BlogJava-云自无心水自闲-随笔分类-Spring Security

Spring Security - Using custom Authentication Processing Filter

云自无心水自闲 — Fri, 11 Jun 2010 00:12:00 GMT

Recently I got a chance working with Spring security, formerly known as Acegi Security for spring. While working with the framework, I heard comments from friends and colleagues saying that spring security lacks proper documentation. So thought of sharing a little knowledge. By the way, this is first ever blog posting and kindly excuse me and let me know any errors and improvements. Spring security offers a simple configuration based security for your web applications helping you secure your web application with out littering your business logic with any security code. It provides securing URL's based on the Role (Authorities), securing your business methods based on the ACL's. The first step in hooking up the spring security to your web application is by specifying the DelegatingFilterProxy in your web.xml.

springSecurityFilterChain

org.springframework.web.filter.DelegatingFilterProxy

springSecurityFilterChain

REQUEST INCLUDE FORWARD If you want to externalize all of your security related configuration into a separate file, you can do so and add that to your context location param.

contextConfigLocation

/WEB-INF/beans.xml , /WEB-INF/springSecurity.xml

Now comes the part of security configuration for your application, Adding the URL security patterns is pretty simple and straight forward. Add all the URL patterns which you want to secure and add the wild card pattern at the end. You need to have some default principal and role even for non logged in users as you need to give access to pages like log in, register and forgot password kind of functionality even to non logged in users. I tried to add comments to pretty much every element which I am using here. As an example I added just a wild card intercept url which make every page of my application secure. You need to exclude different urls based on the roles.

Following is my custom implementation of AuthenticationEntryPoint, which currently is not doing any thing except leveraging the commence to its super class which is the spring implementation of AuthenticationProcessingFilterEntryPoint. I hooked it to add any custom logic. public class CustomAuthenticationEntryPoint extends AuthenticationProcessingFilterEntryPoint { private static final Log logger = LogFactory.getLog(CustomAuthenticationEntryPoint.class); @Override public void commence(ServletRequest request, ServletResponse response, AuthenticationException authException) throws IOException, ServletException { super.commence(request, response, authException); } } This is my custom authentication manager which actually does the custom login of the user. It will throw an BadCredentialsException in case of invalid credentials or thorws a AuthenticationServiceException in case of a service error (Database error, SQL error or any other error). public class CustomAuthunticationManager implements AuthenticationManager { @Autowired UserManagerService userManagerService; public Authentication authenticate(Authentication authentication) throws AuthenticationException { if(StringUtils.isBlank((String) authentication.getPrincipal()) || StringUtils.isBlank((String) authentication.getCredentials())){ throw new BadCredentialsException("Invalid username/password"); } User user = null; GrantedAuthority[] grantedAuthorities = null; try{ user = userManagerService.getUser((String) authentication.getPrincipal(), (String) authentication.getCredentials()); } catch(InvalidCredentialsException ex){ throw new BadCredentialsException(ex.getMessage()); } catch(Exception e){ throw new AuthenticationServiceException("Currently we are unable to process your request. Kindly try again later."); } if (user != null) { List roles = user.getAssociatedRoles(); grantedAuthorities = new GrantedAuthority[roles.size()]; for (int i = 0; i < roles.size(); i++) { Role role = roles.get(i); GrantedAuthority authority = new GrantedAuthorityImpl(role.getRoleCode()); grantedAuthorities[i] = authority; } } else{ throw new BadCredentialsException("Invalid username/password"); } return new UsernamePasswordAuthenticationToken(user, authentication.getCredentials(), grantedAuthorities); } } At the client side (jsp), the simple configuration you need to do is post the request to"/j_spring_security_check" with parameters "j_username" and "j_password". That's pretty much all you need to do for enabling spring security to your existing web application. I will try to explain about doing the method security using ACL's and configuring the view using spring security tags in another post.

