Acegi 学习笔记(6) 保护对方法的呼叫

Acegi是专为 Spring 设计的安全框架，藉由Spring所提供的AOP功能，可以使用org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor来对方法呼叫进行拦截，对方法的呼叫设定权限保护。

举个实际的例子来说，假设您设计了以下的介面与方法：

• ISome.java

package onlyfun.caterpillar;

public interface ISome {    
    public void doNormal();
    public void doSupervisor();
}

• Some.java

package onlyfun.caterpillar;

public class Some implements ISome {
    public void doNormal() {
        System.out.println("do normal...");
    }

    public void doSupervisor() {
        System.out.println("do supervisor...");
    }
}

假设某个请求下，会对Some的实例之方法进行呼叫，例如某个Servlet：

• SomeServlet.java

package onlyfun.caterpillar;

import java.io.*;
import java.net.*;

import javax.servlet.*;
import javax.servlet.http.*;
import org.springframework.context.ApplicationContext;
import org.springframework.web.context.support.WebApplicationContextUtils;

public class SomeServlet extends HttpServlet {
    
    protected void processRequest(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        
        ApplicationContext ctx = WebApplicationContextUtils.getRequiredWebApplicationContext(
                request.getSession().getServletContext());  
        ISome some = (ISome) ctx.getBean("some");  
        some.doNormal();
        some.doSupervisor();
        
        PrintWriter out = response.getWriter();
        out.print("process successfully...");
        out.close();
    }
    
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
        processRequest(request, response);
    }
    
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
        processRequest(request, response);
    }

    public String getServletInfo() {
        return "Short description";
    }
}

在web.xml中增加SomeServlet的定义：

在不设限的情况下，请求SomeServlet，会呼叫Some实例的doNormal()方法与doSecurity()方法，现在假设您想让 doSecurity()只让ROLE_SUPERVISOR的使用者来呼叫，则您可以在acegi-config.xml中加入：

• acegi-config.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
    ...

    <bean id="some" class="onlyfun.caterpillar.Some"/>

    <bean id="methodSecurityInterceptor" 
          class="org.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">  
        <property name="authenticationManager">  
             <ref bean="authenticationManager"/>  
        </property>  
        <property name="accessDecisionManager">  
            <ref bean="accessDecisionManager"/>  
        </property>  
        <property name="objectDefinitionSource">  
            <value>onlyfun.caterpillar.ISome.doSupervisor=ROLE_SUPERVISOR</value>  
        </property>  
    </bean>
    
    <bean id="autoProxyCreator" 
          class="org.springframework.aop.framework.autoproxy.BeanNameAutoProxyCreator">  
        <property name="beanNames">  
            <list>  
                <value>some</value>
            </list>  
        </property>  
        <property name="interceptorNames">  
            <list>  
                <value>methodSecurityInterceptor</value>
            </list>  
        </property>  
    </bean>  
</beans>

完成以下设定，如果再次请求SomeServlet，可以在控制台中看到doNormal()执行完成，但doSecurity()必须是 ROLE_SUPERVISOR才可以存取，因此您会被送往acegilogin.jsp进行登入，如果登入正确，就会执行doSecurity()，如 果登入为非ROLE_SUPERVISOR，则会发生授权失败的例外。