|
锁定老贴子 主题:Acegi 资源配置动态扩展实现
精华帖 (5) :: 良好帖 (0) :: 新手帖 (0) :: 隐藏帖 (0)
|
|
|---|---|
| 作者 | 正文 |
|
最后更新时间:2006-11-25
本文原出处 : http://starcraft.blogdriver.com/starcraft/1089862.html
Acegi 资源配置动态扩展实现 王 政 (Feiing) 于 2005-12-11 1. 问题提出 在使用 Acegi Security Framework 的过程中, 如果细心的话, 会发现其资源和角色配置是在配置文件中的, 下面是 Appfuse 中相关配置 : [code:1] <bean id="filterInvocationInterceptor" class="net.sf.acegisecurity.intercept.web.FilterSecurityInterceptor"> <property name="authenticationManager"><ref local="authenticationManager"/></property> <property name="accessDecisionManager"><ref local="accessDecisionManager"/></property> <property name="objectDefinitionSource"> <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /signup.html=ROLE_ANONYMOUS,admin,tomcat /clickstreams.jsp=admin </value> </property> </bean> [/code:1] 上面的配置从功能上实现了资源与角色的映射, 但用户可能会提出在运行期动态改变权限分配的需求, 配置文件策略可能略显不足, 下面我将提供一种基于数据库的策略解决此问题. 2. E-R 模型 下图是需要的 E-R 模型 
图1 Acegi 标准 RBAC E-R设计 图中的用户与角色不再多做解释, 我们主要关注一下 Permission 表 和 Resource 表, 这里 Resource 表用于存储系统资源, 在 web 层一般来说就是 url, 如果使用 acl, 就是 aclClass, 此时 Permission 表中的 aclMask 用来存储对应的 acl 权限, 考虑到 acl 在 web 项目中使用率不高, 下面我将着重介绍 web 层的权限控制, 对 acl 有兴趣的读者可以自己参阅 Acegi Reference Guide. 3. 如何阻止 acegi 从配置文件读取权限配置 从 Appfuse 中的示例性配置可以看出, acegi 对权限配置的要求是 “ 资源 = 角色1, 角色2 … 角色 n ”, 看过源代码的读者应该知道, 最终这些配置将被组装为 net.sf.acegisecurity.intercept. ObjectDefinitionSource(web 层对应的实现是 net.sf.acegisecurity.intercept.web. FilterInvocationDefinitionSource), 那么我们怎么才能用数据库的数据来组装 FilterInvocationDefinitionSource ? 这里涉及到一个 PropertyEditor 问题, 在 Acegi 中, FilterInvocationDefinitionSource 是通过 net.sf.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor 组装的, 假如我们不想让 FilterInvocationDefinitionSourceEditor 从配置文件中读取权限配置, 就需要自己实现一个 ProdertyEditor 来覆盖默认实现, 下面是我的 配置 : 
图2 customerEditorConfigurer 配置 那么, 这个 PropertyEditor 中需要做些什么呢 ? 要做的就是使用一个比较特殊的标记, 当遇到这个特殊标记的时候直接略过解析, 我这里使用的标记是 “DONT_USE_ME”, 然后在 PropertyEditor 中简单的如下实现即可: [code:1] /* * Copyright 2004-2005 wangz. * Project shufe_newsroom */ package com.skyon.um.security.acegi.intercept.web; import java.beans.PropertyEditorSupport; import java.io.BufferedReader; import java.io.IOException; import java.io.StringReader; import net.sf.acegisecurity.ConfigAttributeDefinition; import net.sf.acegisecurity.ConfigAttributeEditor; import net.sf.acegisecurity.intercept.web.FilterInvocationDefinitionMap; import net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap; import net.sf.acegisecurity.intercept.web.RegExpBasedFilterInvocationDefinitionMap; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; /** * @since 2005-8-4 * @author 王政 * @version $Id: FilterInvocationDefinitionSourceDynamicExtentionEditor.java,v 1.2 2005/11/04 15:55:07 wangzheng Exp $ */ public class FilterInvocationDefinitionSourceDynamicExtentionEditor extends PropertyEditorSupport { public static final String ANT_PATH_KEY = "PATTERN_TYPE_APACHE_ANT"; public static final String LOWER_CASE_URL_KEY = "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON"; public static final String DONT_USE_ME_KEY = "DONT_USE_ME"; public static final String STAND_DELIM_CHARACTER = ","; private static final Log logger = LogFactory.getLog(FilterInvocationDefinitionSourceDynamicExtentionEditor.class); /** * @see java.beans.PropertyEditorSupport#setAsText(java.lang.String) */ public void setAsText(String text) throws IllegalArgumentException { FilterInvocationDefinitionMap source = new