带有remember-me的Spring安全性UsernamePasswordAuthenticationFilter

时间:2012-05-10 10:29:08

标签: spring spring-security

我按照这里的文档,想在登录页面中加入remember-me功能,它需要一个UserDetailsService。但我的UserDetailsService没有被调用,谁能指出我哪里做错了?谢谢。

spring-security.xml

<?xml version="1.0" encoding="UTF-8"?> <beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xmlns:security="http://www.springframework.org/schema/security"
xmlns:p="http://www.springframework.org/schema/p" 
xsi:schemaLocation="http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security 
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<!-- Spring Security HTTP configuration.
auto-config="false": the login and remember-me filters are not registered automatically; they are declared explicitly below.
use-expressions="true": access attributes are expressions, see http://static.springsource.org/spring-security/site/docs/3.1.x/reference/el-access.html
entry-point-ref: the AuthenticationEntryPoint bean that starts the authentication process (authenticationEntryPoint, defined near the end of this file).
access-denied-page is not set on this element.
-->

<security:http auto-config="false" use-expressions="true" entry-point-ref="authenticationEntryPoint" >

    <!-- /login is open to everyone; permitAll is an expression, available because use-expressions="true".
    /search requires ROLE_USER.
    NOTE(review): URLs that match neither pattern have no access rule in this file; confirm that is intended,
    or add a catch-all rule that requires authentication. -->
    <security:intercept-url pattern="/login" access="permitAll"/>
    <security:intercept-url pattern="/search" access="hasRole('ROLE_USER')"/>

    <!-- The logout element adds support for logging out by navigating to a particular URL. 
    The default logout URL is /j_spring_security_logout, 
    but you can set it to something else using the logout-url attribute.
    NOTE(review): rememberMeServices is wired as a plain bean rather than through the namespace
    remember-me element, so this logout filter presumably does not call it to cancel the
    remember-me cookie; verify that logging out clears the cookie. -->
    <security:logout 
            invalidate-session="true" 
            logout-success-url="/login" />

    <!-- Only two custom filters are registered. Nothing sits at REMEMBER_ME_FILTER, so a remember-me
    cookie presented on a later request is not processed by this chain. -->
    <security:custom-filter ref="blacklistFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
    <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
</security:http>

<!--  Custom filter to deny unwanted users even though registered -->
<bean id="blacklistFilter" class="com.myapp.filter.BlacklistFilter" />

<!-- Custom filter for username and password, placed at FORM_LOGIN_FILTER above.
It references four other beans: rememberMeServices, customAuthenticationManager and the two handlers. -->
<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
    p:rememberMeServices-ref="rememberMeServices"
    p:authenticationManager-ref="customAuthenticationManager"
    p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
    p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler" />

<!-- Bean 1: Custom authentication manager (project class, not shown here). -->
<bean id="customAuthenticationManager" class="com.myapp.manager.CustomAuthenticationManager" />

<!-- bean 2: failed logins are sent to /login?error=true -->
<bean id="customAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
    p:defaultFailureUrl="/login?error=true" />

 <!-- bean 3: successful logins are sent to /search -->
<bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
    p:defaultTargetUrl="/search" />

<!-- bean 4: remember me.
The key is part of the hashed signature of every remember-me token. A short literal such as "myapp"
committed with the configuration is guessable; use a long random value supplied from outside the
source tree (for example a property placeholder).
NOTE(review): userDetailsService is consulted when a remember-me cookie is presented; the cookie is
only issued at login when the request carries the remember-me parameter (default name in 3.1 is
_spring_security_remember_me) or alwaysRemember is set. Confirm the login form sends it.
NOTE(review): the remember-me cookie is a long-lived credential; confirm it is only sent over HTTPS. -->
<bean id="rememberMeServices"
    class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
        <property name="userDetailsService" ref="userDetailsService"/>
        <property name="key" value="myapp"/>
</bean>

<!-- Project implementation used by rememberMeServices to load the user named in a token. -->
<bean id="userDetailsService" class="com.myapp.service.UserDetailsServiceImpl" />

<!-- Unauthenticated requests to protected URLs are sent to /login. -->
<bean id="authenticationEntryPoint"  class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
    p:loginFormUrl="/login"/>
<!-- Namespace authentication manager declared without any authentication-provider children;
the filter above uses customAuthenticationManager instead. -->
<security:authentication-manager/></beans>

谢谢,拉尔夫

我添加了过滤器,但UserDetailsServiceImpl仍然没有被调用(我在其中设置了断点)。

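/**
 * Stub used to check whether Spring Security invokes this UserDetailsService.
 *
 * No user lookup is implemented yet. The UserDetailsService contract does not
 * allow a null return, and a null here would be dereferenced by the
 * remember-me services, so the stub reports "not found" instead.
 *
 * @param email the user name taken from the login request or remember-me token
 * @return never returns normally in this stub
 * @throws UsernameNotFoundException always, until a real lookup is added
 */
public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
    logger.info("User details service is called");
    // Fail closed: an unknown user must be rejected, never represented as null.
    throw new UsernameNotFoundException("User lookup is not implemented");
}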

现在的配置是:

<?xml version="1.0" encoding="UTF-8"?><beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xmlns:security="http://www.springframework.org/schema/security"
xmlns:p="http://www.springframework.org/schema/p" 
xsi:schemaLocation="http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security 
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

<!-- Spring Security HTTP configuration.
auto-config="false": the login and remember-me filters are not registered automatically; they are declared explicitly below.
use-expressions="true": access attributes are expressions, see http://static.springsource.org/spring-security/site/docs/3.1.x/reference/el-access.html
entry-point-ref: the AuthenticationEntryPoint bean that starts the authentication process (authenticationEntryPoint, defined near the end of this file).
access-denied-page is not set on this element.
-->

<security:http auto-config="false" use-expressions="true" entry-point-ref="authenticationEntryPoint" >

    <!-- /login is open to everyone; permitAll is an expression, available because use-expressions="true".
    /search requires ROLE_USER.
    NOTE(review): URLs that match neither pattern have no access rule in this file; confirm that is intended,
    or add a catch-all rule that requires authentication. -->
    <security:intercept-url pattern="/login" access="permitAll"/>
    <security:intercept-url pattern="/search" access="hasRole('ROLE_USER')"/>

    <!-- The logout element adds support for logging out by navigating to a particular URL. 
    The default logout URL is /j_spring_security_logout, 
    but you can set it to something else using the logout-url attribute.
    NOTE(review): rememberMeServices is wired as a plain bean rather than through the namespace
    remember-me element, so this logout filter presumably does not call it to cancel the
    remember-me cookie; verify that logging out clears the cookie. -->
    <security:logout 
            invalidate-session="true" 
            logout-success-url="/login" />

    <!-- Three custom filters: the blacklist check, the form login filter, and the filter that
    processes a remember-me cookie on later requests. -->
    <security:custom-filter ref="blacklistFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
    <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
    <security:custom-filter ref="rememberMeFilter" position="REMEMBER_ME_FILTER"/>
</security:http>

<!--  Custom filter to deny unwanted users even though registered -->
<bean id="blacklistFilter" class="com.myapp.filter.BlacklistFilter" />

<!-- Custom filter for username and password, placed at FORM_LOGIN_FILTER above.
It references four other beans: rememberMeServices, customAuthenticationManager and the two handlers. -->
<bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"

    p:rememberMeServices-ref="rememberMeServices"
    p:authenticationManager-ref="customAuthenticationManager"
    p:authenticationFailureHandler-ref="customAuthenticationFailureHandler"
    p:authenticationSuccessHandler-ref="customAuthenticationSuccessHandler" />

<!-- Bean 1: Custom authentication manager (project class, not shown here). -->
<bean id="customAuthenticationManager" class="com.myapp.manager.CustomAuthenticationManager" />

<!-- bean 2: failed logins are sent to /login?error=true -->
<bean id="customAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
    p:defaultFailureUrl="/login?error=true" />

 <!-- bean 3: successful logins are sent to /search -->
<bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler"
    p:defaultTargetUrl="/search" />

<!-- bean 4: remember me.
The key is part of the hashed signature of every remember-me token. A short literal such as "myapp"
committed with the configuration is guessable; use a long random value supplied from outside the
source tree (for example a property placeholder).
NOTE(review): userDetailsService is consulted when a remember-me cookie is presented; the cookie is
only issued at login when the request carries the remember-me parameter (default name in 3.1 is
_spring_security_remember_me) or alwaysRemember is set. Confirm the login form sends it.
NOTE(review): the remember-me cookie is a long-lived credential; confirm it is only sent over HTTPS. -->
<bean id="rememberMeServices"
    class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
        <property name="userDetailsService" ref="userDetailsService"/>
        <property name="key" value="myapp"/>
</bean>

<!-- Project implementation used by rememberMeServices to load the user named in a token. -->
<bean id="userDetailsService" class="com.myapp.service.UserDetailsServiceImpl" />


<!-- Filter registered at REMEMBER_ME_FILTER. It asks rememberMeServices for an auto-login and hands
the resulting token to customAuthenticationManager.
NOTE(review): CustomAuthenticationManager is not shown; it has to accept the remember-me token and
check it against the same key as rememberMeServices (the stock RememberMeAuthenticationProvider
does this). Confirm, otherwise tokens are either rejected or accepted without the key check. -->
<bean id="rememberMeFilter" class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
    <property name="rememberMeServices" ref="rememberMeServices"/>
    <property name="authenticationManager" ref="customAuthenticationManager" />
</bean>

<!-- Unauthenticated requests to protected URLs are sent to /login. -->
<bean id="authenticationEntryPoint"  class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
    p:loginFormUrl="/login"/>

<!-- Namespace authentication manager declared with alias theAuthenticationManager and without any
authentication-provider children; no bean in this file references the alias, the filters use
customAuthenticationManager instead. -->
<security:authentication-manager alias="theAuthenticationManager"/></beans>

1 个答案:

答案 0 :(得分:0)

您似乎忘了添加RememberMeAuthenticationFilter。看看您提到的文档中的示例,就会明白我的意思。


尝试首先将配置缩减为默认配置,例如http://www.i-develop.be/blog/2010/02/04/spring-security-remember-me/