在acegi中的登陆页面:
<form action="<c:url value="j_acegi_security_check"/>" method="POST">
登陆的请求是发给/ j_acegi_security_check,在我们的系统中往往要在登陆中做一些登陆前和登陆后的操作。如记录用户的行为,加入验证码等。
在acegi的配置文件中加入以下的过滤器:
<bean id="filterChainProxy"
class="org.acegisecurity.util.FilterChainProxy">
<property name="filterInvocationDefinitionSource">
<value>
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
PATTERN_TYPE_APACHE_ANT
/**=httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
</value>
</property>
</bean>
通过改写authenticationProcessingFilter可以实现以上目的:
<bean id="authenticationProcessingFilter"
class="org.artemis.manager.auth.AuthenticationProcessingFilter">
<property name="authenticationManager"
ref="authenticationManager" />
<!-- 认证失败后,重定向的url -->
<property name="authenticationFailureUrl"
value="/login.jsp?login_error=1" />
<!-- 认证成功后,重定向的url -->
<property name="defaultTargetUrl" value="/" />
<!-- 该过滤器拦截的url,通常是/j_acegi_security_check,和登录页面(login.jsp)的登录表单的action相同 -->
<property name="filterProcessesUrl"
value="/j_acegi_security_check" />
<property name="rememberMeServices" ref="rememberMeServices" />
</bean>
package org.artemis.manager.auth;
…………………………
public class AuthenticationProcessingFilter implements Filter, InitializingBean, ApplicationEventPublisherAware {
public static final String ACEGI_SAVED_REQUEST_KEY = "ACEGI_SAVED_REQUEST_KEY";
public static final String ACEGI_SECURITY_LAST_EXCEPTION_KEY = "ACEGI_SECURITY_LAST_EXCEPTION";
public static final String ACEGI_SECURITY_FORM_USERNAME_KEY = "j_username";
public static final String ACEGI_SECURITY_FORM_PASSWORD_KEY = "j_password";
public static final String ACEGI_SECURITY_LAST_USERNAME_KEY = "ACEGI_SECURITY_LAST_USERNAME";
private ApplicationEventPublisher eventPublisher;
private AuthenticationDetailsSource authenticationDetailsSource = new AuthenticationDetailsSourceImpl();
private AuthenticationManager authenticationManager;
private String authenticationFailureUrl;
private String defaultTargetUrl;
private String filterProcessesUrl = getDefaultFilterProcessesUrl();
private boolean alwaysUseDefaultTargetUrl = false;
private RememberMeServices rememberMeServices = new NullRememberMeServices();
protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
private Properties exceptionMappings = new Properties();
private boolean continueChainBeforeSuccessfulAuthentication = false;
public boolean isContinueChainBeforeSuccessfulAuthentication() {
return continueChainBeforeSuccessfulAuthentication;
}
public void setContinueChainBeforeSuccessfulAuthentication(
boolean continueChainBeforeSuccessfulAuthentication) {
this.continueChainBeforeSuccessfulAuthentication = continueChainBeforeSuccessfulAuthentication;
}
public String getDefaultFilterProcessesUrl() {
return "/j_acegi_security_check";
}
public void destroy() {}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
if (!(request instanceof HttpServletRequest)) {
throw new ServletException("Can only process HttpServletRequest");
}
if (!(response instanceof HttpServletResponse)) {
throw new ServletException("Can only process HttpServletResponse");
}
HttpServletRequest httpRequest = (HttpServletRequest) request;
HttpServletResponse httpResponse = (HttpServletResponse) response;
String username = obtainUsername(httpRequest);
String password = obtainPassword(httpRequest);
if (username == null) {
username = "";
}
if (password == null) {
password = "";
}
if (requiresAuthentication(httpRequest, httpResponse)) {
Authentication authResult;
try {
//加入验证码
if(!onPreAuthentication(httpRequest, httpResponse)){
httpRequest.getSession().setAttribute(ACEGI_SECURITY_LAST_USERNAME_KEY,
username);
throw new AuthenticationCodeException("请输入正确的验证码!");
}
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,
password);
setDetails(httpRequest, authRequest);
httpRequest.getSession().setAttribute(ACEGI_SECURITY_LAST_USERNAME_KEY,username);
authResult = this.getAuthenticationManager().authenticate(authRequest);
// Authentication success
if (continueChainBeforeSuccessfulAuthentication) {
filterChain.doFilter(httpRequest, httpResponse);
}
//可以在此加入验证成功后的功能代码
successfulAuthentication(httpRequest, httpResponse, authResult);
String targetUrl = alwaysUseDefaultTargetUrl ? null : obtainFullRequestUrl(httpRequest);
if (targetUrl == null) {
targetUrl = getDefaultTargetUrl();
}
if (!targetUrl.startsWith("http://") && !targetUrl.startsWith("https://")) {
targetUrl = httpRequest.getContextPath() + targetUrl;
}
httpResponse.sendRedirect(httpResponse.encodeRedirectURL(targetUrl));
return ;
} catch (AuthenticationException failed) {
// Authentication failed
unsuccessfulAuthentication(httpRequest, httpResponse, failed);
String failureUrl = exceptionMappings.getProperty(failed.getClass().getName(), authenticationFailureUrl);
if (!failureUrl.startsWith("http://") && !failureUrl.startsWith("https://")) {
failureUrl = httpRequest.getContextPath() + failureUrl;
}
httpResponse.sendRedirect(httpResponse.encodeRedirectURL(failureUrl));
return;
}
}
filterChain.doFilter(request, response);
}
public Authentication attemptAuthentication(HttpServletRequest request,HttpServletResponse response)
throws AuthenticationException, IOException{
String username = obtainUsername(request);
String password = obtainPassword(request);
// System.out.println("username: "+username +" passward:"+password) ;
if (username == null) {
username = "";
}