RegExpBasedFilterInvocationDefinitionMap(); if (StringUtils.isBlank(text)) { // Leave target object empty } else { // Check if we need to override the default definition map if (text.lastIndexOf(ANT_PATH_KEY) != -1) { source = new PathBasedFilterInvocationDefinitionMap(); if (logger.isDebugEnabled()) { logger.debug(("Detected PATTERN_TYPE_APACHE_ANT directive; using Apache Ant style path expressions")); } } if (text.lastIndexOf(LOWER_CASE_URL_KEY) != -1) { if (logger.isDebugEnabled()) { logger.debug("Instructing mapper to convert URLs to lowercase before comparison"); } source.setConvertUrlToLowercaseBeforeComparison(true); } if (text.indexOf(DONT_USE_ME_KEY) != -1) { if (logger.isDebugEnabled()) { logger.debug("DETECTED " + DONT_USE_ME_KEY + " directive; skip parse, Use " + EhCacheBasedFilterInvocationDefinitionSourceCache.class + " to parse!"); } addSecureUrl(source, "/dontuseme", "dontuseme"); } else { BufferedReader br = new BufferedReader(new StringReader(text)); int counter = 0; String line; while (true) { counter++; try { line = br.readLine(); } catch (IOException ioe) { throw new IllegalArgumentException(ioe.getMessage()); } if (line == null) { break; } line = line.trim(); if (logger.isDebugEnabled()) { logger.debug("Line " + counter + ": " + line); } if (line.startsWith("//")) { continue; } if (line.equals(LOWER_CASE_URL_KEY)) { continue; } if (line.lastIndexOf('=') == -1) { continue; } // Tokenize the line into its name/value tokens String[] nameValue = org.springframework.util.StringUtils.delimitedListToStringArray(line, "="); String name = nameValue[0]; String value = nameValue[1]; addSecureUrl(source, name, value); } } } setValue(source); } /** * @param source * @param name * @param value * @throws IllegalArgumentException */ private void addSecureUrl(FilterInvocationDefinitionMap source, String name, String value) throws IllegalArgumentException { // Convert value to series of security configuration attributes ConfigAttributeEditor configAttribEd = new ConfigAttributeEditor(); configAttribEd.setAsText(value); ConfigAttributeDefinition attr = (ConfigAttributeDefinition) configAttribEd.getValue(); // Register the regular expression and its attribute source.addSecureUrl(name, attr); } } [/code:1] Ok, 现在 FilterInvocationDefinitionSourceDynamicExtentionEditor 遇到配置文件中的 “DONT_USE_ME” 时将直接略过, 下面是我的 filterInvocationInterceptor 配置: 
图3 filterInvocationInterceptor 配置 现在, 我们已经成功阻止 acegi 从配置文件读取权限配置, 下一个问题就是: 4. 如何从表中数据组装 FilterInvocationDefinitionSource 为了实现此功能, 需要一个自定义的资源定义接口来提供 FilterInvocationDefinitionSource, 此接口可能会是这样 : [code:1] /* * Copyright 2005-2010 the original author or autors * * http://www.skyon.com.cn * * Project { SkyonFramwork } */ package com.skyon.um.security.acegi.intercept.web; import net.sf.acegisecurity.intercept.web.FilterInvocationDefinitionSource; import org.springframework.beans.factory.FactoryBean; import com.skyon.framework.spring.ehcache.FlushableCache; /** * <class>FilterInvocationDefinitionSourceCache</class> use to hold the global FilterInvocationDefinitionSource, * it keeps a static variable , if the source been changed(generally the database data), the reload method should be called * * @see com.skyon.um.security.acegi.intercept.event.FilterInvocationDefinitionSourceChangedEvent * @see com.skyon.um.security.acegi.intercept.event.FilterInvocationDefinitionSourceListener * @see