- 浏览: 249798 次
- 性别:
- 来自: 苏州
文章分类
- 全部博客 (289)
- java (72)
- oracle (3)
- mysql (5)
- spring (28)
- hibernate (2)
- osgi (0)
- linux (2)
- ExtJs (1)
- jvm (0)
- mybatis (7)
- 分布式 (11)
- MINA (6)
- apache+tomcat (13)
- js+htm (7)
- android (44)
- http (1)
- hbase+hdoop (0)
- memcache (13)
- search (27)
- 部署及性能 (12)
- mongoDB (2)
- 多线程 (12)
- 安全管理验证 (9)
- struts (1)
- webservice (0)
- easyUI (1)
- spring security (16)
- pattern (6)
- 算法 (2)
最新评论
-
lzh8189146:
CommonsHttpSolrServer这个类,现在是不是没 ...
CommonsHttpSolrServer -
xiaochanzi:
我按照你的方法试了下,tomcat6可以发布,但是访问任何网页 ...
基于内嵌Tomcat的应用开发 -
phoneeye:
麻烦你,如果是抄来的文章,请给出来源。谢谢
ant 两则技巧 -
neverforget:
转载不注明出处
Spring Security3.1登陆验证 替换 usernamepasswordfilter -
liang1022:
若不使用eclipse ,如何在命令行下 运行服务端程序 ?
WebService CXF学习(入门篇2):HelloWorld
一、前言 在上一篇http://blog.csdn.net/k10509806/archive/2011/04/28/6369131.aspx文章中,提到的MyUserDetailServiceImpl获取用户权限,在用户没有登陆的时候,Spring Security会让我们自动跳转到默认的登陆界面,但在实际应用绝大多数是用我们自己的登陆界面的,其中就包括一些我们自己的逻辑,比如验证码。所以本人又研究一下,终于摸清了一些如何配置自己的登陆界面的办法。在这里献丑了。 二、Spring Security的过滤器 通过DEBUG可以看到Spring Security的Filter的顺序 Security filter chain: [ Spring Security的登陆验证用的就是MyUsernamePasswordAuthenticationFilter,所以要实现我们自己的验证,可以写一个类并继承MyUsernamePasswordAuthenticationFilter类,重写attemptAuthentication方法。 三、applicationContext-Security.xml配置
ConcurrentSessionFilter
SecurityContextPersistenceFilter
LogoutFilter
MyUsernamePasswordAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
RememberMeAuthenticationFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
MySecurityFilter
FilterSecurityInterceptor
]
这里特别要说明一下,我们的<http>标签不能配置auto-config,因为这样配置后,依然会采用Spring Security的Filter Chain会与下面我们配的custom-filter冲突,最好会抛异常。还有配置一个切入点entry-point-ref="authenticationProcessingFilterEntryPoint",为了在未登陆的时候,跳转到哪个页面,不配也会抛异常。
<custom-filter ref="loginFilter" position="FORM_LOGIN_FILTER" /> position表示替换掉Spring Security原来默认的登陆验证Filter。
四、MyUsernamePasswordAuthenticationFilter
- package com.huaxin.security;
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletResponse;
- import javax.servlet.http.HttpSession;
- import org.apache.commons.lang.xwork.StringUtils;
- import org.springframework.security.authentication.AuthenticationServiceException;
- import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
- import org.springframework.security.core.Authentication;
- import org.springframework.security.core.AuthenticationException;
- import org.springframework.security.web.WebAttributes;
- import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
- import com.huaxin.bean.Users;
- import com.huaxin.dao.UsersDao;
- /*
- *
- * UsernamePasswordAuthenticationFilter源码
- attemptAuthentication
- this.getAuthenticationManager()
- ProviderManager.java
- authenticate(UsernamePasswordAuthenticationToken authRequest)
- AbstractUserDetailsAuthenticationProvider.java
- authenticate(Authentication authentication)
- P155 user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
- DaoAuthenticationProvider.java
- P86 loadUserByUsername
- */
- public class MyUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter{
- public static final String VALIDATE_CODE = "validateCode";
- public static final String USERNAME = "username";
- public static final String PASSWORD = "password";
- private UsersDao usersDao;
- public UsersDao getUsersDao() {
- return usersDao;
- }
- public void setUsersDao(UsersDao usersDao) {
- this.usersDao = usersDao;
- }
- @Override
- public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
- if (!request.getMethod().equals("POST")) {
- throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
- }
- //检测验证码
- checkValidateCode(request);
- String username = obtainUsername(request);
- String password = obtainPassword(request);
- //验证用户账号与密码是否对应
- username = username.trim();
- Users users = this.usersDao.findByName(username);
- if(users == null || !users.getPassword().equals(password)) {
- /*
- 在我们配置的simpleUrlAuthenticationFailureHandler处理登录失败的处理类在这么一段
- 这样我们可以在登录失败后,向用户提供相应的信息。
- if (forwardToDestination) {
- request.setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, exception);
- } else {
- HttpSession session = request.getSession(false);
- if (session != null || allowSessionCreation) {
- request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, exception);
