在新用户提交"新帐户"表单后,我想手动将该用户登录,这样他们就不必在后续页面上登录.
通过spring安全拦截器的普通表单登录页面工作得很好.
在新帐户形式的控制器中,我正在创建UsernamePasswordAuthenticationToken并手动在SecurityContext中设置它:
SecurityContextHolder.getContext().setAuthentication(authentication);
在同一页面上,我稍后检查用户是否已登录:
SecurityContextHolder.getContext().getAuthentication().getAuthorities();
这将返回我之前在身份验证中设置的权限.一切都很好.
但是当我加载的下一页上调用相同的代码时,身份验证令牌就是UserAnonymous.
我不清楚为什么它没有保留我在上一个请求中设置的身份验证.有什么想法吗?
只是寻找一些可能有助于我了解这里发生了什么的想法.
我正在使用Spring Security 3.2和Spring 4.0.1
我正在努力将xml配置转换为Java配置.当我在我的过滤器中注释AuthenticationManager时@Autowired,我得到一个例外
Caused by: org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type [org.springframework.security.authentication.AuthenticationManager] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency annotations: {}
我已经尝试过注射AuthenticationManagerFactoryBean但是也失败了类似的例外.
这是我正在使用的XML配置
<?xml version="1.0" encoding="UTF-8"?> <beans ...>
<security:authentication-manager id="authenticationManager">
<security:authentication-provider user-service-ref="userDao">
<security:password-encoder ref="passwordEncoder"/>
</security:authentication-provider>
</security:authentication-manager>
<security:http
realm="Protected API"
use-expressions="true"
auto-config="false"
create-session="stateless"
entry-point-ref="unauthorizedEntryPoint"
authentication-manager-ref="authenticationManager">
<security:access-denied-handler ref="accessDeniedHandler"/>
<security:custom-filter ref="tokenAuthenticationProcessingFilter" position="FORM_LOGIN_FILTER"/>
<security:custom-filter ref="tokenFilter" position="REMEMBER_ME_FILTER"/>
<security:intercept-url method="GET" pattern="/rest/news/**" access="hasRole('user')"/>
<security:intercept-url method="PUT" pattern="/rest/news/**" access="hasRole('admin')"/>
<security:intercept-url method="POST" …我一直使用Spring Security 3.0作为我们的网站登录机制,使用专用的登录网页.现在我需要登录网页,而不是我们站点中每个网页上的灯箱/弹出窗口,登录时我得到一个AJAX结果,无论它是否成功.使用Spring Security和Spring webmvc 3.0,最好的方法是什么?
我正在尝试更改JHipster,因此它使用JSON对象进行身份验证而不是表单参数.我已经成功地为其JWT认证机制做了这项工作.现在我想为其他身份验证选项做这件事.
是否有一种简单的方法可以更改Spring Security的默认安全配置以允许此操作?以下是JHipster现在使用的内容:
.and()
.rememberMe()
.rememberMeServices(rememberMeServices)
.rememberMeParameter("remember-me")
.key(env.getProperty("jhipster.security.rememberme.key"))
.and()
.formLogin()
.loginProcessingUrl("/api/authentication")
.successHandler(ajaxAuthenticationSuccessHandler)
.failureHandler(ajaxAuthenticationFailureHandler)
.usernameParameter("j_username")
.passwordParameter("j_password")
.permitAll()
我想发送以下作为JSON而不是表单参数:
{username: "admin", password: "admin", rememberMe: true}
我需要我的安全性具有以下逻辑:
在这两种情况下,我都有相同的身份验证提供程序,但我不能让它工作.委托入口点工作正常,但我从未进入我的自定义身份验证提供程序...
这是我的安全配置:
<security:global-method-security
secured-annotations="enabled" />
<security:http entry-point-ref="delegatingAuthenticationEntryPoint"
use-expressions="true" auto-config="false">
<!-- <security:custom-filter position="FORM_LOGIN_FILTER" -->
<!-- ref="usernamePasswordAuthenticationFilter" /> -->
<!-- <security:custom-filter position="BASIC_AUTH_FILTER" -->
<!-- ref="basicAuthenticationFilter" /> -->
<security:intercept-url pattern="/login*"
filters="none" />
<security:intercept-url pattern="/portimaLogin*"
filters="none" />
<security:intercept-url pattern="/**"
access="isAuthenticated()" />
</security:http>
<bean id="delegatingAuthenticationEntryPoint"
class="org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint">
<constructor-arg>
<map>
<entry key="hasHeader('portima','true')" value-ref="PortimaLoginUrlAuthenticationEntryPoint" />
</map>
</constructor-arg>
<property name="defaultEntryPoint" ref="authenticationEntryPoint" />
</bean>
<bean id="usernamePasswordAuthenticationFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
</bean>
<bean id="basicAuthenticationFilter"
class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="authenticationEntryPoint" ref="authenticationEntryPoint" /> …我有一个 Spring Security 3 应用程序,我登录和注销效果很好。我想为我的应用程序实现我自己的 UsernamePasswordAuthenticationFilter 。我遵循了该教程:
http://mrather.blogspot.com/2010/02/extending-usernamepasswordauthenticatio.html
我的过滤器类是:
package security;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
public class CustomUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult) throws IOException, ServletException {
super.successfulAuthentication(request, response, authResult);
System.out.println("==successful login==");
}
@Override
protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException {
super.unsuccessfulAuthentication(request, response, failed);
System.out.println("==failed login==");
}
}
我的安全 xml 配置文件:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" …我想使用 Rest Spring 控制器通过 JSON 格式使用 Spring Security 对用户进行身份验证。
休息控制器
@RestController
@RequestMapping("/rest/api/login")
public class UserRestController {
@Autowired
@Qualifier(value = "authenticationManager")
private AuthenticationManager authenticationManager;
@RequestMapping(method = RequestMethod.POST, headers = {"Accept=application/json"})
public Map<String, String> login(@RequestParam("login") String username, @RequestParam("password") String password) {
Map<String, String> response = new HashMap<String, String>();
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);
try {
Authentication auth = authenticationManager.authenticate(token);
SecurityContextHolder.getContext().setAuthentication(auth);
response.put("status", "true");
return response;
} catch (BadCredentialsException ex) {
response.put("status", "false");
return response;
}
}}
spring-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" …我创建了一个提供用户身份验证的API,它的登录操作由Spring Security 在默认的'/ login'路径上处理.
我想将此路径更改为"api/v1/login".
这是我的安全配置:
http.cors().and().csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/h2-console/**/**").permitAll()
.antMatchers(HttpMethod.POST,"/user/register").permitAll()
.antMatchers("/user/activate").permitAll()
.antMatchers("/user/reset-password").permitAll()
.antMatchers("/user/reset-password").permitAll()
.antMatchers("/admin/user").hasRole("ADMIN")
.antMatchers("/roles").permitAll()
.antMatchers("/user/**").hasRole("USER")
.and()
.formLogin().loginProcessingUrl("/api/v1/login")
.and()
.exceptionHandling().authenticationEntryPoint(jwtAuthenticationEntryPoint)
.and()
.addFilterBefore(new ExceptionHandlerFilter(), UsernamePasswordAuthenticationFilter.class)
.addFilter(new JwtAuthenticationFilter(authenticationManager()))
.addFilter(new JwtAuthorizationFilter(authenticationManager(), jwtUserDetailService));
我添加了这一行来改变它:
.formLogin().loginProcessingUrl("/api/v1/login")
但它仍然在'/ login'路径下工作.
"/ api/v1/login"返回404.
有没有办法改变它?
Spring Boot版本:2.0.0.RELEASE