我有一个Spring MVC应用程序,现在我想使用Cookie身份验证保护所有Controller URL。
1.)在用户代理中设置Cookie“A”之前,第三方站点将负责基本身份验证,然后它将重定向到我的/auth
URL。
2.)当调用/auth
URL时,过滤器/拦截器/控制器必须根据与第三方商定的规则集来验证Cookie。发布cookie“A”认证成功后,在用户代理中设置新的Cookie“B”,并在cookie中添加一些自定义会话令牌。
3.)现在,当用户浏览除/auth
之外的任何其他受保护页面时,过滤器/拦截器/控制器必须在允许之前验证Cookie“B”。如果cookie“B”验证失败,则重定向到某个错误页面。
我目前正在使用Spring MVC 4.0.3.RELEASE。我尝试了几个小时来使用Spring Security,Interceptor来解决这个问题,但却无法获得任何正确的方法。
veb.hml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>Perforce123</display-name>
<servlet>
<servlet-name>SpringDispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<init-param>
<param-name>contextClass</param-name>
<param-value>
org.springframework.web.context.support.AnnotationConfigWebApplicationContext
</param-value>
</init-param>
<init-param>
<param-name>contextConfigLocation</param-name>
<param-value>com.test.label</param-value>
</init-param>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>SpringDispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<context-param>
<param-name>contextClass</param-name>
<param-value>
org.springframework.web.context.support.AnnotationConfigWebApplicationContext
</param-value>
</context-param>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<filter>
<filter-name>hiddenHttpMethodFilter</filter-name>
<filter-class>org.springframework.web.filter.HiddenHttpMethodFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>hiddenHttpMethodFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
pom.hml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.test.label</groupId>
<artifactId>Perforce123</artifactId>
<version>1.0</version>
<packaging>war</packaging>
<name>Perforce123</name>
<url>http://maven.apache.org</url>
<properties>
<java.version>1.7</java.version>
<spring.version>4.0.3.RELEASE</spring.version>
<cglib.version>2.2.2</cglib.version>
</properties>
<dependencies>
<!-- Spring core & mvc -->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>${spring.version}</version>
<exclusions>
<exclusion>
<artifactId>commons-logging</artifactId>
<groupId>commons-logging</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>${spring.version}</version>
<exclusions>
<exclusion>
<artifactId>commons-logging</artifactId>
<groupId>commons-logging</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-orm</artifactId>
<version>${spring.version}</version>
<type>jar</type>
<scope>compile</scope>
<exclusions>
<exclusion>
<artifactId>commons-logging</artifactId>
<groupId>commons-logging</groupId>
</exclusion>
</exclusions>
</dependency>
<!-- CGLib for @Configuration -->
<dependency>
<groupId>cglib</groupId>
<artifactId>cglib-nodep</artifactId>
<version>${cglib.version}</version>
<scope>runtime</scope>
</dependency>
<!-- Servlet Spec -->
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.1.0</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>javax.servlet.jsp</groupId>
<artifactId>javax.servlet.jsp-api</artifactId>
<version>2.3.1</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>jstl</groupId>
<artifactId>jstl</artifactId>
<version>1.2</version>
</dependency>
<!-- https://mvnrepository.com/artifact/mysql/mysql-connector-java -->
<!-- <dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.9</version>
</dependency> -->
<dependency>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
<version>2.2</version>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>1.2.3</version>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>jcl-over-slf4j</artifactId>
<version>1.7.25</version>
</dependency>
<dependency>
<groupId>org.xerial</groupId>
<artifactId>sqlite-jdbc</artifactId>
<version>3.20.0</version>
</dependency>
</dependencies>
<build>
<finalName>Perforce123</finalName>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<version>3.3</version>
<configuration>
<source>${java.version}</source>
<target>${java.version}</target>
</configuration>
</plugin>
<!-- <plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.12.4</version>
</plugin> -->
</plugins>
</build>
</project>
Mvc配置类
@Configuration
@ComponentScan(basePackages="com.test.label")
@EnableWebMvc
@PropertySource(value= {"classpath:application.properties"})
public class MvcConfiguration extends WebMvcConfigurerAdapter{
private static Logger logger =
LoggerFactory.getLogger(MvcConfiguration.class);
@Bean(name="myProp")
public static PropertySourcesPlaceholderConfigurer propertyPlaceHolderConfigurer() {
return new PropertySourcesPlaceholderConfigurer();
}
@Bean
public ViewResolver getViewResolver(){
InternalResourceViewResolver resolver = new InternalResourceViewResolver();
resolver.setPrefix("/WEB-INF/views/");
resolver.setSuffix(".jsp");
return resolver;
}
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
registry.addResourceHandler("/resources/**").addResourceLocations("/resources/");
}
}
请帮助提供工作代码,或链接到此用例的一些工作示例。提前致谢。
这个答案不是为您提供工作代码,而是为您提供指导。
attemptAuthentication
方法中编写业务逻辑。对我来说,我要么返回null
,要么返回AbstractAuthenticationToken
。我有一个POJO为我的需要实施AbstractAuthenticationToken
。
@Override
@Autowired
public void setAuthenticationManager(
AuthenticationManager authenticationManager) {
super.setAuthenticationManager(authenticationManager);
}
successfulAuthentication
和unsuccessfulAuthentication
方法,如下所示,
@Override
protected void successfulAuthentication(HttpServletRequest request,
HttpServletResponse response, FilterChain chain,
Authentication authResult) throws IOException, ServletException {
SecurityContext context = SecurityContextHolder.createEmptyContext();
context.setAuthentication(authResult);
SecurityContextHolder.setContext(context);
chain.doFilter(request, response);
}
@Override
protected void unsuccessfulAuthentication(HttpServletRequest request,
HttpServletResponse response, AuthenticationException failed)
throws IOException, ServletException {
SecurityContextHolder.clearContext();
}`
org.springframework.security.authentication.AuthenticationProvider
,因为在你的步骤1中,你会调用这样的东西 - getAuthenticationManager().authenticate(
token)
在authenticate
方法中,您基本上可以编写详细的身份验证业务逻辑
HttpSecurity
功能,但我正在编写此步骤,以便通过执行此类操作,为安全性提供身份验证提供程序和编写的过滤器,
@Override
protected void configure(AuthenticationManagerBuilder auth) {
auth.authenticationProvider(your_provider);
}
此安全类将扩展WebSecurityConfigurerAdapter
并使用@EnableWebSecurity
进行注释
您还必须使用beforeFilter
或afterFilter
方法在预定义的弹簧安全过滤器之一之前放入自定义过滤器。这是一个漫长的步骤,你会发现很多关于互联网的文档,如何覆盖HttpSecurity
并在那里放入你的过滤器和提供商。
请参阅Add http security filter in java config
部分 - 在Spring Boot here上集成安全过滤器