rox*_*ite 1 spring spring-mvc spring-security
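I want to pass some parameters along with the login details to Spring Security, for example an item id. Then I want to redirect to a page according to the user type. For this I am using a custom filter to send the additional parameter, and to redirect I am using authentication-success-handler-ref. My problem is that I am getting a position conflict because I am using it together with the custom filter. Please help me accomplish my task.
Here is my configuration: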
    <http use-expressions="true">
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/logout" access="permitAll" />
        <intercept-url pattern="/accessdenied" access="permitAll" />
        <custom-filter ref="ddAuthenticationFilter" position="FORM_LOGIN_FILTER" />
        <form-login authentication-failure-url="/accessdenied"
                    authentication-success-handler-ref="ddAuthenticationSuccessHandler"/>
    </http>
    <beans:bean id="ddAuthenticationFilter" class="com.dd.security.ExUsernamePasswordAuthenticationFilter"/>
    <beans:bean id="ddAuthenticationSuccessHandler" class="com.dd.security.DDAuthenticationSuccessHandler" />
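I understand your problem as follows: I want to submit an itemId in the login form, which is then used for the redirect after a successful login.
To set up such a process, you need to do the following.
Remove <form-login ...> from your configuration. You should have: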
    <http use-expressions="true" entry-point-ref="authenticationEntryPoint">
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/logout" access="permitAll" />
        <intercept-url pattern="/accessdenied" access="permitAll" />
        <custom-filter ref="ddAuthenticationFilter" position="FORM_LOGIN_FILTER" />
        <security:logout />
    </http>
Don't forget to add <security:logout /> for logout, and the entry-point-ref attribute pointing to an authenticationEntryPoint.
Add a LoginUrlAuthenticationEntryPoint for the entry-point-ref, pointing to your login page:
    <bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <constructor-arg name="loginFormUrl" value="/login" />
    </bean>
Refactor your ddAuthenticationFilter to match the following configuration:
    <bean id="ddAuthenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="filterProcessesUrl" value="/j_spring_security_check" />
        <property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
        <property name="authenticationSuccessHandler" ref="ddAuthenticationSuccessHandler" />
        <property name="authenticationDetailsSource">
            <bean class="security.CustomWebAuthenticationDetailsSource" />
        </property>
    </bean>
    <bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <property name="defaultFailureUrl" value="/accessdenied" />
    </bean>
Create a new class CustomWebAuthenticationDetailsSource:
    package security;

    import org.springframework.security.authentication.AuthenticationDetailsSource;
    import org.springframework.security.web.authentication.WebAuthenticationDetails;

    import javax.servlet.http.HttpServletRequest;

    public class CustomWebAuthenticationDetailsSource implements AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> {
        @Override
        public WebAuthenticationDetails buildDetails(HttpServletRequest context) {
            return new CustomWebAuthenticationDetails(context);
        }
    }
And the related CustomWebAuthenticationDetails:
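    package security;

    import org.springframework.security.web.authentication.WebAuthenticationDetails;

    import javax.servlet.http.HttpServletRequest;
    import java.util.Objects;

    public class CustomWebAuthenticationDetails extends WebAuthenticationDetails {
        // Extra login-form parameter captured alongside remote address and session id
        private final String itemId;

        public CustomWebAuthenticationDetails(HttpServletRequest request) {
            super(request);
            itemId = request.getParameter("itemId");
        }

        public String getItemId() {
            return itemId;
        }

        // hashCode, equals and toString extend the parent versions to include itemId
        @Override
        public int hashCode() {
            return 31 * super.hashCode() + Objects.hashCode(itemId);
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) return true;
            if (!(obj instanceof CustomWebAuthenticationDetails)) return false;
            CustomWebAuthenticationDetails other = (CustomWebAuthenticationDetails) obj;
            return super.equals(obj) && Objects.equals(itemId, other.itemId);
        }

        @Override
        public String toString() {
            return super.toString() + "; ItemId: " + itemId;
        }
    }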
Your ddAuthenticationSuccessHandler should have logic similar to this example:
    package com.dd.security;

    import org.springframework.security.core.Authentication;
    import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
    import org.springframework.util.StringUtils;
    import security.CustomWebAuthenticationDetails;

    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import java.io.IOException;

    public class DDAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
            // The details object is the one built by CustomWebAuthenticationDetailsSource
            CustomWebAuthenticationDetails details = (CustomWebAuthenticationDetails) authentication.getDetails();
            if (StringUtils.hasText(details.getItemId())) {
                //TODO sanity and security check for itemId needed
                String redirectUrl = "item/" + details.getItemId();
                response.sendRedirect(redirectUrl);
                return; // redirect sent; do not fall through to the exception below
            }
            throw new IllegalStateException("itemId in authentication details not found");
        }
    }
A working example can be found here.
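The following is an added example, not part of the original answer, of the check that the "//TODO sanity and security check for itemId needed" comment in the success handler calls for: itemId arrives in the login request and is concatenated into a redirect target, so it is matched against a strict allow-list before use. The class name ItemRedirect, the id pattern and the fallback to the context root are assumptions, and the sample inputs are constructed.

```java
import java.util.Optional;
import java.util.regex.Pattern;

public class ItemRedirect {
    // Assumption: item ids are short alphanumeric tokens; adjust to the real id format.
    private static final Pattern ITEM_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    /** Returns the context-relative redirect target, or empty if itemId must not be used. */
    static Optional<String> targetFor(String contextPath, String itemId) {
        // matches() requires the whole value to fit the pattern, so slashes, dots,
        // CR/LF, schemes and query strings are all rejected in one step.
        if (itemId == null || !ITEM_ID.matcher(itemId).matches()) {
            return Optional.empty();
        }
        return Optional.of(contextPath + "/item/" + itemId);
    }

    /** Falls back to a fixed page instead of failing the login when itemId is unusable. */
    static String resolve(String contextPath, String itemId) {
        return targetFor(contextPath, itemId).orElse(contextPath + "/");
    }

    public static void main(String[] args) {
        // Constructed inputs: two valid ids and values a login form could be made to submit.
        String[] samples = {
            "42", "abc-DEF_9", "", null, "../admin", "//evil.example/x",
            "1\r\nSet-Cookie: a=b", "http://evil.example", "1?next=/logout"
        };
        for (String s : samples) {
            // Escape CR/LF only for display; resolve() sees the raw value.
            String shown = String.valueOf(s).replaceAll("[\\r\\n]", "\\\\n");
            System.out.println(shown + " -> " + resolve("/app", s));
        }
    }
}
```

In the handler, `response.sendRedirect(ItemRedirect.resolve(request.getContextPath(), details.getItemId()))` would replace the string concatenation; whether the authenticated user may view that item still has to be enforced by the page being redirected to.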