自定义身份验证提供程序如何工

时间:2013-10-15 11:28:02

标签: spring spring-mvc spring-security

美好的一天。

请帮忙。无法理解应如何触发我的自定义身份验证提供程序。

我有:

弹簧context.xml中

<security:http pattern="/login" security="none" />  


            <security:http auto-config="true" use-expressions="true">


                <security:form-login login-page="/login"/>

                <security:intercept-url pattern="/" access="hasRole('ROLE_USER')"/>

                <security:form-login authentication-failure-url="www.google.com"/> 

            </security:http>



            <security:authentication-manager>

                <security:authentication-provider user-service-ref="userSecurityService"/>

            </security:authentication-manager>


            <bean id="webContentDAOImpl" class="demidov.pkg.persistence.WebContentDAOImpl">
                <property name="sessionFactory"><ref bean="sessionFactory"/></property>
            </bean>


            <bean id="userSecurityService" class="demidov.pkg.persistence.UserSecurityService">
                <property name="webContentDAOIF" >
                    <ref bean="webContentDAOImpl"/>
                </property>
            </bean>

登录控制器:

   @Controller
public class LoginController {

    @RequestMapping(value="/login", method=RequestMethod.GET)
    public String login() {

        return "login"; 
    }


    @RequestMapping(value="/security/j_spring_security_check", method=RequestMethod.POST)
    public String  access() {

        return "redirect:/";

    }


}

登录JSP页面:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>

    <form action="security/j_spring_security_check" method="post">

        UserName: <input type="text"/> <br>
        Password: <input type="password"/> <br>

        <br>

        <input type="submit"/> 


    </form>

</body>
</html>

自定义主体解析器:

   public class UserSecurityService implements UserDetailsService{


    WebContentDAOIF webContentDAOIF;

        public WebContentDAOIF getWebContentDAOIF() {
            return webContentDAOIF;
        }


        public void setWebContentDAOIF(WebContentDAOIF webContentDAOIF) {
            this.webContentDAOIF = webContentDAOIF;
        }


    @Override
    public UserDetails loadUserByUsername(String userName)
            throws UsernameNotFoundException {


         UserDetails userDetails = null;


         TheUser theUser = webContentDAOIF.fetchUserByName(userName);

         userDetails = new User(theUser.getUserEmale(), theUser.getUserPassword(), true, true, true, true, getAthorities(theUser.getRoleAccess()));


        return userDetails;
    }


    public Collection<GrantedAuthority> getAthorities(String role) {


        List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(2);


        authList.add(new SimpleGrantedAuthority(" "));


        if ( role.equals("ROLE_USER")) {

            authList.add(new SimpleGrantedAuthority("ROLE_USER"));
           }

           // Return list of granted authorities
           return authList;

    }   

}

我无法理解我的自定义主体解析器应该如何使用安全性。它应该如何被触发以及由什么???当我在登录页面上输入错误的用户名和密码时,似乎无法使用我的UserSecurityService,只是因为spring-context.xml中的hasRole(ROLE_USER)而只是在登录页面上重定向。我相信j_spring_security_check可能会有所作为,但对它有所怀疑。请帮我理解。

2 个答案:

答案 0 :(得分:3)

请参考下面提到的链接,可能会有所帮助: -
    spring security custom authentication

答案 1 :(得分:0)

方法loadUserByUsername正在使用param userName,该值从浏览器发布,userName与DB进行比较,密码从DB获取并传递给有密码的UserDetail对象从浏览器发布,现在它将在内部比较密码并相应地进行身份验证