yahaitt
- 浏览: 759947 次
- 性别:
- 来自: 杭州
-
文章分类
最新评论
-
Ripin_Yan:
写的挺透彻
session与cookie的区别? -
1045565111:
谢谢,运行起来了,非常不错~~~
EXTJS动态树的实现 -
hlxhf5000:
找了半天,机会都没有全套的下载
ExtJs视频教程集锦 -
slysuccess:
讲解的非常好!以前还不是太明白,现在终于明白了!谢谢博主
ExtJs中关于grid和store的应用分析(二) -
yixiandave:
怎么看都蛋疼啊。。
js继承的实现
一、搞定acegi时要注意的几个地方:
1、用户注册和删除用户时清除缓存中对应该用户的相关信息。
2、登录时附加验证码等信息的扩展以及注意密码加密方式。
3、角色表中新增的角色名必须要与配置文件中设置的匹配,否则无效。
4、设置成Method类型的资源,必须在有至少一个角色给予赋值后,其它未赋予改资源的角色才会受访问权的限制,否则,也就是当没有赋值给任何一个角色时,该资源相当于是无效的,即该资源不受访问权的限制。
5、角色表中需要有个名字为"ROLE_ANONYMOUS"的角色("ROLE"是配置文件中配置的匹配字符串),一般将首页的资源赋予给这个角色。
二、着重点
1、先看配置文件applicationContext-acegi-security.xml,附件中
2、对applicationContext-acegi-security.xml配置文件中的几点进行说明
处理登录请求的过滤器 authenticationProcessingFilter
默认的配置如下:
xml 代码
- <bean id="authenticationProcessingFilter"
- class="org.acegisecurity.ui.webapp.AuthenticationProcessingFilter">
- <property name="authenticationManager"
- ref="authenticationManager" />
- <property name="authenticationFailureUrl"
- value="/login.jsp?login_error=1" />
- <property name="defaultTargetUrl" value="/admin/index.jsp" />
- <property name="filterProcessesUrl"
- value="/j_acegi_security_check" />
- <property name="rememberMeServices" ref="rememberMeServices" />
- bean>
我改成了如下的配置:
xml 代码
- <bean id="authenticationProcessingFilter"
- class="org.springside.security.filter.util.AuthenticationProcessingFilter">
- <property name="continueChainBeforeSuccessfulAuthentication" value="true">property>
- <property name="authenticationManager"
- ref="authenticationManager" />
- <property name="authenticationFailureUrl"
- value="/accessDenied.jsp" />
- <property name="defaultTargetUrl" value="/index.jsp" />
- <property name="filterProcessesUrl"
- value="/userm.do" />
- <property name="rememberMeServices" ref="rememberMeServices" />
- bean>
其实就是重写了acegi自带的AuthenticationProcessingFilter
因为我在用户登录的时候还附加了验证码
并且换了登录的action路径(改成了"/userm.do?method=login"),以及用户登陆的用户名和密码的名称(默认的是j_username和j_password,我改成了username和password),这些东西都在我重写的AuthenticationProcessingFilter中得到控制。附件中有完整的AuthenticationProcessingFilter代码。
java 代码
- package org.springside.security.filter.util;
- import java.io.IOException;
- import java.util.Properties;
- import javax.servlet.Filter;
- import javax.servlet.FilterChain;
- import javax.servlet.FilterConfig;
- import javax.servlet.RequestDispatcher;
- import javax.servlet.ServletException;
- import javax.servlet.ServletRequest;
- import javax.servlet.ServletResponse;
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletResponse;
- import org.acegisecurity.AcegiMessageSource;
- import org.acegisecurity.Authentication;
- import org.acegisecurity.AuthenticationException;
- import org.acegisecurity.AuthenticationManager;
- import org.acegisecurity.context.SecurityContextHolder;
- import org.acegisecurity.event.authentication.InteractiveAuthenticationSuccessEvent;
- import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
- import org.acegisecurity.ui.AuthenticationDetailsSource;
- import org.acegisecurity.ui.AuthenticationDetailsSourceImpl;
- import org.acegisecurity.ui.WebAuthenticationDetails;
- import org.acegisecurity.ui.rememberme.NullRememberMeServices;
- import org.acegisecurity.ui.rememberme.RememberMeServices;
- import org.acegisecurity.ui.savedrequest.SavedRequest;
- import org.apache.commons.logging.Log;
- import org.apache.commons.logging.LogFactory;
- import org.apache.struts.Globals;
- import org.apache.struts.action.ActionMessage;
- import org.apache.struts.action.ActionMessages;
- import org.springframework.beans.factory.InitializingBean;
- import org.springframework.context.ApplicationEventPublisher;
- import org.springframework.context.ApplicationEventPublisherAware;
- import org.springframework.context.support.MessageSourceAccessor;
- import org.springframework.util.Assert;
- import com.yahaitt.exception.AuthenticationCodeException;
- public class AuthenticationProcessingFilter implements Filter,
- InitializingBean, ApplicationEventPublisherAware {
- public static final String ACEGI_SAVED_REQUEST_KEY = "ACEGI_SAVED_REQUEST_KEY";
- public static final String ACEGI_SECURITY_LAST_EXCEPTION_KEY = "ACEGI_SECURITY_LAST_EXCEPTION";
- public static final String ACEGI_SECURITY_FORM_USERNAME_KEY = "username";
- public static final String ACEGI_SECURITY_FORM_PASSWORD_KEY = "password";
- public static final String ACEGI_SECURITY_LAST_USERNAME_KEY = "ACEGI_SECURITY_LAST_USERNAME";
- protected final Log logger = LogFactory.getLog(this.getClass());
- private ApplicationEventPublisher eventPublisher;
