Spring Security 3 证书登录

阅读更多

默认情况下ss3的标签只会取证书主题作为验证条件，如果想要自己指定证书的某一部分作为验证条件需要手动实现X509PrincipalExtractor接口：

import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;

public class MyX509PrincipalExtractor implements X509PrincipalExtractor{

	Logger logger = LoggerFactory.getLogger(this.getClass());
	
	/**
	 * 获取证书序列号
	 * @param cert x509证书对象
	 */
	@Override
	public Object extractPrincipal(X509Certificate cert) {
		String serialNumber = cert.getSerialNumber().toString(16);//取证书序列号作为判断条件
		return serialNumber;
	}

}

 实现用户描述接口：

public class MyUserAuthority implements UserDetails{
……
}

 

载入用户信息：

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/**
 * 
 * Company: xxx公司 

 *
 * Description:  用户信息载入服务
 *
 * 
Copyright: Copyright (c) 2010 - 2015
 *
 * 
Author: JLCON 
 * 
Created:2010-9-17
 *
 * 
Modified:2010-9-17
 *
 * 
version：V1.0
 */
public class MyUserDetailService implements AuthenticationUserDetailsService{

	Logger logger = LoggerFactory.getLogger(this.getClass());
	

    //载入用户信息
	@Autowired
	private UserAuthorityInfo userinfo;
	

	/**
	 * 用户信息载入
	 * @param token 认证token
	 */
	@Override
	public UserDetails loadUserDetails(Authentication token)
			throws UsernameNotFoundException {//这里得到的就是刚才返回的证书ID
		return userinfo.getUserDetails(token.getPrincipal().toString());
	}

}

 通过URL获取该URL具有的访问属性：

public class X509securityMetadataSource implements FilterInvocationSecurityMetadataSource{

import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
…………

	@Override
	public Collection getAttributes(Object object)
			throws IllegalArgumentException {
		String url = ((FilterInvocation)object).getRequestUrl();

		………………

		return list;
	}

	@Override
	public boolean supports(Class clazz) {
		return true;
	}

}

 认证访问控制器：

public class X509AccessDecisionManager implements AccessDecisionManager{

	Logger logger = LoggerFactory.getLogger(this.getClass());
	
	/**
	 * 决定是否有权限访问资源
	 * @param authentication 登录用户权限信息
	 * @param object 访问的资源对象
	 * @param configAttributes 资源对象具有的配置属性
	 * @exception AccessDeniedException 访问被拒绝
	 */
	@Override
	public void decide(Authentication authentication, Object object,
			Collection configAttributes)
			throws AccessDeniedException, InsufficientAuthenticationException {
		FilterInvocation filterInvocation = (FilterInvocation)object;
		for(ConfigAttribute configAttribute:configAttributes)
		{
			for(GrantedAuthority grantedAuthority:authentication.getAuthorities())
			{
				if(configAttribute.getAttribute().equalsIgnoreCase(grantedAuthority.getAuthority()))
				{
					logger.debug("访问success! - {}",filterInvocation.getFullRequestUrl());
					return;
				}
			}
		}
		logger.debug("无权访问! - {}",filterInvocation.getFullRequestUrl());

		throw new AccessDeniedException("无权限！");
	}

	@Override
	public boolean supports(ConfigAttribute attribute) {
		return true;
	}

	@Override
	public boolean supports(Class clazz) {
		return true;
	}

}

  最后上配置：

 web.xml

。。。。。

        springSecurityFilterChain
        org.springframework.web.filter.DelegatingFilterProxy
    

    
      springSecurityFilterChain
      /manager/*
    

。。。。。

补充UserAuthorityInfo代码：

 

ABCUserAuthority:

public class ABCUserAuthority implements UserDetails{

	private static final long serialVersionUID = -6394802605626145354L;
	。。。。。
}

 

UserAuthorityInfo:

 

@Repository
public class UserAuthorityInfoImp implements UserAuthorityInfo {

	Logger logger = LoggerFactory.getLogger(this.getClass());
	@Autowired
	private SessionFactory sf;

        public UserDetails getUserDetails(String username)
	{
              ABCUserAuthority user = new ABCUserAuthority();
              return user;
         }
}