云自无心水自闲 2010-06-11 08:12 发表评论

Tapestry最新版5.1.0.5教程（九）：权限控制框架的实现-进阶篇

云自无心水自闲 — Thu, 04 Feb 2010 11:17:00 GMT

在上一篇中我们研究了如何实现SpringSecurity中Jsp Tag的的功能。这一次我们一起研究一下如何实现在Tapestry5.1中添加一个Filter来对所有的操作进行权限的过滤控制。
在SpringSecurity中，我们一般是在application-context.xml中，添加一个SpringSecurity的Filter，然后在另外一个xml中详细配置如何根据Url的规则进行权限的控制。而Tapestry的哲学是尽量减少Xml中的配置（其IOC容器也基本上是借鉴Guice而不Spring的），所以我们也是在代码中实现权限规则的控制。
总体上来看，可以用两种方式来实现url规则，一种是Request级别的Filter，一种是页面组件级别的Filter，如果是Request级别的话，可以从Request对象中获取Url路径，这样就与SpringSecurity基本一样了。本文主要介绍页面组件级别的Filter，从中我们也可以体会到Tapestry5.1中的IOC容器的强大和便利。

这就是Filter的代码，这个Filter必须实现ComponentRequestFilter接口。值得注意的是其构造函数所需要用到的4个参数，这4个参数都是Tapestry5本身自有的服务，所以我们什么也不用做，Tapestry5自动会将服务的实例注入进来，这就是Tapestry-IOC的威力。
ComponentRequestFilter接口一共有4个方法需要实现，具体代码如下：

1 public class RequiresLoginFilter implements ComponentRequestFilter {
2
3     private final PageRenderLinkSource renderLinkSource;
4
5     private final ComponentSource componentSource;
6
7     private final Response response;
8
9     private final ApplicationStateManager appStateManager;
10
11     public RequiresLoginFilter(PageRenderLinkSource renderLinkSource,
12             ComponentSource componentSource, Response response,
13             ApplicationStateManager appStateManager
14             ) {
15         this.renderLinkSource = renderLinkSource;
16         this.componentSource = componentSource;
17         this.response = response;
18         this.appStateManager = appStateManager;
19     }
20
21     public void handleComponentEvent(
22             ComponentEventRequestParameters parameters,
23             ComponentRequestHandler handler) throws IOException {
24
25         if (dispatchedToLoginPage(parameters.getActivePageName())) {
26             return;
27         }
28
29         handler.handleComponentEvent(parameters);
30
31     }
32
33     public void handlePageRender(PageRenderRequestParameters parameters,
34             ComponentRequestHandler handler) throws IOException {
35         if (dispatchedToLoginPage(parameters.getLogicalPageName())) {
36             return;
37         }
38         handler.handlePageRender(parameters);
39
40     }
41
42     private boolean dispatchedToLoginPage(String pageName) {
43         Component page = componentSource.getPage(pageName);
44
45         if (page.getClass().isAnnotationPresent(RequiresLogin.class)) {
46             if ( ! appStateManager.exists(Authentication.class)) {
47                 redirect();
48                 return true;
49             }
50             Authentication auth = appStateManager.get(Authentication.class);
51             if ( auth == null ) {
52                 redirect();
53                 return true;
54             }
55
56              if ( ! auth.isLoggedIn()) {
57                  redirect();
58                  return true;
59              }
60
61             RequiresLogin requireLogin = page.getClass().getAnnotation(
62                     RequiresLogin.class);
63             String ifNotGranted = requireLogin.ifNotGranted();
64             String ifAllGranted = requireLogin.ifAllGranted();
65             String ifAnyGranted = requireLogin.ifAnyGranted();
66             boolean permitted = auth.checkPermission(ifNotGranted, ifAllGranted, ifAnyGranted);
67             if ( ! permitted ) {
68                 return true;
69             }
70         }
71
72         return false;
73     }
74
75     private void redirect() {
76          Link link = renderLinkSource.createPageRenderLink("Logout");
77
78          try {
79              response.sendRedirect(link);
80          } catch (Exception e) {
81          }
82     }
83
84 }

在ComponentRequestFilter中，我们无法使用@SessionState注解来直接注入Session中的变量，但是我们可以通过ApplicationStateManager来取得。

现在我们需要把刚定义的Filter注册到系统中，很简单，只要在AppModule中添加以下函数就行了：

1 public static void contributeComponentRequestHandler(
2 OrderedConfiguration<ComponentRequestFilter> configuration) {
3 configuration.addInstance("RequiresLogin", RequiresLoginFilter.class);
4 }
5

