2015-11-14 73 views
1

我使用Spring和自定義實現UsernamePasswordAuthenticationFilter。我想在成功認證後執行一些自定義代碼(例如:使用剛認證的用戶名登錄消息)。使用UsernamePasswordAuthenticationFilter將自定義後驗證代碼放在哪裏

我應該覆蓋哪種方法或者如何註冊成功認證的處理程序?

重寫successfulAuthentication()方法,放在那裏我的自定義代碼並完成調用原始方法(super.successfulAuthentication();)是否好主意?或者還有其他一些最佳做法?

+0

我提供了一個不同的方法來達到你想要什麼,請檢查出來,讓我知道它是否能解決你的問題。 – SyntaX

回答

2

我對成功的 認證通過後執行自定義任務的方法是在 春季安全使用自定義身份驗證成功處理程序。

你可以如下做到這一點:

創建自定義AuthenticationSuccessHandlerTMGAuthenticationSuccessHandler。如果檢測到用戶使用默認的機器生成密碼,我創建了一個將用戶重定向到密碼更改頁面的示例代碼。

@Component("tMGAuthSuccessHandler") 
public class TMGAuthSuccessHandler implements AuthenticationSuccessHandler { 

    private AuthenticationSuccessHandler target = new SavedRequestAwareAuthenticationSuccessHandler(); 

    @Autowired 
    private UserService userService; 

    private static final Logger LOGGER = LoggerFactory.getLogger(TMGAuthSuccessHandler.class); 

    @Override 
    public void onAuthenticationSuccess(HttpServletRequest servletRequest, HttpServletResponse servletResponse, Authentication authentication) 
      throws IOException, ServletException { 

     if (hasDefaultPassword(authentication)) { 
      LOGGER.debug("Default password detected for username: " + authentication.getName()); 
      servletResponse.sendRedirect("changePassword"); 
     } else { 
      target.onAuthenticationSuccess(servletRequest, servletResponse, authentication); 
     } 
    } 

    /** 
    * Checks whether default password is used in login. 
    */ 
    private boolean hasDefaultPassword(Authentication authentication) { 

     String username = authentication.getName(); 
     User user = userService.findOnUsername(username, true, false, false, false); 
     if (user != null && user.getLoginAuditTrail() != null && user.getLoginAuditTrail().isDefaultPasswordUsed() != null) { 
      return user.getLoginAuditTrail().isDefaultPasswordUsed(); 
     } 
     return false; 
    } 

    /** 
    * Proceeds to the requested URL. 
    */ 
    public void proceed(HttpServletRequest servletRequest, HttpServletResponse servletResponse, Authentication authentication) throws IOException, 
      ServletException { 
     target.onAuthenticationSuccess(servletRequest, servletResponse, authentication); 
    } 
} 

修改securityContext.xml或包含彈簧安全相關配置的類似文件。將此定製版本添加到http配置爲authentication-success-handler-ref="tMGAuthSuccessHandler"。代碼片段如下所示:

<security:http use-expressions="true" authentication-manager-ref="webAppAuthManager"> 

    <!-- signin and signout --> 
    <security:intercept-url pattern="/signin" access="permitAll" /> 
    <security:intercept-url pattern="/logout" access="permitAll" /> 
    <security:intercept-url pattern="/accessDenied" access="permitAll"/> 
    <security:intercept-url pattern="/**" access="isAuthenticated()" /> 

    <!-- sign in Configuration --> 
    <security:form-login login-page="/signin" 
     username-parameter="username" 
     password-parameter="password" 
     authentication-failure-url="/signin?authFail=true" 
     authentication-success-handler-ref="inoticeAuthSuccessHandler" /> 

    <security:logout logout-url="/signout" invalidate-session="true" delete-cookies="JSESSIONID" logout-success-url="/signin?logout=true" /> 
</security:http> 

你現在很好走。

參考信用:How to use custom filter with authentication-success-handler-ref equivalent in spring security

相關問題