Spring Security 2 使用笔记

最近在项目中用到了Spring Security 2

为了实现自己的一些逻辑，所以粗略的读了一次他的代码，和文档。

文档中介绍了Spring Security 的大体框架和原理。

但是对于如何扩展Spring Security，使它更适合自己的项目并没有详细的介绍，这点比较遗憾。

所以硬着头皮，大致过了一次他的代码。

 

以下是我扩展的需求：

1、用户登录是判断用户登录错误次数是否超过指定次数，如三次，若超过则锁定用户

2、登录成功更新用户的信息，如最后登录时间，登录IP等，并保存到数据库。

3、登录失败则增加用户登录失败的次数。

 

对于上面的这些需求，读了源代码之后，你会发现Spring Security的框架十分灵活。

代码也很清晰。

 

首先，用户登录时，经过了一系列的过滤器，他的过滤器使用Spring来管理的。

其中一个名为AuthenticationProcessFilter的过滤器，专门为网页验证提供。

跟了一下这个过滤器，发现他继承的抽象类AbstractProcessingFilter中有几个可以扩展的方法：

    protected void onPreAuthentication(HttpServletRequest request,HttpServletResponse response) throws AuthenticationException, IOException {
    }

    protected void onSuccessfulAuthentication(HttpServletRequest request,HttpServletResponse response,Authentication authResult) throws IOException {
   }

    protected void onUnsuccessfulAuthentication(HttpServletRequest request,HttpServletResponse response,
           AuthenticationException failed) throws IOException {
   }

 

看方法名大家应该能想到他的用处，就是在验证前，验证成功后，验证失败后，提供扩展的逻辑操作。

所以我们可以通过继承AuthenticationProcessFilter并重写这几个方法来增加自己的逻辑。

 

重新实现了过滤器之后要重新设置Spring Security 2的过滤器链，而且原来的auto-config也不能使用。否则将无效

配置如下：

	<http entry-point-ref="authenticationEntryPoint">


		<intercept-url pattern="/js/*" filters="none" />


		<intercept-url pattern="/styles/*" filters="none" />


		<intercept-url pattern="/images/*" filters="none" />


		<intercept-url pattern="/login" filters="none" />


		<intercept-url pattern="/reg" filters="none" />


		<intercept-url pattern="/" filters="none" />


		<intercept-url pattern="/registerMember" filters="none" />


		<intercept-url pattern="/index.jsp" access="ROLE_USER" /> 


		<intercept-url pattern="/member/*" access="ROLE_USER" />


		<!-- <form-login login-processing-url="/checkMember" login-page="/login" authentication-failure-url="/login?error=true" default-target-url="/" /> -->


		<anonymous />


		<logout logout-url="/logout" logout-success-url="/" />


		<remember-me key="e37f4b31-0c45-11dd-bd0b-0800200c9a66" />


	</http>





       <authentication-manager alias="authenticationManager"/>


	


	<beans:bean class="com.mysport.security.filter.EnhanceAuthenticationProcessFilter">


		<custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />


		<beans:property name="authenticationManager" ref="authenticationManager" />


		<beans:property name="authenticationFailureUrl" value="/login?error=true" />


		<beans:property name="defaultTargetUrl" value="/" />


		<beans:property name="filterProcessesUrl" value="/checkMember" />


		<beans:property name="memberService" ref="memberService" />


	</beans:bean>


	


	<beans:bean id="authenticationEntryPoint" class="org.springframework.security.ui.