com.skyon.um.security.acegi.intercept.web.SecurityEnforcementDynamicExtensionFilter * @since 2005-8-7 * @author 王政 * @version $Id: FilterInvocationDefinitionSourceCache.java,v 1.1 2005/11/04 15:55:07 wangzheng Exp $ */ public interface FilterInvocationDefinitionSourceCache extends FactoryBean, FlushableCache { /** The Perl5 expression */ int REOURCE_EXPRESSION_PERL5_REG_EXP = 1; /** The ant path expression */ int RESOURCE_EXPRESSION_ANT_PATH_KEY = 2; /** * Set resource expression, the value must be {@link #REOURCE_EXPRESSION_PERL5_REG_EXP} or {@link #RESOURCE_EXPRESSION_ANT_PATH_KEY} * @see #REOURCE_EXPRESSION_PERL5_REG_EXP * @see #RESOURCE_EXPRESSION_ANT_PATH_KEY * @param resourceExpression the resource expression */ void setResourceExpression(int resourceExpression); /** * Set whether convert url to lowercase before comparison * @param convertUrlToLowercaseBeforeComparison whether convertUrlToLowercaseBeforeComparison */ void setConvertUrlToLowercaseBeforeComparison(boolean convertUrlToLowercaseBeforeComparison); /** * Get the defination source, generally from a database schema * @return the defination source */ FilterInvocationDefinitionSource getFilterInvocationDefinitionSource(); } [/code:1] 其核心方法是 FilterInvocationDefinitionSource getFilterInvocationDefinitionSource(), 此方法将代替配置文件提供资源和角色的配置, 下面是实现 [code:1] /* * Copyright 2005-2010 the original author or autors * * http://www.skyon.com.cn * * Project { SkyonFramwork } */ package com.skyon.um.security.acegi.intercept.web; import net.sf.acegisecurity.ConfigAttributeDefinition; import net.sf.acegisecurity.ConfigAttributeEditor; import net.sf.acegisecurity.intercept.web.FilterInvocationDefinitionMap; import net.sf.acegisecurity.intercept.web.FilterInvocationDefinitionSource; import net.sf.acegisecurity.intercept.web.PathBasedFilterInvocationDefinitionMap; import net.sf.acegisecurity.intercept.web.RegExpBasedFilterInvocationDefinitionMap; import net.sf.ehcache.Cache; import net.sf.ehcache.Element; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.springframework.beans.factory.InitializingBean; import org.springframework.util.Assert; import com.skyon.framework.spring.ehcache.CacheUtils; import com.skyon.framework.spring.ehcache.SerializableObjectProvider; import com.skyon.framework.spring.support.MandatorySingletonBeanSupport; /** * @since 2005-8-7 * @author 王政 * @version $Id: EhCacheBasedFilterInvocationDefinitionSourceCache.java,v 1.2 2005/11/17 09:38:25 wangzheng Exp $ */ public class EhCacheBasedFilterInvocationDefinitionSourceCache extends MandatorySingletonBeanSupport implements FilterInvocationDefinitionSourceCache, InitializingBean { private static final Log logger = LogFactory.getLog(EhCacheBasedFilterInvocationDefinitionSourceCache.class); private int resourceExpression; private boolean convertUrlToLowercaseBeforeComparison = false; private ResourceMappingProvider resourceMappingProvider; private Cache cache; private Object lock = new Object(); /** * @see com.skyon.um.security.acegi.intercept.web.FilterInvocationDefinitionSourceCache#getFilterInvocationDefinitionSource() */ public FilterInvocationDefinitionSource getFilterInvocationDefinitionSource() { synchronized (lock) { Element element = CacheUtils.get(getCache(), "key"); if (element == null) { FilterInvocationDefinitionSource definitionSource = (FilterInvocationDefinitionSource) getFilterInvocationDefinitionSourceFromBackend(); element = new Element("key", new SerializableObjectProvider(definitionSource)); getCache().put(element); } return (FilterInvocationDefinitionSource) ((SerializableObjectProvider) element.getValue()).getSourceObject(); } } public void flushCache() { CacheUtils.flushCache(getCache()); getFilterInvocationDefinitionSource(); } private FilterInvocationDefinitionMap getFilterInvocationDefinitionSourceFromBackend() { logger.info(" 开始加载系统资源权限数据到缓存... "); FilterInvocationDefinitionMap definitionSource = null; switch (resourceExpression) { case REOURCE_EXPRESSION_PERL5_REG_EXP : { definitionSource = new RegExpBasedFilterInvocationDefinitionMap(); break; } case RESOURCE_EXPRESSION_ANT_PATH_KEY : { definitionSource = new PathBasedFilterInvocationDefinitionMap(); break; } default : { throwException(); } } definitionSource.setConvertUrlToLowercaseBeforeComparison(isConvertUrlToLowercaseBeforeComparison()); ResourceMapping[] mappings = getResourceMappingProvider().getResourceMappings(); if (mappings == null || mappings.length ==0) { return definitionSource; } for (int i = 0; i < mappings.length; i++) { ResourceMapping mapping = mappings[i]; String[] recipents = mapping.getRecipients(); if (recipents == null || recipents.length == 0) { if (logger.isErrorEnabled()) { logger.error("Notice, the resource : " + mapping.getResourcePath() + " has no recipents, it will access by any one ! "); } continue; } StringBuffer valueBuffer = new StringBuffer(); for (int j = 0; j < recipents.length; j++) { valueBuffer.append(recipents[j]); if (j < recipents.length - 1) { valueBuffer.append(FilterInvocationDefinitionSourceDynamicExtentionEditor.STAND_DELIM_CHARACTER); } } String value = valueBuffer.toString(); addSecureUrl(definitionSource, mapping.getResourcePath(), value); } logger.info(" 成功加载系统资源权限数据到缓存 ! "); return definitionSource; } /** * @param source * @param name * @param value * @throws IllegalArgumentException */ private synchronized void addSecureUrl(FilterInvocationDefinitionMap source, String name, String value) throws IllegalArgumentException { // Convert value to series of security configuration attributes ConfigAttributeEditor configAttribEd = new ConfigAttributeEditor(); configAttribEd.setAsText(value); ConfigAttributeDefinition attr = (ConfigAttributeDefinition) configAttribEd.getValue(); // Register the regular expression and its attribute source.addSecureUrl(name, attr); } public void afterPropertiesSet() throws Exception { if (resourceExpression != REOURCE_EXPRESSION_PERL5_REG_EXP && resourceExpression != RESOURCE_EXPRESSION_ANT_PATH_KEY) { throwException(); } Assert.notNull(getResourceMappingProvider(), " resourceMappingProvider must be specified"); Assert.notNull(getCache(), " cache must be specified"); } /** * @throws IllegalArgumentException */ private void throwException() throws IllegalArgumentException { throw new IllegalArgumentException("wrong resourceExpression value"); } /** * @return Returns the resourceMappingProvider. */ public ResourceMappingProvider getResourceMappingProvider() { return resourceMappingProvider; } /** * @param resourceMappingProvider The resourceMappingProvider to set. */ public void setResourceMappingProvider(ResourceMappingProvider resourceMappingProvider) { this.resourceMappingProvider = resourceMappingProvider; } /** * @return Returns the convertUrlToLowercaseBeforeComparison. */ public boolean