从本例子中我们可以看到Tapesty Ioc容器使用的便利性，也认识到了Ioc容器在Tapestry体系中的重要性

云自无心水自闲 2010-02-04 19:17 发表评论

Tapestry最新版5.1.0.5教程（八）：权限控制框架的实现-基础篇

云自无心水自闲 — Tue, 12 Jan 2010 12:17:00 GMT

Tapestry中并没有类似于Spring Security这样的专门的权限框架。对此Tapestry的作者Lewis认为主要是用户对于权限的要求实在太多变化了。他认为很难抽象出一个通用的权限框架来满足所有的用户，所以他干脆就不费事去做这件事了。但其实我们很容易就能利用Tapestry已有的工具来完成类似于SpringSecurity的功能。
本文主要介绍如何实现类似于SpringSecurity的jsp tag的功能。在Tapestry中，利用Components实现这一点非常容易。
其基本原理是Tapestry5中一个页面或者组件的渲染生成过程是基于一个状态机和队列完成的。这样，渲染生成过程就被细分成了很多个小模块，我们可以非常容易地覆写这些小模块。具体内容详见官方文档：http://tapestry.apache.org/tapestry5.1/guide/rendering.html。如果权限校验不通过，我们就可以控制不显示组件的内容。
我们这里就是主要依赖这个过程来实现在页面这一层面对权限进行校验和控制。
代码主要包含两大部分，一个组件和一个用于权限控制的服务。
参考了Tapestry-Spring-Security的实现，我也将组件命名为IfRole（当然，我们也可以和Tapestry-Spring-Security一样，也再生成一个IfLoggedIn组件）。权限控制的服务我命名为：AuthenticationService。
主要的实现思路：
将AuthenticationService申明为SessionState变量。这样这个变量就可以在所有的页面和组件之间很方便地共享了。一般情况下，是在登录页面对AuthenticationService进行赋值，而在退出页面清空AuthenticationService这个变量。
代码（这部分代码完全根据应用的需求进自行更改）：
AuthenticationService的代码：

public class AuthenticationService {
    private List<String> privilegeList;
    // privilegeList 的getter and setter

    public boolean checkPermission(String ifNotGranted, String ifAllGranted,
            String ifAnyGranted) {
        if (((null == ifAllGranted) || "".equals(ifAllGranted))
                && ((null == ifAnyGranted) || "".equals(ifAnyGranted))
                && ((null == ifNotGranted) || "".equals(ifNotGranted))) {
            return false;
        }

        if ((null != ifNotGranted) && !"".equals(ifNotGranted)) {
            StringTokenizer st = new StringTokenizer(ifNotGranted, ",");
            while (st.hasMoreTokens()) {
                String value = st.nextToken();
                if (privilegeList.contains(value)) {
                    return false;
                }
            }
        }

        if ((null != ifAllGranted) && !"".equals(ifAllGranted)) {
            StringTokenizer st = new StringTokenizer(ifAllGranted, ",");
            while (st.hasMoreTokens()) {
                String value = st.nextToken();
                if (!privilegeList.contains(value)) {
                    return false;
                }
            }
        }

        if ((null != ifAnyGranted) && !"".equals(ifAnyGranted)) {
            StringTokenizer st = new StringTokenizer(ifAnyGranted, ",");
            while (st.hasMoreTokens()) {
                String value = st.nextToken();
                if (privilegeList.contains(value)) {
                    return true;
                }
            }
            return false;
        }

        return true;
    }
}

IfRole的代码（这个类需要放在Components目录下）：

public class IfRole {
    /**
     * A comma-separated list of roles is supplied to one or more of the
     * following parameters. If none are supplied, the default behavior is to
     * forbid access. Behavior should be self-explanatory.
     */
    @Parameter(required = false, defaultPrefix = "literal")
    private String ifAllGranted;

    @Parameter(required = false, defaultPrefix = "literal")
    private String ifAnyGranted;

    @Parameter(required = false, defaultPrefix = "literal")
    private String ifNotGranted;

    /**
     * An alternate {@link Block} to render if the test parameter is false. The default, null, means
     * render nothing in that situation.
     */
    @Parameter(name = "else")
    private Block elseBlock;

    private boolean test;

    @SessionState
    private AuthenticationService auth;

    private boolean checkPermission() {
        return auth.checkPermission(ifNotGranted, ifAllGranted, ifAnyGranted);
    }

    void setupRender() {
        test = checkPermission();
    }

    /**
     * Returns null if the test method returns true, which allows normal
     * rendering (of the body). If the test parameter is false, returns the else
     * parameter (this may also be null).
     */
    Object beginRender() {
        return test ? null : elseBlock;
    }

    /**
     * If the test method returns true, then the body is rendered, otherwise not. The component does
     * not have a template or do any other rendering besides its body.
     */
    boolean beforeRenderBody() {
        return test;
    }

}

示例：
1. 在登录页面：
@SessionState
private Authentication auth;

......

// if user name and password is valid:
auth.setPrivliegeList(.....);

2. 在需要权限控制的页面模板中：

administrator can see this block

云自无心水自闲 2010-01-12 20:17 发表评论