`

扩展acegi以支持验证码等

    博客分类:
  • Java
阅读更多
在acegi中的登陆页面:
<form action="<c:url value="j_acegi_security_check"/>" method="POST">
登陆的请求是发给/ j_acegi_security_check,在我们的系统中往往要在登陆中做一些登陆前和登陆后的操作。如记录用户的行为,加入验证码等。
在acegi的配置文件中加入以下的过滤器:
<bean id="filterChainProxy"
class="org.acegisecurity.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
</value>
</property>
</bean>
通过改写authenticationProcessingFilter可以实现以上目的:
<bean id="authenticationProcessingFilter"
class="org.artemis.manager.auth.AuthenticationProcessingFilter">
<property name="authenticationManager"
ref="authenticationManager" />
<!-- 认证失败后,重定向的url -->
<property name="authenticationFailureUrl"
value="/login.jsp?login_error=1" />
<!-- 认证成功后,重定向的url -->
<property name="defaultTargetUrl" value="/" />
<!-- 该过滤器拦截的url,通常是/j_acegi_security_check,和登录页面(login.jsp)的登录表单的action相同 -->
<property name="filterProcessesUrl"
value="/j_acegi_security_check" />
<property name="rememberMeServices" ref="rememberMeServices" />
</bean>

package org.artemis.manager.auth;
…………………………
public class AuthenticationProcessingFilter  implements Filter, InitializingBean, ApplicationEventPublisherAware {
public static final String ACEGI_SAVED_REQUEST_KEY = "ACEGI_SAVED_REQUEST_KEY";
    public static final String ACEGI_SECURITY_LAST_EXCEPTION_KEY = "ACEGI_SECURITY_LAST_EXCEPTION";

    public static final String ACEGI_SECURITY_FORM_USERNAME_KEY = "j_username";
    public static final String ACEGI_SECURITY_FORM_PASSWORD_KEY = "j_password";
    public static final String ACEGI_SECURITY_LAST_USERNAME_KEY = "ACEGI_SECURITY_LAST_USERNAME";

private ApplicationEventPublisher eventPublisher;
    private AuthenticationDetailsSource authenticationDetailsSource = new AuthenticationDetailsSourceImpl();
    private AuthenticationManager authenticationManager;
   
    private String authenticationFailureUrl;
    private String defaultTargetUrl;
    private String filterProcessesUrl = getDefaultFilterProcessesUrl();
    private boolean alwaysUseDefaultTargetUrl = false;
   
    private RememberMeServices rememberMeServices = new NullRememberMeServices();
    protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
    private Properties exceptionMappings = new Properties();
    private boolean continueChainBeforeSuccessfulAuthentication = false;
    public boolean isContinueChainBeforeSuccessfulAuthentication() {
return continueChainBeforeSuccessfulAuthentication;
}
public void setContinueChainBeforeSuccessfulAuthentication(
boolean continueChainBeforeSuccessfulAuthentication) {
this.continueChainBeforeSuccessfulAuthentication = continueChainBeforeSuccessfulAuthentication;
}
public String getDefaultFilterProcessesUrl() {
        return "/j_acegi_security_check";
    }
public void destroy() {}

public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
if (!(request instanceof HttpServletRequest)) {
            throw new ServletException("Can only process HttpServletRequest");
        }
        if (!(response instanceof HttpServletResponse)) {
            throw new ServletException("Can only process HttpServletResponse");
        }
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        String username = obtainUsername(httpRequest);
        String password = obtainPassword(httpRequest);
        if (username == null) {
            username = "";
        }
        if (password == null) {
            password = "";
        }
    if (requiresAuthentication(httpRequest, httpResponse)) {
            Authentication authResult;
            try {
            //加入验证码
                if(!onPreAuthentication(httpRequest, httpResponse)){
                    httpRequest.getSession().setAttribute(ACEGI_SECURITY_LAST_USERNAME_KEY,
                            username);
                throw new AuthenticationCodeException("请输入正确的验证码!");
                }

                UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,
                        password);
                setDetails(httpRequest, authRequest);
                httpRequest.getSession().setAttribute(ACEGI_SECURITY_LAST_USERNAME_KEY,username);
                authResult = this.getAuthenticationManager().authenticate(authRequest);
                // Authentication success
                if (continueChainBeforeSuccessfulAuthentication) {
                filterChain.doFilter(httpRequest, httpResponse);
                }
                //可以在此加入验证成功后的功能代码
                successfulAuthentication(httpRequest, httpResponse, authResult);
                String targetUrl = alwaysUseDefaultTargetUrl ? null : obtainFullRequestUrl(httpRequest);
        if (targetUrl == null) {
            targetUrl = getDefaultTargetUrl();
        }
        if (!targetUrl.startsWith("http://") && !targetUrl.startsWith("https://")) {
        targetUrl = httpRequest.getContextPath() + targetUrl;
    }
    httpResponse.sendRedirect(httpResponse.encodeRedirectURL(targetUrl));
    return ;
            } catch (AuthenticationException failed) {
                // Authentication failed
                unsuccessfulAuthentication(httpRequest, httpResponse, failed);
                String failureUrl = exceptionMappings.getProperty(failed.getClass().getName(), authenticationFailureUrl);
                if (!failureUrl.startsWith("http://") && !failureUrl.startsWith("https://")) {
                failureUrl = httpRequest.getContextPath() + failureUrl;
    }
    httpResponse.sendRedirect(httpResponse.encodeRedirectURL(failureUrl));
                return;
            }
        }
   
        filterChain.doFilter(request, response);
}

public Authentication attemptAuthentication(HttpServletRequest request,HttpServletResponse response)
    throws AuthenticationException, IOException{
String username = obtainUsername(request);
        String password = obtainPassword(request);
       // System.out.println("username: "+username +"     passward:"+password) ;
        if (username == null) {
            username = "";
        }
        if (password == null) {
            password = "";
        }
        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,
                password);
        setDetails(request, authRequest);
        request.getSession().setAttribute(ACEGI_SECURITY_LAST_USERNAME_KEY,
            username);
        return this.getAuthenticationManager().authenticate(authRequest);
}

protected void setDetails(HttpServletRequest request,
        UsernamePasswordAuthenticationToken authRequest) {
    authRequest.setDetails(new WebAuthenticationDetails(request));
}


protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
        String uri = request.getRequestURI();
        int pathParamIndex = uri.indexOf(';');
        if (pathParamIndex > 0) {
            uri = uri.substring(0, pathParamIndex);
        }

        return uri.endsWith(request.getContextPath() + filterProcessesUrl);
    }


public void init(FilterConfig arg0) throws ServletException {}

public void afterPropertiesSet() throws Exception {}

public void setApplicationEventPublisher(ApplicationEventPublisher context) {
        this.eventPublisher = context;
    }

    public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource) {
        Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required");
        this.authenticationDetailsSource = authenticationDetailsSource;
    }



public boolean isAlwaysUseDefaultTargetUrl() {
return alwaysUseDefaultTargetUrl;
}

public void setAlwaysUseDefaultTargetUrl(boolean alwaysUseDefaultTargetUrl) {
this.alwaysUseDefaultTargetUrl = alwaysUseDefaultTargetUrl;
}

public String getAuthenticationFailureUrl() {
return authenticationFailureUrl;
}

public void setAuthenticationFailureUrl(String authenticationFailureUrl) {
this.authenticationFailureUrl = authenticationFailureUrl;
}

public String getDefaultTargetUrl() {
return defaultTargetUrl;
}

public void setDefaultTargetUrl(String defaultTargetUrl) {
this.defaultTargetUrl = defaultTargetUrl;
}

public String getFilterProcessesUrl() {
return filterProcessesUrl;
}

public void setFilterProcessesUrl(String filterProcessesUrl) {
this.filterProcessesUrl = filterProcessesUrl;
}

protected String obtainPassword(HttpServletRequest request) {
String password=request.getParameter(ACEGI_SECURITY_FORM_PASSWORD_KEY);
if(password!=null){
        return MD5.toMD5(request.getParameter(ACEGI_SECURITY_FORM_PASSWORD_KEY));
}
    return password;
    }

  
    protected String obtainUsername(HttpServletRequest request) {
        return request.getParameter(ACEGI_SECURITY_FORM_USERNAME_KEY);
    }

