我正在开发gwt应用程序,我希望使用spring-security来保护它。我在数据库中有用户数据,UserService负责获取特定用户。我已经按照tutorial
进行了操作的AuthenticationProvider:
public class CustomAuthenticationProvider implements AuthenticationProvider {
@Autowired UserService userService;
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String username = (String) authentication.getPrincipal();
String password = (String) authentication.getCredentials();
User user = userService.findByUserName(username);
if (user == null) {
throw new UsernameNotFoundException("User not found");
}
String storedPass = user.getPassword();
if (!storedPass.equals(password)) {
throw new BadCredentialsException("Invalid password");
}
Authentication customAuthentication = new CustomUserAuthentication(user, authentication);
customAuthentication.setAuthenticated(true);
return customAuthentication;
}
@Override
public boolean supports(Class<?> authentication) {
return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
}
}
CustomAuthentication
public class CustomUserAuthentication implements Authentication {
private static final long serialVersionUID = -3091441742758356129L;
private boolean authenticated;
private final GrantedAuthority grantedAuthority;
private final Authentication authentication;
private final User user;
public CustomUserAuthentication(User user, Authentication authentication) {
this.grantedAuthority = new SimpleGrantedAuthority(user.getRole().name());
this.authentication = authentication;
this.user = user;
}
@Override
public Collection<GrantedAuthority> getAuthorities() {
Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
authorities.add(grantedAuthority);
return authorities;
}
@Override
public Object getCredentials() {
return authentication.getCredentials();
}
@Override
public Object getDetails() {
return authentication.getDetails();
}
@Override
public Object getPrincipal() {
return user;
}
@Override
public boolean isAuthenticated() {
return authenticated;
}
@Override
public void setAuthenticated(boolean authenticated) throws IllegalArgumentException {
this.authenticated = authenticated;
}
@Override
public String getName() {
return user.getUsername();
}
}
安全背景:
<s:http auto-config="true" create-session="always" >
<s:intercept-url pattern="/index.html" access="ROLE_USER" />
<s:logout logout-success-url="/login.html"/>
<s:form-login login-page="/login.html" default-target-url="/index.html" authentication-failure-url="/login.html" />
</s:http>
<s:authentication-manager alias="authenticationManager">
<s:authentication-provider ref="customAuthenticationProvider" />
</s:authentication-manager>
<bean id="customAuthenticationProvider" class="com.example.server.security.CustomAuthenticationProvider" />
一切正常,弹簧拦截调用index.html我需要记录并将其重定向回index.html。问题是,当我退出然后再次访问index.html时,我只是简单地访问它。我想通了:
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
System.out.println("Logged as: " + auth.getName());
注销后打印anonymousUser。当我再次登录时,此代码打印我的用户名,因此我认为拦截匿名用户有问题。有谁知道如何拦截匿名用户?
答案 0 :(得分:4)
而不是:
<s:intercept-url pattern="/**" access="ROLE_USER" />
您可以使用:
<s:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY,ROLE_USER" />
这应该使Spring Security拒绝访问匿名用户。当然,这意味着您还需要添加其中一个:
<s:intercept-url pattern="/url_that_should_be_accessible_to_anonymous_user" access="IS_AUTHENTICATED_ANONYMOUSLY" />
对于匿名用户应该能够访问的每个模式。通常,登录页面,错误页面,静态资源(图像,PDF等)。