0

Spring security (2.0.x) http命名空间,form-login定义自动使用AuthenticationProcessingFilter。

<form-login login-page='/logon.jsp' 
default-target-url='/home.jsp' 
always-use-default-target='true' />

我也知道,如果我设置,auto-config="false"我可以通过提供自定义 bean 定义来自定义身份验证。

我有 CustomAuthenticationProcessingFilter 扩展了 AuthenticationProcessingFilter 覆盖了 gainUsername 并使用自定义逻辑来获取用户名而不是通过的用户名。

protected String obtainUsername(HttpServletRequest request) {
   // custom logic to return username from parameter/cookies/header etc ... 
}

是否可以在使用时使用 CustomAuthenticationProcessingFilter 而auto-config="true" <form-login>无需定义 customAuthFilter 和所有依赖的bean?

  <beans:bean id="customAuthFilter" class="x.y.z.CustomAuthenticationProcessingFilter">
    <custom-filter  position="AUTHENTICATION_PROCESSING_FILTER" />
    <beans:property name="defaultTargetUrl" value="/home.jsp"></beans:property>
    ...
    ...
  </beans:bean>
4

3 回答 3

1

介绍

Spring Security 2.0 处于维护模式,因此不会有任何官方更新。但是,您可以使用一些方法来解决此问题。

豆后处理器

您可以从Spring Security FAQ中使用的一个技巧是使用 BeanPostProcessor。您可以返回自定义过滤器,而不是修改属性。一个例子可能是这样的:

public class CustomFilterBeanPostProcessor implements BeanPostProcessor {
    private Filter customFilter;

    public Object postProcessAfterInitialization(Object bean, String name) {
        if (bean instanceof AuthenticationProcessingFilter) {
           return customFilter;
        }
        return bean;
    }

    public Object postProcessBeforeInitialization(Object bean, String name) {
        return bean;
    }

    public void setFilter(Filter filter) {
        this.customFilter = filter;
    }
}

那么您的配置将包括以下内容:

  <beans:bean class="CustomFilterBeanPostProcessor">
    <beans:property name="filter" ref="customAuthFilter"/>
  </beans:bean>

在属性之前使用

另一种方法是在 AuthenticationProcessingFilter 之前插入自定义过滤器。这将有一个额外的过滤器,但它应该是微创的,因为它很小并且不应该被访问(即,因为自定义过滤器仅在 AuthenticationProcessingFilter 忽略请求时继续过滤器链)。使用此方法的示例配置如下所示:

<beans:bean id="customAuthFilter" class="x.y.z.CustomAuthenticationProcessingFilter">
    <custom-filter before="AUTHENTICATION_PROCESSING_FILTER" />
    <beans:property name="defaultTargetUrl" value="/home.jsp"></beans:property>
    ...
    ...
  </beans:bean>
于 2012-09-05T19:38:42.220 回答
0

唉,看起来(如果我没记错的话)没有什么可以做的,因为 AuthenticationProcessingFilter 类名是硬编码在< HttpSecurityBeanDefinitionParser> :(

if (formLoginElt != null || autoConfig) {
  FormLoginBeanDefinitionParser parser = 
     new FormLoginBeanDefinitionParser("/j_spring_security_check", 
     "org.springframework.security.ui.webapp.AuthenticationProcessingFilter");

.

.

如果过滤器类是一个配置属性并在外部进行控制(就像default-target-url)可能会使用属性会更好authentication-filter-class

<form-login login-page='/logon.jsp' 
default-target-url='/home.jsp' 
always-use-default-target='true'
authentication-filter-class='x.y.z.CustomAuthenticationProcessingFilter'
/>

希望春天的人们在听;)

于 2012-09-04T16:55:03.097 回答
0

事实上,spring 的命名空间处理程序在内部定义了名称_formLoginFilter为 AuthenticationProcessingFilter 的 bean(参见BeanIds完整列表)。有多种方法可以解决此问题(即使用 DaoAuthenticationProvider 中的 j_username 以外的其他内容进行身份验证,例如从标头中获取用户名等...)