                                                                         webapp.AuthenticationProcessingFilterEntryPoint"> 


    	<beans:property name="loginFormUrl" value="/login" /> 


    </beans:bean> 

 

如果使用Remember Me则要以类似的方式实现RememberMeProcessingFilter

1、要去掉http中的

<remember-me key="yourkey" />

2、实现rememberMeService

    <beans:bean id="rememberMeServices" class="org.springframework.security.ui.rememberme.TokenBasedRememberMeServices" >
    	<beans:property name="key" value="yourkey" />
    	<beans:property name="userDetailsService" ref="securityManager" />
    </beans:bean>

 3、实现自己的RememberMeProcessingFilter

	<beans:bean class="com.mysport.security.filter.EnhanceRememberMeProcessingFilter">
		<custom-filter position="REMEMBER_ME_FILTER" />
		<beans:property name="authenticationManager" ref="authenticationManager" />
		<beans:property name="rememberMeServices" ref="rememberMeServices" />
		<beans:property name="memberService" ref="memberService" />
	</beans:bean>

 4、最重要的，重新将rememberMeAuthenticationProvider添加到providers中，主要是设置对应的key，否则cookie在解密时无法正确解出内容

    <beans:bean id="rememberMeAuthenticationProvider" class="org.springframework.security.providers.rememberme.RememberMeAuthenticationProvider">
    	<custom-authentication-provider />
    	<beans:property name="key" value="yourkey" />
    </beans:bean>

 

 

评论

3 楼 hhww0101 2010-11-11  

2010-11-11 11:00:21,320 DEBUG SessionImpl:220 - opened session at timestamp: 5281564349726720
2010-11-11 11:00:21,320 DEBUG JDBCTransaction:54 - begin
2010-11-11 11:00:21,320 DEBUG ConnectionManager:421 - opening JDBC connection
2010-11-11 11:00:21,320 DEBUG JDBCTransaction:59 - current autocommit status: false
2010-11-11 11:00:21,320 DEBUG AbstractBatcher:366 - about to open PreparedStatement (open PreparedStatements: 0, globally: 0)
2010-11-11 11:00:21,320 DEBUG SQL:401 - select this_.id as id15_0_, this_.create_time as create2_15_0_, this_.cryptpassword as cryptpas3_15_0_, this_.emailaddress as emailadd4_15_0_, this_.enabled as enabled15_0_, this_.fullname as fullname15_0_, this_.loginname as loginname15_0_, this_.update_time as update8_15_0_ from userbase this_ where this_.loginname=?
2010-11-11 11:00:21,320 DEBUG AbstractBatcher:382 - about to open ResultSet (open ResultSets: 0, globally: 0)
2010-11-11 11:00:21,320 DEBUG AbstractBatcher:389 - about to close ResultSet (open ResultSets: 1, globally: 1)
2010-11-11 11:00:21,320 DEBUG AbstractBatcher:374 - about to close PreparedStatement (open PreparedStatements: 1, globally: 1)
2010-11-11 11:00:21,320 DEBUG StatefulPersistenceContext:837 - initializing non-lazy collections
2010-11-11 11:00:21,320 DEBUG JDBCTransaction:152 - rollback
2010-11-11 11:00:21,320 DEBUG JDBCTransaction:163 - rolled back JDBC Connection
2010-11-11 11:00:21,320 DEBUG ConnectionManager:302 - transaction completed on session with on_close connection release mode; be sure to close the session to release JDBC resources!
2010-11-11 11:00:21,320 DEBUG ConnectionManager:441 - releasing JDBC connection [ (open PreparedStatements: 0, globally: 0) (open ResultSets: 0, globally: 0)]
2010-11-11 11:00:21,320 DEBUG ConnectionManager:302 - transaction completed on session with on_close connection release mode; be sure to close the session to release JDBC resources!

我整合了quartz定时调度任务，结果输入错误的用户名或密码，后台日志感觉不正常啊。
前台页面也不懂，在ff下看到 Failed to load source for: http://localhost:8080/micrite/j_spring_security_check 加载源代码失败！

2 楼 zhanglei_btest 2009-09-10  

楼主 把自己的代码贴一下 供我们看一下

1 楼 alymail 2009-08-05  

我恰好也有这样的需求，但是试着配置了一下，发现页面都显示不出来，用iehttpheader，查看发现页面一直在重定向，楼主知道什么原因吗？