我第一次實現了Spring Security,並使用了持久化令牌(persistent token)方法。之後我實現了Spring Social,經過漫長的努力終於成功了,我的UserConnection表中也創建了相應的行。
Spring Social 與 Spring Security - UserDetailsService 在 SignInAdapter 之後被調用
我的問題是,當用戶通過Facebook登錄我的應用程序時,我的SignInAdapterImp會按預期被調用,我在其中完成用戶認證。但是緊接著,我的UserDetailsServiceImp也會立即被調用,這實際上是在嘗試再次驗證該用戶。UserDetailsServiceImp是我為驗證非社交(non-social)用戶而設置的類。
我猜測這與我的Spring Security配置有關,所以貼出我的security.xml文件。非常感謝任何幫助。
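<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
    xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:sec="http://www.springframework.org/schema/security"
    xsi:schemaLocation="
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd">

    <!-- To allow standards-based @Secured annotation -->
    <!-- global-method-security secured-annotations="enabled" /-->
    <!-- http pattern="/signup" security="none"/>
    <http pattern="/singin" security="none"/ -->

    <!--
        Stateless filter chain: create-session="stateless" means no HTTP session is
        created or used to hold the SecurityContext, so every request has to be
        authenticated again from what the request itself carries.
        NOTE(review): the remember-me cookie is presumably the only credential that
        survives between requests, so each request would pass through the remember-me
        filter, which loads the user through customUserDetailsService. That would
        explain a UserDetailsService call right after a social sign-in; confirm with
        DEBUG logging for org.springframework.security.
    -->
    <http create-session="stateless" entry-point-ref="restAuthenticationEntryPoint" use-expressions="true">
        <!-- With use-expressions="true" the access attribute is evaluated as a SpEL
             expression, so the role check has to be written as hasRole(...); a bare
             role name fails at evaluation time. -->
        <intercept-url pattern="/connect/**" access="hasRole('ROLE_USER')" />
        <!--NOT NEEDED WITH ANNOTATIONS: intercept-url pattern="/services/schedule/**" access="ROLE_USER, ROLE_ADMIN"/ -->
        <custom-filter ref="userPassAuthenticationFilter" before="FORM_LOGIN_FILTER"/>
        <custom-filter ref="rememberMeFilter" position="FIRST" />
        <!-- Adds a logout filter to Spring Security filter chain -->
        <!-- NOTE(review): delete-cookies takes a comma-separated list of cookie names,
             not a boolean; the value "true" names a cookie called true. List the
             cookies that must be cleared on logout (placeholder: COOKIE_NAME_1,COOKIE_NAME_2). -->
        <logout logout-url="/services/auth/logout" delete-cookies="true" invalidate-session="true" success-handler-ref="restLogoutSuccessHandler"/>
        <!-- NOTE(review): this element sets up its own remember-me services with key
             "rememberMeKey", in addition to the rememberMeServices bean and
             rememberMeFilter declared below (key "springRocks"). Confirm that two
             remember-me mechanisms are intended; if not, point this element at the
             bean with services-ref or drop one of the two. Keep remember-me keys out
             of source control (externalised property), since the key is part of what
             protects hash-based remember-me cookies. -->
        <remember-me key="rememberMeKey" user-service-ref="customUserDetailsService"/>
    </http>

    <!-- initialized the AuthenticationEntryPoint bean -->
    <beans:bean id="restAuthenticationEntryPoint" class="com.touchvision.pilot.security.RestAuthenticationEntryPoint" />

    <!-- the customAuthenticationFilter custom filter definition -->
    <beans:bean id="userPassAuthenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="rememberMeServices" ref="rememberMeServices"/>
        <beans:property name="authenticationSuccessHandler" ref="mySuccessHandler"/>
        <beans:property name="filterProcessesUrl" value="/services/auth/login"/>
        <beans:property name="usernameParameter" value="username"/>
        <beans:property name="passwordParameter" value="password"/>
        <!-- NOTE(review): postOnly=false lets the filter accept credentials on GET,
             where username and password travel in the query string and end up in
             access logs, proxies and browser history. Set to true unless a client
             really depends on GET. -->
        <beans:property name="postOnly" value="false"/>
    </beans:bean>

    <!-- the Remember Me bean definition -->
    <!-- The key must match the one on rememberMeAuthenticationProvider below.
         NOTE(review): it is hard-coded here; prefer an externalised property. -->
    <beans:bean id="rememberMeServices" class="org.springframework.security.web.authentication.rememberme.PersistentTokenBasedRememberMeServices">
        <beans:property name="key" value="springRocks"/>
        <!-- alwaysRemember=true issues a remember-me token on every successful login,
             without the client asking for it. -->
        <beans:property name="alwaysRemember" value="true" />
        <!-- NOT NEEDED WITH ALWAYSREMEMBER: beans:property name="parameter" value="persistLogin"/ --> <!-- This is used to change the param from _spring_security_remember_me -->
        <beans:property name="userDetailsService" ref="customUserDetailsService"/>
        <beans:property name="tokenRepository" ref="tokenRepository"/>
    </beans:bean>

    <!-- the remember-me filter bean -->
    <beans:bean id="rememberMeFilter" class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
        <beans:property name="rememberMeServices" ref="rememberMeServices"/>
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>

    <!-- the remember-me authentication provider bean definition -->
    <beans:bean id="rememberMeAuthenticationProvider" class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
        <beans:property name="key" value="springRocks"/>
    </beans:bean>

    <!-- Instantiates the bean for the token provider -->
    <beans:bean id="tokenRepository" class="org.springframework.security.web.authentication.rememberme.JdbcTokenRepositoryImpl">
        <beans:property name="createTableOnStartup" value="false"/>
        <beans:property name="dataSource" ref="dataSource"/>
    </beans:bean>

    <!-- Configures a custom authentication success handler that returns HTTP status code 200 -->
    <beans:bean id="mySuccessHandler" class="com.touchvision.pilot.security.RestAuthenticationSuccessHandler"/>

    <!-- Configures a custom authentication failure handler that returns HTTP status code 401 -->
    <!-- NOTE(review): no bean in this file references this handler; unless it is
         wired elsewhere, userPassAuthenticationFilter keeps its default failure
         handling. Wire it through the filter's authenticationFailureHandler
         property if the 401 response is intended. -->
    <beans:bean id="restAuthenticationFailureHandler" class="com.touchvision.pilot.security.RestAuthenticationFailureHandler"/>

    <!-- Configures a custom logout success handler that returns HTTP status code 200 -->
    <beans:bean id="restLogoutSuccessHandler" class="com.touchvision.pilot.security.RestLogoutSuccessHandler"/>

    <!-- Declare an authentication-manager to use a custom userDetailsService -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="customUserDetailsService">
            <password-encoder ref="passwordEncoder"/>
        </authentication-provider>
        <authentication-provider ref="rememberMeAuthenticationProvider" />
    </authentication-manager>

    <!-- Use a Md5 encoder since the user's passwords are stored as Md5 in the database -->
    <!-- NOTE(review): MD5 is a fast hash and no salt source is configured here, so a
         leaked table is cheap to crack offline. Kept as is because changing the
         encoder invalidates the stored hashes; plan a migration to an adaptive hash
         such as BCryptPasswordEncoder, re-hashing each password on the next
         successful login. -->
    <beans:bean class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" id="passwordEncoder"/>

    <!-- A custom service where Spring will retrieve users and their corresponding access levels -->
    <beans:bean id="customUserDetailsService" class="com.touchvision.pilot.security.CustomUserDetailsService"/>
</beans:beans>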
編輯:這是我的SignInAdapter的signIn()實現:
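/**
 * Establishes the Spring Security context for the local user that Spring Social
 * resolved for a provider connection, then issues a persistent remember-me cookie.
 *
 * @param localUserId local account id as a decimal string
 * @param connection  provider connection that triggered the sign-in (unused here)
 * @param request     current web request; supplies the native servlet request/response
 * @return always {@code null}, leaving the post-sign-in redirect to the controller's default
 * @throws NumberFormatException if {@code localUserId} is not a valid integer
 * @throws IllegalStateException if no local user exists for {@code localUserId}
 */
@Override
public String signIn(String localUserId, Connection<?> connection, NativeWebRequest request) {
    logger.info("*************** in SignInAdapterImp signIn() w/ localUserId = " + localUserId +" ****************");
    User user = userRepo.findById(Integer.parseInt(localUserId));
    // Assumes findById returns null for an unknown id (confirm against userRepo);
    // fail with a clear message instead of a NullPointerException further down.
    if (user == null) {
        throw new IllegalStateException("No local user found for id " + localUserId);
    }

    // Create a list of grants for this user
    List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
    logger.info("Grant ROLE_USER to this user");
    authorities.add(new GrantedAuthorityImpl("ROLE_USER"));

    // The provider already authenticated the user, so no credentials are needed.
    // Passing null keeps the stored password hash out of the SecurityContext.
    Authentication authentication = new UsernamePasswordAuthenticationToken(user.getEmail(), null, authorities);
    SecurityContextHolder.getContext().setAuthentication(authentication);

    // set remember-me cookie
    persistentTokenRememberMeServices.loginSuccess(
            (HttpServletRequest) request.getNativeRequest(),
            (HttpServletResponse) request.getNativeResponse(),
            authentication);
    return null;
}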
你能顯示SignInAdapter.signIn(...)實現的代碼嗎?你有沒有嘗試打開org.springframework.security包的調試日誌記錄(可能在這些調用之間有一些有趣的事情)? – 2013-03-14 09:47:12
感謝您的幫助!我添加了我正在使用的signIn()實現。另外,我正在使用log4j,並且已經打開了調試日誌記錄。我如何特別打開org.springframework.security包的日誌記錄? – SBerg413 2013-03-14 14:42:02
例如 `log4j.logger.org.springframework.security=DEBUG`(如果使用的是properties配置文件)。 – 2013-03-14 14:55:55