Implementing Login Authentication with Spring Security
2013-04-10 14:22
1. We verify the form data submitted by the user against the user information stored in the database.
Filter configuration in web.xml

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
Configuration in Spring

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <global-method-security pre-post-annotations="enabled" />

    <!-- Data source for user lookups and persistent remember-me tokens -->
    <beans:bean id="authDataSource" class="org.apache.commons.dbcp.BasicDataSource">
        <beans:property name="driverClassName" value="oracle.jdbc.driver.OracleDriver">
        </beans:property>
        <beans:property name="url" value="jdbc:oracle:thin:@**:1521:dev" />
        <beans:property name="username" value="username" />
        <beans:property name="password" value="password" />
    </beans:bean>

    <!-- Custom success and failure handlers for the login POST -->
    <beans:bean id="postSuccHandler" class="**.auth.AjaxPostSuccHandler">
        <beans:property name="defaultTargetUrl" value="/mgr/index.html" />
    </beans:bean>
    <beans:bean id="postFailHandler" class="**.auth.AjaxPostFailureHandler">
    </beans:bean>

    <!-- Loads users and their authorities from the users table -->
    <beans:bean id="userDetailsService"
        class="org.springframework.security.core.userdetails.jdbc.JdbcDaoImpl">
        <beans:property name="dataSource" ref="authDataSource" />
        <beans:property name="usersByUsernameQuery"
            value="select user_id,password,status from users where user_id = ?" />
        <beans:property name="authoritiesByUsernameQuery"
            value="select user_id,title from users where user_id = ?" />
    </beans:bean>

    <!-- intercept-url rules are evaluated in order; the first matching pattern wins -->
    <http use-expressions="true">
        <intercept-url pattern="/" access="isAuthenticated()" />
        <intercept-url pattern="/index.html" access="isAuthenticated()" />
        <intercept-url pattern="/index-debug.html" access="isAuthenticated()" />
        <intercept-url pattern="/**" access="permitAll" />
        <form-login login-page="/login.html" default-target-url="/index.html"
            authentication-failure-url="/login.html?error=1"
            authentication-success-handler-ref="postSuccHandler"
            authentication-failure-handler-ref="postFailHandler" />
        <logout logout-success-url="/login.html" />
        <remember-me data-source-ref="authDataSource" />
        <session-management invalid-session-url="/login.html"
            session-fixation-protection="newSession">
            <concurrency-control max-sessions="10" />
        </session-management>
    </http>

    <!-- The submitted password is SHA-256 hashed before comparison with the stored value -->
    <authentication-manager>
        <authentication-provider user-service-ref="userDetailsService">
            <password-encoder hash="sha-256"></password-encoder>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
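To check which paths the `<intercept-url>` rules above actually protect, the following added example (not code from the original post or from Spring Security) resolves a path against the four patterns in declaration order, first match wins. It assumes spring-core is on the classpath for `AntPathMatcher`; the class name `InterceptUrlAudit` and the sample paths are constructed for illustration, and it models only pattern matching, not evaluation of the access expressions.

```java
import java.util.LinkedHashMap;
import java.util.Map;

import org.springframework.util.AntPathMatcher;

/** Added example: reports which access rule applies to a request path. */
public class InterceptUrlAudit {

    // Patterns and access expressions copied from the <http> block, in declaration order.
    private static final Map<String, String> RULES = new LinkedHashMap<String, String>();
    static {
        RULES.put("/", "isAuthenticated()");
        RULES.put("/index.html", "isAuthenticated()");
        RULES.put("/index-debug.html", "isAuthenticated()");
        RULES.put("/**", "permitAll");
    }

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    /** Returns the access expression of the first pattern that matches the path. */
    static String resolve(String path) {
        for (Map.Entry<String, String> rule : RULES.entrySet()) {
            if (MATCHER.match(rule.getKey(), path)) {
                return rule.getValue();
            }
        }
        return "no rule matched";
    }

    public static void main(String[] args) {
        // Constructed sample paths. /mgr/index.html is the defaultTargetUrl
        // configured on postSuccHandler in the same file.
        String[] paths = {
            "/", "/index.html", "/index-debug.html", "/mgr/index.html", "/login.html"
        };
        for (String path : paths) {
            System.out.printf("%-20s -> %s%n", path, resolve(path));
        }
    }
}
```

Only the three exact paths resolve to `isAuthenticated()`; every other path, including the success handler's target `/mgr/index.html`, falls through to `/**` and resolves to `permitAll`.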
From this point on, every request is taken over by DelegatingFilterProxy.

public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
        throws ServletException, IOException {

    // Lazily initialize the delegate if necessary.
    Filter delegateToUse = null;
    synchronized (this.delegateMonitor) {
        if (this.delegate == null) {
            WebApplicationContext wac = findWebApplicationContext();
            if (wac == null) {
                throw new IllegalStateException("No WebApplicationContext found: no ContextLoaderListener registered?");
            }
            this.delegate = initDelegate(wac);
        }
        delegateToUse = this.delegate;
    }

    // Let the delegate perform the actual doFilter operation.
    invokeDelegate(delegateToUse, request, response, filterChain);
}
The delegate consists of the following filters:

FilterChainProxy[Filter Chains: [[ org.springframework.security.web.util.AnyRequestMatcher@1, [
    org.springframework.security.web.context.SecurityContextPersistenceFilter@65ef7efe,
    org.springframework.security.web.session.ConcurrentSessionFilter@4e7a89fa,
    org.springframework.security.web.authentication.logout.LogoutFilter@4ef8a456,
    org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@25ed329b,
    org.springframework.security.web.savedrequest.RequestCacheAwareFilter@77957190,
    org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@7452e245,
    org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter@6d855bac,
    org.springframework.security.web.authentication.AnonymousAuthenticationFilter@4e45b160,
    org.springframework.security.web.session.SessionManagementFilter@41803dc5,
    org.springframework.security.web.access.ExceptionTranslationFilter@4a57721b,
    org.springframework.security.web.access.intercept.FilterSecurityInterceptor@330470be]]]]
FilterChainProxy processes these filters:

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    boolean clearContext = request.getAttribute(FILTER_APPLIED) == null;
    if (clearContext) {
        try {
            request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
            doFilterInternal(request, response, chain);
        } finally {
            SecurityContextHolder.clearContext();
            request.removeAttribute(FILTER_APPLIED);
        }
    } else {
        doFilterInternal(request, response, chain);
    }
}

private void doFilterInternal(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {

    FirewalledRequest fwRequest = firewall.getFirewalledRequest((HttpServletRequest) request);
    HttpServletResponse fwResponse = firewall.getFirewalledResponse((HttpServletResponse) response);

    List<Filter> filters = getFilters(fwRequest);

    if (filters == null || filters.size() == 0) {
        if (logger.isDebugEnabled()) {
            logger.debug(UrlUtils.buildRequestUrl(fwRequest) +
                    (filters == null ? " has no matching filters" : " has an empty filter list"));
        }

        fwRequest.reset();

        chain.doFilter(fwRequest, fwResponse);

        return;
    }

    VirtualFilterChain vfc = new VirtualFilterChain(fwRequest, chain, filters);
    vfc.doFilter(fwRequest, fwResponse);
}
In VirtualFilterChain, this is implemented by doFilter:

public void doFilter(ServletRequest request, ServletResponse response)
        throws IOException, ServletException {
    if (currentPosition == size) {
        if (logger.isDebugEnabled()) {
            logger.debug(UrlUtils.buildRequestUrl(firewalledRequest)
                    + " reached end of additional filter chain; proceeding with original chain");
        }

        // Deactivate path stripping as we exit the security filter chain
        this.firewalledRequest.reset();

        originalChain.doFilter(request, response);
    } else {
        currentPosition++;

        Filter nextFilter = additionalFilters.get(currentPosition - 1);

        if (logger.isDebugEnabled()) {
            logger.debug(UrlUtils.buildRequestUrl(firewalledRequest) + " at position " + currentPosition + " of "
                    + size + " in additional filter chain; firing Filter: '"
                    + nextFilter.getClass().getSimpleName() + "'");
        }

        nextFilter.doFilter(request, response, this);
    }
}
The username and password verification itself is done mainly in UsernamePasswordAuthenticationFilter.