1. 首頁
  2. 問答
  3. 春季安全jdbc配置授權用戶與多個角色

春季安全jdbc配置授權用戶與多個角色

2016-02-26 102 views
0

我目前正在研究基於java的發票應用程序。 我需要的是,授權用戶與多個角色,例如彼得應該有角色ROLE_SETTING,ROLE_REPORT,ROLE_QUOTE,而安妮只有一個角色ROLE_SETTING等...春季安全jdbc配置授權用戶與多個角色

這是我的spring-security-config.xml

<beans:beans xmlns="http://www.springframework.org/schema/security" 
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:schemaLocation="http://www.springframework.org/schema/beans 
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd 
http://www.springframework.org/schema/security 
http://www.springframework.org/schema/security/spring-security-3.2.xsd"> 

<http auto-config="true"> 
    <access-denied-handler error-page="/403page" /> 
    <intercept-url pattern="/makebill*" access="ROLE_ADMIN,ROLE_MAKEBILL" /> 
    <intercept-url pattern="/report*" access="ROLE_ADMIN,ROLE_REPORT" /> 
    <intercept-url pattern="/stock*" access="ROLE_ADMIN,ROLE_STOCK" /> 
    <intercept-url pattern="/customer*" access="ROLE_ADMIN,ROLE_CUSTOMER" /> 
    <!-- <intercept-url pattern="/setting*" access="ROLE_ADMIN,ROLE_SETTING" /> --> 
    <intercept-url pattern="/mainmenu*" access="ROLE_ADMIN,ROLE_MAKEBILL,ROLE_SETTING,ROLE_CUSTOMER,ROLE_REPORT,ROLE_STOCK" /> 
    <form-login 
    login-page='/login' username-parameter="username" 
    password-parameter="password" default-target-url="/mainmenu" 
    authentication-failure-url="/login?authfailed" /> 
    <logout logout-success-url="/login?logout" /> 
</http> 

<authentication-manager> 
    <authentication-provider> 
     <jdbc-user-service 
      data-source-ref="dataSource" 
      users-by-username-query="select username,password, enabled from person where username=?" 
      authorities-by-username-query="select username, role from person, role where username =? " /> 
    </authentication-provider> 
</authentication-manager> 


</beans:beans>

認證管理器目前工作的罰款只有一個角色,我的意思是......當SQL查詢authorities-by-username-query="select username, role from person, role where username =? "運行,如果返回值只是一個角色,如ROLE_REPORT,應用程序工作正常,但如果在db中有一個記錄,如ROLE_REPORT,ROLE_SETTING,ROLE_CUSTOMER,當查詢檢索到這個值時,應用程序將返回我404錯誤,看來我將無法授予用戶m多個角色。

任何人都可以請指出我做錯了什麼。 謝謝。

來源

2016-02-26 seph

+0

有幾個地方,你需要解決。首先,通過用戶名查詢的權限是不正確的。我認爲你是SQL查詢的新手。您正在獲取2個表格而沒有使用任何鍵將它們連接起來。請看看這個 http://stackoverflow.com/questions/20455139/users-by-username-query-returns-no-results。這可能無法解決您的所有問題。讓我知道你是否有另一個不同的問題。 – Tin

+0

你可能會發現這個教程很有用:http://www.mkyong.com/spring-security/spring-security-form-login-using-database/ – Tin

+0

mkyong的嘖嘖是爲一個用戶授予一個角色,我需要的是多個角色爲單個用戶... – seph

回答

0

我找到了自己的解決方案,來實現我自己的UserDetails,這裏的代碼

@Service("assembler") 
public class Assembler { 

    @Transactional(readOnly = true) 
    User buildUserFromUserEntity(Person person) { 

    String username = person.getUsername(); 
    String password = person.getPassword(); 
    boolean enabled = true; 

    List<SimpleGrantedAuthority> authorities = new ArrayList<SimpleGrantedAuthority>(); 
    String[] authStrings = person.getRole().split(","); 
    for(String authString : authStrings) { 
     System.out.println("all auth roles: " + authString); 
     authorities.add(new SimpleGrantedAuthority(authString)); 
    } 


    User user = new User(username, password, enabled, 
     true, true, true, authorities); 

    return user; 
    } 
} 






@Service("userDetailsService") 
public class UserDetailsServiceImpl implements UserDetailsService { 

    @Autowired private PersonService personService; 
    @Autowired private Assembler assembler; 

    @Transactional(readOnly = true) 
    public UserDetails loadUserByUsername(String username) 
     throws UsernameNotFoundException, DataAccessException { 

    UserDetails userDetails = null; 
    Person person = null; 

    List<Person> listPeople = personService.listPeople(); 
    for (Person p: listPeople) { 
     if (p.getUsername().equals(username)) { 
      person = p; 
     } 
    } 

    if (person == null) 
     throw new UsernameNotFoundException("user not found"); 

    return assembler.buildUserFromUserEntity(person); 
    } 
}

,這裏是彈簧安全-config.xml中

<http auto-config="true"> 
    <access-denied-handler error-page="/403page" /> 
    <intercept-url pattern="/makebill*" access="ROLE_ADMIN,ROLE_MAKEBILL" /> 
    <intercept-url pattern="/report*" access="ROLE_ADMIN,ROLE_REPORT" /> 
    <intercept-url pattern="/stock*" access="ROLE_ADMIN,ROLE_STOCK" /> 
    <intercept-url pattern="/customer*" access="ROLE_ADMIN,ROLE_CUSTOMER" /> 
    <intercept-url pattern="/setting*" access="ROLE_ADMIN,ROLE_SETTING" /> 
    <intercept-url pattern="/mainmenu*" access="ROLE_ADMIN,ROLE_MAKEBILL,ROLE_SETTING,ROLE_CUSTOMER,ROLE_REPORT,ROLE_STOCK" /> 
    <form-login 
    login-page='/login' username-parameter="username" 
    password-parameter="password" default-target-url="/mainmenu" 
    authentication-failure-url="/login?authfailed" /> 
    <logout logout-success-url="/login?logout" /> 
</http> 


<beans:bean id="daoAuthenticationProvider" 
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"> 
    <beans:property name="userDetailsService" ref="userDetailsService"/> 
</beans:bean> 

<beans:bean id="authenticationManager" 
    class="org.springframework.security.authentication.ProviderManager"> 
    <beans:property name="providers"> 
    <beans:list> 
     <beans:ref local="daoAuthenticationProvider" /> 
    </beans:list> 
    </beans:property> 
</beans:bean> 

<authentication-manager> 
    <authentication-provider user-service-ref="userDetailsService"> 

    </authentication-provider> 
</authentication-manager>

我現在能夠分配完美地爲單個用戶提供多種角色。 感謝您閱讀:)

來源

2016-02-26 16:20:00 seph

相關問題

 相關問題