5

我正在使用 spring-security 3.1.4 并且我有要求:

  • 看认证是成功还是失败
    • 如果成功将用户一般信息放入会话属性中
    • 如果结果是失败,那么;
      • 确定失败的原因(帐户锁定、帐户过期、凭据过期、用户禁用、登录失败尝试次数超过等)
      • 为咆哮组件生成登录失败消息位于 login.xhtml
      • 对失败事件采取特定的措施,例如在数据库中增加登录失败尝试和/或重定向到重新定义凭据等页面

我已经研究并找到了三种解决方案:

  • 实现PhaseListener哪个是草率的,因为它在
    所有阶段事件中被调用:

public class LoginErrorPhaseListener implements PhaseListener {
  private static final long   serialVersionUID              = -404551400448242299L;

  private static final String MESSAGES_RESOURCE_BUNDLE_NAME = "msgs";
  private static final String ACCESS_DENIED_MESSAGE_KEY     = "accessDeniedMessage";
  private static final String BAD_CREDENTIALS_MESSAGE_KEY   = "badCredentialsMessage";

  @Override
  public void beforePhase(final PhaseEvent arg0) {
    Exception e = (Exception) FacesContext.getCurrentInstance().getExternalContext().getSessionMap().get(WebAttributes.AUTHENTICATION_EXCEPTION);
      if (e instanceof BadCredentialsException) {
         FacesContext fc = FacesContext.getCurrentInstance();
         ResourceBundle messages = fc.getApplication().getResourceBundle(fc, MESSAGES_RESOURCE_BUNDLE_NAME);
         fc.getExternalContext().getSessionMap().put(WebAttributes.AUTHENTICATION_EXCEPTION, null);
         fc.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, messages.getString(ACCESS_DENIED_MESSAGE_KEY), messages.getString(BAD_CREDENTIALS_MESSAGE_KEY)));
      }
   }

   @Override
   public void afterPhase(final PhaseEvent arg0) {
   }

   @Override
   public PhaseId getPhaseId() {
      return PhaseId.RENDER_RESPONSE;
   }

}
  • 其他是定制AuthenticationFailureHandlerAuthenticationSuccessHandler

public class CustomAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {

   @Inject
   private UserDao userDao;

   public CustomAuthenticationFailureHandler() {
   }

   public CustomAuthenticationFailureHandler(String defaultFailureUrl) {
      super(defaultFailureUrl);
   }

   @Override
   public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
      super.onAuthenticationFailure(request, response, exception);
      Class exceptionClazz = exception.getClass();

      if (exceptionClazz == UsernameNotFoundException.class) {

      }
      else if (exceptionClazz == AuthenticationCredentialsNotFoundException.class) {

      }
      else if (exceptionClazz == BadCredentialsException.class) {
         UserBean user = (UserBean) exception.getExtraInformation();
         if (user.getLoginAttempts() == 2) {
            userDao.updateUserStates(user.getUsername(), true, false, true, true);
            userDao.resetUserLoginFailedAttempts(user.getUsername());
         }
         else {
            userDao.incrementLoginFailedAttempts(user.getUsername());
         }
      }
      else if (exceptionClazz == AccountStatusException.class) {

      }
      else if (exceptionClazz == AuthenticationServiceException.class) {

      }
      else if (exceptionClazz == InsufficientAuthenticationException.class) {

      }
      else if (exceptionClazz == NonceExpiredException.class) {

      }
      else if (exceptionClazz == PreAuthenticatedCredentialsNotFoundException.class) {

      }
      else if (exceptionClazz == ProviderNotFoundException.class) {

      }
      else if (exceptionClazz == RememberMeAuthenticationException.class) {

      }
      else if (exceptionClazz == SessionAuthenticationException.class) {

      }
   }
}

public class CustomAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

   @Inject
   private UserDao userDao;

   @Override
   public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException {
      super.onAuthenticationSuccess(request, response, authentication);
      UserPersonalInfoBean activeUser = (UserPersonalInfoBean) authentication.getPrincipal();
      request.getSession().setAttribute("activeUser", activeUser);
      userDao.resetUserLoginFailedAttempts(activeUser.getUsername());
   }
}
  • 我发现的最后一种方法是实现 spring-context ApplicationListener

@Named
public class BadCredentialsListener implements ApplicationListener<AuthenticationFailureBadCredentialsEvent> {
   private static final long   serialVersionUID              = -404551400448242299L;

   private static final String MESSAGES_RESOURCE_BUNDLE_NAME = "msgs";
   private static final String ACCESS_DENIED_MESSAGE_KEY     = "accessDeniedMessage";
   private static final String BAD_CREDENTIALS_MESSAGE_KEY   = "badCredentialsMessage";

   @Override
   public void onApplicationEvent(AuthenticationFailureBadCredentialsEvent event) {
      FacesContext fc = FacesContext.getCurrentInstance();
      ResourceBundle messages = fc.getApplication().getResourceBundle(fc, MESSAGES_RESOURCE_BUNDLE_NAME);
      fc.getExternalContext().getSessionMap().put(WebAttributes.AUTHENTICATION_EXCEPTION, null);
      fc.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, messages.getString(ACCESS_DENIED_MESSAGE_KEY), messages.getString(BAD_CREDENTIALS_MESSAGE_KEY)));
   }

}

我的问题终于来了。我是一名初级开发人员,无法决定/弄清楚哪种方式是有效/高效的,简而言之,这是克服我使用的要求和技术(jsr330 注入、jsf 上下文等)的最佳方式。

我放弃了 jsfPhaseListener解决方案,原因是我上面所说的。实际上 spring-security 访问和故障处理程序类似于PhaseListeners 但更有效,因为它们在更具体的条件下被调用。必须根据异常的类型从异常中获取更具体的事件。但是,我应该同意在定义它们时security-context.xml增加安全模块的可读性。听AbstractAuthenticationFailureEvent儿童课在我看来真的很好。每个事件都彼此垂直分离并且很干净。此外,由于不推荐使用AuthenticationException'sgetExtraInformationgetAuthentication方法,我无法找到另一种方法来访问AuthenticationFailureHandler.onAuthenticationFailure.

所以你们理解的人,我很困惑,愿意接受你们的评论。

提前谢谢你,问候

4

1 回答 1

0

我认为是否使用一种或另一种选择取决于您的要求。

例如,使用处理程序的一个动机:处理程序获取请求和响应参数。因此,如果您想在某些情况下将用户重定向到某个页面(例如,如果帐户被锁定,并且您想向他显示不同的 HTML 页面) - 您应该使用处理程序。事件监听器不能(也不应该)重定向用户或改变流程。他们只是听众……

于 2014-04-17T06:18:36.880 回答