devbox
花生_TL007
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

Spring Security3 自定义登录,验证码登录_spring-security.xml 验证码 和配置类

作者:花生_TL007 | 2024-04-06 07:12:31

spring-security.xml 验证码 和配置类

Security3 安全架构 这里主要说的就是spring-security.xml 配置 因为网上这个资料确实很少

首先 pom  

org.springframework.security 的包 我现在版本是3.1.4的  注意依赖都要导入的 包名就不写了!

web.xml

security 的过滤器链

  1. <filter>
  2.    <filter-name>springSecurityFilterChain</filter-name>
  3.    <filter-class>
  4.       org.springframework.web.filter.DelegatingFilterProxy
  5.    </filter-class>
  6. </filter>
  7. <filter-mapping>
  8.    <filter-name>springSecurityFilterChain</filter-name>
  9.    <url-pattern>/*</url-pattern>
  10. </filter-mapping>

现在开始正题

spring-security.xml 配置  这个配置主要是用来重写attemptAuthentication方法的 这个是重点

  1. <http auto-config="true"   use-expressions="true"   access-denied-page="/403.jsp"   >
  2.         <!--login-processing-url 参数为登录的提交请求url -->
  3.         <form-login login-processing-url="/home"  login-page="/doctorLogin"  always-use-default-target="false" default-target-url="/"/>
  4.         <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
  5.         <logout invalidate-session="true" logout-success-url="/doctorLogin" logout-url="/logout"/> <!--退出登录-->
  6.         <custom-filter before="FORM_LOGIN_FILTER" ref="verificationLogin"></custom-filter>  <!--自定义拦截器  before 之前 FORM_LOGIN_FILTER 登录拦截-->     
  7.         <session-management>
  8.             <concurrency-control max-sessions="1" error-if-maximum-exceeded="false" expired-url="/doctorLogin?error=2"/><!--只允许单线登录-->
  9.         </session-management>
  10.     </http>
  11.     <beans:bean id="verificationLogin" class="com.hearing.cloud.background.loginFilter.LoginFilterAuthentication"> <!--登录拦截器-->
  12.         <beans:property name="authenticationManager" ref="authenticationManager"/>   <!--身份验证  必须的-->
  13.         <beans:property name="authenticationSuccessHandler" ref="SuccessHandler" />  <!--验证通过  必须的-->
  14.         <beans:property name="authenticationFailureHandler" ref="FailureHandler" />  <!--验证失败  必须的-->
  15.     </beans:bean>
  16.     <authentication-manager alias="authenticationManager">           <!--身份验证-->
  17.         <authentication-provider user-service-ref="userDaoImpl">     <!--用户数据查询-->
  18.         </authentication-provider>
  19.     </authentication-manager>
  20.     <beans:bean id="SuccessHandler" class="com.hearing.cloud.background.loginFilter.LoginSuccessHandler"></beans:bean> <!--验证通过逻辑-->
  21.     <beans:bean id="FailureHandler" class="com.hearing.cloud.background.loginFilter.LoginFailureHandler"></beans:bean> <!--验证失败逻辑-->

