使用了spring security之后,网页的显示速度明显变慢,看来spring security的使用还是需要优化配置的。 在web.xml中配置 <!-- 配置spring acegi 使用的 和com.work.core.QxglConstants.USE_ACEGI=true 配合使用 <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class> org.springframework.web.filter.DelegatingFilterProxy </filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <listener> <listener> <listener-class> org.springframework.web.context.ContextLoaderListener </listener-class> </listener> <listener-class> org.springframework.security.ui.session.HttpSessionEventPublisher </listener-class> </listener> --> 然后配置applicationContext-spring-security-2.0.2.xml <?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd"> <authentication-manager alias="authenticationManager" /> <beans:bean id="accessDecisionManager" class="org.springframework.security.vote.AffirmativeBased"> <beans:property name="allowIfAllAbstainDecisions" value="false" /><!-- allowIfAllAbstainDecisions : 设定是否允许:“没人反对就通过”的投票策略 --> <beans:property name="decisionVoters"><!-- 定义投票者 --> <beans:list> <beans:bean class="org.springframework.security.vote.RoleVoter" /> <beans:bean class="org.springframework.security.vote.AuthenticatedVoter" /> </beans:list> </beans:property> </beans:bean> <beans:bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor"> <!-- 配置上之后secureResourceFilter 没有被执行!不知道其他朋友们有没有碰到这个问题。如果也碰到了,请问您是如何解决的?--> <beans:property name="authenticationManager" ref="authenticationManager" /> 
<beans:property name="accessDecisionManager" ref="accessDecisionManager" /> <beans:property name="objectDefinitionSource" ref="secureResourceFilter" /> </beans:bean> <beans:bean id="secureResourceFilter" class="com.work.qxgl.springsecurity.MySecureResourceFilter" /> <http auto-config="true" access-denied-page="/commons/403.jsp"> <intercept-url pattern="/" access="ROLE_USER"/> <intercept-url pattern="/css/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <intercept-url pattern="/imageszhuye/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <intercept-url pattern="/js/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <intercept-url pattern="/ganjian*/**" access="ROLE_SUPERVISOR,ROLE_enterprise_manager"/> <intercept-url pattern="/qxgl/menutree/**" access="ROLE_SUPERVISOR,ROLE_USER"/> <intercept-url pattern="/qxgl*/**" access="ROLE_SUPERVISOR,ROLE_PERMITMANAGER"/> <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <!-- access="ROLE_ANONYMOUS" --> <concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true" /> <form-login login-page="/acegilogin.jsp" authentication-failure-url="/acegilogin.jsp" default-target-url="/sysmain.action" /> <!-- 在这里获取用户登陆的详细的信息 ,sysmain.action 在这里可以记录用户登陆的信息。成功执行!--> <logout logout-success-url="/logout.jsp" /><!-- j_spring_security_logout 这里是退出的URL,那么可以在这里做接口 在logout.jsp 中调用您自己的logout程序。 --> </http> <!-- Automatically receives AuthenticationEvent messages --> <beans:bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener" /> <authentication-provider > <jdbc-user-service data-source-ref="dataSource" users-by-username-query="SELECT U.user_account as username, U.user_password as password, 'true' AS enabled FROM qxgl_user U where U.user_issysuser=1 and U.user_account=?" 
authorities-by-username-query="select a.user_account as username,c.role_name as authority from qxgl_user a ,qxgl_user_role b,qxgl_role c where a.user_id=b.user_id and b.role_id=c.role_id and a.user_account=?" /> <!-- 还支持 group-authorities-by-username-query --> </authentication-provider> </beans:beans> java程序MySecureResourceFilter
使用了spring security之后,网页的显示速度明显变慢,看来spring security的使用还是需要优化配置的。
在web.xml中配置
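<!-- Spring Security (Acegi) wiring for web.xml; used together with com.work.core.QxglConstants.USE_ACEGI=true.
     The /* mapping sends every request through the springSecurityFilterChain bean.
     Each listener needs its own listener element: ContextLoaderListener loads the Spring context,
     and HttpSessionEventPublisher publishes session created/destroyed events into that context.
     The concurrent-session-control element in the security context relies on those events to
     release a user's session slot after logout or timeout.
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>
org.springframework.web.filter.DelegatingFilterProxy
</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<listener>
<listener-class>
org.springframework.security.ui.session.HttpSessionEventPublisher
</listener-class>
</listener>
-->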
然后配置applicationContext-spring-security-2.0.2.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.xsd">
<!-- Registers the alias "authenticationManager" for the authentication manager, so that other beans (filterInvocationInterceptor below) can reference it by that name. -->
<authentication-manager alias="authenticationManager" />
<!-- Access decision manager referenced by filterInvocationInterceptor. AffirmativeBased grants access as soon as any one voter votes to grant. -->
<beans:bean id="accessDecisionManager"
class="org.springframework.security.vote.AffirmativeBased">
<beans:property name="allowIfAllAbstainDecisions" value="false" /><!-- allowIfAllAbstainDecisions: whether the "nobody objected, so allow" voting policy applies; false means a request on which every voter abstains is denied -->
<beans:property name="decisionVoters"><!-- the voters that are consulted -->
<beans:list>
<beans:bean class="org.springframework.security.vote.RoleVoter" />
<beans:bean class="org.springframework.security.vote.AuthenticatedVoter" />
</beans:list>
</beans:property>
</beans:bean>
<!-- A separately declared FilterSecurityInterceptor whose URL-to-role rules come from the secureResourceFilter bean instead of the intercept-url list. -->
<!-- NOTE(review): nothing visible in this file adds this bean to springSecurityFilterChain. With the 2.0 namespace a bean normally joins the chain only when it contains a <custom-filter> child element, which would explain the author's observation below. If it is wired in, verify how it interacts with the interceptor that <http> builds from the intercept-url rules, so that neither rule set is silently skipped. -->
<beans:bean id="filterInvocationInterceptor"
class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
<!-- After configuring this, secureResourceFilter is never executed! Has anyone else run into this problem? If so, how did you solve it? -->
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="accessDecisionManager" ref="accessDecisionManager" />
<beans:property name="objectDefinitionSource" ref="secureResourceFilter" />
</beans:bean>
<!-- Custom object definition source (the MySecureResourceFilter Java class) injected into filterInvocationInterceptor as its objectDefinitionSource. -->
<beans:bean id="secureResourceFilter" class="com.work.qxgl.springsecurity.MySecureResourceFilter" />
<!-- Web security rules. The intercept-url patterns are checked in the order listed and the first match decides, so specific paths must stay above the catch-all. -->
<http auto-config="true" access-denied-page="/commons/403.jsp">
<!-- Only the exact root path requires ROLE_USER. -->
<intercept-url pattern="/" access="ROLE_USER"/>
<!-- Static resources are readable without logging in. -->
<intercept-url pattern="/css/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/imageszhuye/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/js/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
<intercept-url pattern="/ganjian*/**" access="ROLE_SUPERVISOR,ROLE_enterprise_manager"/>
<!-- Listed before /qxgl*/** so that the menu tree stays reachable for ROLE_USER. -->
<intercept-url pattern="/qxgl/menutree/**" access="ROLE_SUPERVISOR,ROLE_USER"/>
<intercept-url pattern="/qxgl*/**" access="ROLE_SUPERVISOR,ROLE_PERMITMANAGER"/>
<!-- NOTE(review): this catch-all makes every URL not matched above reachable without authentication (allow by default). That includes /sysmain.action, the post-login target, which matches none of the patterns above. Consider requiring an authenticated role here and listing the public pages (login, logout, error pages) explicitly. -->
<intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" /> <!-- access="ROLE_ANONYMOUS" -->
<!-- One session per user; a second login is rejected while the first session is still registered. This depends on the HttpSessionEventPublisher listener in web.xml: without it, ended sessions are not released and the user can stay locked out. -->
<concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true" />
<form-login login-page="/acegilogin.jsp" authentication-failure-url="/acegilogin.jsp"
default-target-url="/sysmain.action" />
<!-- sysmain.action is where the details of the logged-in user are fetched and where the login can be recorded. This part runs successfully! -->
<logout logout-success-url="/logout.jsp" /><!-- j_spring_security_logout is the logout URL; logout.jsp can serve as the hook from which your own logout routine is called. -->
</http>
<!-- Automatically receives AuthenticationEvent messages and writes them to the log, which gives a basic trail of login successes and failures. -->
<beans:bean id="loggerListener" class="org.springframework.security.event.authentication.LoggerListener" />
<!-- Loads users and their roles from the qxgl_* tables. The username is passed through the ? placeholder in both queries rather than concatenated into the SQL. -->
<authentication-provider >
<!-- Only rows with user_issysuser=1 can log in. -->
<!-- NOTE(review): 'true' AS enabled marks every account as enabled, so an account cannot be disabled through this query; map a real status column if the table has one. -->
<!-- NOTE(review): no <password-encoder> child is configured, so the submitted password is presumably compared with user_password exactly as stored. Confirm how passwords are stored and configure an encoder with salted hashing if they are plaintext. -->
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query="SELECT U.user_account as username, U.user_password as password, 'true' AS enabled FROM qxgl_user U where U.user_issysuser=1 and U.user_account=?"
authorities-by-username-query="select a.user_account as username,c.role_name as authority from qxgl_user a ,qxgl_user_role b,qxgl_role c where a.user_id=b.user_id and b.role_id=c.role_id and a.user_account=?" />
<!-- group-authorities-by-username-query is also supported -->
</authentication-provider>
</beans:beans>
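// Java source: MySecureResourceFilter
package com.work.qxgl.springsecurity;

import java.util.Collection;
import java.util.List;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.ConfigAttributeDefinition;
import org.springframework.security.ConfigAttributeEditor;
import org.springframework.security.intercept.web.FilterInvocation;
import org.springframework.security.intercept.web.FilterInvocationDefinitionSource;

import com.work.core.spring.MyBeanUtil;
import com.work.qxgl.model.QxglRole;
import com.work.qxgl.usermodel.UserModelServiceDao;

/**
 * Object definition source that looks up, for each request, the roles allowed to access the
 * requested URL through {@code UserModelServiceDao.getRolesByUrl} and returns them as the
 * configuration attributes for that request.
 *
 * TODO: the configuration loads without errors, yet this class has no effect. Frustrating!
 *
 * @author wangmingjie
 */
public class MySecureResourceFilter implements FilterInvocationDefinitionSource {

    private static final Log log = LogFactory.getLog(MySecureResourceFilter.class);

    /** Role required when a URL has no usable role mapping: the basic role of a form-login user. */
    private static final String DEFAULT_ROLE = "ROLE_USER";

    /**
     * Returns the roles required for the URL of the given invocation.
     *
     * @param filter the secured object; must be a {@link FilterInvocation}
     * @return the attributes built from the role names mapped to the URL, or from
     *         {@code ROLE_USER} when the lookup yields no usable role name
     * @throws IllegalArgumentException if {@code filter} is null or not a {@link FilterInvocation}
     */
    public ConfigAttributeDefinition getAttributes(Object filter) throws IllegalArgumentException {
        // Reject foreign objects with the declared exception instead of a ClassCastException
        // (or a NullPointerException for null) further down.
        if (!(filter instanceof FilterInvocation)) {
            throw new IllegalArgumentException("Object must be a FilterInvocation");
        }
        FilterInvocation filterInvocation = (FilterInvocation) filter;
        String url = filterInvocation.getRequestUrl();
        // NOTE(review): getRequestUrl() presumably includes the query string. Confirm that
        // getRolesByUrl matches on the path as intended, and keep in mind that this debug line
        // then writes request parameters to the log.
        if (log.isDebugEnabled()) {
            log.debug("UR为:" + url);
        }

        // Get the roles that can access this URL. They are looked up in the database on every
        // request, which is a likely contributor to slow page loads. The permissions could be
        // cached after being read from the database and the cache refreshed by hand whenever
        // the database content changes; a listener would also work but costs efficiency.
        UserModelServiceDao userModelServiceDao = (UserModelServiceDao) MyBeanUtil
                .getBean("userModelServiceDao");
        List<QxglRole> urlRoles = userModelServiceDao.getRolesByUrl(url);

        // Join the role names with commas; the separator goes between names only, so the
        // editor is never handed a trailing empty token.
        StringBuilder rolesList = new StringBuilder();
        if (urlRoles != null) {
            boolean first = true;
            for (QxglRole role : urlRoles) {
                if (!first) {
                    rolesList.append(',');
                }
                rolesList.append(role.getRoleName());
                first = false;
            }
        }

        // No role is mapped to this URL (or the only mapped name is blank): require the basic
        // form-login role. A blank attribute string would make the editor produce no definition,
        // which the interceptor would presumably treat as an unsecured URL, so fail closed here.
        if (rolesList.toString().trim().length() == 0) {
            if (log.isDebugEnabled()) {
                log.debug("URL没有赋给任何用户,给他增加form认证的基本角色ROLE_USER。");
            }
            rolesList.setLength(0);
            rolesList.append(DEFAULT_ROLE);
        }

        if (log.isDebugEnabled()) {
            log.debug("URL" + url + "拥有的角色为:" + rolesList.toString());
        }

        ConfigAttributeEditor configAttrEditor = new ConfigAttributeEditor();
        configAttrEditor.setAsText(rolesList.toString());
        return (ConfigAttributeDefinition) configAttrEditor.getValue();
    }

    /**
     * Returns {@code null}: the mappings are looked up per request, so this class holds no
     * fixed set of definitions to enumerate.
     * NOTE(review): the interceptor presumably uses this collection only for start-up
     * validation; confirm for the Spring Security version in use.
     */
    public Collection getConfigAttributeDefinitions() {
        return null;
    }

    /**
     * Reports whether this source can handle the given secure object class.
     *
     * @param arg0 the class of the secure object
     * @return {@code true} only for {@link FilterInvocation} and its subclasses, the only type
     *         {@link #getAttributes(Object)} accepts
     */
    public boolean supports(Class arg0) {
        return arg0 != null && FilterInvocation.class.isAssignableFrom(arg0);
    }
}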
本文来自博客,转载请标明出处:http://blog.csdn.net/wmj2003/archive/2008/07/01/2601016.aspx