首頁 探索 說明
註冊 登入
github
/
spring-security
镜像来自 https://github.com/spring-projects/spring-security
2
0
複刻 0
檔案 問題管理 0 Wiki
目錄樹: ac3b142e4f
分支列表 標籤列表
spring-security
/
doc
/
xdocs
/
petclinic-tutorial.xml

petclinic-tutorial.xml 8.2 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168 
  1. <?xml version="1.0" encoding="ISO-8859-1"?>
    2. 

  2. <document><properties><title>Tutorial: Adding Security to Spring Petclinic</title></properties><body><section name="Tutorial: Adding Security to Spring Petclinic"><subsection name="Preparation"><p>To complete this tutorial, you will require a servlet container (such as Tomcat)
    3. 

  3. and a general understanding of using Spring without Acegi Security. The Petclinic
    4. 

  4. sample itself is part of Spring and should help you learn Spring. We suggest you
    5. 

  5. only try to learn one thing at a time, and start with Spring/Petclinic before
    6. 

  6. Acegi Security.
    7. 

  7. </p><p>
    8. 

  8. You will also need to download:
    9. 

  9. <ul>
    10. 

  10. <li>Spring 2.0 with dependencies ZIP file</li>
    11. 

  11. <li>Acegi Security 1.0.2</li>
    12. 

  12. </ul>
    13. 

  13. </p><p>
    14. 

  14. Unzip both files. After unzipping Acegi Security, you'll need to unzip the
    15. 

  15. acegi-security-sample-tutorial.war file, because we need some files that are
    16. 

  16. included within it. In the code below, we'll refer to the respective unzipped
    17. 

  17. locations as %spring% and %acegi% (with the latter variable referring to the
    18. 

  18. unzipped WAR, not the original ZIP). There is no need to setup any environment
    19. 

  19. variables to complete the tutorial.
    20. 

  20. </p></subsection><subsection name="Add required Acegi Security files to Petclinic"><p>
    21. 

  21. We now need to put some extra files into Petclinic. The following commands should work:
    22. 

  22. <pre>
    23. 

  23. mkdir %spring%\samples\petclinic\war\WEB-INF\lib
    24. 

  24. copy %acegi%\acegilogin.jsp %spring%\samples\petclinic\war
    25. 

  25. copy %acegi%\accessDenied.jsp %spring%\samples\petclinic\war
    26. 

  26. copy %acegi%\WEB-INF\users.properties %spring%\samples\petclinic\war\WEB-INF
    27. 

  27. copy %acegi%\WEB-INF\applicationContext-acegi-security.xml %spring%\samples\petclinic\war\WEB-INF
    28. 

  28. copy %acegi%\WEB-INF\lib\acegi-security-1.0.0.jar %spring%\samples\petclinic\war\WEB-INF\lib
    29. 

  29. copy %acegi%\WEB-INF\lib\oro-2.0.8.jar %spring%\samples\petclinic\war\WEB-INF\lib
    30. 

  30. copy %acegi%\WEB-INF\lib\commons-codec-1.3.jar %spring%\samples\petclinic\war\WEB-INF\lib
    31. 

  31. </pre>
    32. 

  32. </p></subsection><subsection name="Configure Petclinic&apos;s files"><p>Edit %spring%\samples\petclinic\war\WEB-INF\web.xml and insert the following block of code.
    33. 

  33. <pre>
    34. 

  34. &lt;filter&gt;
    35. 

  35.   &lt;filter-name&gt;Acegi Filter Chain Proxy&lt;/filter-name&gt;
    36. 

  36.   &lt;filter-class&gt;org.acegisecurity.util.FilterToBeanProxy&lt;/filter-class&gt;
    37. 

  37.   &lt;init-param&gt;
    38. 

  38.     &lt;param-name&gt;targetClass&lt;/param-name&gt;
    39. 

  39.     &lt;param-value&gt;org.acegisecurity.util.FilterChainProxy&lt;/param-value&gt;
    40. 

  40.   &lt;/init-param&gt;
    41. 

  41. &lt;/filter&gt;
    42. 

  42. 

  43. &lt;filter-mapping&gt;
    44. 

  44.   &lt;filter-name&gt;Acegi Filter Chain Proxy&lt;/filter-name&gt;
    45. 

  45.   &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
    46. 

  46. &lt;/filter-mapping&gt;
    47. 

  47. </pre>
    48. 

