是否可以在 Spring 中以基于表单的身份验证发送更多数据?
我对 Spring 框架 和 Spring 安全性比较陌生。
我使用了自定义身份验证方案,HTML:
<form action="j_spring_security_check">
<input type="text" name="j_username" value="abc"/>
<input type="text" name="j_password" value="abc"/>
<input type="text" name="myCustom1" value="pqr"/> <!-- maybe type="hidden" -->
<input type="text" name="myCustom2" value="pqr"/> <!-- maybe type="hidden" -->
</form>
和相应的代码:
public class CustomAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider
{
@Override protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken)
throws AuthenticationException
{
System.out.println("Method invoked : additionalAuthenticationChecks isAuthenticated ? :"+usernamePasswordAuthenticationToken.isAuthenticated());
}
@Override protected UserDetails retrieveUser(String username,UsernamePasswordAuthenticationToken authentication)
throws AuthenticationException
{
System.out.println("Method invoked : retrieveUser");
//I have Username,password:
//HOW CAN I ACCESS "myCustom1", "myCustom2" here ?
}
}
I am relatively new to the Spring Framework and Spring security.
I have used a custom authentication scheme, HTML:
<form action="j_spring_security_check">
<input type="text" name="j_username" value="abc"/>
<input type="text" name="j_password" value="abc"/>
<input type="text" name="myCustom1" value="pqr"/> <!-- maybe type="hidden" -->
<input type="text" name="myCustom2" value="pqr"/> <!-- maybe type="hidden" -->
</form>
and the corresponding code:
public class CustomAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider
{
@Override protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken)
throws AuthenticationException
{
System.out.println("Method invoked : additionalAuthenticationChecks isAuthenticated ? :"+usernamePasswordAuthenticationToken.isAuthenticated());
}
@Override protected UserDetails retrieveUser(String username,UsernamePasswordAuthenticationToken authentication)
throws AuthenticationException
{
System.out.println("Method invoked : retrieveUser");
//I have Username,password:
//HOW CAN I ACCESS "myCustom1", "myCustom2" here ?
}
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
以上都是很棒且完美的解决方案。
但我使用了一种解决方案,效果非常好。
用于 ThreadLocal
spring security xml 的多租户 ID
访问您的身份验证类中的请求对象
然后使用请求对象获取您的自定义参数
All above are great and perfect solutions.
But I have used a workaround kind of solution which works perfectly fine.
Used multitenant id for ThreadLocal
spring security xml
Access request object in your Authentication Class
Then use the request object to get your custom parameters
如果您需要使用额外的表单参数来操作用户名和密码,您可以实现自己的 AuthenticationProcessingFilter
http://static.springsource.org/spring-security/site/apidocs/org/springframework/security/ui/webapp/AuthenticationProcessingFilter.html
此类将具有对 HttpRequest 的完全访问权限,因此具有对您提交的所有附加参数的完全访问权限。如果您的目标是以某种方式使用这些值来修改用户名和密码,那么您就可以在此处执行此操作。
If you need to use additional form parameters in order to manipulate the username and password, you can implement your own AuthenticationProcessingFilter
http://static.springsource.org/spring-security/site/apidocs/org/springframework/security/ui/webapp/AuthenticationProcessingFilter.html
This class will have full access to the HttpRequest and therefore all the additional parameters you submit. If your goal is to somehow use these values to modify the username and password, this is where you would do it.
这里的技巧是,您需要创建一个新的 AuthenicationToken (可能)扩展 UsernameAndPasswordAuthenicationToken ,正如 @emills 所说,您需要实现一个新的 AuthenciationProcessingFilter 将请求值映射到令牌并将这些值提交到 AuthenicationManager 。
基本上,在 spring-security
AuthenicationToken中实现自定义身份验证链有几个部分AuthenicationProvider所需的凭据- 向 AuthenicationManager 注册,接受您的 AuthenicationToken 并验证用户,并返回一个具有授予权限集的令牌AuthenciationFilter- 实际上不必是一个过滤器,只需使用 AbstractProcessingFilter 将使您的生活变得更轻松The trick here is that you need to create a new AuthenicationToken (maybe) extending UsernameAndPasswordAuthenicationToken and as @emills says you need to then implement a new AuthenciationProcessingFilter to map the request values to the token and submit these to the AuthenicationManager.
Basically there are a couple of parts to implementing a custom authenication chain in spring-security
AuthenicationToken- details of the authenication request and it's result, ie contains credentials you require to authenticateAuthenicationProvider- registered with the AuthenicationManager, accepts your AuthenicationToken and validates the user and returns a token with the granted authorities setAuthenciationFilter- doesn't actually have to be a filter just using AbstractProcessingFilter will make your life a little easier我会这样:
这是保存属性的类:
现在您拥有用户名、密码和详细信息。
I would go this way:
This is the class that holds the properties:
Now you have the username, password and the details.
我做过类似的事情,但与任何人在这里建议的不同。我并不是说这是“正确”的方法 - 但它对我来说非常有效。在主体对象中有用户,在 AuthenticationToken 中还有一个详细信息对象,您可以存储其他登录信息的 Map(String, String)。
现在,在代码中的任何位置,您都可以使用 SecurityContext 来传播此安全相关信息,而无需将其耦合到 UserDetails 对象,或将其作为参数传递。我在 Spring Security Filter 链末尾的 SecurityFilter 中执行此代码。
I've done a similar thing, but different then anyone has suggested here. I am not saying this is the "right" way to do it - but it's worked very well for me. In the Principal object there is the user and there is also a Details object in the AuthenticationToken that you can store a Map(String, String) of other login info.
Now anywhere in your code you get use the SecurityContext to propagate this security related info without having to couple it to your UserDetails object, or pass it as arguments. I do this code in a SecurityFilter at the end of the Spring Security Filter chain.