いつか は、ここでは、 'ApplicationContextの-のsecurity.xml' です前に私はある程度解決可能な解決策を得ました。私は今それを公開している、私はそれが他の誰にとっても役に立つかもしれないと思う。 (OBS:溶液がSpringSecurity2.xを用いて実施された。)
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd"><!-- -2.5 -3.2 -->
<!-- <context:annotation-config/>-->
<!-- <beans:bean id="testingAuthenticationProvider" ->>por estar http auto-config="true", este NÃO é necessário: AnonymousAuthenticationProvider é injetado em ser lugar
class="org.springframework.security.authentication.TestingAuthenticationProvider" autowire-candidate="false">
<custom-authentication-provider />
</beans:bean>-->
<beans:bean class="org.springframework.security.event.authentication.LoggerListener" />
<beans:bean class="org.springframework.security.event.authorization.LoggerListener" />
<beans:bean id="sessionRegistry" class="org.springframework.security.concurrent.SessionRegistryImpl" />
<context:component-scan base-package="br.com.vitoria.springSecJSR250" />
<global-method-security jsr250-annotations="enabled" access-decision-manager-ref="accessDecisionManager"/><!-- authentication-manager-ref="authManager" -->
<!-- Voter customizado -->
<beans:bean id="customVoter" class="br.com.vitoria.springSecJSR250.config.CustomVoter" />
<!-- Define AccessDesisionManager como UnanimousBased e coloca o Voter na lista -->
<beans:bean id="accessDecisionManager" class="org.springframework.security.vote.UnanimousBased"><!-- access. -->
<beans:property name="allowIfAllAbstainDecisions"><beans:value>true</beans:value></beans:property>
<beans:property name="decisionVoters">
<beans:list>
<beans:ref bean="customVoter" />
<beans:bean class="org.springframework.security.vote.AuthenticatedVoter" /><!-- access.-->
<beans:bean class="org.springframework.security.vote.RoleVoter"/><!-- access.-->
</beans:list>
</beans:property>
<!-- <beans:constructor-arg>SpringSec 3.X+
<beans:list>
<beans:bean class="org.springframework.security.vote.AuthenticatedVoter" /> access.
<beans:ref bean="customVoter" />
</beans:list>
</beans:constructor-arg>-->
</beans:bean>
<authentication-manager alias='authManager'/><!--id="authManager" -->
<authentication-provider user-service-ref=""><!-- ref="testingAuthenticationProvider"->>AnonymousAuthenticationProvider gerada p/ auto-config="true" -->
<user-service>
<user name="Test" password="Password" authorities="ROLE_USER"/>
<user name="admin" password="admin" authorities="ROLE_ADMIN"/>
</user-service>
</authentication-provider>
</beans:beans>
ユーザセッションデータを保持..theクラスAuthenticationToken:
public class StandardSessionAuthenticationToken/*<C extends SecurityContext, T extends SessionStandaloneInformation>*/
extends UsernamePasswordAuthenticationToken implements AuthenticationDetailsSource{
// private SessionStandaloneInformation details;
protected GrantedAuthority[] authorities;
public StandardSessionAuthenticationToken(Object principal, Object credentials, String sessionId, Date lastRequest) {
this(principal, credentials, sessionId, lastRequest, null);
}
public StandardSessionAuthenticationToken(Object principal, Object credentials, String sessionId, Date lastRequest, GrantedAuthority[] authorities) {
super(principal, credentials, authorities);
this.setDetails(new SessionStandaloneInformation(principal, sessionId, lastRequest));
}
/**
*
* @param context
* @return
*/
@Override
public Object buildDetails(Object context) {
final Object principal = ((/*C*/SecurityContext)context).getAuthentication().getPrincipal(); //To change body of generated methods, choose Tools | Templates.
this.setDetails(new SessionStandaloneInformation(principal, ((SessionStandaloneInformation)getDetails()).getSessionId(), new Date()));
return this.getDetails();
}
// @Override
// public boolean implies(Subject subject) {
// return super.implies(subject); //To change body of generated methods, choose Tools | Templates.
