Spring security2.0增加验证码功能

x_root

浏览: 128087 次
性别:
来自: 广州

最近访客更多访客>>

lvhejin

q270094542

feng59380024

05rjyzl11

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

博客分类：

Java

Spring Security Servlet Bean UI

做权限控制的时候用了spring security2.0，但是后来又增加了登录页面需要验证码功能，想了一下，实现如下：

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.MessageSource;
import org.springframework.context.MessageSourceAware;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.security.AuthenticationException;
import org.springframework.security.SpringSecurityMessageSource;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.ui.FilterChainOrder;
import org.springframework.security.ui.SpringSecurityFilter;
import org.springframework.security.util.RedirectUtils;
import org.springframework.security.util.UrlUtils;
import org.springframework.util.Assert;

/**
 * 加入了验证码的过滤器
 * 
 * @author Alfoo Liu <liuxy2@xxx.com>
 * @since 2010-1-7 10:28:35
 */
public class AuthenticationCodeFilter extends SpringSecurityFilter implements InitializingBean, MessageSourceAware {
	public final static String SPRING_SECURITY_FORM_AUTHCODE_KEY = "j_authCode";
	private final static String AUTHCODE_KEY_IN_SESSION = "AUTHCODE";
	public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "j_username";
	public static final String SPRING_SECURITY_LAST_USERNAME_KEY = "SPRING_SECURITY_LAST_USERNAME";
	public static final String SPRING_SECURITY_LAST_EXCEPTION_KEY = "SPRING_SECURITY_LAST_EXCEPTION";
	private String usernameParameter = SPRING_SECURITY_FORM_USERNAME_KEY;
	private String authCodeParameter = SPRING_SECURITY_FORM_AUTHCODE_KEY;
	private String authenticationFailureUrl = "/login.dm?error=true";
	private boolean enableAuthCode = true;
	private final static Log log = LogFactory
			.getLog(AuthenticationCodeFilter.class);
	protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
	private boolean useRelativeContext = false;
	private String filterProcessesUrl = "/j_spring_security_check";
	
	@Override
	public void doFilterHttp(HttpServletRequest request,
			HttpServletResponse response, FilterChain chain)
			throws IOException, ServletException {
		// Place the last username attempted into HttpSession for views
		HttpSession session = request.getSession();
		// boolean s = session != null || getAllowSessionCreation();
		// 获取页面传过来的验证码值
		String authCode = this.obtainAuthCode(request);
		String username = obtainUsername(request);
		log.debug("auth code = " + authCode);
		if (enableAuthCode && requiresAuthentication(request, response)) {
			if (authCode == null || authCode.trim().length() == 0) {
				log.error("validate authcode failed, auth code is null.");
				session.setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY,
						username);
				
				AuthenticationException exception = new AuthenticationCodeErrorException(
						messages
								.getMessage(
										"AbstractUserDetailsAuthenticationProvider.empty_authcode",
										"Please input authcode."));// "验证码不能为空。"
				unsuccessfulAuthentication(request, response, exception);
				return;
			}

			String expected = (String) session
					.getAttribute(AUTHCODE_KEY_IN_SESSION);
			if (!authCode.equals(expected)) {// AuthCodeValidationException
				session.setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY,
						username);
				AuthenticationException exception = new AuthenticationCodeErrorException(
						messages
								.getMessage(
										"AbstractUserDetailsAuthenticationProvider.error_authcode",
										"authcode is error."));
				unsuccessfulAuthentication(request, response, exception);
				return;
			}
		}
		
		
		chain.doFilter(request, response);
	}

	protected void unsuccessfulAuthentication(HttpServletRequest request,
			HttpServletResponse response, AuthenticationException failed)
			throws IOException, ServletException {
		SecurityContextHolder.getContext().setAuthentication(null);

		if (logger.isDebugEnabled()) {
			logger
					.debug("Updated SecurityContextHolder to contain null Authentication");
		}