    //加入验证码
protected boolean onPreAuthentication(HttpServletRequest request, HttpServletResponse response)
     throws AuthenticationException, IOException {
String randNum=request.getParameter("randNum");
String rand=(String)request.getSession().getAttribute("rand");
if(rand.equals(randNum)){
return true;
}
return false;
}
     //可以在此加入验证成功后的功能代码
protected void onSuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
     Authentication authResult) throws IOException {}
protected void onUnsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
     AuthenticationException failed) throws IOException {}

protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
        Authentication authResult) throws IOException {    
        //logger.info("Authentication success: " + authResult.toString());
        SecurityContextHolder.getContext().setAuthentication(authResult);
        onSuccessfulAuthentication(request, response, authResult);
        rememberMeServices.loginSuccess(request, response, authResult);
        // Fire event
        if (this.eventPublisher != null) {
            eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));
        }
}
protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
        AuthenticationException failed) throws IOException {
        SecurityContextHolder.getContext().setAuthentication(null);
        //logger.info("Updated SecurityContextHolder to contain null Authentication");
        try {
            request.getSession().setAttribute(ACEGI_SECURITY_LAST_EXCEPTION_KEY, failed);
        } catch (Exception ignored) {}
        onUnsuccessfulAuthentication(request, response, failed);
        rememberMeServices.loginFail(request, response);
}
public static String obtainFullRequestUrl(HttpServletRequest request) {
        SavedRequest savedRequest = (SavedRequest) request.getSession()
                                                          .getAttribute(ACEGI_SAVED_REQUEST_KEY);
        return (savedRequest == null) ? null : savedRequest.getFullRequestUrl();
    }
public Properties getExceptionMappings() {
return exceptionMappings;
}
public void setExceptionMappings(Properties exceptionMappings) {
this.exceptionMappings = exceptionMappings;
}
public MessageSourceAccessor getMessages() {
return messages;
}
public void setMessages(MessageSourceAccessor messages) {
this.messages = messages;
}
public RememberMeServices getRememberMeServices() {
return rememberMeServices;
}
public void setRememberMeServices(RememberMeServices rememberMeServices) {
this.rememberMeServices = rememberMeServices;
}
public ApplicationEventPublisher getEventPublisher() {
return eventPublisher;
}
public void setEventPublisher(ApplicationEventPublisher eventPublisher) {
this.eventPublisher = eventPublisher;
}
public AuthenticationDetailsSource getAuthenticationDetailsSource() {
return authenticationDetailsSource;
}
public AuthenticationManager getAuthenticationManager() {
return authenticationManager;
}
public void setAuthenticationManager(AuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
}
}


如何编写验证码由于篇幅问题在此不多说了。在doFilter方法中我们加入onPreAuthentication,通过比较用户输入的验证码和存在session中的验证码,如果相同才进行下一步的验证操作,否则返回登陆页面做出相应的提示。登陆成功后可以在successfulAuthentication方法中加入一些登陆后操作。
分享到:
评论

相关推荐

    jcaptcha的验证码例子

    在实际开发中,你可能还需要考虑一些额外的细节,比如优化验证码的性能、调整图像的复杂度以平衡用户体验和安全性,以及处理音频验证码以满足视觉障碍用户的需要。 总之,`jCaptcha`提供了一种强大且灵活的方式来...

    通过场景分析acegi的设计原理

    - 可能还需要输入额外的安全信息(例如,验证码)以提高安全性。 **2. 多种验证方式的选择** - ACEGI支持多种身份验证方式,系统可以根据策略选择最适合的方式进行验证。 - 这些方式包括但不限于从数据库查询或...

    spring security 3

    - **多因素认证**:探讨了如何实现更高级别的安全性,例如结合短信验证码、指纹识别等方式来进行多因素认证。 5. **授权机制** - **基于角色的访问控制(RBAC)**:介绍如何利用Spring Security提供的RoleVoter等...

    spring安全机制文档

    - **多因素认证**:支持密码、短信验证码、生物特征等多种认证方式。 - **权限表达式**:使用`@PreAuthorize`和`@PostAuthorize`等注解,基于方法的安全性可以使用自定义的权限表达式进行控制。 - **自定义认证和...

    java开源包1

    JCaptcha4Struts2 是一个 Struts2的插件,用来增加验证码的支持,使用时只需要用一个 JSP 标签 (&lt;jcaptcha:image label="Type the text "/&gt; ) 即可,直接在 struts.xml 中进行配置,使用强大的 JCaptcha来生成验证码...

    java开源包11

    JCaptcha4Struts2 是一个 Struts2的插件,用来增加验证码的支持,使用时只需要用一个 JSP 标签 (&lt;jcaptcha:image label="Type the text "/&gt; ) 即可,直接在 struts.xml 中进行配置,使用强大的 JCaptcha来生成验证码...

