我还没有在AuthenticationSuccessEvent 中这样做过,但我会尝试做与LogoutFilter 相同的事情。
不幸的是,LogoutFilter 直接在其处理程序方法LogoutFilter.doFilter(ServletRequest req, ServletResponse res, FilterChain chain) 中进行注销处理,因此直接调用它是一种黑客行为,(但并非不可能)
@Autowired
LogoutFilter logoutFilter;
private void doLogout() {
MockHttpServletRequest request = new MockHttpServletRequest(
"GET",
"http://myApp" + this.logoutFilter.getFilterProcessingUrl());
this.logoutFilter.doFilter(request, new MockHttpServletResponse(),
new MockFilterChain());
}
但这是一个 hack。 -- Anway,我会从这个开始。它有效,并表明这个概念证明有效,然后我将实施一个更干净的解决方案:
获取向LogoutFilter 注册的所有LogoutHandlers 的列表并直接调用它们,然后触发logoutSuccessHandler.onLogoutSuccess(这正是 LogoutFilter 所做的)。
@Autowired
List<LogoutHandler> logoutHandlers;
@Autwired
LogoutSuccessHandler logoutSuccessHandler;
private void doLogout() {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
for (LogoutHandler handler : handlers)
handler.logout(request, response, auth);
logoutSuccessHandler.onLogoutSuccess(request, response, auth);
}
但是
如果您只是因为某些限制而想阻止用户登录,那么实现接口UserDetailsChecker 并使用AbstractUserDetailsAuthenticationProvider.preAuthenticationChecks 或.postAuthenticationChecks 注册您的实现会更容易和更简洁(您可能使用DaoAuthenticationProvider,它是AbstractUserDetailsAuthenticationProvider的子类)
(提示:void UserDetailsChecker.check(UserDetails toCheck)(这是UserDetailsChecker的唯一一种方法)-如果要阻止用户登录,则需要抛出异常。)
private class Demo implements UserDetailsChecker {
public void check(UserDetails user) {
if (!user.isAccountNonLocked())
throw new LockedException("User account is locked");
if (!user.isEnabled())
throw new DisabledException("User is disabled"));
if (!user.isAccountNonExpired())
throw new AccountExpiredException("User account has expired");
//And here comes you!
}
}