> Spring is just an IoC container; how did it get tied up with sessions?
We are developing with Spring, right? Spring is a development framework, and as a business-layer development framework it has no Session support. Are we supposed to go down to the presentation layer to use the Session?
The recent emphasis on state management in the JBoss Seam framework already shows how important state management is in development. To put it bluntly: people who ignore state management are basically using a database-centric programming mindset, and if you program around the database anyway, writing a few SQL statements is enough; why bother dressing yourself up with an OO facade?
> Spring's simplicity and convenience fit the psychology of frustrated programmers
Is Spring simple? The demo programs are simple; in real use it is enormously complicated, especially once Session management is added, unless you program entirely around the database. Compared with the JdonFramework I developed, Spring is far more complex, especially in its ACL permission implementation. JiveJdon3, built on JdonFramework, uses standard JAAS container technology plus AOP component technology, which is simple and easy to learn; compared with implementing the same functionality in Spring with Acegi Security, I have no idea how many times lighter it is. Below is the applicationContext-security.xml configuration that implements Web URL access checks and component access checks: over a hundred lines of configuration to make your head spin. Is this the bullshit "lightweight" that Spring advocates? It is a lame trap:
For the configuration lines, see this thread; I will not waste space here:
http://www.jdon.com/jive/thread.jsp?forum=61&thread=25141&message=18262459#18262459
Now look at how its interceptor uses the Session, in this code:
// Imports are added here for readability; they assume the Acegi 1.0.x package layout
// (org.acegisecurity) and the AppFuse model classes this advice comes from.
import java.lang.reflect.Method;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;

import org.acegisecurity.AccessDeniedException;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationTrustResolver;
import org.acegisecurity.AuthenticationTrustResolverImpl;
import org.acegisecurity.GrantedAuthority;
import org.acegisecurity.context.SecurityContext;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.userdetails.UserDetails;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.appfuse.Constants;
import org.appfuse.model.Role;
import org.appfuse.model.User;
import org.springframework.aop.MethodBeforeAdvice;

public class UserSecurityAdvice implements MethodBeforeAdvice {
    public final static String ACCESS_DENIED = "Access Denied: Only administrators are allowed to modify other users.";
    protected final Log log = LogFactory.getLog(UserSecurityAdvice.class);

    public void before(Method method, Object[] args, Object target) throws Throwable {
        // The caller's identity comes from the static, thread-bound holder, not from a method argument.
        SecurityContext ctx = SecurityContextHolder.getContext();

        if (ctx.getAuthentication() != null) {
            Authentication auth = ctx.getAuthentication();
            boolean administrator = false;
            GrantedAuthority[] roles = auth.getAuthorities();
            for (int i = 0; i < roles.length; i++) {
                if (roles[i].getAuthority().equals(Constants.ADMIN_ROLE)) {
                    administrator = true;
                    break;
                }
            }

            // The first argument of the advised method is the User being saved.
            User user = (User) args[0];
            String username = user.getUsername();

            String currentUser = null;
            if (auth.getPrincipal() instanceof UserDetails) {
                currentUser = ((UserDetails) auth.getPrincipal()).getUsername();
            } else {
                currentUser = String.valueOf(auth.getPrincipal());
            }

            if (!username.equals(currentUser)) {
                AuthenticationTrustResolver resolver = new AuthenticationTrustResolverImpl();
                // allow new users to signup - this is OK b/c Signup doesn't allow setting of roles
                boolean signupUser = resolver.isAnonymous(auth);
                if (!signupUser) {
                    if (log.isDebugEnabled()) {
                        log.debug("Verifying that '" + currentUser + "' can modify '" + username + "'");
                    }
                    if (!administrator) {
                        log.warn("Access Denied: '" + currentUser + "' tried to modify '" + username + "'!");
                        throw new AccessDeniedException(ACCESS_DENIED);
                    }
                } else {
                    if (log.isDebugEnabled()) {
                        log.debug("Registering new user '" + username + "'");
                    }
                }
            }
            // fix for http://issues.appfuse.org/browse/APF-96
            // don't allow users with "user" role to upgrade to "admin" role
            else if (username.equalsIgnoreCase(currentUser) && !administrator) {
                // get the list of roles the user is trying add
                Set userRoles = new HashSet();
                if (user.getRoles() != null) {
                    for (Iterator it = user.getRoles().iterator(); it.hasNext();) {
                        Role role = (Role) it.next();
                        userRoles.add(role.getName());
                    }
                }

                // get the list of roles the user currently has
                Set authorizedRoles = new HashSet();
                for (int i = 0; i < roles.length; i++) {
                    authorizedRoles.add(roles[i].getAuthority());
                }

                // if they don't match - access denied
                // users aren't allowed to change their roles
                if (!CollectionUtils.isEqualCollection(userRoles, authorizedRoles)) {
                    log.warn("Access Denied: '" + currentUser + "' tried to change their role(s)!");
                    throw new AccessDeniedException(ACCESS_DENIED);
                }
            }
        }
    }
}
Look at the line SecurityContext ctx = SecurityContextHolder.getContext();
This line obtains the SecurityContext through a static class. If there are two such Spring+Acegi applications in the same JVM, which SecurityContext is actually returned?
And this code only retrieves the logged-in user's details from the Session; if you need anything else, sorry, do it yourself, just like the fellow earlier who wrote his own static class similar to SecurityContextHolder.
The equally lightweight JdonFramework needs only a few lines for this; see the JiveJdon3 source.
Finally, I want to point out: Spring is an ideal lightweight product from the lab. It stirred up everyone's desire for simplicity and ease, but it never truly delivered. To put it bluntly, it is deception.
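The advice quoted above enforces two rules, "only administrators modify other users, anonymous self-signup excepted" and "a non-administrator may not change their own roles", and reads the caller from a static holder. The following is an added example, not code from the original post, from AppFuse or from Acegi: a self-contained model of those two rules in which the caller's context is kept in a ThreadLocal, the way Acegi's default SecurityContextHolder strategy does, so that each request thread sees only the context it set itself. All class and role names here (UserModifyCheckDemo, Principal, UserUpdate, ContextHolder, ROLE_ADMIN, ROLE_ANONYMOUS) are assumptions for the example. Unlike the advice above, it fails closed when no caller is bound to the thread, and it rejects an anonymous signup that carries roles.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class UserModifyCheckDemo {
    // Role names are assumptions for this example, not AppFuse's Constants.
    static final String ADMIN_ROLE = "ROLE_ADMIN";
    static final String ANONYMOUS_ROLE = "ROLE_ANONYMOUS";

    /** The authenticated caller on the current thread: name plus granted roles. */
    static final class Principal {
        final String name;
        final Set<String> roles;
        Principal(String name, String... roles) {
            this.name = name;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }
        boolean isAdmin() { return roles.contains(ADMIN_ROLE); }
        boolean isAnonymous() { return roles.contains(ANONYMOUS_ROLE); }
    }

    /** The user record the caller is trying to save: username plus the roles it would end up with. */
    static final class UserUpdate {
        final String username;
        final Set<String> roles;
        UserUpdate(String username, String... roles) {
            this.username = username;
            this.roles = new HashSet<>(Arrays.asList(roles));
        }
    }

    /** Per-thread holder: a context set on one request thread is invisible to every other thread. */
    static final class ContextHolder {
        private static final ThreadLocal<Principal> CURRENT = new ThreadLocal<>();
        static void set(Principal p) { CURRENT.set(p); }
        static Principal get() { return CURRENT.get(); }
        // Clear at the end of every request so a pooled thread cannot carry a stale identity.
        static void clear() { CURRENT.remove(); }
    }

    static final class AccessDenied extends RuntimeException {
        AccessDenied(String msg) { super(msg); }
    }

    /**
     * Rule 1: only an administrator may modify another user's record; an anonymous caller
     *         may create a record (self-signup) but only one that carries no roles.
     * Rule 2: a non-administrator may not change their own role set.
     * Fails closed: no caller bound to the thread means access is denied.
     */
    static void checkCanModify(UserUpdate target) {
        Principal me = ContextHolder.get();
        if (me == null) {
            throw new AccessDenied("no authenticated caller bound to this thread");
        }
        if (!me.name.equals(target.username)) {
            if (me.isAnonymous()) {
                if (!target.roles.isEmpty()) {
                    throw new AccessDenied("signup may not assign roles");
                }
                return; // anonymous self-signup
            }
            if (!me.isAdmin()) {
                throw new AccessDenied("'" + me.name + "' may not modify '" + target.username + "'");
            }
            return; // administrator editing someone else
        }
        if (!me.isAdmin() && !me.roles.equals(target.roles)) {
            throw new AccessDenied("'" + me.name + "' may not change their own roles");
        }
    }

    /** Binds the caller, runs the check, always unbinds; returns whether the update was allowed. */
    static boolean allowed(Principal caller, UserUpdate target) {
        ContextHolder.set(caller);
        try {
            checkCanModify(target);
            return true;
        } catch (AccessDenied e) {
            System.out.println("denied: " + e.getMessage());
            return false;
        } finally {
            ContextHolder.clear();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        Principal admin = new Principal("alice", ADMIN_ROLE, "ROLE_USER");
        Principal bob = new Principal("bob", "ROLE_USER");
        Principal anon = new Principal("anonymousUser", ANONYMOUS_ROLE);

        System.out.println(allowed(admin, new UserUpdate("bob", "ROLE_USER")));            // true
        System.out.println(allowed(bob, new UserUpdate("carol", "ROLE_USER")));            // false: not an admin
        System.out.println(allowed(bob, new UserUpdate("bob", "ROLE_USER")));              // true: roles unchanged
        System.out.println(allowed(bob, new UserUpdate("bob", "ROLE_USER", ADMIN_ROLE)));  // false: self-escalation
        System.out.println(allowed(anon, new UserUpdate("dave")));                         // true: signup without roles
        System.out.println(allowed(anon, new UserUpdate("dave", ADMIN_ROLE)));             // false: signup with roles

        // Thread isolation: bob bound on the main thread is not visible from a worker thread (prints null).
        ContextHolder.set(bob);
        Thread worker = new Thread(() -> System.out.println("worker thread sees: " + ContextHolder.get()));
        worker.start();
        worker.join();
        ContextHolder.clear();
    }
}
```

The last few lines of main answer the "which context is returned" question for a thread-local holder in concrete terms: the worker thread gets null, because the holder keys on the thread, not on the application. The finally block in allowed() is the part most often forgotten in real filters; a context left behind on a pooled thread is the usual source of one request seeing another user's identity.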