我要求我的应用程序的用户可以是SSO用户或非SSO用户。如果没有重定向的SSO用户,我会将他传递给他要求的页面。 (不进行身份验证),对于非SSO用户,我必须重定向到登录页面。
因此我想到编写自己的自定义AbstractAuthenticationProcessingFilter。 在这里,我将检查用户是否是SSO用户(我检查请求标头中是否有用户ID)如果他不是SSO用户,那么我会将他重定向到登录页面,否则他将继续他访问的页面。
自定义AbstractAuthenticationProcessingFilter
var data = new Dictionary<int, Dictionary<string, List<int>>>;
data[100] =new Dictionary<string, List<int>>();
data[100]["first"] = new List<int>();
data[100]["first"].AddRange(new [] {4, 24, 5, 0});
// etc...
我的安全配置
public class UserTypeFilter extends AbstractAuthenticationProcessingFilter {
private static final String INTERCEPTOR_PROCESS_URL = "/index";
public void setAuthenticationFailureHandler(AuthenticationFailureHandler failureHandler) {
super.setAuthenticationFailureHandler(failureHandler);
}
public void setAuthenticationManager(AuthenticationManager authenticationManager) {
super.setAuthenticationManager(authenticationManager);
}
public UserTypeFilter() {
super(INTERCEPTOR_PROCESS_URL);
}
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
throws AuthenticationException, IOException, ServletException {
String userId = request.getHeader("USERID");
try {
if (userId == null) {
throw new PreAuthenticatedCredentialsNotFoundException("EID param not found");
}
} catch (AuthenticationException e) {
unsuccessfulAuthentication(request, response, e);
}
/*if (userId == null) {
System.out.println(" THROWING EXCEPTION FILTER");
throw new PreAuthenticatedCredentialsNotFoundException("EID param not found");
}*/
PreAuthenticatedAuthenticationToken authRequest = new PreAuthenticatedAuthenticationToken(userId, "123456");
authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
Authentication authResult = getAuthenticationManager().authenticate(authRequest);
return authResult;
}
protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
AuthenticationException failed) throws IOException, ServletException {
SecurityContextHolder.clearContext();
if (logger.isDebugEnabled()) {
logger.debug("Authentication request failed: " + failed.toString());
logger.debug("Updated SecurityContextHolder to contain null Authentication");
// logger.debug("Delegating to authentication failure handler " +
// failureHandler);
}
String defaultFailureUrl = "/login";
request.getRequestDispatcher(defaultFailureUrl).forward(request, response);
}
}
我有多个问题/疑问:
1)在非SSO用户的情况下,即当用户标识不在标题中时。然后按预期重定向发生在登录页面。但这种重定向方式是否恰当。我应该配置SimpleUrlAuthenticationFailureHandler吗?
3)在我尝试创建身份验证的情况下,我的代码包含SSO用户是抛出空指针异常。我在网上从一个例子中复制了这个代码,但我真的不知道该怎么办可以有人帮我这个吗?
2)我在UsernamePasswordAuthenticationFilter之前配置了我的customfilter吗?
我的方法是使用customfilter吗?