- }
- }
- */
- throw new AuthenticationServiceException("用户名或者密码错误!");
- }
- //UsernamePasswordAuthenticationToken实现 Authentication
- UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
- // Place the last username attempted into HttpSession for views
- // 允许子类设置详细属性
- setDetails(request, authRequest);
- // 运行UserDetailsService的loadUserByUsername 再次封装Authentication
- return this.getAuthenticationManager().authenticate(authRequest);
- }
- protected void checkValidateCode(HttpServletRequest request) {
- HttpSession session = request.getSession();
- String sessionValidateCode = obtainSessionValidateCode(session);
- //让上一次的验证码失效
- session.setAttribute(VALIDATE_CODE, null);
- String validateCodeParameter = obtainValidateCodeParameter(request);
- if (StringUtils.isEmpty(validateCodeParameter) || !sessionValidateCode.equalsIgnoreCase(validateCodeParameter)) {
- throw new AuthenticationServiceException("验证码错误!");
- }
- }
- private String obtainValidateCodeParameter(HttpServletRequest request) {
- Object obj = request.getParameter(VALIDATE_CODE);
- return null == obj ? "" : obj.toString();
- }
- protected String obtainSessionValidateCode(HttpSession session) {
- Object obj = session.getAttribute(VALIDATE_CODE);
- return null == obj ? "" : obj.toString();
- }
- @Override
- protected String obtainUsername(HttpServletRequest request) {
- Object obj = request.getParameter(USERNAME);
- return null == obj ? "" : obj.toString();
- }
- @Override
- protected String obtainPassword(HttpServletRequest request) {
- Object obj = request.getParameter(PASSWORD);
- return null == obj ? "" : obj.toString();
- }
- }
有时间,大家看看源码吧。
五、login.jsp
- <body>
- <span style="color:red"><%=session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) %></span>
- <form action="j_spring_security_check" method="post">
- Account:<Input name="username"/><br/>
- Password:<input name="password" type="password"/><br/>
- <input value="submit" type="submit"/>
- </form>
- </body>
六、完了,源码大家可以看下我上一篇文章http://blog.csdn.net/k10509806/archive/2011/04/28/6369131.aspx。
发表评论
-
在spring security3上实现验证码
2012-04-21 16:07 613在spring security3上实现验证码 h ... -
Spring Security 3应用的11个步骤
2012-04-15 01:47 1127Spring Security 3应用的11个步骤 ... -
在spring security3上实现验证码
2012-03-01 08:44 600转载: 在spring securi ... -
spring security 密码编码器
2012-03-14 08:13 930spring security 密码编码器 (2 ... -
spring security 配置详解
2012-02-25 11:50 2135http://static.springsource.org/ ... -
图解Spring Security默认使用的过滤器
2012-02-24 08:13 737转载:http://www.flyysoft.com/plus ... -
Spring Security 3 与 CAS单点登录配置-Server
2012-03-15 19:56 1256转载:http://www.hxdw.com/bbs/post ... -
Topic: Spring Security 3 与 CAS单点登录配置-Client
2012-02-26 12:12 790转载: http://www.hxdw.com ... -
Spring Security 可动态授权RBAC权限模块实践
2012-02-19 13:25 2009Spring Security 可动态授权RBA ... -
Spring Security 3 基于角色访问控制过程详解
2012-02-19 13:25 1372访问控制:由于我们配 ... -
修改spring security源码实现动态授权
2012-02-21 08:15 884修改spring security源码实现动态 ... -
spring security 3.0 logout filter 代码中的一个小bug
2012-03-15 19:57 962spring security 3.0 log ... -
spring security 源码分析: 过滤器
2012-03-19 08:23 980spring security 源码分析: 过 ... -
spring security遇到的一些问题
2012-03-19 08:24 634spring security遇到的一些问题 ... -
spring security 源码解读 1
2012-03-19 08:24 834http://feiyan35488.iteye.com/bl ...
相关推荐
springsecurity3.1.pdf
spring security3.1高级详细开发指南 包含一个简单例子和一个复杂例子
Spring_Security-3.0.1中文官方文档 springsecurity3.1官方手册(英文版)
这是一个基于spring security3.1的简单验证项目。希望对你有帮助。含有sql脚本。
spring security3.1 在数据库实现 用户 角色 资源 权限控制,在eclipse+tomcat下测试通过
和spring集成使用的完美权限框架,学习java一定要学会spring_security
Spring Security 3.1 随书源代码
Spring Security 3.1 +Spring +Servlet+JdbcTemplate 自己找的资料,并开发成功
spring security 3.1 英文版的,对学习比较有帮助
非常完整的spring3及springsecurity3.1源码及jar包 spring3及springsecurity3.1源码及jar包,导入eclipse将各个工程下的jar包分别加入buildpath就可以用了
Spring Security 3.1.pdf
Spring Security3.1高级详细开发指南
Spring Security3.1入门Demo,带JAR包及注释~ 使用的ECLIPSE搭建的项目~
NULL 博文链接:https://chxiaowu.iteye.com/blog/1536141
spring security 3.1
NULL 博文链接:https://zjy7554.iteye.com/blog/2021785
进行spring security开发引用的spring-security-acl-3.0.2.RELEASE.jar、spring-security-config-3.0.2.RELEASE.jar、spring-security-core-3.0.2.RELEASE.jar、spring-security-taglibs-3.0.2.RELEASE.jar、spring-...
spring-security3.1源码
spirng security 3.1 PDF版,附带源代码,请注意是英文版的,不要下错了