如何在spring security中使用带有authentication-success-handler-ref等效的自定义过滤器

时间:2014-05-29 05:54:14

标签: spring spring-mvc spring-security

我想将一些带有登录详细信息的参数传递给spring安全性,例如一些item id。 然后我想根据用户类型重定向到页面。 为此,我使用自定义过滤器来发送其他参数。 重定向我正在使用 authentication-success-handler-ref 。 我的问题是,我正在使用 以及自定义过滤器来解决位置冲突。 请帮我完成任务。

这是我的配置

<http   use-expressions="true">
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/logout" access="permitAll" />
        <intercept-url pattern="/accessdenied" access="permitAll" />

       <custom-filter ref="ddAuthenticationFilter" position="FORM_LOGIN_FILTER" />
        <form-login authentication-failure-url="/accessdenied" 
        authentication-success-handler-ref="ddAuthenticationSuccessHandler"/>



    </http>

    <beans:bean id="ddAuthenticationFilter" class="com.dd.security.ExUsernamePasswordAuthenticationFilter"/>

    <beans:bean id="ddAuthenticationSuccessHandler" class="com.dd.security.DDAuthenticationSuccessHandler" />

1 个答案:

答案 0 :(得分:6)

我理解您的问题如下:我想在登录表单中提交一个itemId,该表单在成功登录重定向后使用

为了建立这样一个过程,你需要做一些事情。

从配置中删除<form-login ...>。你应该:

<http use-expressions="true" entry-point-ref="authenticationEntryPoint">
    <intercept-url pattern="/login" access="permitAll" />
    <intercept-url pattern="/resources/**" access="permitAll" />
    <intercept-url pattern="/logout" access="permitAll" />
    <intercept-url pattern="/accessdenied" access="permitAll" />

    <custom-filter ref="ddAuthenticationFilter" position="FORM_LOGIN_FILTER" />
    <security:logout />
</http>

不要忘记添加<security:logout />进行退出,entry-point-ref属性指向authenticationEntryPoint

LoginUrlAuthenticationEntryPoint添加entry-point-ref,指向您的登录页面:

<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <constructor-arg name="loginFormUrl" value="/login" />
</bean>

重构您的ddAuthenticationFilter以符合以下配置:

<bean id="ddAuthenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="filterProcessesUrl" value="/j_spring_security_check" />
    <property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
    <property name="authenticationSuccessHandler" ref="ddAuthenticationSuccessHandler" />
    <property name="authenticationDetailsSource">
        <bean class="security.CustomWebAuthenticationDetailsSource" />
    </property>
</bean>

<bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <property name="defaultFailureUrl" value="/accessdenied" />
</bean>

创建新课程CustomWebAuthenticationDetailsSource

package security;

import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

import javax.servlet.http.HttpServletRequest;

public class CustomWebAuthenticationDetailsSource implements AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> {
    @Override
    public WebAuthenticationDetails buildDetails(HttpServletRequest context) {
        return new CustomWebAuthenticationDetails(context);
    }
}

以及相关的CustomWebAuthenticationDetails

package security;

import org.springframework.security.web.authentication.WebAuthenticationDetails;
import javax.servlet.http.HttpServletRequest;

public class CustomWebAuthenticationDetails extends WebAuthenticationDetails {

    private final String itemId;

    public CustomWebAuthenticationDetails(HttpServletRequest request) {
        super(request);
        itemId = request.getParameter("itemId");
    }

    public String getItemId() {
        return itemId;
    }

    //TODO override hashCode, equals and toString to include itemId
    @Override
    public int hashCode() { /* collapsed */ }
    @Override
    public boolean equals(Object obj) { /* collapsed */ }
    @Override
    public String toString() { /* collapsed */ }
}

您的ddAuthenticationSuccessHandler应该具有类似于此示例的逻辑:

package com.dd.security;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.util.StringUtils;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class DDAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
        CustomWebAuthenticationDetails details = (CustomWebAuthenticationDetails) authentication.getDetails();
        if(StringUtils.hasText(details.getItemId())) {
            //TODO sanity and security check for itemId needed
            String redirectUrl = "item/" + details.getItemId();
            response.sendRedirect(redirectUrl);
        }
        throw new IllegalStateException("itemId in authentication details not found");
    }
}

可以找到一个工作示例here

相关问题
最新问题