Chr*_*ell 7 java kml spring-security google-earth-plugin remember-me
我正在开发一个应用程序,我需要捕获并响应身份验证事件以采取适当的操作.目前,AuthenticationSuccessEvent当用户手动登录时,我正好赶上Spring抛出.我现在正在尝试实现Remember-Me功能.记录帮助我弄清楚我想要捕获的事件是什么InteractiveAuthenticationSuccessEvent.有人可以看看下面的代码并帮助我回应这个新事件吗?
@Override
public void onApplicationEvent(ApplicationEvent event) {
log.info(event.toString()); // debug only: keep track of all events
if (event instanceof AuthenticationSuccessEvent) {
AuthenticationSuccessEvent authEvent = (AuthenticationSuccessEvent)event;
lock.writeLock().lock();
try {
sessionAuthMap.put(((WebAuthenticationDetails)authEvent.getAuthentication().getDetails()).getSessionId(), authEvent.getAuthentication());
} finally {
lock.writeLock().unlock();
}
} else if (event instanceof HttpSessionDestroyedEvent) {
HttpSessionDestroyedEvent destroyEvent = (HttpSessionDestroyedEvent)event;
lock.writeLock().lock();
try {
sessionAuthMap.remove(destroyEvent.getId());
} finally {
lock.writeLock().unlock();
}
}
}
Run Code Online (Sandbox Code Playgroud)
附加信息:
我在原始帖子中没有提到在Map中存储Session Id和Authentication对象的要求是由于我正在使用Google Earth插件.GE充当独立的,不相关的用户代理,因此用户的会话信息永远不会被GE传递给服务器.出于这个原因,我重写GE的请求URL以包含用户的活动会话ID(来自前面提到的Map)作为参数,因此我们可以验证所述会话ID对于登录用户确实有效.所有这一切都已到位,因为我们有GE需要的KML,但是我们不能允许用户通过Firebug获取直接的,不受保护的URL或者你有什么.
Spring Config :(抱歉,有点捏造格式化)
<sec:http use-expressions="true">
<sec:intercept-url pattern="/Login.html*" access="permitAll"/>
<sec:intercept-url pattern="/j_spring_security*" access="permitAll" method="POST"/>
<sec:intercept-url pattern="/main.css*" access="permitAll"/>
<sec:intercept-url pattern="/favicon.ico*" access="permitAll"/>
<sec:intercept-url pattern="/images/**" access="permitAll"/>
<sec:intercept-url pattern="/common/**" access="permitAll"/>
<sec:intercept-url pattern="/earth/**" access="permitAll"/>
<sec:intercept-url pattern="/earth/kml/**" access="permitAll"/>
<sec:intercept-url pattern="/earth/js/**" access="permitAll"/>
<sec:intercept-url pattern="/css/**" access="permitAll"/>
<sec:intercept-url pattern="/resource*" access="permitAll"/>
<sec:intercept-url pattern="/geom*" access="hasRole('ROLE_SUPERUSER')"/>
<sec:intercept-url pattern="/status/**" access="permitAll"/>
<sec:intercept-url pattern="/index.html*" access="hasRole('ROLE_USER')"/>
<sec:intercept-url pattern="/project.html*" access="hasRole('ROLE_USER')"/>
<sec:intercept-url pattern="/js/**" access="hasRole('ROLE_USER')"/>
<sec:intercept-url pattern="/help/**" access="hasRole('ROLE_USER')"/>
<sec:intercept-url pattern="/app/**" access="hasRole('ROLE_USER')"/>
<sec:intercept-url pattern="/data/**" access="hasRole('ROLE_USER')"/>
<sec:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
<sec:intercept-url pattern="/session/**" access="hasRole('ROLE_USER')"/>
<sec:intercept-url pattern="/" access="hasRole('ROLE_USER')"/>
<sec:intercept-url pattern="/**" access="denyAll"/>
<sec:intercept-url pattern="**" access="denyAll"/>
<sec:session-management session-fixation-protection="none" />
<sec:form-login login-page="/Login.html${dev.gwt.codesrv.htmlparam}" default-target-url="/index.html${dev.gwt.codesrv.htmlparam}" authentication-failure-url="/Login.html${dev.gwt.codesrv.htmlparam}"/>
<sec:http-basic/>
<sec:logout invalidate-session="true" logout-success-url="/Login.html${dev.gwt.codesrv.htmlparam}"/>
<sec:remember-me key="[REMOVED]" />
</sec:http>
<bean id="authenticationEventPublisher" class="org.springframework.security.authentication.DefaultAuthenticationEventPublisher" />
<bean id="org.springframework.security.authenticationManager" class="org.springframework.security.authentication.ProviderManager">
<property name="authenticationEventPublisher" ref="authenticationEventPublisher"/>
<property name="providers">
<list>
<ref bean="authenticationProvider" />
<ref bean="anonymousProvider" />
</list>
</property>
</bean>
<bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="passwordEncoder" ref="passwordEncoder"/>
<property name="saltSource" ref="saltSource"/>
<property name="userDetailsService" ref="userService" />
</bean>
<bean id="anonymousProvider" class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
<property name="key" value="[REMOVED]" />
</bean>
Run Code Online (Sandbox Code Playgroud)
根据spring 文档,“在 Spring Security 3 中,用户首先由 AuthenticationManager 进行身份验证,一旦成功通过身份验证,就会创建一个会话。”
相反,您可以实现自己的AuthenticationSuccessHandler(可能通过子类化SavedRequestAwareAuthenticationSuccessHandler)。您可以在方法中放置任何您想要的逻辑onAuthenticationSuccess,因此将现有逻辑移至此处:
public class MyAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
// declare and initialize lock and sessionAuthMap at some point...
@Override
public void onAuthenticationSuccess(HttpServletRequest request,
HttpServletResponse response, Authentication authentication)
throws ServletException, IOException {
lock.writeLock().lock();
try {
sessionAuthMap.put(request.getSession().getId(), authentication);
} finally {
lock.writeLock().unlock();
}
super.onAuthenticationSuccess(request, response, authentication);
}
}
Run Code Online (Sandbox Code Playgroud)
然后,更新您的配置,以便 Spring Security 在身份验证过程中调用此类。就是这样:
第一步:自定义元素UsernamePasswordAuthenticationFilter创建的<form-login>元素。特别是,将其放入您的<http>元素中:
<sec:custom-filter position="FORM_LOGIN_FILTER" ref="myFilter" />
Run Code Online (Sandbox Code Playgroud)
第2步:定义myFilter,并挂钩MyAuthenticationSuccessHandler它。
<bean id="myFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="authenticationFailureHandler" ref="myAuthenticationSuccessHandler" />
<property name="authenticationSuccessHandler" ref="myAuthenticationFailureHandler" />
</bean>
<bean id="myAuthenticationSuccessHandler"
class="my.MyAuthenticationSuccessHandler">
<!-- set properties here -->
</bean>
<!-- you can subclass this or one of its parents, too -->
<bean id="myAuthenticationFailureHandler"
class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<!-- set properties such as exceptionMappings here -->
</bean>
Run Code Online (Sandbox Code Playgroud)
有关更多详细信息,请参阅http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ns-config.html。另请参阅AbstractAuthenticationProcessingFilter文档。
顺便说一句,你的问题让我想起了 OAuth。本质上,您是根据资源所有者授权向客户端颁发访问令牌的。