我正在使用 spring-security 3.1.4 并且我有要求:
- 看认证是成功还是失败
- 如果成功将用户一般信息放入会话属性中
- 如果结果是失败,那么;
- 确定失败的原因(帐户锁定、帐户过期、凭据过期、用户禁用、登录失败尝试次数超过等)
- 为咆哮组件生成登录失败消息位于 login.xhtml
- 对失败事件采取特定的措施,例如在数据库中增加登录失败尝试和/或重定向到重新定义凭据等页面
我已经研究并找到了三种解决方案:
- 实现
PhaseListener
哪个是草率的,因为它在
所有阶段事件中被调用:
public class LoginErrorPhaseListener implements PhaseListener {
private static final long serialVersionUID = -404551400448242299L;
private static final String MESSAGES_RESOURCE_BUNDLE_NAME = "msgs";
private static final String ACCESS_DENIED_MESSAGE_KEY = "accessDeniedMessage";
private static final String BAD_CREDENTIALS_MESSAGE_KEY = "badCredentialsMessage";
@Override
public void beforePhase(final PhaseEvent arg0) {
Exception e = (Exception) FacesContext.getCurrentInstance().getExternalContext().getSessionMap().get(WebAttributes.AUTHENTICATION_EXCEPTION);
if (e instanceof BadCredentialsException) {
FacesContext fc = FacesContext.getCurrentInstance();
ResourceBundle messages = fc.getApplication().getResourceBundle(fc, MESSAGES_RESOURCE_BUNDLE_NAME);
fc.getExternalContext().getSessionMap().put(WebAttributes.AUTHENTICATION_EXCEPTION, null);
fc.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, messages.getString(ACCESS_DENIED_MESSAGE_KEY), messages.getString(BAD_CREDENTIALS_MESSAGE_KEY)));
}
}
@Override
public void afterPhase(final PhaseEvent arg0) {
}
@Override
public PhaseId getPhaseId() {
return PhaseId.RENDER_RESPONSE;
}
}
- 其他是定制
AuthenticationFailureHandler
和AuthenticationSuccessHandler
public class CustomAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
@Inject
private UserDao userDao;
public CustomAuthenticationFailureHandler() {
}
public CustomAuthenticationFailureHandler(String defaultFailureUrl) {
super(defaultFailureUrl);
}
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
super.onAuthenticationFailure(request, response, exception);
Class exceptionClazz = exception.getClass();
if (exceptionClazz == UsernameNotFoundException.class) {
}
else if (exceptionClazz == AuthenticationCredentialsNotFoundException.class) {
}
else if (exceptionClazz == BadCredentialsException.class) {
UserBean user = (UserBean) exception.getExtraInformation();
if (user.getLoginAttempts() == 2) {
userDao.updateUserStates(user.getUsername(), true, false, true, true);
userDao.resetUserLoginFailedAttempts(user.getUsername());
}
else {
userDao.incrementLoginFailedAttempts(user.getUsername());
}
}
else if (exceptionClazz == AccountStatusException.class) {
}
else if (exceptionClazz == AuthenticationServiceException.class) {
}
else if (exceptionClazz == InsufficientAuthenticationException.class) {
}
else if (exceptionClazz == NonceExpiredException.class) {
}
else if (exceptionClazz == PreAuthenticatedCredentialsNotFoundException.class) {
}
else if (exceptionClazz == ProviderNotFoundException.class) {
}
else if (exceptionClazz == RememberMeAuthenticationException.class) {
}
else if (exceptionClazz == SessionAuthenticationException.class) {
}
}
}
public class CustomAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
@Inject
private UserDao userDao;
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException {
super.onAuthenticationSuccess(request, response, authentication);
UserPersonalInfoBean activeUser = (UserPersonalInfoBean) authentication.getPrincipal();
request.getSession().setAttribute("activeUser", activeUser);
userDao.resetUserLoginFailedAttempts(activeUser.getUsername());
}
}
- 我发现的最后一种方法是实现 spring-context
ApplicationListener
@Named
public class BadCredentialsListener implements ApplicationListener<AuthenticationFailureBadCredentialsEvent> {
private static final long serialVersionUID = -404551400448242299L;
private static final String MESSAGES_RESOURCE_BUNDLE_NAME = "msgs";
private static final String ACCESS_DENIED_MESSAGE_KEY = "accessDeniedMessage";
private static final String BAD_CREDENTIALS_MESSAGE_KEY = "badCredentialsMessage";
@Override
public void onApplicationEvent(AuthenticationFailureBadCredentialsEvent event) {
FacesContext fc = FacesContext.getCurrentInstance();
ResourceBundle messages = fc.getApplication().getResourceBundle(fc, MESSAGES_RESOURCE_BUNDLE_NAME);
fc.getExternalContext().getSessionMap().put(WebAttributes.AUTHENTICATION_EXCEPTION, null);
fc.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, messages.getString(ACCESS_DENIED_MESSAGE_KEY), messages.getString(BAD_CREDENTIALS_MESSAGE_KEY)));
}
}
我的问题终于来了。我是一名初级开发人员,无法决定/弄清楚哪种方式是有效/高效的,简而言之,这是克服我使用的要求和技术(jsr330 注入、jsf 上下文等)的最佳方式。
我放弃了 jsfPhaseListener
解决方案,原因是我上面所说的。实际上 spring-security 访问和故障处理程序类似于PhaseListener
s 但更有效,因为它们在更具体的条件下被调用。必须根据异常的类型从异常中获取更具体的事件。但是,我应该同意在定义它们时security-context.xml
增加安全模块的可读性。听AbstractAuthenticationFailureEvent
儿童课在我看来真的很好。每个事件都彼此垂直分离并且很干净。此外,由于不推荐使用AuthenticationException
'sgetExtraInformation
和getAuthentication
方法,我无法找到另一种方法来访问AuthenticationFailureHandler.onAuthenticationFailure
.
所以你们理解的人,我很困惑,愿意接受你们的评论。
提前谢谢你,问候