- private AuthenticationDetailsSource authenticationDetailsSource = new AuthenticationDetailsSourceImpl();
- private AuthenticationManager authenticationManager;
- private String authenticationFailureUrl;
- private String defaultTargetUrl;
- private String filterProcessesUrl = getDefaultFilterProcessesUrl();
- private boolean alwaysUseDefaultTargetUrl = false;
- private RememberMeServices rememberMeServices = new NullRememberMeServices();
- protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
- private Properties exceptionMappings = new Properties();
- private boolean continueChainBeforeSuccessfulAuthentication = false;
- public boolean isContinueChainBeforeSuccessfulAuthentication() {
- return continueChainBeforeSuccessfulAuthentication;
- }
- public void setContinueChainBeforeSuccessfulAuthentication(
- boolean continueChainBeforeSuccessfulAuthentication) {
- this.continueChainBeforeSuccessfulAuthentication = continueChainBeforeSuccessfulAuthentication;
- }
- public String getDefaultFilterProcessesUrl() {
- return "/j_acegi_security_check";
- }
- public void destroy() {
- }
- public void doFilter(ServletRequest request, ServletResponse response,
- FilterChain filterChain) throws IOException, ServletException {
- if (!(request instanceof HttpServletRequest)) {
- throw new ServletException("Can only process HttpServletRequest");
- }
- if (!(response instanceof HttpServletResponse)) {
- throw new ServletException("Can only process HttpServletResponse");
- }
- HttpServletRequest httpRequest = (HttpServletRequest) request;
- HttpServletResponse httpResponse = (HttpServletResponse) response;
- String username = obtainUsername(httpRequest);
- String password = obtainPassword(httpRequest);
- if (username == null) {
- username = "";
- }
- if (password == null) {
- password = "";
- }
- if (requiresAuthentication(httpRequest, httpResponse)) {
- Authentication authResult;
- try {
- // 加入验证码
- onPreAuthentication(httpRequest, httpResponse);
- authResult = attemptAuthentication(httpRequest);
- // UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
- // username, password);
- // setDetails(httpRequest, authRequest);
- // httpRequest.getSession().setAttribute(
- // ACEGI_SECURITY_LAST_USERNAME_KEY, username);
- // authResult = this.getAuthenticationManager().authenticate(
- // authRequest);
- // Authentication success
- // successfulAuthentication(httpRequest, httpResponse, authResult);
- //如果authResult = this.getAuthenticationManager().authenticate(authRequest);函数执行后无异常,则说明认证通过了,此时可以直接进行下轮的过滤器
- //即跳转到进入这个filter的url(user_login.jsp页面中form的action指向等,此时执行下面的filterChain.doFilter(httpRequest, httpResponse);后就能够跳转到UserMAction的login函数中执行)
- // filterChain.doFilter(httpRequest, httpResponse);
- if (continueChainBeforeSuccessfulAuthentication) {
- filterChain.doFilter(httpRequest, httpResponse);
- }
- // // 可以在此加入验证成功后的功能代码
- successfulAuthentication(httpRequest, httpResponse, authResult);
- // String targetUrl = alwaysUseDefaultTargetUrl ? null
- // : obtainFullRequestUrl(httpRequest);
- //// if (targetUrl == null) {
- //// targetUrl = getDefaultTargetUrl();
- //// }
- //// if (!targetUrl.startsWith("http://")
- //// && !targetUrl.startsWith("https://")) {
- //// targetUrl = httpRequest.getContextPath() + targetUrl;
- //// }
- //
- // targetUrl = request.getParameter("pagefrom");
- //
- // httpResponse.sendRedirect(httpResponse
- // .encodeRedirectURL(targetUrl));
- return;
- } catch (AuthenticationException failed) {
- // Authentication failed
- unsuccessfulAuthentication(httpRequest, httpResponse, failed);
- // String failureUrl = exceptionMappings.getProperty(failed
- // .getClass().getName(), authenticationFailureUrl);
- // if (!failureUrl.startsWith("http://")
- // && !failureUrl.startsWith("https://")) {
- // failureUrl = httpRequest.getContextPath() + failureUrl;
- // }
- String pagefrom = request.getParameter("pagefrom");
- request.setAttribute("pagefrom", pagefrom);
- String pageURL = "/WEB-INF/pages/user_login.jsp";
- RequestDispatcher rd = request.getRequestDispatcher(pageURL);
- rd.forward(request, response);
- // httpResponse.sendRedirect(httpResponse
- // .encodeRedirectURL(failureUrl));
- return;
- }
- }
- filterChain.doFilter(request, response);
- }
- public Authentication attemptAuthentication(HttpServletRequest request) throws AuthenticationException,
- IOException {
- String username = obtainUsername(request);
- String password = obtainPassword(request);
