Spring Security3实现自定义用户名、密码

最新推荐文章于 2023-12-11 19:52:01 发布
最新推荐文章于 2023-12-11 19:52:01 发布
阅读量146 收藏
点赞数
文章标签: java python
原文链接:https://my.oschina.net/Barudisshu/blog/283126
版权

2019独角兽企业重金招聘Python工程师标准>>> hot3.png

实现原理很简单,编写一个类实现BeanPostProcessor接口,并实现该接口的postProcessBeforeInitialization方法,该方法将在初始化时创建一个实例对象。实现该方法可以对UsernamePasswordAuthenticationFilter进行构造注入重构。

首先看看Spring Security3中的UsernamePasswordAuthenticationFilter的实现代码: 

package org.springframework.security.web.authentication;


import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.util.TextEscapeUtils;
import org.springframework.util.Assert;


/**
 * Processes an authentication form submission. Called {@code AuthenticationProcessingFilter} prior to Spring Security
 * 3.0.
 * <p>
 * Login forms must present two parameters to this filter: a username and
 * password. The default parameter names to use are contained in the
 * static fields {@link #SPRING_SECURITY_FORM_USERNAME_KEY} and {@link #SPRING_SECURITY_FORM_PASSWORD_KEY}.
 * The parameter names can also be changed by setting the {@code usernameParameter} and {@code passwordParameter}
 * properties.
 * <p>
 * This filter by default responds to the URL {@code /j_spring_security_check}.
 *
 * @author Ben Alex
 * @author Colin Sampaleanu
 * @author Luke Taylor
 * @since 3.0
 */
public class UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    //~ Static fields/initializers =====================================================================================

    public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "j_username";
    public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "j_password";
    /**
     * @deprecated If you want to retain the username, cache it in a customized {@code AuthenticationFailureHandler}
     */
    @Deprecated
    public static final String SPRING_SECURITY_LAST_USERNAME_KEY = "SPRING_SECURITY_LAST_USERNAME";

    private String usernameParameter = SPRING_SECURITY_FORM_USERNAME_KEY;
    private String passwordParameter = SPRING_SECURITY_FORM_PASSWORD_KEY;
    private boolean postOnly = true;

    //~ Constructors ===================================================================================================

    public UsernamePasswordAuthenticationFilter() {
        super("/j_spring_security_check");
    }

    //~ Methods ========================================================================================================

    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
        if (postOnly && !request.getMethod().equals("POST")) {
            throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
        }

        String username = obtainUsername(request);
        String password = obtainPassword(request);

        if (username == null) {
            username = "";
        }

        if (password == null) {
            password = "";
        }

        username = username.trim();

        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);

        // Allow subclasses to set the "details" property
        setDetails(request, authRequest);

        return this.getAuthenticationManager().authenticate(authRequest);
    }

    /**
     * Enables subclasses to override the composition of the password, such as by including additional values
     * and a separator.<p>This might be used for example if a postcode/zipcode was required in addition to the
     * password. A delimiter such as a pipe (|) should be used to separate the password and extended value(s). The
     * <code>AuthenticationDao</code> will need to generate the expected password in a corresponding manner.</p>
     *
     * @param request so that request attributes can be retrieved
     *
     * @return the password that will be presented in the <code>Authentication</code> request token to the
     *         <code>AuthenticationManager</code>
     */
    protected String obtainPassword(HttpServletRequest request) {
        return request.getParameter(passwordParameter);
    }

    /**
     * Enables subclasses to override the composition of the username, such as by including additional values
     * and a separator.
     *
     * @param request so that request attributes can be retrieved
     *
     * @return the username that will be presented in the <code>Authentication</code> request token to the
     *         <code>AuthenticationManager</code>
     */
    protected String obtainUsername(HttpServletRequest request) {
        return request.getParameter(usernameParameter);
    }

    /**
     * Provided so that subclasses may configure what is put into the authentication request's details
     * property.
     *
     * @param request that an authentication request is being created for
     * @param authRequest the authentication request object that should have its details set
     */
    protected void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) {
        authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
    }