isConvertUrlToLowercaseBeforeComparison() { return convertUrlToLowercaseBeforeComparison; } /** * @param convertUrlToLowercaseBeforeComparison The convertUrlToLowercaseBeforeComparison to set. */ public void setConvertUrlToLowercaseBeforeComparison( boolean convertUrlToLowercaseBeforeComparison) { this.convertUrlToLowercaseBeforeComparison = convertUrlToLowercaseBeforeComparison; } /** * @return Returns the resourceExpression. */ public int getResourceExpression() { return resourceExpression; } /** * @param resourceExpression The resourceExpression to set. */ public void setResourceExpression(int resourceExpression) { this.resourceExpression = resourceExpression; } /** * @return Returns the cache. */ public Cache getCache() { return cache; } /** * @param cache The cache to set. */ public void setCache(Cache cache) { this.cache = cache; } } [/code:1] 实现采用 EhCache 缓存资源权限配置, 这样如果资源权限数据发生变化, 可以 flush Cache 从数据库重新读取. 至于代码中的 ResourceMapingProvider 实现, 简单的把 Resource 表和 Role 表中的数据读取过来即可, 这里不再赘述. 5. 如何将数据库中的权限配置传递给 FilterInvocationInterceptor 完成以上步骤后, 最后一步就是如何把 FilterInvocationDefinitionSourceCache 中的 FilterInvocationDefinitionSource 传递给 FilterInvocationInterceptor, Simple implemention : [code:1] public class SecurityEnforcementDynamicExtensionFilter extends SecurityEnforcementFilter implements InitializingBean { … 略去 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { // get the defination source form soure holder getFilterSecurityInterceptor().setObjectDefinitionSource(getDefinitionSourceCache().getFilterInvocationDefinitionSource()); } } [/code:1] 配置: It’s Over Now. 本文引用代码及配置文件参见附件.[/url] 声明:JavaEye文章版权属于作者,受法律保护。没有作者书面许可不得转载。
|
| 返回顶楼 | |
|
最后更新时间:2005-12-16
貌似一次只能传 3 个附件?
|
| 返回顶楼 | |
|
最后更新时间:2005-12-13
only扩展一个数据库的实现,也要这么多代码? 晕倒。
|
| 返回顶楼 | |
|
最后更新时间:2005-12-13
firebody 写道 only扩展一个数据库的实现,也要这么多代码? 晕倒。
呵呵, 我感觉这已经是最少的代码量了, 有更便捷的实现吗? |
| 返回顶楼 | |
|
最后更新时间:2005-12-14
Thanks feiing.............
如果是这样. 用acegi会不会反而把开发难度增大了呢~~~~~~~ |
| 返回顶楼 | |
|
最后更新时间:2005-12-14
Jstar 写道 Thanks feiing.............
如果是这样. 用acegi会不会反而把开发难度增大了呢~~~~~~~ 这个难度增大只限于实现本身, 对客户端调用完全透明, 我们用 AOP 做权限控制就是为了把控制逻辑完全从 business 中分离, 在我的项目中, 权限模块与业务模块的接口只有一个, 除了这个 RemoteUserContextUtils , 业务模块完全不需要知道使用了 Acegi, 要做的只是分配好 Role 和 Resource 即可 [code:1] /* * Copyright 2005-2010 the original author or authors. * * http://www.skyon.com.cn * * Project cardAssistant */ package com.skyon.cams.security.acegi; import java.util.Iterator; import java.util.List; import net.sf.acegisecurity.AccessDecisionManager; import net.sf.acegisecurity.Authentication; import net.sf.acegisecurity.GrantedAuthority; import net.sf.acegisecurity.GrantedAuthorityImpl; import net.sf.acegisecurity.context.SecurityContext; import net.sf.acegisecurity.context.SecurityContextHolder; import net.sf.acegisecurity.providers.cas.CasAuthenticationToken; import net.sf.acegisecurity.providers.dao.UsernameNotFoundException; import org.apache.commons.lang.StringUtils; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.springframework.util.Assert; import org.springframework.util.ObjectUtils; import com.skyon.cams.entity.Organization; import com.skyon.cams.entity.User; import com.skyon.cams.security.acegi.providers.dao.hibernate.AuthenticationDaoHibernate; import com.skyon.cams.security.um.OrganizationRelationship; import com.skyon.cams.security.um.manager.OrganizationManager; import com.skyon.framework.core.WhenCrackException; /** * @since 