		request.getSession().setAttribute(
				SPRING_SECURITY_LAST_EXCEPTION_KEY, failed);

		if (authenticationFailureUrl == null) {
			response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
					"Authentication Failed:" + failed.getMessage());
		} else {
			sendRedirect(request, response, authenticationFailureUrl);
		}
	}

    protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
        String uri = request.getRequestURI();
        int pathParamIndex = uri.indexOf(';');

        if (pathParamIndex > 0) {
            // strip everything after the first semi-colon
            uri = uri.substring(0, pathParamIndex);
        }

        if ("".equals(request.getContextPath())) {
            return uri.endsWith(filterProcessesUrl);
        }

        return uri.endsWith(request.getContextPath() + filterProcessesUrl);
    }
    
    
	protected void sendRedirect(HttpServletRequest request,
			HttpServletResponse response, String url) throws IOException {

		RedirectUtils.sendRedirect(request, response, url, useRelativeContext);
	}

	public int getOrder() {
		return FilterChainOrder.AUTHENTICATION_PROCESSING_FILTER - 100;
	}

	protected String obtainAuthCode(HttpServletRequest request) {
		return request.getParameter(getAuthCodeParameter());
	}

	protected String obtainUsername(HttpServletRequest request) {
		return request.getParameter(usernameParameter);
	}

	public boolean isEnableAuthCode() {
		return enableAuthCode;
	}

	public void setEnableAuthCode(boolean enableAuthCode) {
		this.enableAuthCode = enableAuthCode;
	}

	public String getAuthCodeParameter() {
		return authCodeParameter;
	}

	public void setAuthCodeParameter(String authCodeParameter) {
		this.authCodeParameter = authCodeParameter;
	}

	public String getAuthenticationFailureUrl() {
		return authenticationFailureUrl;
	}

	public void setAuthenticationFailureUrl(String authenticationFailureUrl) {
		this.authenticationFailureUrl = authenticationFailureUrl;
	}
	
    public void setUseRelativeContext(boolean useRelativeContext) {
        this.useRelativeContext = useRelativeContext;
    }

	public void afterPropertiesSet() throws Exception {
		Assert.isTrue(UrlUtils.isValidRedirectUrl(authenticationFailureUrl), authenticationFailureUrl + " isn't a valid redirect URL");
	}

	public void setMessageSource(MessageSource messageSource) {
		this.messages = new MessageSourceAccessor(messageSource);
	}
}

applicationContext-security.xml配置如下：

<beans:bean id="authenticationProcessingFilter" class="com.asiainfo.webframe.core.security.AuthenticationCodeFilter">
	<custom-filter before="AUTHENTICATION_PROCESSING_FILTER" />
	<!--以下两项的配置应该要和form-login的配置相同-->
	<beans:property name="authenticationFailureUrl" value="/login.dm?error=true" />
</beans:bean>

http的配置仍然是auto-config="true"。

分享到：

IE的get请求的url长度问题 | 如何禁用IE8的加速器呢？

2010-05-25 15:16
浏览 1860
评论(0)
分类:企业架构
查看更多

发表评论

您还没有登录,请您登录后再发表评论

最近访客更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论

Spring security2.0增加验证码功能

评论

发表评论

相关推荐

最近访客 更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论

Spring security2.0增加验证码功能

评论

发表评论

相关推荐

这个是不是commons-logging的bug？

about commons-logging

一个奇怪的问题

说说ejb的事务传播机制

从xml中初始化bean实例

IntelliJIdea10 正式版发布了

欢迎加入我的IntelliJ IDEA群

Linux资料大全

为什么使用JE的搜索功能什么都搜不出来？

jqGrid使用总结

如何让idea的编辑器不允许虚拟空间

掌握JAVA的标准

sequence数据迁移

xml序列化的性能问题

ibatis的分页问题

无聊的日期格式化

Freemarker内建变量

网络切换命令

如何使用Annotation

ant 文件一般写法

最近访客更多访客>>