// }
public static class SessionStandaloneInformation extends SessionInformation implements SessionIdentifierAware {
public SessionStandaloneInformation(Object principal, String sessionId, Date lastRequest) {
super(principal, sessionId, lastRequest);
}
}
/**
* @param authorities the authorities to set
*/
public void setAuthorities(GrantedAuthority[] authorities) {
this.authorities = authorities;
}
/**
* @return the authorities
*/
@Override
public GrantedAuthority[] getAuthorities() {
return authorities;
}
}
(を保持..theクラスAuthenticationTokenセッション)期限切れ情報:
import java.util.Date;
import org.springframework.security.GrantedAuthority;
/**
* @author Derlon.Aliendres
*/
public class UsernamePasswordWithTimeoutAuthenticationToken extends StandardSessionAuthenticationToken
/* UsernamePasswordAuthenticationToken */{
private String timeout = null;
public UsernamePasswordWithTimeoutAuthenticationToken(Object principal, Object credentials, String timeOut
, String sessionId, Date lastRequest) {
this(principal, credentials, timeOut, sessionId, lastRequest, null);
// this.timeout = null;
}
public UsernamePasswordWithTimeoutAuthenticationToken(Object principal, Object credentials, String timeOut
, String sessionId, Date lastRequest, GrantedAuthority[] authorities) {
super(principal, credentials, sessionId, lastRequest, authorities);
this.timeout = timeOut;
}
public String getTimeout() {
return timeout;
}
/**
* @param authorities the authorities to set
*/
@Override
public void setAuthorities(GrantedAuthority[] authorities) {
super.setAuthorities(authorities);
}
/**
* @return the authorities
*/
@Override
public GrantedAuthority[] getAuthorities() {
return super.authorities;
}
}
...テスト:
/**
* @author derlon.aliendres
*/
@RunWith(value = SpringJUnit4ClassRunner.class)
@ContextConfiguration(locations = "/applicationContext.xml")
@org.junit.FixMethodOrder(MethodSorters.NAME_ASCENDING)//->>Ordem: a1, a2, a3, ...
public class Jsr250AnnotationDomainBizzServiceTest {
// private static InMemoryXmlApplicationContext appContext;
@Inject // @Resource // @Autowired
private /*static*/ BusinessService target;
@Inject //
private ApplicationEventPublisher _eventPublisher;
@Inject //
private org.springframework.security.providers.dao.DaoAuthenticationProvider daoAuthenticationProvider;
@BeforeClass
public static void setUpClass() {
// appContext = new InMemoryXmlApplicationContext(
// // "<b:bean id='target' class='org.springframework.security.access.annotation.Jsr250BusinessServiceImpl'/>" +
// " <context:component-scan base-package=\"br.com.vitoria.springSecJSR250\" />" +
// "<global-method-security jsr250-annotations='enabled'/>" + ConfigTestUtilsEnum.AUTH_PROV_TEST_TOKEN
// );
// target = (BusinessService)appContext.getBean(BusinessService.class/*"target"*/);
// SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_GLOBAL);
}
@Before
public void loadAppContext() {
}
@After
public void clearSecurityContext() {
SecurityContextHolder.clearContext();
}
@AfterClass
public static void tearDownClass() {
// if (appContext != null) {
// appContext.close();//<<-Como o contexto é carregado só 1x(no setUpClass) só pode ser encerrado aki!
// }
}
@Test(expected=AuthenticationCredentialsNotFoundException.class)
public void a1targetShouldPreventProtectedMethodInvocationWithNoContext() {
target.someUserMethod1(); //<<<--incide aqui o teste!!!
System.out.println("Falha na Autenticação: fluxo exec BLOQUEADO!!!)");
}
@Test
public void a2permitAllShouldBeDefaultAttribute() {
// UsernamePasswordAuthenticationToken token
// = new UsernamePasswordAuthenticationToken("Test", "Password", /*AuthorityUtils.createAuthorityList(*/"ROLE_USER"/*)*/);
UsernamePasswordAuthenticationToken token
= new UsernamePasswordAuthenticationToken("Test", "Password", AuthorityUtils.stringArrayToAuthorityArray(new String[]{"ROLE_USER"}));
SecurityContextHolder.getContext().setAuthentication(token);// SecurityContextHolder.getContextHolderStrategy().getContext().getAuthentication().