2005-9-7 * @author 王政 * @version $Id: RemoteUserContextUtils.java,v 1.11 2005/12/01 09:19:59 wangzheng Exp $ */ public abstract class RemoteUserContextUtils { private static final Log logger = LogFactory.getLog(RemoteUserContextUtils.class); /** * 得到当前登录用户 * @return 当前登录用户 */ public static UserDetails getRemoteUser() { SecurityContext securityContext = SecurityContextHolder.getContext(); Authentication authentication = securityContext.getAuthentication(); Object principal = authentication.getPrincipal(); if (principal == null) { throw new UsernameNotFoundException(" The user doesn't exists ! "); } if (UserDetails.class.isInstance(principal)) { // use Local Authentication return (UserDetails) principal; } else if (principal.equals(UserDetails.ANONYMOUS_USERNAME)){ return getAnonymousUser(); } else if (CasAuthenticationToken.class.isInstance(authentication)) { // use Yale Central Authentication Service (CAS) Single Sign On net.sf.acegisecurity.UserDetails userDetails = ((CasAuthenticationToken) authentication).getUserDetails(); Assert.isInstanceOf(UserDetails.class, userDetails, getErrorMessage(userDetails.getClass())); return (UserDetails) userDetails; } String errorMessage = getErrorMessage(principal.getClass()); if (logger.isInfoEnabled()) { logger.info(errorMessage); } throw new IllegalStateException(errorMessage); } /** * @param detailClass * @return */ private static String getErrorMessage(Class detailClass) { StringBuffer sb = new StringBuffer(); sb.append(" UserDetails Should be "); sb.append(UserDetails.class); sb.append(" , but it is "); sb.append(detailClass); sb.append(" now, please make sure the custom dao "); sb.append(AuthenticationDaoHibernate.class); sb.append(" has been used. "); return sb.toString(); } /** * Returns a boolean indicating whether the authenticated user is included * in the specified logical "role". Roles and role membership can be * defined using deployment descriptors. If the user has not been * authenticated, the method returns <code>false</code>. * * @see javax.servlet.http.HttpServletRequest#isUserInRole(java.lang.String) * @param role a <code>String</code> specifying the name of the role * @return a <code>boolean</code> indicating whether * the remote user belongs to a given role; * <code>false</code> if the user has not been * authenticated */ public static boolean isUserInRole(String role) { UserDetails userDetails = getRemoteUser(); GrantedAuthority[] authorities = userDetails.getAuthorities(); if (authorities == null) { throw new UsernameNotFoundException("User has no GrantedAuthority"); } for (int i = 0; i < authorities.length; i++) { if (ObjectUtils.nullSafeEquals(authorities[i], role)) { return true; } } return false; } } [/code:1] |
| 返回顶楼 | |
|
最后更新时间:2005-12-15
弱弱的问一下,acegi没有给业务对象提供userDetailUtil之类的东西么?要是这样的话,acegi真的有必要加上这块。
|
| 返回顶楼 | |
|
最后更新时间:2006-10-09
差沙 写道 弱弱的问一下,acegi没有给业务对象提供userDetailUtil之类的东西么?要是这样的话,acegi真的有必要加上这块。
ContextHolder 已经做得这么好了, 可以让你随时随地的取, 还能怎么做? |
| 返回顶楼 | |
|
最后更新时间:2006-10-09
在 Acegi 中, FilterInvocationDefinitionSource 是通过 net.sf.acegisecurity.intercept.web.FilterInvocationDefinitionSourceEditor 组装的
acegi是什么时候在哪配置的让FilterInvocationDefinitionSourceEditor 来组装的呢? |
| 返回顶楼 | |
|
最后更新时间:2006-10-09
噢,我自己找到了,不好意思问这个问题。
一个class的PropertyEditor如果被恰当地命名并且放在与它提供支持的class同一个包内,那么Java标准的JavaBeans PropertyEditor查找机制就会自动地查找到这个PropertyEditor。 |
| 返回顶楼 | |