   //UsernamePasswordAuthenticationFilter的实现 重写 attemptAuthentication方法 逻辑随意修改

  1. package com.hearing.cloud.background.loginFilter;
  2.  
  3. import com.hearing.cloud.background.model.OrdinaryUser;
  4. import com.hearing.cloud.background.model.User;
  5. import com.hearing.cloud.background.service.IOrdinaryUserManager;
  6. import com.hearing.cloud.background.service.IUserManager;
  7. import com.hearing.cloud.background.util.ActionUtil;
  8. import org.springframework.beans.factory.annotation.Autowired;
  9. import org.springframework.security.authentication.AuthenticationServiceException;
  10. import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
  11. import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
  12. import org.springframework.security.core.Authentication;
  13. import org.springframework.security.core.AuthenticationException;
  14. import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
  15. import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
  16. import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
  17. import org.springframework.util.Assert;
  18.  
  19. import javax.servlet.http.HttpServletRequest;
  20. import javax.servlet.http.HttpServletResponse;
  21. import java.util.Map;
  22.  
  23. //这里一般都是继承UsernamePasswordAuthenticationFilter 但是 我这里没有继承他  我继承了他爷爷 AbstractAuthenticationProcessingFilter
  24. public class LoginFilterAuthentication extends AbstractAuthenticationProcessingFilter {
  25.  
  26.  
  27.     public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "j_username";
  28.     public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "j_password";
  29.     /** @deprecated */
  30.     @Deprecated
  31.     public static final String SPRING_SECURITY_LAST_USERNAME_KEY = "SPRING_SECURITY_LAST_USERNAME";
  32.     private String usernameParameter = "j_username";
  33.     private String passwordParameter = "j_password";
  34.     private boolean postOnly = true;
  35.     private SessionAuthenticationStrategy sessionStrategy = new NullAuthenticatedSessionStrategy();
  36.     //继承爷爷的原因是 我重新构造这个参数, 默认的是 /j_spring_security_check  我认为太丑
  37.     public LoginFilterAuthentication() {
  38.         super("/home");
  39.     }
  40.     @Autowired
  41.     private IOrdinaryUserManager ordinaryUserManager;
  42.     @Autowired
  43.     private IUserManager iUserManager;
  44.     @Autowired
  45.     private ShaPasswordEncoder shaPasswordEncoder;
  46.     public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
  47.         if (this.postOnly &&!request.getMethod().equals("POST")) {
  48.             throw new AuthenticationServiceException(
  49.                     "Authentication method not supported: " + request.getMethod());
  50.         }
  51.         UsernamePasswordAuthenticationToken authRequest=null;
  52.         //前端的选择,0是用户名登录, 1是验证码登录
  53.         Map<String,String> map = ActionUtil.getParameters(request);
  54.         String selects=map.get("selects");
  55.  
  56.         if("0".equals(selects)){ //正常登陆 因为我们没有在xml中配置加密,所以我们手动加密,更灵活一些 
  57.            authRequest = new UsernamePasswordAuthenticationToken(账号, 密码);
  58.         }else{ //电话号码登录 密码就不用加密了 直接登录
  59.             //验证码对比结果
  60.             boolean falg=true;
  61.             if(falg) { //验证通过
  62.                     authRequest = new UsernamePasswordAuthenticationToken(账号, 密码);
  63.             }else{//验证失败 我们要手动抛出一个异常,在后面的验证失败类中去捕获
  64.                 authRequest = new UsernamePasswordAuthenticationToken("", "");
  65.                 throw new AuthenticationServiceException("验证码错误");
  66.             }
  67.             request.getSession().removeAttribute("phone");
  68.         }
  69.         // Allow subclasses to set the "details" property
  70.         setDetails(request, authRequest);
  71.         // 执行校验(使用DaoAuthenticationProvider进行校验)
  72.         return this.getAuthenticationManager().authenticate(authRequest);
  73.     }
  74.  
  75.  
  76.  
  77.     protected String obtainPassword(HttpServletRequest request) {
  78.         return request.getParameter(this.passwordParameter);
  79.     }
  80.  
  81.     protected String obtainUsername(HttpServletRequest request) {
  82.         return request.getParameter(this.usernameParameter);
  83.     }
  84.  
  85.     protected void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) {
  86.         authRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
  87.     }
  88.  
  89.     public void setUsernameParameter(String usernameParameter) {
  90.         Assert.hasText(usernameParameter, "Username parameter must not be empty or null");
  91.         this.usernameParameter = usernameParameter;
  92.     }
  93.  
  94.     public void setPasswordParameter(String passwordParameter) {
  95.         Assert.hasText(passwordParameter, "Password parameter must not be empty or null");
  96.         this.passwordParameter = passwordParameter;
  97.     }
  98.  
  99.     public void setPostOnly(boolean postOnly) {
  100.         this.postOnly = postOnly;
  101.     }
  102.  
  103.  
  104.  
  105.  
  106. }

   //查询用户的实现 实现 UserDetailsService的 loadUserByUsername方法 返回一个UserDetails  

  1. @Repository(value = "userDaoImpl")
  2. public class UserDaoImpl extends GenericDaoHibernate<User, String> implements IUserDao, UserDetailsService {
  3.  
  4.     /**
  5.     * 用户登录
  6.     */
  7.     @SuppressWarnings({"deprecation", "rawtypes"})
  8.     public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException         
  9.     {
  10.          //逻辑我就不写了  你们想怎么写就怎么写,记得查询出来的 user 转换成 UserDetails  
  11.     }
  12. }

 

  //验证成功的方法 需要继承SimpleUrlAuthenticationSuccessHandler和实现AuthenticationSuccessHandler接口