- if (username == null) {
- username = "";
- }
- if (password == null) {
- password = "";
- }
- UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
- username, password);
- setDetails(request, authRequest);
- request.getSession().setAttribute(ACEGI_SECURITY_LAST_USERNAME_KEY,
- username);
- return this.getAuthenticationManager().authenticate(authRequest);
- }
- protected void setDetails(HttpServletRequest request,
- UsernamePasswordAuthenticationToken authRequest) {
- authRequest.setDetails(new WebAuthenticationDetails(request));
- }
- protected boolean requiresAuthentication(HttpServletRequest request,
- HttpServletResponse response) {
- String uri = request.getRequestURI();
- int pathParamIndex = uri.indexOf(';');
- if (pathParamIndex > 0) {
- uri = uri.substring(0, pathParamIndex);
- }
- String method = request.getParameter("method");
- boolean islogin = "login".equals(method)?true:false;
- return (uri.endsWith(request.getContextPath() + filterProcessesUrl) && islogin);
- }
- public void init(FilterConfig arg0) throws ServletException {
- }
- public void afterPropertiesSet() throws Exception {
- }
- public void setApplicationEventPublisher(ApplicationEventPublisher context) {
- this.eventPublisher = context;
- }
- public void setAuthenticationDetailsSource(
- AuthenticationDetailsSource authenticationDetailsSource) {
- Assert.notNull(authenticationDetailsSource,
- "AuthenticationDetailsSource required");
- this.authenticationDetailsSource = authenticationDetailsSource;
- }
- public boolean isAlwaysUseDefaultTargetUrl() {
- return alwaysUseDefaultTargetUrl;
- }
- public void setAlwaysUseDefaultTargetUrl(boolean alwaysUseDefaultTargetUrl) {
- this.alwaysUseDefaultTargetUrl = alwaysUseDefaultTargetUrl;
- }
- public String getAuthenticationFailureUrl() {
- return authenticationFailureUrl;
- }
- public void setAuthenticationFailureUrl(String authenticationFailureUrl) {
- this.authenticationFailureUrl = authenticationFailureUrl;
- }
- public String getDefaultTargetUrl() {
- return defaultTargetUrl;
- }
- public void setDefaultTargetUrl(String defaultTargetUrl) {
- this.defaultTargetUrl = defaultTargetUrl;
- }
- public String getFilterProcessesUrl() {
- return filterProcessesUrl;
- }
- public void setFilterProcessesUrl(String filterProcessesUrl) {
- this.filterProcessesUrl = filterProcessesUrl;
- }
- protected String obtainPassword(HttpServletRequest request) {
- String password = request.getParameter(ACEGI_SECURITY_FORM_PASSWORD_KEY);
- // if (password != null) {
- // return MD5.toMD5(request
- // .getParameter(ACEGI_SECURITY_FORM_PASSWORD_KEY));
- // }
- return password;
- }
- protected String obtainUsername(HttpServletRequest request) {
- return request.getParameter(ACEGI_SECURITY_FORM_USERNAME_KEY);
- }
- // 加入验证码
- protected void onPreAuthentication(HttpServletRequest request,
- HttpServletResponse response) throws AuthenticationException,
- IOException {
- String randNum = request.getParameter("randNum");
- String rand = (String) request.getSession().getAttribute("RandNo");
- if (rand == null || !rand.equals(randNum)) {
- throw new AuthenticationCodeException("请输入正确的验证码!");
- }
- }
- // 可以在此加入验证成功后的功能代码
- protected void onSuccessfulAuthentication(HttpServletRequest request,
- HttpServletResponse response, Authentication authResult)
- throws IOException {
- }
- protected void onUnsuccessfulAuthentication(HttpServletRequest request,
- HttpServletResponse response, AuthenticationException failed)
- throws IOException {
- ActionMessages errors = new ActionMessages();
- String username = request.getParameter("username");
- String password = request.getParameter("password");
- if(failed instanceof AuthenticationCodeException)
- {
- //验证码为空或出错
- errors.add("userwrong",new ActionMessage("user.randno.wrong"));
- }else if(null==username || "".equals(username))
- {
- //用户名为空
- errors.add("userwrong",new ActionMessage("user.username"));
- }else if(null==password || "".equals(password))
- {
- //密码为空
- errors.add("userwrong",new ActionMessage("user.password"));
- }else
- {
- //用户名或密码出错
- errors.add("userwrong",new ActionMessage("user.wrong"));
- }
- applicationContext-acegi-security.rar (4.5 KB)
- 描述: applicationContext-acegi-security.xml acegi配置文件
- 下载次数: 203
- AuthenticationProcessingFilter.rar (3.3 KB)
- 描述: AuthenticationProcessingFilter代码
- 下载次数: 195
分享到:
发表评论
相关推荐
8. **安全控制**:Spring Security(前身Acegi Security)被集成到SpringSide 3.0中,提供了一套全面的安全管理方案,包括身份验证、授权、会话管理等。 9. **日志管理**:SpringSide 3.0 使用Log4j或Logback作为...