// LoggerListener listener = new LoggerListener();listener.onApplicationEvent(event);
_eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(token, this.getClass()));
target.someOther(0); //<<<--incide aqui o teste!!!
}
@Test
public void a3targetShouldAllowProtectedMethodInvocationWithCorrectRole() {
// UsernamePasswordAuthenticationToken token
// = new UsernamePasswordAuthenticationToken("Test", "Password", AuthorityUtils.createAuthorityList("ROLE_USER"));
UsernamePasswordAuthenticationToken token
= new UsernamePasswordAuthenticationToken("Test", "Password", AuthorityUtils.stringArrayToAuthorityArray(new String[]{"ROLE_USER"}));
SecurityContextHolder.getContext().setAuthentication(token);
_eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(token, this.getClass()));
target.someUserMethod1(); //<<<--incide aqui o teste!!!
}
@Inject
private SessionRegistry sessionRegistry;
@Test(expected=NonceExpiredException/*ProviderNotFoundException*/.class) //AccessDeniedException AuthenticationFailureProviderNotFoundEvent
public void a3targetShouldPreventInvocationWithCorrectRoleButNoLongerAuthenticated() {
final String timeOut = "0010";
final Date datimeLastRequest = new Date()/*, AuthorityUtils.stringArrayToAuthorityArray(new String[]{"ROLE_USER"}) */;
UsernamePasswordWithTimeoutAuthenticationToken token
// = new UsernamePasswordWithTimeoutAuthenticationToken("Test", "Password", timeOut, "001", datimeLastRequest);
= new UsernamePasswordWithTimeoutAuthenticationToken("Test", "Password", timeOut, "001", datimeLastRequest, AuthorityUtils.stringArrayToAuthorityArray(new String[]{"ROLE_USER"})/**/);
// Authentication auth = /*(StandardSessionAuthenticationToken)*/daoAuthenticationProvider.authenticate(token); //
// token.setAuthorities(auth.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(/*(UsernamePasswordWithTimeoutAuthenticationToken*/token); //auth.getDetails()
_eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(token, this.getClass())); // token
// /* SecurityContextHolder.getContext().getAuthentication()*/token.setAuthenticated(false)/*.eraseCredentials()*/;
try {
/*new */Thread.sleep(30/*00*/);//<<<--Idle time of user Session Simulation
} catch (InterruptedException e) {
e.printStackTrace();
}
SecurityContext sc = SecurityContextHolder.getContext();
String idSessao = SessionRegistryUtils.obtainSessionIdFromAuthentication(sc.getAuthentication());
sessionRegistry.registerNewSession(idSessao, token.getPrincipal())/*auth.getName()*//*.get(0).expireNow()*/;
// System.out.println("SessionInformation na Autenticação: " + idSessao);
SessionInformation[] sessoes = sessionRegistry.getAllSessions(token.getPrincipal(), true); // sc.getAuthentication()
for (SessionInformation session: sessoes) {
int i = 1;
System.out.println("SessionInformation na Autenticação: " + i++ + "º: " + session.getSessionId());
}
target.someUserMethod1(); //<<<--incide aqui o teste!!!
token.setAuthenticated(false);
SecurityContextHolder.getContext().setAuthentication(token); //auth.getDetails()
target.someUserMethod1(); //<<<--incide aqui o teste!!!
}
@Test(expected=AccessDeniedException.class)
public void a4targetShouldPreventProtectedMethodInvocationWithIncorrectRole() {
UsernamePasswordAuthenticationToken token
= new UsernamePasswordAuthenticationToken("Hakcer", "Password", AuthorityUtils.stringArrayToAuthorityArray(new String[]{"ROLE_SOMEINVALIDROLE"}));
// TestingAuthenticationToken token
// = new TestingAuthenticationToken("Test", "Password", /*AuthorityUtils.createAuthorityList(*/"ROLE_SOMEINVALIDROLE"/*)*/);
SecurityContextHolder.getContext().setAuthentication(token);
_eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(token, this.getClass()));
target.someAdminMethod(); //<<<--incide aqui o teste!!!
