【Question title】: How to use custom filter with authentication-success-handler-ref equivalent in spring security
【Posted】: 2014-07-18 13:28:03
【Question description】:

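I want to pass some parameters along with the login details to Spring Security, for example an item id. After that I want to redirect to a page depending on the user type. For this I am using a custom filter to send the additional parameter, and authentication-success-handler-ref for the redirect. My problem is that I get a position conflict when using the custom filter. Please help me accomplish my task.

Here is my configuration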

<http   use-expressions="true">
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/logout" access="permitAll" />
        <intercept-url pattern="/accessdenied" access="permitAll" />

       <custom-filter ref="ddAuthenticationFilter" position="FORM_LOGIN_FILTER" />
        <form-login authentication-failure-url="/accessdenied" 
        authentication-success-handler-ref="ddAuthenticationSuccessHandler"/>



    </http>

    <beans:bean id="ddAuthenticationFilter" class="com.dd.security.ExUsernamePasswordAuthenticationFilter"/>

    <beans:bean id="ddAuthenticationSuccessHandler" class="com.dd.security.DDAuthenticationSuccessHandler" />

【Question discussion】:

    Tags: spring spring-mvc spring-security


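    【Solution 1】:

    I understand your question as follows: I want to submit an itemId in the login form, which is used for the redirect after a successful login.

    To establish such a process, you need to do the following.

    Remove <form-login ...> from your configuration. You should have: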

    <http use-expressions="true" entry-point-ref="authenticationEntryPoint">
        <intercept-url pattern="/login" access="permitAll" />
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/logout" access="permitAll" />
        <intercept-url pattern="/accessdenied" access="permitAll" />
    
        <custom-filter ref="ddAuthenticationFilter" position="FORM_LOGIN_FILTER" />
        <security:logout />
    </http>
    

    Don't forget to add <security:logout /> for logout. The entry-point-ref attribute points to authenticationEntryPoint.

    Add a LoginUrlAuthenticationEntryPoint for entry-point-ref that points to your login page:

    <bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <constructor-arg name="loginFormUrl" value="/login" />
    </bean>
    

    Refactor your ddAuthenticationFilter to meet the following configuration:

    <bean id="ddAuthenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="filterProcessesUrl" value="/j_spring_security_check" />
        <property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
        <property name="authenticationSuccessHandler" ref="ddAuthenticationSuccessHandler" />
        <property name="authenticationDetailsSource">
            <bean class="security.CustomWebAuthenticationDetailsSource" />
        </property>
    </bean>
    
    <bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <property name="defaultFailureUrl" value="/accessdenied" />
    </bean>
    

    Create a new class CustomWebAuthenticationDetailsSource:

    package security;
    
    import org.springframework.security.authentication.AuthenticationDetailsSource;
    import org.springframework.security.web.authentication.WebAuthenticationDetails;
    
    import javax.servlet.http.HttpServletRequest;
    
    public class CustomWebAuthenticationDetailsSource implements AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> {
        @Override
        public WebAuthenticationDetails buildDetails(HttpServletRequest context) {
            return new CustomWebAuthenticationDetails(context);
        }
    }
    

    and the related CustomWebAuthenticationDetails:

    package security;
    
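    import org.springframework.security.web.authentication.WebAuthenticationDetails;
    
    import javax.servlet.http.HttpServletRequest;
    import java.util.Objects;
    
    public class CustomWebAuthenticationDetails extends WebAuthenticationDetails {
    
        private final String itemId;
    
        public CustomWebAuthenticationDetails(HttpServletRequest request) {
            super(request);
            // Extra login-form field; user-controlled, so treat it as untrusted input
            itemId = request.getParameter("itemId");
        }
    
        public String getItemId() {
            return itemId;
        }
    
        // hashCode, equals and toString extend the parent's versions to include itemId
        @Override
        public int hashCode() {
            return 31 * super.hashCode() + Objects.hashCode(itemId);
        }
    
        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (!super.equals(obj) || getClass() != obj.getClass()) {
                return false;
            }
            return Objects.equals(itemId, ((CustomWebAuthenticationDetails) obj).itemId);
        }
    
        @Override
        public String toString() {
            return super.toString() + "; ItemId: " + itemId;
        }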
    }
    

    Your ddAuthenticationSuccessHandler should have logic similar to this example:

    package com.dd.security;
    
    import org.springframework.security.core.Authentication;
    import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
    import org.springframework.util.StringUtils;
    import security.CustomWebAuthenticationDetails;
    
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import java.io.IOException;
    
    public class DDAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
    
        @Override
        public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
            // Details object built by CustomWebAuthenticationDetailsSource during login
            CustomWebAuthenticationDetails details = (CustomWebAuthenticationDetails) authentication.getDetails();
            if (StringUtils.hasText(details.getItemId())) {
                //TODO sanity and security check for itemId needed
                String redirectUrl = "item/" + details.getItemId();
                response.sendRedirect(redirectUrl);
                // Stop here, otherwise the exception below is thrown after every successful redirect
                return;
            }
            throw new IllegalStateException("itemId in authentication details not found");
        }
    }
    

    A working example can be found here
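
The handler in the answer leaves the itemId check as a TODO. The following is an added example, not code from the answer or from Spring Security, of one way to fill it in: the value is matched against a strict allow-list pattern before it becomes part of the redirect target. The class name `ValidatingItemSuccessHandler`, the numeric id format and the `/` fallback target are assumptions.

```java
package com.dd.security;

import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import security.CustomWebAuthenticationDetails;

// Added example (hypothetical class name), not the answer's code.
public class ValidatingItemSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {

    // Assumption: item ids are short decimal numbers. Slashes, dots, schemes,
    // whitespace and line breaks never match, so the id cannot alter the target path.
    private static final Pattern ITEM_ID = Pattern.compile("[0-9]{1,10}");

    public ValidatingItemSuccessHandler() {
        super("/"); // assumed default target when no usable itemId was submitted
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        String itemId = extractItemId(authentication);
        if (itemId == null) {
            // Missing or malformed id: keep the login valid and use the default target
            super.onAuthenticationSuccess(request, response, authentication);
            return;
        }
        clearAuthenticationAttributes(request);
        // The default redirect strategy prepends the context path to non-absolute targets
        getRedirectStrategy().sendRedirect(request, response, "/item/" + itemId);
    }

    // Returns the submitted itemId only if it passed the format check, otherwise null
    static String extractItemId(Authentication authentication) {
        Object details = authentication.getDetails();
        if (!(details instanceof CustomWebAuthenticationDetails)) {
            return null; // details were built by a different source, nothing to read
        }
        String itemId = ((CustomWebAuthenticationDetails) details).getItemId();
        return itemId != null && ITEM_ID.matcher(itemId).matches() ? itemId : null;
    }
}
```

The format check only keeps the redirect target well-formed; whether the logged-in user may view that item still has to be enforced by the access rules on the item page itself.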

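    【Comments】:

    • Thanks @ksokol, it helped me a lot.
    • Glad to hear that. Good luck!
    • After some reading I found that, since Spring 3.1, you can simplify the configuration by using authentication-details-source-ref on the form-login node. Take a look here
    • @ksokol Hi, very useful, but it shows "Cannot convert property value of type org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter to required type 'org.springframework.security.authentication.AuthenticationDetailsSource' for property 'authenticationDetailsSource';" Can you tell me what I am doing wrong?
    • @Anurag Unfortunately your description is too vague to help you. You should post your Spring Security configuration, the stack trace and a guide on how to reproduce the error. Maybe you could post a new question on Stackoverflow?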