我通过扩展UsernamePasswordAuthenticationFilter并覆盖requiresAuthentication方法来实现自定义过滤器。但是,在该方法中,我需要访问过滤器链。因此,我将其自动装入。但是,在尝试构建时,它没有说FilterChain没有这样的bean。
的web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd">
<!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/spring/security-context.xml
</param-value>
</context-param>
<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
安全context.xml中:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<security:http
realm="Protected API"
use-expressions="true"
auto-config="false"
create-session="stateless"
entry-point-ref="unauthorizedEntryPoint">
<security:intercept-url pattern="/User/sign_up/*" access="permitAll" />
<security:intercept-url pattern="/User/authenticate/**" access="permitAll" />
<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<security:custom-filter ref="authenticationTokenFilter" position="FORM_LOGIN_FILTER" />
</security:http>
<authentication-manager alias="authenticationManager">
<authentication-provider ref="customAuthenticationProvider" />
</authentication-manager>
<beans:bean id="customAuthenticationProvider" class="pathTo:CustomAuthenticationProvider"></beans:bean>
<beans:bean id="unauthorizedEntryPoint" class="pathTo:UnauthorizedEntryPoint" />
<beans:bean id="mySuccessHandler" class="pathTo:SuccessHandler" />
<beans:bean
class="pathTo:AuthenticationTokenFilter"
id="authenticationTokenFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="postOnly" value="false" />
<beans:property name="authenticationSuccessHandler" ref="mySuccessHandler" />
</beans:bean>
<context:component-scan base-package="base package" />
<context:annotation-config />
</beans:beans>
过滤器:
public class AuthenticationTokenFilter extends UsernamePasswordAuthenticationFilter {
@Autowired
FilterChain chain;
@Override
protected boolean requiresAuthentication(HttpServletRequest request,
HttpServletResponse response) {
System.out.println("here");
boolean retVal = false;
String username = request.getHeader("j_username");
String password = request.getHeader("j_password");
System.out.println("username: " + username + " password: " + password);
if (username != null && password != null) {
Authentication authResult = null;
try {
authResult = attemptAuthentication(request, response);
System.out.println(authResult.getName());
if (authResult == null) {
retVal = false;
}
} catch (AuthenticationException failed) {
try {
System.out.println("auth failed");
unsuccessfulAuthentication(request, response, failed);
} catch (IOException e) {
retVal = false;
} catch (ServletException e) {
retVal = false;
}
retVal = false;
}
try {
successfulAuthentication(request, response, chain, authResult);
} catch (IOException e) {
retVal = false;
} catch (ServletException e) {
retVal = false;
}
return false;
} else {
System.out.println("not calling authenticate");
retVal = true;
}
return retVal;
}
protected String obtainPassword(HttpServletRequest request) {
return request.getHeader("j_password");
}
protected String obtainUsername(HttpServletRequest request) {
return request.getHeader("j_username");
}
如果没有filterChain,还有其他办法吗?否则,它应该能够执行此操作,因为filterChain是在web.xml中定义的。
关于如何解决这个问题的任何想法?
答案 0 :(得分:0)
更改代码可能有效
<beans:bean
class="pathTo:AuthenticationManagerHandler"
id="authenticationTokenFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
<beans:property name="postOnly" value="false" />
<beans:property name="authenticationSuccessHandler" ref="mySuccessHandler" />
</beans:bean>
这是AuthenticationManagerHandler类
public class AuthenticationManagerHandler extends AbstractAuthenticationProcessingFilter {
private static final String INTERCEPTOR_PROCESS_URL = "/j_spring_security_check";
private AuthenticationUtil util;
public AuthenticationManagerHandler() {
super(INTERCEPTOR_PROCESS_URL);
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
String username = request.getParameter("j_username");
String password = request.getParameter("j_password");
UsernamePasswordAuthenticationToken authRequest = null;
if(util== null) {
util= ApplicationContext.getInstance(AuthenticationUtil.class);
}
if(util.isLDAPEnalbed()) {
authRequest = new LDAPUsernamePasswordAuthenticationToken(username, password);
}
else {
authRequest = new DBUsernamePasswordAuthenticationToken(username, password);
}
setDetails(request, authRequest);
return getAuthenticationManager().authenticate(authRequest);
}
protected void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest)
{
authRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
}
private static final class SubStringFilterProcessUrlRequestMatcher implements RequestMatcher {
private final List<String> filterProcessUrls;
private SubStringFilterProcessUrlRequestMatcher(List<String> filterProcessUrls) {
Assert.notEmpty(filterProcessUrls, "filterProcessesUrl must be specified");
for (String filterProcessesUrl : filterProcessUrls) {
Assert.isTrue(UrlUtils.isValidRedirectUrl(filterProcessesUrl), filterProcessesUrl + " isn't a valid redirect URL");
}
this.filterProcessUrls = filterProcessUrls;
}
public boolean matches(HttpServletRequest request) {
for (String filterProcessesUrl : filterProcessUrls) {
if (matches(request, filterProcessesUrl)) {
return true;
}
}
return false;
}
private boolean matches(HttpServletRequest request, String filterProcessesUrl) {
String uri = request.getRequestURI();
int pathParamIndex = uri.indexOf(';');
if (pathParamIndex > 0) {
// strip everything after the first semi-colon
uri = uri.substring(0, pathParamIndex);
}
if ("".equals(request.getContextPath())) {
return uri.endsWith(filterProcessesUrl);
}
return uri.contains(filterProcessesUrl);
}
}
}
答案 1 :(得分:0)
我最终改变了我的Filter实现,直接调用我的身份验证提供程序(我应该如何开始这样做。我还删除了成功处理程序,因为它最终不是我想要实现的。我将分享我更新的过滤器如下:
public class AuthenticationTokenFilter extends UsernamePasswordAuthenticationFilter {
@Autowired
private CustomAuthenticationProvider authProvider;
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
String username = obtainUsername(request);
String password = obtainPassword(request);
if (username == null) {
username = "";
}
if (password == null) {
password = "";
}
username = username.trim();
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
// Allow subclasses to set the "details" property
setDetails(request, authRequest);
return this.authProvider.authenticate(authRequest);
}
@Override
protected String obtainPassword(HttpServletRequest request) {
return request.getHeader("X_password");
}
@Override
protected String obtainUsername(HttpServletRequest request) {
return request.getHeader("X_username");
}
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException,
ServletException {
HttpServletRequest httpRequest = (HttpServletRequest) request;
HttpServletResponse httpResponse = (HttpServletResponse) response;
Authentication auth = attemptAuthentication(httpRequest, httpResponse);
SecurityContextHolder.getContext().setAuthentication(auth);
chain.doFilter(request, response);
}
}
这避免了必须调用SuccessfulAuthentication(我的其他方法需要)的问题。由于不使用FilterChain的SuccessfulAuthentication已被弃用,因此这种方法更简单。
感谢您的帮助!