System.out.println("Falha na Autenticação: fluxo exec BLOQUEADO!!!)");
}
}
...そして最後に(私のopnionで)キーの実装(「CustomVoter」):
/**
* @author Derlon.Aliendres
*/
public class CustomVoter implements AccessDecisionVoter/*<Object>*/ {
@Inject
private SessionRegistry sessionRegistry;
@Inject //
private ApplicationEventPublisher _eventPublisher;
final protected Logger logger = Logger/*Factory*/.getLogger(getClass().getName());
@Override
public boolean supports(ConfigAttribute attribute) {
return true;
}
@Override
public boolean supports(Class/*<?>*/ clazzAuthentication) {
return true/*org.aopalliance.intercept.MethodInvocation.class.isAssignableFrom(clazzAuthentication)*/;
}
@Override
public int vote(Authentication authentication, Object object, ConfigAttributeDefinition/*Collection<ConfigAttribute>*/ attributes) {
logger.info("### Controle de Acesso ###");
//verifica se as credenciais são do tipo esperado
if (UsernamePasswordWithTimeoutAuthenticationToken.class.isInstance(authentication)) {/*authentication instanceof UsernamePasswordWithTimeoutAuthenticationToken*/
Boolean result = null;
UsernamePasswordWithTimeoutAuthenticationToken user = (UsernamePasswordWithTimeoutAuthenticationToken)authentication/*.getPrincipal()*/;
final SessionStandaloneInformation sessnInfo = (SessionStandaloneInformation)(user.getDetails());
final String sessionId = sessnInfo.getSessionId();
final Date datimeLastRequest = sessnInfo.getLastRequest();
final long timeOutTime = extractNonceValue(user.getTimeout());
// for (ConfigAttribute configAttribute : attributes) {
// String attr = configAttribute.getAttribute();
if (((new Date().getTime()) - datimeLastRequest.getTime()) > timeOutTime) { //attr.equals("ROLE_USER")
//ROLE_USER é a ROLE de usuário, logado, então retorna true sempre
result = false;
} else {
//chama uma lógica específica que verifica se o usuário possui permissão no contexto atual
result = true; // gerenciadorPermissao.verificarPermissao(variavelSessao, attr)
}
// }
if (result == null || result == Boolean.FALSE) {
logger.info(" -> Acesso Negado!");
SecurityContextHolder.clearContext();/*.getContext().getAuthentication().setAuthenticated(false)*/; //authentication .clearContext()
final NonceExpiredException userSessionExpiredException =/* null*/new NonceExpiredException("Sessão deo Usuário expirou! Efetue o LogOn novamente.");
_eventPublisher.publishEvent(new AuthenticationFailureExpiredEvent
(authentication, userSessionExpiredException));
throw userSessionExpiredException;
// return ACCESS_ABSTAIN; // ACCESS_DENIED
} else {
logger.info(" -> Acesso Permitido!");
sessionRegistry.refreshLastRequest(sessionId);
return ACCESS_GRANTED;
}
} else {
System.out.println(" -> Não é do tipo UsernamePasswordWithTimeoutAuthenticationToken!");
return ACCESS_ABSTAIN;
}
}
private long extractNonceValue(String timeout) {
return Long.valueOf/*getLong*/(timeout);
}
}
すでに試したことのコードサンプルを提供してください。誰かがあなたを助けることははるかに簡単です。 – Fjut
私はsessionRegistry.getAllPrincipals()から情報を得ることができません.Oracleは、Webアプリケーションではないため、auto-config = "true"でもcreate-session = "always" –
そして、最悪の場合、Spring-Security 3.1.xでは 'SessionRegistryUtil'が廃止されたようです。私は公的セキュリティ(スタンドアローンのアプリケーションで)についてのガイダンスを感謝します。あらかじめtnx –