Wire a service into AbstractAuthenticationProcessingFilter to add authentication details

Time: 2013-10-21 14:16:57

Tags: spring spring-mvc spring-security

I want to add custom data to the Authentication object during the security authentication process:

public class MyAuthFilter extends AbstractAuthenticationProcessingFilter {

    MyUserDetailService userDetailService;  // <==== How to wire??

    @Override
    public Authentication attemptAuthentication(
            HttpServletRequest request,
            HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        ...
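        // setDetails() is declared on AbstractAuthenticationToken, not on the Authentication interface
        UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(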
               username,
               r.sessionId,
               Arrays.asList(new GrantedAuthority[]{new SimpleGrantedAuthority(grantedUserRole)}));
        auth.setDetails(userDetailService.getDetail()); // <== Save detail to auth.
        return auth;
    }
}

How do I wire the MyUserDetailService service?

How do I cache MyUserDetailService in a principal map (to avoid unnecessary calls to userDetailService.getDetail() and not crash from running out of memory)?

PS spring-security.xml

<http use-expressions="true" auto-config="false" entry-point-ref="oauthEntryPoint" authentication-manager-ref="oauthAuthenticationManager">
    <custom-filter position="FORM_LOGIN_FILTER" ref="myFilter" />
    <intercept-url pattern="/login.htm" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <anonymous username="anonymous" enabled="true" granted-authority="AN" key="anonymous-security" />
    <logout invalidate-session="true" logout-url="/logout" success-handler-ref="logoutHandler"/>
</http>

<beans:bean id="myFilter" class="com.web.filter.MyAuthFilter"> ...</beans:bean>

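1 answer:

Answer 0 (score: 3)

Spring Security follows the usual Spring architecture, so my custom AbstractAuthenticationProcessingFilter is just an ordinary bean.

I don't need to mark the class as @Component, because it is declared in spring-security.xml. I can use: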

 @Autowired
 private UserService userService;

Or:

public class MyAuthFilter
extends AbstractAuthenticationProcessingFilter
implements ApplicationContextAware {
    private UserService userService;
    @Override
    public void setApplicationContext(ApplicationContext applicationContext)
            throws BeansException {
        userService = applicationContext.getBean(UserService.class);
    }
...
}

After putting the value of userDetailService.getDetail() into the authentication:

UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
    userName, sessionId,
    AuthorityUtils.createAuthorityList(grantedUserRole));     
auth.setDetails(userService.get(userName));

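It is cached automatically, because the authentication object stays associated with the session, and after the session is invalidated this association is handed over to the GC.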
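
An added example, not part of the original question or answer: a complete filter that verifies the credentials through the configured AuthenticationManager before looking up the detail, and a helper that reads the detail back on later requests. Assumptions: `UserService` is a hypothetical stand-in interface, the request parameter names and the `/login.htm` processing URL are illustrative, the `javax.servlet` API matches the Spring Security version in use, and the `myFilter` bean has its `authenticationManager` property set.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;

/** Hypothetical stand-in for the page's UserService. */
interface UserService {
    Object get(String userName);
}

public class MyAuthFilter extends AbstractAuthenticationProcessingFilter {
    // Injected only if annotation processing is enabled in the XML context
    // (<context:annotation-config/> or <context:component-scan/>).
    @Autowired
    private UserService userService;

    public MyAuthFilter() {
        super("/login.htm"); // assumption: the login URL from spring-security.xml
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        String userName = request.getParameter("username"); // assumed parameter names
        String password = request.getParameter("password");
        // Verify the credentials first: authenticate() throws AuthenticationException
        // on failure, so no detail lookup is spent on a failed login.
        Authentication result = getAuthenticationManager().authenticate(
                new UsernamePasswordAuthenticationToken(userName, password));
        // setDetails() lives on AbstractAuthenticationToken, not on Authentication.
        if (result instanceof AbstractAuthenticationToken) {
            ((AbstractAuthenticationToken) result).setDetails(userService.get(result.getName()));
        }
        return result;
    }

    /** On later requests, read the detail from the security context instead of the service. */
    public static Object currentUserDetail() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth == null ? null : auth.getDetails();
    }
}
```

With the `<anonymous>` element enabled as in the posted configuration, `currentUserDetail()` returns the anonymous token's details for requests that have not logged in, so callers should check the type of the returned object.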