if (password == null) {
password = "";
}
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username,
password);
setDetails(request, authRequest);
request.getSession().setAttribute(ACEGI_SECURITY_LAST_USERNAME_KEY,
username);
return this.getAuthenticationManager().authenticate(authRequest);
}
protected void setDetails(HttpServletRequest request,
UsernamePasswordAuthenticationToken authRequest) {
authRequest.setDetails(new WebAuthenticationDetails(request));
}
protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
String uri = request.getRequestURI();
int pathParamIndex = uri.indexOf(';');
if (pathParamIndex > 0) {
uri = uri.substring(0, pathParamIndex);
}
return uri.endsWith(request.getContextPath() + filterProcessesUrl);
}
public void init(FilterConfig arg0) throws ServletException {}
public void afterPropertiesSet() throws Exception {}
public void setApplicationEventPublisher(ApplicationEventPublisher context) {
this.eventPublisher = context;
}
public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource) {
Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required");
this.authenticationDetailsSource = authenticationDetailsSource;
}
public boolean isAlwaysUseDefaultTargetUrl() {
return alwaysUseDefaultTargetUrl;
}
public void setAlwaysUseDefaultTargetUrl(boolean alwaysUseDefaultTargetUrl) {
this.alwaysUseDefaultTargetUrl = alwaysUseDefaultTargetUrl;
}
public String getAuthenticationFailureUrl() {
return authenticationFailureUrl;
}
public void setAuthenticationFailureUrl(String authenticationFailureUrl) {
this.authenticationFailureUrl = authenticationFailureUrl;
}
public String getDefaultTargetUrl() {
return defaultTargetUrl;
}
public void setDefaultTargetUrl(String defaultTargetUrl) {
this.defaultTargetUrl = defaultTargetUrl;
}
public String getFilterProcessesUrl() {
return filterProcessesUrl;
}
public void setFilterProcessesUrl(String filterProcessesUrl) {
this.filterProcessesUrl = filterProcessesUrl;
}
protected String obtainPassword(HttpServletRequest request) {
String password=request.getParameter(ACEGI_SECURITY_FORM_PASSWORD_KEY);
if(password!=null){
return MD5.toMD5(request.getParameter(ACEGI_SECURITY_FORM_PASSWORD_KEY));
}
return password;
}
protected String obtainUsername(HttpServletRequest request) {
return request.getParameter(ACEGI_SECURITY_FORM_USERNAME_KEY);
}
//加入验证码
protected boolean onPreAuthentication(HttpServletRequest request, HttpServletResponse response)
throws AuthenticationException, IOException {
String randNum=request.getParameter("randNum");
String rand=(String)request.getSession().getAttribute("rand");
if(rand.equals(randNum)){
return true;
}
return false;
}
//可以在此加入验证成功后的功能代码
protected void onSuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
Authentication authResult) throws IOException {}
protected void onUnsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
AuthenticationException failed) throws IOException {}
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
Authentication authResult) throws IOException {
//logger.info("Authentication success: " + authResult.toString());
SecurityContextHolder.getContext().setAuthentication(authResult);
onSuccessfulAuthentication(request, response, authResult);
rememberMeServices.loginSuccess(request, response, authResult);
// Fire event
if (this.eventPublisher != null) {
eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));
}
}
protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response,
AuthenticationException failed) throws IOException {
SecurityContextHolder.getContext().setAuthentication(null);
//logger.info("Updated SecurityContextHolder to contain null Authentication");
try {
request.getSession().setAttribute(ACEGI_SECURITY_LAST_EXCEPTION_KEY, failed);
} catch (Exception ignored) {}
onUnsuccessfulAuthentication(request, response, failed);
rememberMeServices.loginFail(request, response);
}
public static String obtainFullRequestUrl(HttpServletRequest request) {
SavedRequest savedRequest = (SavedRequest) request.getSession()
.getAttribute(ACEGI_SAVED_REQUEST_KEY);
return (savedRequest == null) ? null : savedRequest.getFullRequestUrl();
}
public Properties getExceptionMappings() {
return exceptionMappings;
}
public void setExceptionMappings(Properties exceptionMappings) {
this.exceptionMappings = exceptionMappings;
}
public MessageSourceAccessor getMessages() {
return messages;
}
public void setMessages(MessageSourceAccessor messages) {
this.messages = messages;
}
public RememberMeServices getRememberMeServices() {
return rememberMeServices;
}
public void setRememberMeServices(RememberMeServices rememberMeServices) {
this.rememberMeServices = rememberMeServices;
}
public ApplicationEventPublisher getEventPublisher() {
return eventPublisher;
}
public void setEventPublisher(ApplicationEventPublisher eventPublisher) {
this.eventPublisher = eventPublisher;
}
public AuthenticationDetailsSource getAuthenticationDetailsSource() {
return authenticationDetailsSource;
}
public AuthenticationManager getAuthenticationManager() {
return authenticationManager;
}
public void setAuthenticationManager(AuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
}
}
如何编写验证码由于篇幅问题在此不多说了。在doFilter方法中我们加入onPreAuthentication,通过比较用户输入的验证码 和存在session中的验证码,如果相同才进行下一步的验证操作,否则返回登陆页面做出相应的提示。登陆成功后可以在 successfulAuthentication方法中加入一些登陆后操作。
扩展acegi以支持验证码等
最新推荐文章于 2021-06-18 16:33:36 发布