《SpringSide核心库4.1.0深度解析》 SpringSide是Java开发中的一款轻量级框架,它基于Spring框架,旨在简化企业级应用的开发流程。本文将深入探讨SpringSide-core-4.1.0的核心特性,以及其在实际项目中的应用。 一...
SpringSide4参考手册是一份详尽的文档,涵盖了使用SpringSide4.0版本开发应用时可能会用到的各种技术组件和模块。SpringSide是一个开源的Java开发平台,它集成了Spring框架和大量实用的组件,以方便开发人员构建复杂...
《SpringSide 3.2.2 源码解析与技术深度探讨》 SpringSide 是一个基于 Spring Framework 的 Java 开发工具集,旨在简化 Spring 应用程序的开发过程,提供一套快速、现代且规范的开发实践。SpringSide 3.2.2 版本是...
《springside开发全面讲解》是一份旨在帮助开发者深入了解并掌握springside框架的详尽教程。springside是一款基于Spring框架的轻量级开发工具集,它为Java开发提供了简洁、高效的解决方案,尤其适合中大型项目的开发...
pom.xml配置 ...mvn install:install-file -DgroupId=org.springside -DartifactId=springside-core -Dversion=4.2.2.GA -Dfile=./springside-core-4.2.2.GA.jar -Dpackaging=jar -DgeneratePom=true
《深入解析springside4.2.3-GA.jar:Java开发者的宝藏库》 在Java开发领域,SpringSide框架以其高效、灵活和强大的特性深受开发者喜爱。本文将围绕springside4.2.3-GA.jar这个核心组件,探讨其在Java应用中的重要...
《SpringSide:全面解析与应用》 SpringSide项目是一个基于Java的开源软件开发框架,它以Spring Framework为核心,旨在提供一套简洁、规范的项目构建和开发实践。在深入理解SpringSide之前,我们首先需要了解Spring...
【标题】"springside-案例"所涉及的是SpringSide项目,这是一个开源的Java开发框架,旨在简化Spring框架的使用,提高开发效率。SpringSide是一个精心设计的、用于快速构建企业级应用的模板项目,它提供了清晰的代码...
SpringSide3.3.4 安装部署详解 SpringSide3.3.4 安装部署是指在计算机上安装和部署 SpringSide3.3.4 软件的过程。在这个过程中,我们需要使用 Maven 工具来生成项目模板,安装 mini-web 应用程序,并配置相应的...
### springside3.3.4使用方法与SSH整合详解 #### 一、Springside简介 Springside项目是基于Spring框架的一个应用架构示例,它提供了一套完整的开发模式来构建企业级Java Web应用程序。Springside 3.3.4版本作为一...
《SpringSide 4.0.0.GA:JavaEE世界的春天之光》 SpringSide,一个以Spring Framework为核心,秉持Pragmatic编程理念的JavaEE应用参考实例,它旨在为开发者提供主流技术选型的示范,展示JavaEE世界中的最佳实践。这...
《SpringSide 4:Spring MVC 实战展示》 在IT领域,SpringSide 4是一个备受推崇的开源项目,它是一个全面展示Spring框架及其生态系统的实战示例。标题"Springside4 (showcase)"暗示了这是一个以展示SpringSide 4...
《springside.jar在Java应用中的使用详解》 在Java开发领域,springside.jar是一个备受推崇的开源项目,它为开发者提供了丰富的工具和最佳实践,以简化Spring框架的使用。本文将深入探讨springside.jar的核心功能,...