
我已經搜索過使用 DAO 認證和自定義認證過濾器的 Spring Security 示例,但是我發現所有示例都使用 XML 文件配置。如何用 Java config 為 Spring Security 3.2 配置 DAO 認證和自定義認證過濾器?

我的問題是如何配置自定義過濾器即UsernamePasswordAuthenticationFilter

我的基於XML的securityConfig文件看起來像:

<!-- Request authorization. intercept-url rules are evaluated in declaration
     order (first match wins), so the permitAll entries for "/" and the /auth
     pages stay above the role-guarded /admin/** and /user/** prefixes.
     No <csrf/> element is declared in this <http> block. -->
<http auto-config="false" use-expressions="true"> 

    <intercept-url pattern="/" access="permitAll" />   
    <intercept-url pattern="/auth/login.html" access="permitAll" />  
    <intercept-url pattern="/auth/logout.html" access="permitAll" />   
    <intercept-url pattern="/auth/accessDenied.html" access="permitAll" />  
    <intercept-url pattern="/admin/**" access="hasAnyRole('ROLE_ADMIN')" /> 
    <intercept-url pattern="/user/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" /> 


    <!-- Authenticated user without the required role is sent here. -->
    <access-denied-handler error-page="/auth/accessDenied.html"/> 

    <!-- Form login with a custom success handler bean and a fixed failure page. -->
    <form-login login-page='/auth/login.html' 
     default-target-url="/" 
     authentication-success-handler-ref="myAuthenticationSuccessHandler" 
     authentication-failure-url="/auth/loginfailed.html" /> 

    <!-- Logout invalidates the server session and removes the JSESSIONID cookie. -->
    <logout success-handler-ref="myLogoutSuccessHandler" 
      invalidate-session="true" delete-cookies="JSESSIONID" /> 

    <!-- NOTE(review): "key" is the secret that goes into the remember-me token
         hash. A fixed literal checked into the config should be replaced by a
         value injected from outside the source tree (property/placeholder). -->
    <remember-me key="uniqueAndSecret" token-validity-seconds="86400" /> 

    <!-- Session fixation protection: a new session id is issued on login.
         Concurrency control: one session per user; a second login is rejected
         (error-if-maximum-exceeded="true") rather than expiring the first.
         The Java config further down sets a maximum of 2 — the two should agree. -->
    <session-management session-fixation-protection="migrateSession" 
      session-authentication-error-url="/auth/loginfailed.html"> 
     <concurrency-control max-sessions="1" 
       error-if-maximum-exceeded="true" 
       expired-url="/auth/login.html" 
       session-registry-alias="sessionRegistry"/> 
    </session-management> 

</http> 

<beans:bean id="myAuthenticationSuccessHandler" 
    class="com.asn.handler.AsnUrlAuthenticationSuccessHandler" /> 

<beans:bean id="myLogoutSuccessHandler" 
    class="com.asn.handler.AsnLogoutSuccessHandler" /> 

<beans:bean id="userDetailsService" class="com.asn.service.UserDetailsServiceImpl"/> 

<!-- DAO authentication: users are loaded via userDetailsService and passwords
     are verified with the BCrypt encoder declared below. -->
<authentication-manager alias="authenticationManager">  
    <authentication-provider user-service-ref="userDetailsService"> 
     <password-encoder ref="encoder"/>      
    </authentication-provider> 
    <!-- The disabled in-memory provider below declares no password-encoder, so
         its passwords would be compared as plaintext; sample use only. -->
    <!-- <authentication-provider> 
     <user-service> 
      <user name="user1" password="user1Pass" authorities="ROLE_USER" /> 
      <user name="admin1" password="admin1Pass" authorities="ROLE_ADMIN" /> 
     </user-service> 
    </authentication-provider> --> 
</authentication-manager> 

<!-- For hashing and salting user passwords --> 
<beans:bean id="encoder" 
     class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/> 

我想把它轉換成基於 Java 的配置。我已經試過如下寫法,但是行不通:

SecurityConfig類:

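/**
 * Java-config counterpart of the XML {@code <http>} / {@code <authentication-manager>}
 * setup: DAO authentication against {@code userDetailsService} with the BCrypt
 * {@code encoder}, a custom username/password filter, an access-denied page and
 * concurrent-session control.
 *
 * NOTE(review): {@code logger} is used below but never declared in this class; a
 * logger field must be added for the class to compile.
 */
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** Backs the DAO provider — the bean the XML declared as "userDetailsService". */
    @Resource
    private UserDetailsService userDetailsService;
    /** The "encoder" bean (BCrypt in the XML); verifies stored password hashes. */
    @Autowired
    private PasswordEncoder encoder;

    /**
     * Registers the DAO provider with the builder that produces this adapter's
     * AuthenticationManager — the counterpart of
     * {@code <authentication-provider user-service-ref="userDetailsService">}.
     *
     * @param auth builder handed in by the adapter
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(customAuthenticationManagerBean());
    }

    /**
     * HTTP security rules: static resources and the entry pages are open, everything
     * else needs an authenticated user; form login, logout, access-denied page,
     * session fixation protection and the concurrency strategy.
     *
     * @param http the builder to configure
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // NOTE(review): csrf().disable() turns off the protection Java config enables
        // by default. The XML config declared no <csrf/> either, but as long as this
        // stays disabled every state-changing request (login/logout included) is
        // accepted without a token; re-enable once the forms carry it.
        http.csrf().disable().authorizeRequests()
            .antMatchers("/resources/**", "/assets/**", "/files/**").permitAll()
            .antMatchers("/auth", "/").permitAll()
            .anyRequest().authenticated() // every request requires the user to be authenticated
            .and()
            .formLogin() // form based authentication is supported
                .loginPage("/auth/login")
                .permitAll()
            .and()
            .logout()
                .permitAll();

        // Register the custom filter at the position Spring assigns to its filter type.
        // formLogin() above still contributes the framework's own
        // UsernamePasswordAuthenticationFilter, so both will be in the chain; if only
        // the custom filter should process the login POST, replace formLogin() with a
        // configurer that installs the custom filter instead.
        http.addFilter(authFilter());

        http.exceptionHandling().accessDeniedPage("/auth/accessDenied");

        // migrateSession: a fresh session id is issued on authentication, matching the
        // XML session-fixation-protection="migrateSession".
        http.sessionManagement().sessionFixation().migrateSession()
            .sessionAuthenticationStrategy(concunSessContAuthStr());
    }

    /**
     * Session registry shared with the concurrency strategy (the XML
     * session-registry-alias="sessionRegistry").
     *
     * @return a new registry
     */
    @Bean(name = "sessionRegistry")
    public SessionRegistryImpl sessionRegistryBean() {
        logger.info("sessionRegistryBean() invoked..");
        return new SessionRegistryImpl();
    }

    /**
     * Builds the custom username/password filter. The AuthenticationManager is the one
     * assembled from {@link #configure(AuthenticationManagerBuilder)}, obtained through
     * the adapter's {@code authenticationManagerBean()}; the original passed a String
     * here, which does not compile because the setter takes an AuthenticationManager.
     *
     * NOTE(review): no processing URL, success handler or failure URL is set on the
     * filter here, whereas the XML form-login wired myAuthenticationSuccessHandler and
     * a failure page; set them on the filter when it is registered via addFilter().
     *
     * @return the configured filter
     * @throws Exception propagated from authenticationManagerBean()
     */
    @Bean
    public UsernamePasswordAuthenticationFilter authFilter() throws Exception {
        logger.info("authFilter() invoked..");
        CustomUsernamePasswordAuthenticationFilter upaf = new CustomUsernamePasswordAuthenticationFilter();
        upaf.setAuthenticationManager(authenticationManagerBean());
        upaf.setSessionAuthenticationStrategy(concunSessContAuthStr());
        return upaf;
    }

    /**
     * DAO authentication provider: loads users through {@code userDetailsService} and
     * checks passwords with {@code encoder}. The method name is kept for existing
     * callers even though the bean is a provider, not an AuthenticationManager.
     *
     * @return the provider
     */
    @Bean
    public DaoAuthenticationProvider customAuthenticationManagerBean() {
        DaoAuthenticationProvider dap = new DaoAuthenticationProvider();
        dap.setUserDetailsService(userDetailsService);
        dap.setPasswordEncoder(encoder);
        return dap;
    }

    /**
     * Concurrent-session limit checked at authentication time, backed by
     * {@link #sessionRegistryBean()}; exceeding the limit raises an exception rather
     * than expiring the older session.
     *
     * NOTE(review): the XML allowed max-sessions="1", this sets 2 — confirm which is
     * intended. This strategy presumably only counts sessions already in the registry;
     * verify that new sessions are also registered, as the XML concurrency-control did.
     *
     * @return the strategy
     */
    @Bean
    public ConcurrentSessionControlAuthenticationStrategy concunSessContAuthStr() {
        logger.info("concunSessContAuthStr() invoked..");
        ConcurrentSessionControlAuthenticationStrategy cscas =
            new ConcurrentSessionControlAuthenticationStrategy(sessionRegistryBean());
        cscas.setMaximumSessions(2);
        cscas.setExceptionIfMaximumExceeded(true);
        return cscas;
    }

}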

任何建議如何配置?

謝謝!

回答


爲了用自定義的類取代 UsernamePasswordAuthenticationFilter,請執行以下操作:

  • 創建一個新的類 FormLoginConfigurer,內容如下(原有的 org.springframework.security.config.annotation.web.configurers.FormLoginConfigurer 不幸是 final 的,無法擴展);注意其中對 super(new CustomAuthenticationProcessingFilter(), null) 的調用

    package demo; 
    
    import org.springframework.security.config.annotation.web.HttpSecurityBuilder; 
    import org.springframework.security.config.annotation.web.configurers.AbstractAuthenticationFilterConfigurer; 
    import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; 
    import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter; 
    import org.springframework.security.web.util.matcher.AntPathRequestMatcher; 
    import org.springframework.security.web.util.matcher.RequestMatcher; 
    
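    /**
     * Replacement for the framework's {@code FormLoginConfigurer}, which is final and
     * cannot be subclassed: this one installs {@code CustomAuthenticationProcessingFilter}
     * (not imported, so resolved from this package) as the form-login filter and
     * otherwise mirrors the standard configurer — login page, username/password
     * parameter names, a POST-only processing URL matcher and the generated default
     * login page.
     *
     * @param <H> the builder this configurer is applied to
     */
    public class FormLoginConfigurer<H extends HttpSecurityBuilder<H>> extends AbstractAuthenticationFilterConfigurer<H,FormLoginConfigurer<H>,UsernamePasswordAuthenticationFilter> { 

        /**
         * Installs the custom filter with no default login-processing URL (the null
         * second argument) and the conventional "username"/"password" parameter names.
         */
        public FormLoginConfigurer() { 
            super(new CustomAuthenticationProcessingFilter(), null); 
            usernameParameter("username"); 
            passwordParameter("password"); 
        } 

        /**
         * Sets the login page URL. Declared public here so callers can chain it
         * (the inherited method is presumably protected — verify against the base class).
         *
         * @param loginPage the login page URL
         * @return this configurer
         */
        @Override 
        public FormLoginConfigurer<H> loginPage(String loginPage) { 
            return super.loginPage(loginPage); 
        } 

        /**
         * Sets the request parameter the filter reads the username from.
         *
         * @param usernameParameter parameter name
         * @return this configurer
         */
        public FormLoginConfigurer<H> usernameParameter(String usernameParameter) { 
            getAuthenticationFilter().setUsernameParameter(usernameParameter); 
            return this; 
        } 

        /**
         * Sets the request parameter the filter reads the password from.
         *
         * @param passwordParameter parameter name
         * @return this configurer
         */
        public FormLoginConfigurer<H> passwordParameter(String passwordParameter) { 
            getAuthenticationFilter().setPasswordParameter(passwordParameter); 
            return this; 
        } 

        /**
         * Runs the base initialisation, then wires the generated default login page
         * (if one is in use) with this configurer's settings.
         */
        @Override 
        public void init(H http) throws Exception { 
            super.init(http); 
            initDefaultLoginFilter(http); 
        } 

        /** Only POSTs to the processing URL are treated as login attempts. */
        @Override 
        protected RequestMatcher createLoginProcessingUrlMatcher(String loginProcessingUrl) { 
            return new AntPathRequestMatcher(loginProcessingUrl, "POST"); 
        } 

        private String getUsernameParameter() { 
            return getAuthenticationFilter().getUsernameParameter(); 
        } 

        private String getPasswordParameter() { 
            return getAuthenticationFilter().getPasswordParameter(); 
        } 

        /**
         * Pushes page URL, parameter names and processing URL into the shared
         * DefaultLoginPageGeneratingFilter, but only when one exists and no custom
         * login page was configured.
         */
        private void initDefaultLoginFilter(H http) { 
            DefaultLoginPageGeneratingFilter pageFilter = http.getSharedObject(DefaultLoginPageGeneratingFilter.class); 
            if (pageFilter == null || isCustomLoginPage()) { 
                return; 
            } 
            pageFilter.setFormLoginEnabled(true); 
            pageFilter.setUsernameParameter(getUsernameParameter()); 
            pageFilter.setPasswordParameter(getPasswordParameter()); 
            pageFilter.setLoginPageUrl(getLoginPage()); 
            pageFilter.setFailureUrl(getFailureUrl()); 
            pageFilter.setAuthenticationUrl(getLoginProcessingUrl()); 
        } 

    }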

  • 在 configure(HttpSecurity) 方法中去除 formLogin() 調用,改用以下初始化方式:

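    // Typed with HttpSecurity (the builder configure(HttpSecurity) receives) instead of
    // the raw type, so the configurer's chained calls keep their generic return type.
    FormLoginConfigurer<HttpSecurity> formLogin = new FormLoginConfigurer<HttpSecurity>(); 
    http.apply(formLogin); 
    formLogin.loginPage("/auth/login") 
         .permitAll(); 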
    
  • 認證管理器會自動提供給您的過濾器實例

  • 您可以通過調用 http.sessionManagement() 來自定義您的類所使用的 SessionAuthenticationStrategy,或者按需添加任何邏輯

另一種選擇是:不通過新的 FormLoginConfigurer 替換過濾器,而是把您的過濾器註冊爲一個額外的過濾器:

  • 在 configure(HttpSecurity http) 方法中調用

    // Registers the filter returned by the authFilter() bean method at the position
    // Spring assigns to its filter type; formLogin(), if still configured, contributes
    // its own UsernamePasswordAuthenticationFilter in addition to this one.
    http.addFilter(authFilter()); 
    
  • 確保手動配置過濾器的所有選項

  • 注意:系統還會額外添加另一個 UsernamePasswordAuthenticationFilter 實例

爲了添加自定義 AuthenticationProvider:

  • 覆蓋 configure(AuthenticationManagerBuilder auth) 方法並添加該提供程序:

    /**
     * Hands the DAO provider built by customAuthenticationManagerBean() to the
     * builder of this adapter's AuthenticationManager.
     *
     * @param auth builder supplied by the adapter
     * @throws Exception propagated from the builder
     */
    @Override 
    protected void configure(AuthenticationManagerBuilder auth) throws Exception { 
        DaoAuthenticationProvider daoProvider = customAuthenticationManagerBean(); 
        auth.authenticationProvider(daoProvider); 
    } 
    