ajax登錄彈簧webMVC和彈簧安全

Question

我一直在使用Spring Security 3.0爲我們的網站登錄機制使用專用的登錄網頁。現在我需要該登錄網頁來代替我們網站中每個網頁上的燈箱/彈出窗口，在登錄時我會得到一個AJAX結果，無論它是否成功。 Spring Security和Spring webmvc 3.0的最佳做法是什麼？

Answer 1

在客戶端，您可以通過ajax模擬正常的表單提交到您的登錄網址。舉例來說，在jQuery的：

$.ajax({ 
    url: "${pageContext.request.contextPath}/j_spring_security_check", 
    type: "POST", 
    data: $("#loginFormName").serialize(), 
    beforeSend: function (xhr) { 
     xhr.setRequestHeader("X-Ajax-call", "true"); 
    }, 
    success: function(result) { 
     if (result == "ok") { 
      ... 
     } else if (result == "error") { 
      ... 
     } 
    } 
}); 

在服務器端，您可以自定義AuthenticationSuccessHandler和AuthenticationFailureHandler返回一個值，而不是重定向的。因爲你可能需要一個正常的登錄頁面，以及（對於試圖通過直接的URL訪問受保護的頁面），你應該告訴從正常呼叫AJAX調用，例如，使用標題：

public class AjaxAuthenticationSuccessHandler implements AuthenticationSuccessHandler { 
    private AuthenticationSuccessHandler defaultHandler; 

    public AjaxAuthenticationSuccessHandler() { 

    } 
    public AjaxAuthenticationSuccessHandler(AuthenticationSuccessHandler defaultHandler) { 
     this.defaultHandler = defaultHandler; 
    } 

    public void onAuthenticationSuccess(HttpServletRequest request, 
     HttpServletResponse response, Authentication auth) 
     throws IOException, ServletException { 
    if ("true".equals(request.getHeader("X-Ajax-call"))) { 
     response.getWriter().print("ok"); 
     response.getWriter().flush(); 
    } else { 
     defaultHandler.onAuthenticationSuccess(request, response, auth); 
    } 
} 
} 

Answer 2

我沒有類似的東西（感謝axtavt）：

public class AjaxAuthenticationSuccessHandler extends 
    SimpleUrlAuthenticationSuccessHandler { 

public void onAuthenticationSuccess(HttpServletRequest request, 
     HttpServletResponse response, Authentication auth) 
     throws IOException, ServletException { 
    if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) { 
     response.getWriter().print(
       "{success:true, targetUrl : \'" 
         + this.getTargetUrlParameter() + "\'}"); 
     response.getWriter().flush(); 
    } else { 
     super.onAuthenticationSuccess(request, response, auth); 
    } 
}} 

我選擇了延長簡單的成功處理程序上的非Ajax請求的默認行爲。這是XML使它的工作：

<http auto-config="false" use-expressions="true" entry-point-ref="authenticationProcessingFilterEntryPoint"> 
    <custom-filter position="FORM_LOGIN_FILTER" ref="authenticationFilter" /> 
... 
... 
</http> 

<beans:bean id="authenticationProcessingFilterEntryPoint" 
    class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> 
    <beans:property name="loginFormUrl" value="/index.do" /> 
    <beans:property name="forceHttps" value="false" /> 
</beans:bean> 

<beans:bean id="authenticationFilter" class= 
    "org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"> 
    <beans:property name="authenticationManager" ref="authenticationManager"/> 
    <beans:property name="filterProcessesUrl" value="/j_spring_security_check"/> 
    <beans:property name="sessionAuthenticationStrategy" ref="sas" /> 
    <beans:property name="authenticationFailureHandler" ref="failureHandler"/> 
    <beans:property name="authenticationSuccessHandler" ref="successHandler"/> 
</beans:bean> 

<beans:bean id="successHandler" class="foo.AjaxAuthenticationSuccessHandler"> 
    <beans:property name="defaultTargetUrl" value="/login.html"/> 
</beans:bean> 

<beans:bean id="failureHandler" class="foo.AjaxAuthenticationFailureHandler" />