireCapableBeanFactory autowireCapableBeanFactory = webApplicationContext.getAutowireCapableBeanFactory();
    autowireCapableBeanFactory.configureBean(this, BEAN_NAME);
}
其中，BEAN_NAME就是需要注入的Bean在spring中注册的名字.
这样写的主要问题是就是那个BEAN_NAME,这样写有点主动查找，而不是依赖注入的感觉。

2、创建一个类似于DelegatingFilterProxy那样的代理，通过代理根据配置来找到实际的Servlet，完成业务逻辑功能。
假定我们有一个Servlet名字叫UserServlet，需要注入一个UserManager，伪代码如下：
public class UserServlet extends HttpServlet {
    @Autowired(required = true)
    private UserManager userManager;
}
第一步:
public class DelegatingServletProxy extends GenericServlet {
    private String targetBean;
    private Servlet proxy;

    @Override
    public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException {
        proxy.service(req, res);
    }

    @Override
    public void init() throws ServletException {
        this.targetBean = getServletName();
        getServletBean();
        proxy.init(getServletConfig());
    }

    private void getServletBean() {
        WebApplicationContext wac = WebApplicationContextUtils.getRequiredWebApplicationContext(getServletContext());
        this.proxy = (Servlet) wac.getBean(targetBean);
    }
}
第二步：
配置web.xml文件，原来UserServlet的配置大致是这样的：

userServlet

com.sample.UserServlet

userServlet

/userServlet

现在修改为

userServlet

com.sample.DelegatingServletProxy

userServlet

/userServlet

注意,spring是根据Servlet的名字来查找被代理的Servlet的，所以，首先我们要在UserServlet类前面加上@Component,来告诉Srping：我也是一个Bean。如果名称和Web.xml里面定义的不一样的话，可以在这里指定Bean的名字，比如： @Component("userServlet")

云自无心水自闲 2009-09-04 14:19 发表评论