我正在尝试根据自己的需要调整springSecurity插件,因此当用户进行身份验证时,必须将密钥检查为对用户有效,然后存储在用户的会话中(用户可以拥有多个密钥)。 / p>
表单登录:
<form action='${request.contextPath}/j_spring_security_check' method='POST' id='loginForm' name='loginForm' controller="login" onLoading="showSpinner();" onComplete="hideSpinner();" class="form-horizontal" autocomplete='off'>
<g:if test='${flash.msg}'><div class='errors_pw3'><g:message code="default.message.login"/> </div><br/></g:if>
<div class="control-group" style="margin-left:80px;">
<label class="control-label" for='j_datastore'><g:message code="label.datastore" default="Key:" /></label>
<div class="controls">
<input type='text' name='key' id='key' value='${session.user.key}' class="span7"/>
</div>
</div>
<div class="control-group" style="margin-left:80px;">
<label class="control-label" for='j_username'><g:message code="label.ubistoreid" /></label>
<div class="controls">
<input type='text' name='j_username' id='username' value='${request.remoteUser}' class="span7"/>
</div>
</div>
<div class="control-group" style="margin-left:80px;">
<label class="control-label" for='j_password'><g:message code="label.password" /></label>
<div class="controls">
<input type='password' name='j_password' id='password' class="span7"/>
</div>
</div>
登录控制器:
def auth = {
def config = SpringSecurityUtils.securityConfig
def principal = springSecurityService.principal
// Store key in the session
session.setAttribute("KEY",params.key)
println params.key + "*******"
println params.params + "-----"
if (springSecurityService.isLoggedIn()) {
redirect uri:'/secure'
}
else if (params["login_error"]) {
if(request.getParameterValues('login_error')[0] == '1') {
flash.msg = "User or password invalid !"
}
}
String view = 'index'
String postUrl = "${request.contextPath}${config.apf.filterProcessesUrl}"
render view: view, model: [postUrl: postUrl,rememberMeParameter: config.rememberMe.parameter,params:params]
}
参数不会传递给会话
请,如何将springSecurityService修改为:
1)检查密钥条目是否已获得用户授权? (用户域类包含带有授权密钥列表的set<Key> keys条目)
2)稍后在用户会话中使用它(一旦经过身份验证)
答案 0 :(得分:0)
基本上,我已经实现了customRedirect策略。它有效,但我需要一个建议,在检查当前用户的关键对象的有效性后自定义响应;
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.apache.commons.lang.StringUtils
import org.springframework.security.web.DefaultRedirectStrategy
public class CustomRedirectStrategy extends DefaultRedirectStrategy {
static final String adminFailureUrl='/console/index'
static final String customerFailureUrl='/login/auth'
HttpServletRequest request
HttpServletResponse response
String url
String redirectUrl
@Override
public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException {
def key = request.getParameter("j_key")
if(key) {
// TODO: process key validation
request.session['KEY'] = key
def ds = DataStore.findByKeyname(key)
if(ds) {
request.session['DS'] = ds
}
log.debug '--------------------'
log.debug 'Used Key:'+ key
log.debug '--------------------'
} else {
log.debug '--------------------'
log.debug 'No key defined'
log.debug '--------------------'
}
if(request.getParameter('asAdmin') == 'true') {
redirectUrl = calculateAdminRedirectUrl(request);
}
else if (request.getParameter('asUser') == 'true') {
redirectUrl = calculateUserRedirectUrl(request);
}
redirectUrl = response.encodeRedirectURL(redirectUrl);
response.sendRedirect(redirectUrl);
}
private String calculateAdminRedirectUrl(final HttpServletRequest request) {
return request.getContextPath() + adminFailureUrl + "?login_error=1";
}
private String calculateUserRedirectUrl(final HttpServletRequest request) {
return request.getContextPath() + customerFailureUrl + "?login_error=1";
}
}