  1. package com.hearing.cloud.background.loginFilter;
  2.  
  3.  
  4. import org.springframework.beans.factory.annotation.Value;
  5. import org.springframework.security.core.Authentication;
  6. import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
  7. import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
  8. import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
  9. import org.springframework.security.web.savedrequest.RequestCache;
  10. import org.springframework.security.web.savedrequest.SavedRequest;
  11. import org.springframework.util.StringUtils;
  12.  
  13. import javax.servlet.ServletException;
  14. import javax.servlet.http.HttpServletRequest;
  15. import javax.servlet.http.HttpServletResponse;
  16. import java.io.IOException;
  17.  
  18. public class LoginSuccessHandler extends SimpleUrlAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
  19.     //我重写的目的 1.主要是这个位置 因为我要访问我的 跳转首页方法的逻辑接口
  20.     //2.是如果不改这里 登录会有两个后果,1.登录后关闭页面,在次打开,页面会显示路径无法加载,2. 
  21.     //第一次登录成功跳转页面是你首页加载的第一个js页面而不是首页,请认真对待
  22.     @Value("/") 
  23.     private String defaultTargetUrl;
  24.  
  25.     private RequestCache requestCache = new HttpSessionRequestCache();
  26.     @Override
  27.     public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
  28.         SavedRequest savedRequest = this.requestCache.getRequest(request, response);
  29.         if(savedRequest == null) {
  30.             super.onAuthenticationSuccess(request, response, authentication);
  31.         } else {
  32.             String targetUrlParameter = this.getTargetUrlParameter();
  33.             if(!this.isAlwaysUseDefaultTargetUrl() && (targetUrlParameter == null || !StringUtils.hasText(request.getParameter(targetUrlParameter)))) {
  34.                 this.clearAuthenticationAttributes(request);
  35.                 this.logger.debug("Redirecting to DefaultSavedRequest Url: " + defaultTargetUrl);
  36.                 this.getRedirectStrategy().sendRedirect(request, response, defaultTargetUrl);
  37.             } else {
  38.                 this.requestCache.removeRequest(request, response);
  39.                 super.onAuthenticationSuccess(request, response, authentication);
  40.             }
  41.         }
  42.     }
  43.     public void setRequestCache(RequestCache requestCache) {
  44.         this.requestCache = requestCache;
  45.     }
  46. }

 //验证失败  需要实现AuthenticationFailureHandler 接口

  1. package com.hearing.cloud.background.loginFilter;
  2.  
  3.  
  4. import org.springframework.security.core.AuthenticationException;
  5. import org.springframework.security.web.DefaultRedirectStrategy;
  6. import org.springframework.security.web.RedirectStrategy;
  7. import org.springframework.security.web.authentication.AuthenticationFailureHandler;
  8. import org.springframework.security.web.util.UrlUtils;
  9. import org.springframework.util.Assert;
  10.  
  11. import javax.servlet.ServletException;
  12. import javax.servlet.http.HttpServletRequest;
  13. import javax.servlet.http.HttpServletResponse;
  14. import javax.servlet.http.HttpSession;
  15. import java.io.IOException;
  16.  
  17.  
  18. public class LoginFailureHandler implements AuthenticationFailureHandler {
  19.  
  20.     private String defaultFailureUrl;
  21.     private boolean forwardToDestination = false;
  22.     private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
  23.     private boolean allowSessionCreation = true;
  24.  
  25.     public LoginFailureHandler() {
  26.     }
  27.  
  28.     public LoginFailureHandler(String defaultFailureUrl) {
  29.         this.setDefaultFailureUrl(defaultFailureUrl);
  30.     }
  31.  
  32.     public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException e) throws IOException, ServletException {
  33.         if(this.defaultFailureUrl == null) {
  34.             if("验证码错误".equals(e.getMessage())){
  35.                 redirectStrategy.sendRedirect(request, response, "/doctorLogin?error=3");
  36.             }else{
  37.                 redirectStrategy.sendRedirect(request, response, "/doctorLogin?error=1");
  38.             }
  39.         } else {
  40.             this.saveException(request, e);
  41.             if(this.forwardToDestination) {
  42.                 request.getRequestDispatcher(this.defaultFailureUrl).forward(request, response);
  43.             } else {
  44.                 this.redirectStrategy.sendRedirect(request, response, this.defaultFailureUrl);
  45.             }
  46.         }
  47.     }
  48.     public void setDefaultFailureUrl(String defaultFailureUrl) {
  49.         Assert.isTrue(UrlUtils.isValidRedirectUrl(defaultFailureUrl), "\'" + defaultFailureUrl + "\' is not a valid redirect URL");
  50.         this.defaultFailureUrl = defaultFailureUrl;
  51.     }
  52.     protected final void saveException(HttpServletRequest request, AuthenticationException exception) {
  53.         if(this.forwardToDestination) {
  54.             request.setAttribute("SPRING_SECURITY_LAST_EXCEPTION", exception);
  55.         } else {
  56.             HttpSession session = request.getSession(false);
  57.             if(session != null || this.allowSessionCreation) {
  58.                 request.getSession().setAttribute("SPRING_SECURITY_LAST_EXCEPTION", exception);
  59.             }
  60.         }
  61.  
  62.     }
  63.     protected boolean isUseForward() {
  64.         return this.forwardToDestination;
  65.     }
  66.  
  67.     public void setUseForward(boolean forwardToDestination) {
  68.         this.forwardToDestination = forwardToDestination;
  69.     }
  70.  
  71.     protected boolean isAllowSessionCreation() {
  72.         return this.allowSessionCreation;
  73.     }
  74.  
  75.     public void setAllowSessionCreation(boolean allowSessionCreation) {
  76.         this.allowSessionCreation = allowSessionCreation;
  77.     }
  78.  
  79.  
  80. }
声明:本文内容由网友自发贡献,转载请注明出处:【wpsshop博客】
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号