UsernamePasswordAuthenticationFilter problem
I have a Spring Security 3 application in which login and logout work well. I wanted to implement my own UsernamePasswordAuthenticationFilter for my application. I followed this tutorial:
http://mrather.blogspot.com/2010/02/extending-usernamepasswordauthenticatio.html
My Filter class is:
    package security;

    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import java.io.IOException;

    public class CustomUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

        @Override
        protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, Authentication authResult) throws IOException, ServletException {
            super.successfulAuthentication(request, response, authResult);
            System.out.println("==successful login==");
        }

        @Override
        protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException {
            super.unsuccessfulAuthentication(request, response, failed);
            System.out.println("==failed login==");
        }
    }
My security xml configuration file:
    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
                 xmlns:beans="http://www.springframework.org/schema/beans"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://www.springframework.org/schema/beans
                     http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                     http://www.springframework.org/schema/security
                     http://www.springframework.org/schema/security/spring-security-3.0.xsd">

        <global-method-security/>

        <http entry-point-ref="loginUrlAuthenticationEntryPoint"/>

        <beans:bean id="loginUrlAuthenticationEntryPoint"
                    class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
            <beans:property name="loginFormUrl" value="/login.html"/>
        </beans:bean>

        <beans:bean id="customUsernamePasswordAuthenticationFilter"
                    class="security.CustomUsernamePasswordAuthenticationFilter">
            <beans:property name="authenticationManager" ref="authenticationManager"/>
            <beans:property name="authenticationFailureHandler" ref="failureHandler"/>
            <beans:property name="authenticationSuccessHandler" ref="successHandler"/>
        </beans:bean>

        <beans:bean id="successHandler"
                    class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
            <beans:property name="defaultTargetUrl" value="/login.html"/>
        </beans:bean>

        <beans:bean id="failureHandler"
                    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
            <beans:property name="defaultFailureUrl" value="/login.html?login_error=true"/>
        </beans:bean>

        <http auto-config="false" disable-url-rewriting="true">
            <custom-filter position="FORM_LOGIN_FILTER" ref="customUsernamePasswordAuthenticationFilter"/>
            <intercept-url pattern="/login.html" filters="none"/>
            <intercept-url pattern="/css/*" filters="none"/>
            <intercept-url pattern="/**" access="ROLE_USER"/>
        </http>

        <authentication-manager alias="authenticationManager">
            <authentication-provider>
                <password-encoder hash="sha-256"/>
                <user-service>
                    <user name="sdf" password="6b86d273ff34fce19d6dddf5747ada4eaa22f1d49c01e52ddb7875b4b"
                          authorities="ROLE_USER"/>
                </user-service>
            </authentication-provider>
        </authentication-manager>
    </beans:beans>
However, when I run my application it doesn't redirect to the login page; it goes to the index page by default and gives a 404 Not Found error for all my web pages. Any ideas? Did I configure my application well?
PS: The tutorial says:
Note: Since we are replacing the default FORM_LOGIN_FILTER, we should
not use
so I removed that:
    <form-login
        login-page="/login3.html"
        login-processing-url="/j_spring_security_check"
        default-target-url="/index.html"
        always-use-default-target="true"/>
    <logout logout-url="/j_spring_security_logout"
            logout-success-url="/login.html"/>
from my XML file.
Also, is there a need to define successHandler and failureHandler, because I didn't overwrite them? If I do it because I am replacing the filter (or because of http auto-config="false"; I don't know the real purpose of that line, so an explanation is welcome), should I define anything else for security?
I am new to Spring Security 3 and Spring.
Comments (1)
I solved the problem: entry-point-ref="loginUrlAuthenticationEntryPoint" shouldn't be in a different http tag.
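
The fix described in the comment above, written out as an added example (not the poster's actual file): the question's configuration with `entry-point-ref` moved onto the single `<http>` element that carries the custom filter and the URL rules. Bean ids, classes and URLs are taken from the question; the password digest is a placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    <global-method-security/>

    <!-- One <http> element only: the entry point is declared beside the custom filter
         and the intercept-url rules, replacing the separate <http entry-point-ref="..."/>. -->
    <http auto-config="false" disable-url-rewriting="true"
          entry-point-ref="loginUrlAuthenticationEntryPoint">
        <custom-filter position="FORM_LOGIN_FILTER" ref="customUsernamePasswordAuthenticationFilter"/>
        <intercept-url pattern="/login.html" filters="none"/>
        <intercept-url pattern="/css/*" filters="none"/>
        <intercept-url pattern="/**" access="ROLE_USER"/>
    </http>

    <!-- Unauthenticated requests for protected URLs are redirected to this login form. -->
    <beans:bean id="loginUrlAuthenticationEntryPoint"
                class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/login.html"/>
    </beans:bean>
    <!-- The login form must POST to this filter's URL, /j_spring_security_check by default. -->
    <beans:bean id="customUsernamePasswordAuthenticationFilter" class="security.CustomUsernamePasswordAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="authenticationFailureHandler" ref="failureHandler"/>
        <beans:property name="authenticationSuccessHandler" ref="successHandler"/>
    </beans:bean>
    <beans:bean id="successHandler"
                class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
        <beans:property name="defaultTargetUrl" value="/login.html"/>
    </beans:bean>
    <beans:bean id="failureHandler"
                class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <beans:property name="defaultFailureUrl" value="/login.html?login_error=true"/>
    </beans:bean>
    <!-- Placeholder digest: substitute the SHA-256 hex digest of the user's password. -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <password-encoder hash="sha-256"/>
            <user-service>
                <user name="sdf" password="REPLACE_WITH_SHA256_HEX_DIGEST" authorities="ROLE_USER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```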