0

我正在尝试使 springSecurity 插件适应我自己的需要,因此当用户进行身份验证时,必须检查一个密钥是否对用户有效,然后存储在用户的会话中(用户可以有多个密钥)。

表单登录:

<form action='${request.contextPath}/j_spring_security_check' method='POST' id='loginForm' name='loginForm' controller="login" onLoading="showSpinner();" onComplete="hideSpinner();" class="form-horizontal" autocomplete='off'>
                  <g:if test='${flash.msg}'><div class='errors_pw3'><g:message code="default.message.login"/> </div><br/></g:if>
                  <div class="control-group" style="margin-left:80px;">
                      <label class="control-label" for='j_datastore'><g:message code="label.datastore" default="Key:" /></label>
                          <div class="controls">
                          <input type='text'  name='key' id='key' value='${session.user.key}' class="span7"/>
                      </div>
                </div>
                <div class="control-group" style="margin-left:80px;">
                    <label class="control-label" for='j_username'><g:message code="label.ubistoreid" /></label>
                    <div class="controls">
                        <input type='text'  name='j_username' id='username' value='${request.remoteUser}' class="span7"/>
                    </div> 
                </div>
                <div class="control-group" style="margin-left:80px;">
                    <label class="control-label" for='j_password'><g:message code="label.password" /></label>
                    <div class="controls">
                        <input type='password'  name='j_password' id='password' class="span7"/>
                    </div>
               </div>

登录控制器:

def auth = {
    def config = SpringSecurityUtils.securityConfig
    def principal = springSecurityService.principal
    // Store key in the session
    session.setAttribute("KEY",params.key)
    println params.key + "*******"
    println params.params + "-----"
    if (springSecurityService.isLoggedIn()) {
        redirect uri:'/secure'
    }
    else if (params["login_error"]) {
        if(request.getParameterValues('login_error')[0] == '1') {
            flash.msg = "User or password invalid !"
        }
    }
    String view = 'index'
    String postUrl = "${request.contextPath}${config.apf.filterProcessesUrl}"
    render view: view, model: [postUrl: postUrl,rememberMeParameter: config.rememberMe.parameter,params:params]
}

参数未传递给会话

请,如何将 springSecurityService 修改为:1)检查密钥条目是否已为用户授权?(用户域类包含一个set<Key> keys带有授权密钥列表的条目)

2)稍后在用户会话中使用它(一旦它被认证)

4

1 回答 1

0

基本上,我已经实现了一个 customRedirect 策略。它有效,但我需要一个建议来在检查当前用户的密钥对象的有效性后自定义响应;

import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.apache.commons.lang.StringUtils
import org.springframework.security.web.DefaultRedirectStrategy

public class CustomRedirectStrategy extends DefaultRedirectStrategy {

    static final String adminFailureUrl='/console/index'
    static final String customerFailureUrl='/login/auth'
    HttpServletRequest request
    HttpServletResponse response
    String url
    String redirectUrl

    @Override
    public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException {
        def key = request.getParameter("j_key")
        if(key) {
            // TODO: process key validation
            request.session['KEY'] = key
            def ds = DataStore.findByKeyname(key)
            if(ds) {
                request.session['DS'] = ds
            }
            log.debug '--------------------'
            log.debug 'Used Key:'+ key
            log.debug '--------------------'
        } else {
            log.debug '--------------------'
            log.debug 'No key defined'
            log.debug '--------------------'
        }

        if(request.getParameter('asAdmin') == 'true') {
            redirectUrl = calculateAdminRedirectUrl(request);
        }
        else if (request.getParameter('asUser') == 'true') {
            redirectUrl = calculateUserRedirectUrl(request);
        }
        redirectUrl = response.encodeRedirectURL(redirectUrl);
        response.sendRedirect(redirectUrl);
    }

    private String calculateAdminRedirectUrl(final HttpServletRequest request) {
        return  request.getContextPath() + adminFailureUrl + "?login_error=1";
    }

    private String calculateUserRedirectUrl(final HttpServletRequest request) {
        return  request.getContextPath() + customerFailureUrl + "?login_error=1";
    }
}
于 2013-05-01T21:19:12.930 回答