
java - Spring Security custom RememberMeAuthenticationFilter not getting fired

Reposted. Author: 行者123. Updated: 2023-12-02 06:01:15

I have implemented "remember me" functionality in a Spring MVC application using Spring Security 3.1.

My security-context.xml looks like this:

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:security="http://www.springframework.org/schema/security"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
            http://www.springframework.org/schema/beans/spring-beans.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-3.1.xsd">

        <import resource="servlet-context.xml" />
        <security:global-method-security secured-annotations="enabled" />

        <security:http auto-config="true" authentication-manager-ref="am">

            <!-- Restrict URLs based on role -->
            <security:intercept-url pattern="/public/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
            <security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
            <security:intercept-url pattern="/**" access="ROLE_USER" />

            <!-- Override default login and logout pages -->
            <security:form-login login-page="/public/login"
                login-processing-url="/public/loginProcess"
                default-target-url="/public/loginSuccess"
                authentication-failure-url="/public/login?login_error=1"
                always-use-default-target="true" />
            <security:logout logout-url="/public/logout" logout-success-url="/public/login?logout=1" />
            <security:remember-me services-alias="rmService" data-source-ref="dataSource"/>
            <security:custom-filter position="LAST" ref="httpResponseAuthFilter" />
        </security:http>

        <security:authentication-manager id="am">
            <security:authentication-provider>
                <security:password-encoder ref="passwordEncoder" />
                <security:jdbc-user-service data-source-ref="dataSource" />
            </security:authentication-provider>
        </security:authentication-manager>

        <bean id="httpResponseAuthFilter"
            class="mypackage.HttpResponseAuthenticationFilter">
            <property name="authenticationManager" ref="am"/>
            <property name="rememberMeServices" ref="rmService"></property>
        </bean>

    </beans>

The filter class is implemented as follows:

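    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    import org.springframework.security.core.Authentication;
    import org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter;

    public class HttpResponseAuthenticationFilter extends RememberMeAuthenticationFilter {

        // Hook invoked by the parent filter after a successful remember-me auto-login.
        @Override
        protected void onSuccessfulAuthentication(final HttpServletRequest request,
                final HttpServletResponse response, final Authentication authResult) {

            super.onSuccessfulAuthentication(request, response, authResult);

            if (authResult != null) {
                // process post authentication logic here..
            }
        }

    }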

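With the above configuration, the remember-me functionality works fine, but when running in the Eclipse debugger I found that HttpResponseAuthenticationFilter.onSuccessfulAuthentication() does not get called.

EDIT

After modifying my security-context.xml to define the remember-me service using standard Spring beans and referencing that service in the configuration, it looks like this: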

    <security:http auto-config="true" authentication-manager-ref="am">
        <!-- Restrict URLs based on role -->
        <security:intercept-url pattern="/public/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/**" access="ROLE_USER" />

        <!-- Override default login and logout pages -->
        <security:form-login login-page="/public/login"
            login-processing-url="/public/loginProcess"
            default-target-url="/public/loginSuccess"
            authentication-failure-url="/public/login?login_error=1"
            always-use-default-target="true" />

        <security:remember-me services-ref="rememberMeService"/>
        <security:logout logout-url="/public/logout" logout-success-url="/public/login?logout=1" />
        <security:custom-filter position="LAST" ref="httpResponseAuthFilter" />
    </security:http>

    <security:authentication-manager id="am">
        <security:authentication-provider>
            <security:password-encoder ref="passwordEncoder" />
            <security:jdbc-user-service data-source-ref="dataSource" />
        </security:authentication-provider>
        <security:authentication-provider ref="rememberMeAuthenticationProvider" />
    </security:authentication-manager>

    <bean id="rememberMeAuthenticationProvider"
        class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
        <property name="key" value="riskAnalysis" />
    </bean>

    <bean id="httpResponseAuthFilter"
        class="mypackage.HttpResponseAuthenticationFilter">
        <property name="authenticationManager" ref="am"/>
        <property name="rememberMeServices" ref="rememberMeService"></property>
    </bean>

    <bean id="rememberMeService"
        class="org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices">
        <property name="userDetailsService" ref="userDetailsService" />
        <property name="key" value="riskAnalysis" />
    </bean>

    <bean id="userDetailsService"
        class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
        <property name="dataSource" ref="dataSource"/>
    </bean>

Here is what I get in the log:

*DEBUG: mypackage.HttpResponseAuthenticationFilter - SecurityContextHolder not populated with remember-me token, as it already contained: 'org.springframework.security.authentication.RememberMeAuthenticationToken@303f2184: Principal: org.springframework.security.core.userdetails.User@cb7ea6f6: Username: tarun4; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ADMIN, ROLE_USER'*

So it looks like the authentication information is present in the session.

Thanks, Tarun

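Best answer

The remember-me namespace element already inserts a RememberMeAuthenticationFilter, so it will still take precedence over yours, since it comes before it in the filter chain.

If you want to use a custom filter, you should remove the namespace element and use standard Spring beans for the relevant services. There is an example in the reference manual (Section 11.4.1) which shows the beans needed.

Regarding "java - Spring Security custom RememberMeAuthenticationFilter not getting fired", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/22663488/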
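The answer's advice applied to the question's configuration, as an added example that is not part of the original question or answer: the namespace remember-me element is dropped and the custom filter takes the REMEMBER_ME_FILTER slot instead of LAST. The bean ids loginEntryPoint, loginFilter and logoutFilter are hypothetical, and replacing form-login and logout with explicit beans is an assumption made here so that the same rememberMeService can be injected into the login and logout filters.

```xml
<!-- Added example, not from the original post. loginEntryPoint, loginFilter and
     logoutFilter are hypothetical bean ids; the other refs are the question's beans. -->
<security:http auto-config="false" authentication-manager-ref="am"
               entry-point-ref="loginEntryPoint">
    <security:intercept-url pattern="/public/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/**" access="ROLE_USER" />
    <!-- No <security:remember-me/>: the custom subclass fills that slot itself. -->
    <security:custom-filter position="LOGOUT_FILTER" ref="logoutFilter" />
    <security:custom-filter position="FORM_LOGIN_FILTER" ref="loginFilter" />
    <security:custom-filter position="REMEMBER_ME_FILTER" ref="httpResponseAuthFilter" />
</security:http>

<bean id="loginEntryPoint"
      class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <constructor-arg value="/public/login" />
</bean>

<!-- Explicit login filter so the remember-me cookie is issued on form login. -->
<bean id="loginFilter"
      class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="authenticationManager" ref="am" />
    <property name="rememberMeServices" ref="rememberMeService" />
    <property name="filterProcessesUrl" value="/public/loginProcess" />
    <property name="authenticationSuccessHandler">
        <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
            <property name="defaultTargetUrl" value="/public/loginSuccess" />
            <property name="alwaysUseDefaultTargetUrl" value="true" />
        </bean>
    </property>
    <property name="authenticationFailureHandler">
        <bean class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
            <property name="defaultFailureUrl" value="/public/login?login_error=1" />
        </bean>
    </property>
</bean>

<!-- The remember-me service doubles as a logout handler that clears the cookie. -->
<bean id="logoutFilter"
      class="org.springframework.security.web.authentication.logout.LogoutFilter">
    <constructor-arg index="0" value="/public/login?logout=1" />
    <constructor-arg index="1">
        <list>
            <ref bean="rememberMeService" />
            <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
        </list>
    </constructor-arg>
    <property name="filterProcessesUrl" value="/public/logout" />
</bean>
```

The key on rememberMeService and rememberMeAuthenticationProvider must stay identical, and onSuccessfulAuthentication() runs only on requests that arrive with an empty security context and a valid remember-me cookie, not on every request.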
