java - RememberMeAuthenticationFilter 和 Java 配置 : Custom implementation to override onSuccessfulAuthentication - how to do it in a clean way?

Question

提供 AuthenticationSuccessHandler对于 RememberMeAuthenticationFilter打破了过滤器链，因此我想覆盖它的 onSuccessfulAuthentication方法通过提供 RememberMeAuthenticationFilter 的自定义实现.但是当使用简单的 Java Config 时，这似乎相当复杂或精细。

提供 ApplicationEventPublisher如果需要访问 HttpServletRequest，这不是一种解决方案或 HttpServletResponse .

我设法做到了，但它看起来像一个黑客 - 有更好的方法吗？

我是这样做的:

http.rememberMe().addObjectPostProcessor(new ObjectPostProcessor<RememberMeAuthenticationFilter>() {

    @Override
    public <O extends RememberMeAuthenticationFilter> O postProcess(O object) {

        RememberMeAuthenticationFilter newFilter = new RememberMeAuthenticationFilter(
                (AuthenticationManager) getByReflection(object, "authenticationManager"),
                (RememberMeServices) getByReflection(object, "rememberMeServices")
        ) {
            @Override
            protected void onSuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult) {
                // business logic
            }
        };
        return (O) newFilter;
    }

    private <O extends RememberMeAuthenticationFilter> Object getByReflection(O object, String name) {
        Field field = ReflectionUtils.findField(object.getClass(), name);
        ReflectionUtils.makeAccessible(field);
        return ReflectionUtils.getField(field, object);
    }
});

Answer 1

如果您想在身份验证过程(具有记住我的功能)成功时实现自定义行为，您可以尝试:

自定义记住我身份验证过滤器

定义一个新的过滤器，例如:

public class CustomRememberMeAuthenticationFilter extends RememberMeAuthenticationFilter {
  @Override
  protected void onSuccessfulAuthentication(final HttpServletRequest request, final HttpServletResponse response, final Authentication authResult) {
    super.onSuccessfulAuthentication(request, response, authResult);
    if (authResult != null) {
        // process post authentication logic here..
    }
  }
}

在安全链中设置客户文件:

@Override
protected void configure(HttpSecurity http) throws Exception {
  http
    .csrf().disable()
    .authorizeRequests()
    .antMatchers("/","/login*").permitAll()
    //...
  http
    .addFilter(rememberMeAuthenticationFilter())
    //...
}

@Bean
protected RememberMeAuthenticationFilter rememberMeAuthenticationFilter(){
    return new CustomRememberMeAuthenticationFilter(authenticationManager(),rememberMeServices());
}

查询 this为了创建您的 (authenticationManager(),rememberMeServices()

在前面的代码段中，刚刚添加了自定义过滤器。如果不起作用，您必须研究并在链中找到确切的过滤器以插入您的自定义过滤器:addFilterBefore、addFilterAfter、addFilterAt。

检查这个 add filter methods

最后删除默认 http.rememberMe() 以便使用您自己的过滤器。因为记住我命名空间元素已经插入了一个 RememberMeAuthenticationFilter 所以它仍然会优先于你的，因为它在过滤器链中出现在它之前。

引用

https://github.com/DGYao/spring-boot-demo/blob/master/src/main/java/com/springboot/web/WebSecurityConfigurer.java

https://craftingjava.com/blog/user-management-remember-me-jwt-token/

How can I use a custom configured RememberMeAuthenticationFilter in spring security?

https://www.baeldung.com/spring-security-remember-me

https://www.baeldung.com/spring-security-custom-filter#1-java-configuration

https://stackoverflow.com/a/22668530/3957754

https://docs.spring.io/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#remember-me-impls

How can I use a custom configured RememberMeAuthenticationFilter in spring security?

https://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html

persisted remember-me authentication after using custom filter

https://www.codejava.net/coding/how-to-implement-remember-password-remember-me-for-java-web-application

Spring Security custom RememberMeAuthenticationFilter not getting fired