  48. Next, locate the "contextConfigLocation" parameter, and add a new line into the existing param-value.
    49. 

  49. The resulting block will look like this:
    50. 

  50. <pre>
    51. 

  51. &lt;context-param&gt;
    52. 

  52.   &lt;param-name&gt;contextConfigLocation&lt;/param-name&gt;
    53. 

  53.   &lt;param-value&gt;
    54. 

  54.     /WEB-INF/applicationContext-jdbc.xml
    55. 

  55.     /WEB-INF/applicationContext-acegi-security.xml
    56. 

  56.   &lt;/param-value&gt;
    57. 

  57. &lt;/context-param&gt;
    58. 

  58. </pre>
    59. 

  59. </p><p>
    60. 

  60. To make it easier to experiment with the application, now edit
    61. 

  61. %spring%\samples\petclinic\war\WEB-INF\jsp\footer.jsp. Add a new "logout" link, as shown:
    62. 

  62. <pre>
    63. 

  63. &lt;table style="width:100%"&gt;&lt;tr&gt;
    64. 

  64.   &lt;td&gt;&lt;A href="&lt;c:url value="/welcome.htm"/&gt;"&gt;Home&lt;/A&gt;&lt;/td&gt;
    65. 

  65.   &lt;td&gt;&lt;A href="&lt;c:url value="/j_acegi_logout"/&gt;"&gt;Logout&lt;/A&gt;&lt;/td&gt;
    66. 

  66.   &lt;td style="text-align:right;color:silver"&gt;PetClinic :: a Spring Framework demonstration&lt;/td&gt;
    67. 

  67. &lt;/tr&gt;&lt;/table&gt;
    68. 

  68. </pre>
    69. 

  69. </p><p>
    70. 

  70. Our last step is to specify which URLs require authorization and which do not. Let's
    71. 

  71. edit %spring%\samples\petclinic\war\WEB-INF\applicationContext-acegi-security.xml.
    72. 

  72. Locate the bean definition for FilterSecurityInterceptor. Edit its objectDefinitionSource
    73. 

  73. property so that it reflects the following:
    74. 

  74. <pre>
    75. 

  75. &lt;property name="objectDefinitionSource"&gt;
    76. 

  76.   &lt;value&gt;
    77. 

  77.     CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    78. 

  78.     PATTERN_TYPE_APACHE_ANT
    79. 

  79.     /acegilogin.jsp=IS_AUTHENTICATED_ANONYMOUSLY
    80. 

  80.     /**=IS_AUTHENTICATED_REMEMBERED
    81. 

  81.   &lt;/value&gt;
    82. 

  82. &lt;/property&gt;
    83. 

  83. </pre>
    84. 

  84. </p></subsection><subsection name="Start Petclinic&apos;s database"><p>Start the Hypersonic server (this is just normal Petclinic configuration):
    85. 

  85. <pre>
    86. 

  86. cd %spring%\samples\petclinic\db\hsqldb
    87. 

  87. server
    88. 

  88. </pre>
    89. 

  89. </p><p>
    90. 

  90. Insert some data (again, normal Petclinic configuration):
    91. 

  91. <pre>
    92. 

  92. cd %spring%\samples\petclinic
    93. 

  93. build setupDB
    94. 

  94. </pre>
    95. 

  95. </p></subsection><subsection name="Build and deploy the Petclinic WAR file"><p>
    96. 

  96. Use Petclinic's Ant build script and deploy to your servlet container:
    97. 

  97. <pre>
    98. 

  98. cd %spring%\samples\petclinic
    99. 

  99. build warfile
    100. 

  100. copy dist\petclinic.war %TOMCAT_HOME%\webapps
    101. 

  101. </pre>
    102. 

  102. </p><p>Finally, start your container and try to visit the home page.
    103. 

  103. Your request should be intercepted and you will be forced to login.</p></subsection><subsection name="Optional Bonus: Securing the Middle Tier"><p>
    104. 

  104. Whilst you've now secured your web requests, you might want to stop users
    105. 

  105. from being able to add clinic visits unless authorized. We'll make it so
    106. 

  106. you need to hold ROLE_SUPERVISOR to add a clinic visit.
    107. 

  107. </p><p>
    108. 

  108. In %spring%\samples\petclinic\war\WEB-INF\applicationContext-jdbc.xml, locate
    109. 

  109. the TransactionProxyFactoryBean definition. Add an additional property after
    110. 

  110. the existing "preInterceptors" property:
    111. 

  111. <pre>
    112. 

