Spring Security 2.0 是Spring框架的下一代安全系统。它在上一代Acegi安全系统上又添加了许多新特性。
下载war 文件
http://downloads.sourceforge.net/zkforge/zkspringsec2.war
该示例程序来自于Spring Security 2.0,已经做了修改以保证和ZK一起顺利工作。
部署war 文件
Tomcat 5.5 或更高版本。
将zkspringsec2.war 复制到Tomcat服务器的$Tomcat_Home/webapps/文件夹,然后重启Tomcat。
使用你的浏览器访问:
http://localhost:8080/zkspringsec2/
username/password 为rod/koala
为使Spring Security和ZK一起工作,你需要复制下面的jar到/WEB-INF/lib。
ZK Spring Library jar 文件
zkspring.jar
Spring Security library jar 文件
aopalliance-1.0.jar aspectjrt-1.5.4.jar commons-codec-1.3.jar commons-collections-3.2.jar commons-lang.jar commons-logging-1.1.1.jar jstl-1.1.2.jar log4j-1.2.14.jar spring-security-acl-2.0.3.jar spring-security-core-2.0.3.jar spring-security-core-tiger-2.0.3.jar spring-security-taglibs-2.0.3.jar spring.jar standard-1.1.2.jar
为使Tomcat 和Spring Security一起工作,你需要指明spring-security配置文件的位置,然后定义spring的listener和spring-security 的filter,如下:
<!--
- Location of the XML file that defines the root application context
- Applied by ContextLoaderListener.
-->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
...
/WEB-INF/applicationContext-security.xml
</param-value>
</context-param>
<!--
- Loads the root application context of this web app at startup.
- The application context is then available via
- WebApplicationContextUtils.getWebApplicationContext(servletContext).
-->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<!--
- Spring Security Filter Chains
-->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
在$myApp/WEB-INF/目录下创建application-security.xml。此文件包含了spring-security所需要的配置(dentitions)。
<!--
- Spring namespace-based configuration
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
<!--
- Enable the @Secured annotation to secure service layer methods
-->
<global-method-security secured-annotations="enabled">
</global-method-security>
<!--
- Secure the page per the URL pattern
-->
<http auto-config="true">
<intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
<intercept-url pattern="/secure/**" access="IS_AUTHENTICATED_REMEMBERED" />
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<!-- use own login page rather than the default one -->
<form-login login-page="/login.zul"/>
</http>
<!--
Usernames/Passwords are
rod/koala
dianne/emu
scott/wombat
peter/opal
-->
<authentication-provider>
<password-encoder hash="md5"/>
<user-service>
<user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
<user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER,ROLE_TELLER" />
<user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a" authorities="ROLE_USER" />
<user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</beans:beans>
使用Spring Security 注释@Secured来保护商业服务的调用,如下:
public interface BankService {
@Secured("IS_AUTHENTICATED_ANONYMOUSLY")
public Account readAccount(Long id);
@Secured("IS_AUTHENTICATED_ANONYMOUSLY")
public Account[] findAccounts();
@Secured("ROLE_TELLER")
public Account post(Account account, double amount);
}
在/WEB-INF/applicationContext-security.xml内定义zk命名空间需要的配置,并指定哪个ZK事件需要被保护,如下,
<!--
- Spring namespace-based configuration
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:zksp="http://www.zkoss.org/2008/zkspring"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-2.0.1.xsd
http://www.zkoss.org/2008/zkspring
http://www.zkoss.org/2008/zkspring/zkspring.xsd">
<http ...>
...
</http>
...
<!--
- Secure the ZK event processing per the event name and ZK component path pattern
-->
<zksp:zk-event login-template-close-delay="5">
<zksp:intercept-event event="onClick" path="//**/btn_*" access="ROLE_TELLER"/>
<zksp:intercept-event path="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
</zksp:zk-event>
</beans:beans>
xmlns:zksp="http://www.zkoss.org/2008/zkspring 告诉Spring Security引擎我们将要使用ZK Spring命名空间配置,并定义命名空间为zksp。
http://www.zkoss.org/2008/zkspring
http://www.zkoss.org/2008/zkspring/zkspring.xsd 告诉Spring Security引擎哪里可以找到这个 ZK Spring命名空间的配置schema。
<zksp:zk-event> 告诉Spring Security引擎我们要保护ZK事件处理。这将会自动配置需要的 listeners,filters和 Spring bean。在这个例子中,login-template-close-delay="5"告诉ZK登录成功5秒后自动关闭这个登录窗口;zero(0)意味着登录成功后立即关闭登录窗口;而一个负数值则意味着要等待用户的操作。
<zksp:intercept-event event="onClick" path="//**/btn_*" access="ROLE_TELLER"/>t告诉Spring Security引擎我们想要保护哪些ZK事件和组件。在这个例子中,例如任何一个id以btn_开头的组件的onClick事件被触发后,它都会被ROLE_TELLER authority 检查。
<zksp:intercept-event path="/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/> 表示所有的匿名用户可以访问所有的事件和组件。
在下面的例子中,当他/她企图该改变帐户余额(the balance of account)时,ZK会提示终止用户登录,因为Button组件的onClick事件已经被Spring-Security 保护了。
<?variable-resolver class="org.zkoss.spring.DelegatingVariableResolver"?>
<zk>
<window title="Accouts" border="normal" width="500px">
<zscript><![CDATA[
void adjBalance(Button btn) {
double bal = new Double((String)btn.getAttribute("bal")).doubleValue();
//get the account object
bigbank.Account a = bankService.readAccount(btn.getAttribute("aid"));
//change the account balance
bankService.post(a, bal);
//update the account balance on the browser
btn.getFellow("bal_"+a.getId()).setValue(""+a.getBalance());
}
]]>
</zscript>
<grid>
<rows>
<row forEach="${accounts}">
<label value="${each.id}"/>
<label value="${each.holder}"/>
<label id="bal_${each.id}" value="${each.balance}"/>
<button id="btn_m20_${each.id}" label="-$20" onClick="adjBalance(self)">
<custom-attributes aid="${each.id}" bal="-20"/>
</button>
<button id="btn_m5_${each.id}" label="-$5" onClick="adjBalance(self)">
<custom-attributes aid="${each.id}" bal="-5"/>
</button>
...................
</row>
</rows>
</grid>
</window>
<button label="Home" href="/index.zul"/>
<button label="Logout" href="/j_spring_security_logout"/>
</zk>