0

我正在实现一个启用 SpringSecurity 的 web 应用程序。我现在使用 PostgreSQL 数据库来存储用户及其凭据。该应用程序的一个要求是每次用户登录时更新用户表(特别是 last_login 列)。我尝试实现一个扩展 UsernamePasswordAuthenticationFilter 的 LoginController,因此每次调用successfulAuthentication 方法时,都会更新 last_login 列。

这是我的 applicationContext.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns:context="http://www.springframework.org/schema/context"
         xmlns:beans="http://www.springframework.org/schema/beans"
         xmlns:jdbc="http://www.springframework.org/schema/jdbc"
         xsi:schemaLocation="
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
    http://www.springframework.org/schema/jdbc  http://www.springframework.org/schema/jdbc/spring-jdbc-3.1.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">

<beans:bean class="org.springframework.security.authentication.encoding.ShaPasswordEncoder" id="passwordEncoder"/>

<beans:bean class="admin.beans.UserBean" id="userBean"/>

<beans:bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
    <beans:property name="basename" value="messages"/>
</beans:bean>

<http use-expressions="true" auto-config="true">
    <intercept-url pattern="/login.jsp" access="permitAll"/>
    <intercept-url pattern="/userAdmin.jsp" access="hasRole('ROLE_ADMIN')"/>
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1"/>
    <remember-me/>
    <logout invalidate-session="true" logout-success-url="/" logout-url="/logout"/>
</http>

<beans:bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    <beans:property name="driverClassName" value="org.postgresql.Driver"/>
    <beans:property name="url" value="jdbc:postgresql://xexen:5432/db"/>
    <beans:property name="username" value="usr"/>
    <beans:property name="password" value="password"/>
</beans:bean>

<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="jdbcUserService">
        <password-encoder ref="passwordEncoder">
            <salt-source ref="saltSource"/>
        </password-encoder>
    </authentication-provider>
</authentication-manager>

<beans:bean id="jdbcUserService" class="security.CustomJdbcDaoImpl">
    <beans:property name="dataSource" ref="dataSource"/>
    <beans:property name="enableGroups" value="false"/>
    <beans:property name="enableAuthorities" value="true"/>
    <beans:property name="usersByUsernameQuery">
        <beans:value>select username,password,enabled, salt from users where username = ?</beans:value>
    </beans:property>
</beans:bean>

<beans:bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    <filter-chain-map path-type="ant">
        <filter-chain pattern="/**" filters=" authenticationFilter"/>
    </filter-chain-map>
</beans:bean>


<beans:bean class="org.springframework.security.authentication.dao.ReflectionSaltSource" id="saltSource">
    <beans:property name="userPropertyToUse" value="salt"/>
</beans:bean>

<beans:bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>

<beans:bean id="authenticationFilter" class="security.LoginController">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="filterProcessesUrl" value="/j_spring_security_check"/>
</beans:bean>

<context:annotation-config/>
<context:component-scan base-package="admin"/>

登录控制器类:

 package security;
 //imports

@Controller
public class LoginController extends UsernamePasswordAuthenticationFilter {

@Autowired
AuthenticationManager authenticationManager;

public LoginController() {
    super();
    System.out.println("LoginController.LoginController");
}

@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
    super.successfulAuthentication(request, response, chain, authResult);
    System.out.println("Update DB");
}

}

问题是从不调用 LoginController 过滤器,因此从不插入数据库。我很确定我犯了一个配置错误,但我对配置感到困惑和困惑:在哪里设置过滤器/提供程序等。

谁能发现我做错了什么?非常感谢您提前。

4

1 回答 1

1

我想提出一种不同的方法,在成功登录后使用处理程序。
在您的安全 xml 中:

<http use-expressions="true" auto-config="true">
...
    <form-login authentication-success-handler-ref="redirectAfterLogin" login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=1"/>
...
</http>

类将是这样的:

public class RedirectAfterLogin extends SavedRequestAwareAuthenticationSuccessHandler {
    public void onAuthenticationSuccess(HttpServletRequest request,
        HttpServletResponse response, Authentication authentication)
        throws ServletException, IOException {

        // do what you need here
    }
}
于 2012-06-12T11:17:56.177 回答