  112. &lt;property name="postInterceptors" ref="methodSecurityInterceptor"/&gt;
    113. 

  113. </pre>
    114. 

  114. </p><p>
    115. 

  115. Finally, we need to add in the referred-to "methodSecurityInterceptor" bean definition.
    116. 

  116. So pop an extra bean definition in, as shown below:
    117. 

  117. <pre>
    118. 

  118. &lt;bean id="methodSecurityInterceptor" class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor"&gt;
    119. 

  119.   &lt;property name="authenticationManager"&gt;&lt;ref bean="authenticationManager"/&gt;&lt;/property&gt;
    120. 

  120.   &lt;property name="accessDecisionManager"&gt;
    121. 

  121.     &lt;bean class="org.acegisecurity.vote.AffirmativeBased"&gt;
    122. 

  122.       &lt;property name="allowIfAllAbstainDecisions" value="false"/&gt;
    123. 

  123.       &lt;property name="decisionVoters"&gt;
    124. 

  124.         &lt;list&gt;
    125. 

  125.           &lt;bean class="org.acegisecurity.vote.RoleVoter"/&gt;
    126. 

  126.           &lt;bean class="org.acegisecurity.vote.AuthenticatedVoter"/&gt;
    127. 

  127.         &lt;/list&gt;
    128. 

  128.       &lt;/property&gt;
    129. 

  129.     &lt;/bean&gt;
    130. 

  130.   &lt;/property&gt;
    131. 

  131.   &lt;property name="objectDefinitionSource"&gt;
    132. 

  132.     &lt;value&gt;
    133. 

  133.       org.springframework.samples.petclinic.Clinic.*=IS_AUTHENTICATED_REMEMBERED
    134. 

  134.       org.springframework.samples.petclinic.Clinic.storeVisit=ROLE_SUPERVISOR
    135. 

  135.     &lt;/value&gt;
    136. 

  136.   &lt;/property&gt;
    137. 

  137. &lt;/bean&gt;
    138. 

  138. </pre>
    139. 

  139. </p><p>
    140. 

  140. Redeploy your web application. Use the earlier process to do that. Be careful to
    141. 

  141. ensure that the old Petclinic WAR is replaced by the new Petclinic WAR in your
    142. 

  142. servlet container. Login as "marissa", who has ROLE_SUPERVISOR. You will be able to
    143. 

  143. then view a customer and add a visit. Logout, then login as anyone other than Marissa.
    144. 

  144. You will receive an access denied error when you attempt to add a visit.
    145. 

  145. </p><p>
    146. 

  146. To clean things up a bit, you might want to wrap up by hiding the "add visit" link
    147. 

  147. unless you are authorized to use it. Acegi Security provides a tag library to help
    148. 

  148. you do that. Edit %spring%\samples\petclinic\war\WEB-INF\jsp\owner.jsp. Add
    149. 

  149. the following line to the top of the file:
    150. 

  150. <pre>
    151. 

  151. &lt;%@ taglib prefix="authz" uri="http://acegisecurity.org/authz" %&gt;
    152. 

  152. </pre>
    153. 

  153. Next, scroll down and find the link to "add visit". Modify it as follows:
    154. 

  154. <pre>
    155. 

  155. &lt;authz:authorize ifAllGranted="ROLE_SUPERVISOR"&gt;
    156. 

  156.   &lt;FORM method=GET action="&lt;c:url value="/addVisit.htm"/&gt;" name="formVisitPet&lt;c:out value="${pet.id}"/&gt;"&gt;
    157. 

  157.   &lt;INPUT type="hidden" name="petId" value="&lt;c:out value="${pet.id}"/&gt;"/&gt;
    158. 

  158.   &lt;INPUT type="submit" value="Add Visit"/&gt;
    159. 

  159.   &lt;/FORM&gt;
    160. 

  160. &lt;/authz:authorize&gt;          
    161. 

  161. </pre>
    162. 

  162. </p></subsection><subsection name="What now?"><p>
    163. 

  163. These steps can be applied to your own application. Although we do suggest
    164. 

  164. that you visit <a href="http://acegisecurity.org">http://acegisecurity.org</a>
    165. 

  165. and in particular review the "Suggested Steps" for getting started with Acegi
    166. 

  166. Security. The suggested steps are optimized for learning Acegi Security quickly
    167. 

  167. and applying it to your own projects. It also includes realistic time estimates
    168. 

  168. for each step so you can plan your integration activities.</p></subsection></section></body></document>
    169.