使用 Spring AOPbean()语法进行拦截doFilter()

_formLoginFilter定义一个切入点,用 name和 interceptsdoFilter方法查找 bean 。( AuthenticationProcessingFilter.doFilter() method) 并有条件地委托给别的东西

public class AuthenticationProcessingFilterAspect {
  private static final Logger LOGGER = LoggerFactory.getLogger(AuthenticationProcessingFilterAspect.class);
  public Object intercept(ProceedingJoinPoint pjp) throws Throwable {
    LOGGER.info("intercept------------------{}",pjp.toLongString());
    //Delegate to customised method instead of default  pjp.proceed()
    return pjp.proceed();
  }
}

配置

<beans:bean id="authFilterAspect" class="x.y.z.AuthenticationProcessingFilterAspect" />
<aop:config>
  <aop:aspect ref="authFilterAspect">
    <aop:around pointcut="bean(_formLoginFilter) &amp;&amp; execution(* doFilter(..))" method="intercept"/>
  </aop:aspect>
</aop:config>

使用 CustomWebAuthenticationDetails 进行身份验证

为 AuthenticationProcessingFilter bean 定义一个 bean 后处理器,该 bean 注入 CustomWebAuthenticationDetails 填充自定义字段

public class AuthenticationProcessingFilterBeanPostProcessor implements
    BeanPostProcessor {

  private static final Logger LOGGER = LoggerFactory.getLogger(AuthenticationProcessingFilterBeanPostProcessor.class);

  public Object postProcessAfterInitialization(Object bean, String beanName)
      throws BeansException {
    if ("_formLoginFilter".equals(beanName) && bean instanceof AuthenticationProcessingFilter) {
      AuthenticationProcessingFilter filter = (AuthenticationProcessingFilter) bean;
      WebAuthenticationDetailsSource source = (WebAuthenticationDetailsSource) filter.getAuthenticationDetailsSource();
      source.setClazz(CustomWebAuthenticationDetails.class);
    }
    return bean;
  }

  public Object postProcessBeforeInitialization(Object bean, String beanName)
      throws BeansException {
    return bean;
  }

  @SuppressWarnings("serial")
  public static class CustomWebAuthenticationDetails extends
      WebAuthenticationDetails {
    private String customAttribute;//customfield
    public CustomWebAuthenticationDetails(HttpServletRequest request) {
      super(request);
      //Build custom attributes that could be used elsewhere (say in DaoAuthenticationProvider ) 
      //with (CustomWebAuthenticationDetails)authentication.getDetails()
      customAttribute = request.getHeader("username");
    }
    public boolean getCustomAttribute() {
      return customAttribute;
    }
  }
}

配置

<beans:bean id="authFilterProcessor" class="x.y.z.AuthenticationProcessingFilterBeanPostProcessor" />

使用线程绑定请求进行实际身份验证(在 DaoAuthenticationProvider 内)

使用 getHttpServletRequest() 访问线程绑定请求对象并使用 request.getHeader("username") 进行自定义身份验证。

public static HttpServletRequest getHttpServletRequest(){
  return((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
}

如果请求不是通过 DispatcherServlet 也需要在 web.xml 中定义这个

<filter>
  <filter-name>requestContextFilter</filter-name>
  <filter-class>org.springframework.web.filter.RequestContextFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>requestContextFilter</filter-name>
  <url-pattern>/j_spring_security_check</url-pattern>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>
<filter-mapping>
  <filter-name>requestContextFilter</filter-name>
  <url-pattern>/j_spring_security_logout</url-pattern>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>REQUEST</dispatcher>
</filter-mapping>

如果它的面孔应用程序使用FacesContext.getCurrentInstance()

public static HttpServletRequest getHttpServletRequest(){
    FacesContext context = FacesContext.getCurrentInstance();
    return (HttpServletRequest) context.getExternalContext().getRequest();
}
于 2012-09-10T17:18:32.087 回答