2

美好的一天人们。

请帮忙。无法理解应该如何触发我的自定义身份验证提供程序。

我有:

弹簧上下文.xml

<security:http pattern="/login" security="none" />  


            <security:http auto-config="true" use-expressions="true">


                <security:form-login login-page="/login"/>

                <security:intercept-url pattern="/" access="hasRole('ROLE_USER')"/>

                <security:form-login authentication-failure-url="www.google.com"/> 

            </security:http>



            <security:authentication-manager>

                <security:authentication-provider user-service-ref="userSecurityService"/>

            </security:authentication-manager>


            <bean id="webContentDAOImpl" class="demidov.pkg.persistence.WebContentDAOImpl">
                <property name="sessionFactory"><ref bean="sessionFactory"/></property>
            </bean>


            <bean id="userSecurityService" class="demidov.pkg.persistence.UserSecurityService">
                <property name="webContentDAOIF" >
                    <ref bean="webContentDAOImpl"/>
                </property>
            </bean>

登录控制器:

   @Controller
public class LoginController {

    @RequestMapping(value="/login", method=RequestMethod.GET)
    public String login() {

        return "login"; 
    }


    @RequestMapping(value="/security/j_spring_security_check", method=RequestMethod.POST)
    public String  access() {

        return "redirect:/";

    }


}

登录JSP页面:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Insert title here</title>
</head>
<body>

    <form action="security/j_spring_security_check" method="post">

        UserName: <input type="text"/> <br>
        Password: <input type="password"/> <br>

        <br>

        <input type="submit"/> 


    </form>

</body>
</html>

自定义主体解析器:

   public class UserSecurityService implements UserDetailsService{


    WebContentDAOIF webContentDAOIF;

        public WebContentDAOIF getWebContentDAOIF() {
            return webContentDAOIF;
        }


        public void setWebContentDAOIF(WebContentDAOIF webContentDAOIF) {
            this.webContentDAOIF = webContentDAOIF;
        }


    @Override
    public UserDetails loadUserByUsername(String userName)
            throws UsernameNotFoundException {


         UserDetails userDetails = null;


         TheUser theUser = webContentDAOIF.fetchUserByName(userName);

         userDetails = new User(theUser.getUserEmale(), theUser.getUserPassword(), true, true, true, true, getAthorities(theUser.getRoleAccess()));


        return userDetails;
    }


    public Collection<GrantedAuthority> getAthorities(String role) {


        List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(2);


        authList.add(new SimpleGrantedAuthority(" "));


        if ( role.equals("ROLE_USER")) {

            authList.add(new SimpleGrantedAuthority("ROLE_USER"));
           }

           // Return list of granted authorities
           return authList;

    }   

}

我只是不明白我的自定义主体解析器应该如何使用安全性。它应该如何触发以及由什么触发???当我在登录页面上输入错误的用户名和密码时,它似乎不适用于我的UserSecurityService,只是因为我hasRole(ROLE_USER)在 spring-context.xml 中而再次将我重定向到登录页面。我相信这j_spring_security_check可能会有所作为,但对此表示怀疑。请帮我理解。

4

2 回答 2

3

请参考下面提到的链接,可能会有所帮助:-
  spring security custom authentication

于 2013-10-16T11:37:07.700 回答
0

方法loadUserByUsername的参数userName是从浏览器发布的值,将用户名与 DB 进行比较,从 DB 获取密码并传递给UserDetail从浏览器发布密码的对象,因此现在它将在内部比较密码并相应地进行身份验证

于 2014-06-24T10:16:25.013 回答