I am using spring-security in a Spring MVC application. At the moment I can log users in, passwords are hashed, everything works nicely. Whenever I need the authenticated Person object I retrieve the name through Spring Security and then fetch the user object from the database. That has always worked fine. Now, when I load the application for the first time, log in, close the tab and then enter the application address again, I want to check whether the user is authenticated and redirect. This is where I run into problems. I have gone through a lot of tutorials online and I am doing pretty much the same thing. Please have a look at what I am doing wrong. Thanks for your time.
Controller:
@RequestMapping(value = "/", method = RequestMethod.GET)
public String listPersons(Model model) {
    boolean authenticated = isAuthenticated(); // Here I am calling the function I have written to see if I am logged in
    if (authenticated) {
        return "redirect:/canvas/list";
    } else {
        model.addAttribute("person", new Person());
        model.addAttribute("listPersons", this.personService.listPersons());
        model.addAttribute("notices", new Notes());
        model.addAttribute("canvases", new Canvas());
        return "person";
    }
}
isAuthenticated function:
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

private boolean isAuthenticated() {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    // null means no Spring Security filter ran for this request, so nothing populated the context
    if (authentication == null) {
        return false;
    }
    // A visitor who has not logged in is represented by an AnonymousAuthenticationToken, not by null
    if (authentication instanceof AnonymousAuthenticationToken) {
        return false;
    } else {
        return true;
    }
}
Security-application-context.xml
<beans:import resource="servlet-context.xml" />

<!-- Global Security settings -->
<security:global-method-security pre-post-annotations="enabled" />

<!-- security="none" removes "/" from the filter chain entirely: no Spring Security filter runs
     for this URL, so SecurityContextHolder is left empty (null) for requests to "/" -->
<security:http pattern="/" security="none" />

<security:http create-session="ifRequired" use-expressions="true" auto-config="false" disable-url-rewriting="true">
    <security:form-login login-page="/" default-target-url="/canvas/list"
                         always-use-default-target="false" authentication-failure-url="/login?error" />
    <!-- With data-source-ref the namespace creates its own persistent-token services and JDBC token repository;
         the user-service-ref here points at a bean named "userDetailsService", whereas every other
         reference in this file uses "LoginServiceImpl" -->
    <security:remember-me key="_spring_security_remember_me" user-service-ref="userDetailsService"
                          token-validity-seconds="1209600" data-source-ref="dataSource" />
    <security:intercept-url pattern="/canvas/list" access="hasRole('ROLE_USER')" />
    <security:logout logout-success-url="/" delete-cookies="JSESSIONID" invalidate-session="true"
                     logout-url="/j_spring_security_logout" />
    <security:port-mappings>
        <security:port-mapping http="80" https="443" />
    </security:port-mappings>
    <security:session-management session-fixation-protection="newSession" invalid-session-url="/invalidSession.html">
        <security:concurrency-control max-sessions="3" error-if-maximum-exceeded="true" expired-url="/sessionExpired.html" />
    </security:session-management>
</security:http>

<!-- queries to be run on data -->
<!-- This bean is not referenced by the remember-me element above (no services-ref), so it is not used by the filter chain -->
<beans:bean id="rememberMeAuthenticationProvider"
            class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
    <beans:property name="key" value="_spring_security_remember_me" />
    <beans:property name="tokenRepository" ref="jdbcTokenRepository" />
    <beans:property name="userDetailsService" ref="LoginServiceImpl" />
</beans:bean>

<!-- Database management for remember-me -->
<beans:bean id="jdbcTokenRepository"
            class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
    <beans:property name="createTableOnStartup" value="false" />
    <beans:property name="dataSource" ref="dataSource" />
</beans:bean>
<!-- Remember me ends here -->

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider user-service-ref="LoginServiceImpl">
        <security:password-encoder ref="encoder" />
    </security:authentication-provider>
</security:authentication-manager>

<beans:bean id="encoder"
            class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
    <beans:constructor-arg name="strength" value="11" />
</beans:bean>

<!-- Not referenced by the authentication-manager above, which builds its own provider from user-service-ref -->
<beans:bean id="daoAuthenticationProvider"
            class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <beans:property name="userDetailsService" ref="LoginServiceImpl" />
    <beans:property name="passwordEncoder" ref="encoder" />
</beans:bean>
</beans:beans>
To retrieve the logged-in user I am using the method below, and it works like a charm.
@Override
public Person getCurrentlyAuthenticatedUser() {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    if (authentication == null) {
        System.out.println("User is not authenticated");
        return null;
    } else {
        // Look the Person up by the username Spring Security stored in the Authentication
        Person person = personDAO.findPersonByUsername(authentication.getName());
        return person;
    }
}
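As an added illustration (not the poster's code; the class name LandingController and the AuthLevel enum are made up here), a variant of the authentication check that distinguishes the states Spring Security can leave in the SecurityContext, including a remember-me login, using the AuthenticationTrustResolver that ships with Spring Security:

```java
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

@Controller
public class LandingController {

    /** How far Spring Security trusts the caller of the current request (hypothetical enum). */
    public enum AuthLevel { NONE, ANONYMOUS, REMEMBER_ME, FULL }

    private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

    /**
     * Classifies the current Authentication instead of collapsing it to true/false.
     * NONE means no filter populated the SecurityContext at all, which is what a request
     * sees when its URL is excluded from the filter chain: not even the anonymous token
     * is created there. ANONYMOUS and REMEMBER_ME are recognised via the trust resolver
     * rather than by instanceof checks on concrete token classes.
     */
    AuthLevel currentLevel() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null) {
            return AuthLevel.NONE;
        }
        if (trustResolver.isAnonymous(auth)) {
            return AuthLevel.ANONYMOUS;
        }
        if (trustResolver.isRememberMe(auth)) {
            return AuthLevel.REMEMBER_ME;
        }
        return AuthLevel.FULL;
    }

    @RequestMapping(value = "/", method = RequestMethod.GET)
    public String landing(Model model) {
        AuthLevel level = currentLevel();
        if (level == AuthLevel.FULL || level == AuthLevel.REMEMBER_ME) {
            // A remember-me user counts as logged in for a non-sensitive landing page;
            // sensitive URLs should demand fullyAuthenticated() in their intercept-url rule.
            return "redirect:/canvas/list";
        }
        model.addAttribute("authLevel", level.name()); // NONE or ANONYMOUS: show the login page
        return "person";
    }
}
```

The check only sees a populated SecurityContext when the request passed through the secured filter chain, so the URL it is mapped to must be covered by that chain.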