在Spring Security中捕获Remember-Me身份验证事件

Chr*_*ell 7 java kml spring-security google-earth-plugin remember-me

我正在开发一个应用程序,我需要捕获并响应身份验证事件以采取适当的操作.目前,AuthenticationSuccessEvent当用户手动登录时,我正好赶上Spring抛出.我现在正在尝试实现Remember-Me功能.记录帮助我弄清楚我想要捕获的事件是什么InteractiveAuthenticationSuccessEvent.有人可以看看下面的代码并帮助我回应这个新事件吗?

@Override
public void onApplicationEvent(ApplicationEvent event) {
    log.info(event.toString()); // debug only: keep track of all events
    if (event instanceof AuthenticationSuccessEvent) {
        AuthenticationSuccessEvent authEvent = (AuthenticationSuccessEvent)event;
        lock.writeLock().lock();
        try {
            sessionAuthMap.put(((WebAuthenticationDetails)authEvent.getAuthentication().getDetails()).getSessionId(), authEvent.getAuthentication());
        } finally {
            lock.writeLock().unlock();
        }
    } else if (event instanceof HttpSessionDestroyedEvent) {
        HttpSessionDestroyedEvent destroyEvent = (HttpSessionDestroyedEvent)event;
        lock.writeLock().lock();
        try {
            sessionAuthMap.remove(destroyEvent.getId());
        } finally {
            lock.writeLock().unlock();
        }
    }
}
Run Code Online (Sandbox Code Playgroud)

附加信息:

我在原始帖子中没有提到在Map中存储Session Id和Authentication对象的要求是由于我正在使用Google Earth插件.GE充当独立的,不相关的用户代理,因此用户的会话信息永远不会被GE传递给服务器.出于这个原因,我重写GE的请求URL以包含用户的活动会话ID(来自前面提到的Map)作为参数,因此我们可以验证所述会话ID对于登录用户确实有效.所有这一切都已到位,因为我们有GE需要的KML,但是我们不能允许用户通过Firebug获取直接的,不受保护的URL或者你有什么.

Spring Config :(抱歉,有点捏造格式化)

<sec:http use-expressions="true">
<sec:intercept-url pattern="/Login.html*" access="permitAll"/>
<sec:intercept-url pattern="/j_spring_security*" access="permitAll" method="POST"/>
<sec:intercept-url pattern="/main.css*" access="permitAll"/>
<sec:intercept-url pattern="/favicon.ico*" access="permitAll"/>
<sec:intercept-url pattern="/images/**" access="permitAll"/>
<sec:intercept-url pattern="/common/**" access="permitAll"/>
<sec:intercept-url pattern="/earth/**" access="permitAll"/>
<sec:intercept-url pattern="/earth/kml/**" access="permitAll"/>
<sec:intercept-url pattern="/earth/js/**" access="permitAll"/>
<sec:intercept-url pattern="/css/**" access="permitAll"/>   
<sec:intercept-url pattern="/resource*" access="permitAll"/>
<sec:intercept-url pattern="/geom*" access="hasRole('ROLE_SUPERUSER')"/>    
<sec:intercept-url pattern="/status/**" access="permitAll"/>    
<sec:intercept-url pattern="/index.html*" access="hasRole('ROLE_USER')"/>
<sec:intercept-url pattern="/project.html*" access="hasRole('ROLE_USER')"/>
<sec:intercept-url pattern="/js/**" access="hasRole('ROLE_USER')"/>
<sec:intercept-url pattern="/help/**" access="hasRole('ROLE_USER')"/>
<sec:intercept-url pattern="/app/**" access="hasRole('ROLE_USER')"/>
<sec:intercept-url pattern="/data/**" access="hasRole('ROLE_USER')"/>   
<sec:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/> 
<sec:intercept-url pattern="/session/**" access="hasRole('ROLE_USER')"/>
<sec:intercept-url pattern="/" access="hasRole('ROLE_USER')"/>
<sec:intercept-url pattern="/**" access="denyAll"/>
<sec:intercept-url pattern="**" access="denyAll"/>

<sec:session-management session-fixation-protection="none" />

<sec:form-login login-page="/Login.html${dev.gwt.codesrv.htmlparam}" default-target-url="/index.html${dev.gwt.codesrv.htmlparam}" authentication-failure-url="/Login.html${dev.gwt.codesrv.htmlparam}"/>
<sec:http-basic/>
<sec:logout invalidate-session="true" logout-success-url="/Login.html${dev.gwt.codesrv.htmlparam}"/>
 <sec:remember-me key="[REMOVED]" />
 </sec:http>

<bean id="authenticationEventPublisher" class="org.springframework.security.authentication.DefaultAuthenticationEventPublisher" />

<bean id="org.springframework.security.authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <property name="authenticationEventPublisher" ref="authenticationEventPublisher"/>
    <property name="providers">
        <list>
            <ref bean="authenticationProvider" />
            <ref bean="anonymousProvider" />
        </list>
    </property>
</bean>

<bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="passwordEncoder" ref="passwordEncoder"/>
    <property name="saltSource" ref="saltSource"/>
    <property name="userDetailsService" ref="userService" />
</bean>

<bean id="anonymousProvider" class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
    <property name="key" value="[REMOVED]" />
</bean>
Run Code Online (Sandbox Code Playgroud)

jto*_*ron 2

根据spring 文档,“在 Spring Security 3 中,用户首先由 AuthenticationManager 进行身份验证,一旦成功通过身份验证,就会创建一个会话。”

相反,您可以实现自己的AuthenticationSuccessHandler(可能通过子类化SavedRequestAwareAuthenticationSuccessHandler)。您可以在方法中放置任何您想要的逻辑onAuthenticationSuccess,因此将现有逻辑移至此处:

public class MyAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    // declare and initialize lock and sessionAuthMap at some point...
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, 
            HttpServletResponse response, Authentication authentication) 
            throws ServletException, IOException {
        lock.writeLock().lock();
        try {
            sessionAuthMap.put(request.getSession().getId(), authentication);
        } finally {
            lock.writeLock().unlock();
        }
        super.onAuthenticationSuccess(request, response, authentication);
    }
}
Run Code Online (Sandbox Code Playgroud)

然后,更新您的配置,以便 Spring Security 在身份验证过程中调用此类。就是这样:

第一步:自定义元素UsernamePasswordAuthenticationFilter创建的<form-login>元素。特别是,将其放入您的<http>元素中:

<sec:custom-filter position="FORM_LOGIN_FILTER" ref="myFilter" />
Run Code Online (Sandbox Code Playgroud)

第2步:定义myFilter,并挂钩MyAuthenticationSuccessHandler它。

<bean id="myFilter" 
    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationFailureHandler" ref="myAuthenticationSuccessHandler" />
    <property name="authenticationSuccessHandler" ref="myAuthenticationFailureHandler" />
</bean>

<bean id="myAuthenticationSuccessHandler" 
    class="my.MyAuthenticationSuccessHandler">
<!-- set properties here -->
</bean>

<!-- you can subclass this or one of its parents, too -->
<bean id="myAuthenticationFailureHandler" 
    class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
    <!-- set properties such as exceptionMappings here -->
</bean>
Run Code Online (Sandbox Code Playgroud)

有关更多详细信息,请参阅http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ns-config.html。另请参阅AbstractAuthenticationProcessingFilter文档。

顺便说一句,你的问题让我想起了 OAuth。本质上,您是根据资源所有者授权向客户端颁发访问令牌的。