    java开源包2

    JCaptcha4Struts2 是一个 Struts2的插件,用来增加验证码的支持,使用时只需要用一个 JSP 标签 (&lt;jcaptcha:image label="Type the text "/&gt; ) 即可,直接在 struts.xml 中进行配置,使用强大的 JCaptcha来生成验证码...

    java开源包3

    JCaptcha4Struts2 是一个 Struts2的插件,用来增加验证码的支持,使用时只需要用一个 JSP 标签 (&lt;jcaptcha:image label="Type the text "/&gt; ) 即可,直接在 struts.xml 中进行配置,使用强大的 JCaptcha来生成验证码...

    java开源包6

    JCaptcha4Struts2 是一个 Struts2的插件,用来增加验证码的支持,使用时只需要用一个 JSP 标签 (&lt;jcaptcha:image label="Type the text "/&gt; ) 即可,直接在 struts.xml 中进行配置,使用强大的 JCaptcha来生成验证码...

    java开源包5

    JCaptcha4Struts2 是一个 Struts2的插件,用来增加验证码的支持,使用时只需要用一个 JSP 标签 (&lt;jcaptcha:image label="Type the text "/&gt; ) 即可,直接在 struts.xml 中进行配置,使用强大的 JCaptcha来生成验证码...

    java开源包10

    JCaptcha4Struts2 是一个 Struts2的插件,用来增加验证码的支持,使用时只需要用一个 JSP 标签 (&lt;jcaptcha:image label="Type the text "/&gt; ) 即可,直接在 struts.xml 中进行配置,使用强大的 JCaptcha来生成验证码...

    java开源包4

    JCaptcha4Struts2 是一个 Struts2的插件,用来增加验证码的支持,使用时只需要用一个 JSP 标签 (&lt;jcaptcha:image label="Type the text "/&gt; ) 即可,直接在 struts.xml 中进行配置,使用强大的 JCaptcha来生成验证码...

    java开源包8

    JCaptcha4Struts2 是一个 Struts2的插件,用来增加验证码的支持,使用时只需要用一个 JSP 标签 (&lt;jcaptcha:image label="Type the text "/&gt; ) 即可,直接在 struts.xml 中进行配置,使用强大的 JCaptcha来生成验证码...

    java开源包7

    JCaptcha4Struts2 是一个 Struts2的插件,用来增加验证码的支持,使用时只需要用一个 JSP 标签 (&lt;jcaptcha:image label="Type the text "/&gt; ) 即可,直接在 struts.xml 中进行配置,使用强大的 JCaptcha来生成验证码...

    java开源包9

    JCaptcha4Struts2 是一个 Struts2的插件,用来增加验证码的支持,使用时只需要用一个 JSP 标签 (&lt;jcaptcha:image label="Type the text "/&gt; ) 即可,直接在 struts.xml 中进行配置,使用强大的 JCaptcha来生成验证码...

    java开源包101

    JCaptcha4Struts2 是一个 Struts2的插件,用来增加验证码的支持,使用时只需要用一个 JSP 标签 (&lt;jcaptcha:image label="Type the text "/&gt; ) 即可,直接在 struts.xml 中进行配置,使用强大的 JCaptcha来生成验证码...

    Java资源包01

    JCaptcha4Struts2 是一个 Struts2的插件,用来增加验证码的支持,使用时只需要用一个 JSP 标签 (&lt;jcaptcha:image label="Type the text "/&gt; ) 即可,直接在 struts.xml 中进行配置,使用强大的 JCaptcha来生成验证码...

    spring 安全文档 PDF

    Spring Security是Spring框架的一个扩展模块,提供了一套全面的安全解决方案,旨在为基于Java的应用程序提供认证(Authentication)和授权(Authorization)功能。它不仅仅是一个强大的访问控制框架,还提供了一系列...

    JAVA上百实例源码以及开源项目源代码

    支持旋转和透明度设置 摘要:Java源码,文件操作,图片水印 util实现Java图片水印添加功能,有添加图片水印和文字水印,可以设置水印位置,透明度、设置对线段锯齿状边缘处理、水印图片的路径,水印一般格式是gif,png,...

    使用spring+struts+hibernate实现的登录

    在IT行业中,SSH(Spring、Struts和Hibernate)是一个经典的Java Web开发框架组合,用于构建高效、可维护的Web应用...通过这个基础,你可以进一步扩展功能,比如添加注册、密码重置、验证码等更复杂的用户管理功能。

Global site tag (gtag.js) - Google Analytics