    /**
     * Sets the parameter name which will be used to obtain the username from the login request.
     *
     * @param usernameParameter the parameter name. Defaults to "j_username".
     */
    public void setUsernameParameter(String usernameParameter) {
        Assert.hasText(usernameParameter, "Username parameter must not be empty or null");
        this.usernameParameter = usernameParameter;
    }

    /**
     * Sets the parameter name which will be used to obtain the password from the login request..
     *
     * @param passwordParameter the parameter name. Defaults to "j_password".
     */
    public void setPasswordParameter(String passwordParameter) {
        Assert.hasText(passwordParameter, "Password parameter must not be empty or null");
        this.passwordParameter = passwordParameter;
    }

    /**
     * Defines whether only HTTP POST requests will be allowed by this filter.
     * If set to true, and an authentication request is received which is not a POST request, an exception will
     * be raised immediately and authentication will not be attempted. The <tt>unsuccessfulAuthentication()</tt> method
     * will be called as if handling a failed authentication.
     * <p>
     * Defaults to <tt>true</tt> but may be overridden by subclasses.
     */
    public void setPostOnly(boolean postOnly) {
        this.postOnly = postOnly;
    }

    public final String getUsernameParameter() {
        return usernameParameter;
    }

    public final String getPasswordParameter() {
        return passwordParameter;
    }
}



下面编写类UsernamePasswordAuthenticationFilterPostProcessor实现构造注入重构: 

import org.springframework.beans.BeansException;
import org.springframework.beans.factory.config.BeanPostProcessor;
import org.springframework.core.Ordered;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

/**
 * 实现用户名、密码参数重构
 * @author Barudisshu
 */
public class UsernamePasswordAuthenticationFilterPostProcessor implements BeanPostProcessor, Ordered {

    private final String usernameParameter;
    private final String passwordParameter;

    /**
     * 完全构造函数
     *
     * @param usernameParameter 用户名.
     * @param passwordParameter 密码.
     */
    public UsernamePasswordAuthenticationFilterPostProcessor(String usernameParameter, String passwordParameter) {
        this.usernameParameter = usernameParameter;
        this.passwordParameter = passwordParameter;
    }

    /**
     * 如果该类为UsernamePasswordAuthenticationFilter的一个实例,它的用户名和密码将在post动作中设值。
     *
     * @param bean     要实现的Bean.
     * @param beanName Spring Bean的名称.
     * @return 处理后的Bean.
     * @throws BeansException 异常.
     */
    @Override
    public Object postProcessBeforeInitialization(final Object bean, final String beanName) throws BeansException {
        if (bean instanceof UsernamePasswordAuthenticationFilter) {
            UsernamePasswordAuthenticationFilter filter = (UsernamePasswordAuthenticationFilter) bean;
            filter.setUsernameParameter(this.usernameParameter);
            filter.setPasswordParameter(this.passwordParameter);
        }
        return bean;
    }

    /**
     * 不进行处理的情况
     *
     * @param bean     要实现的Bean.
     * @param beanName Spring Bean的名称.
     * @return 处理后的Bean.
     * @throws BeansException 异常.
     */
    @Override
    public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
        return bean;
    }

    /**
     * Returns the order of this post processor.
     *
     * @return LOWEST_PRECEDENCE always.
     */
    @Override
    public int getOrder() {
        return LOWEST_PRECEDENCE;
    }
}



在Spring-Security.xml配置文件中添加Bean的构造注入: 
<!--不采用默认j_username、j_password,实现自定义构造参数-->
    <bean id="usernamePasswordAuthenticationFilterPostProcessor" class="net.individuals.security.UsernamePasswordAuthenticationFilterPostProcessor">
        <constructor-arg index="0" value="username"/>
        <constructor-arg index="1" value="password"/>
    </bean>



OK,这样在Login表单中,就可以不再使用j_username、j_password这样的参数名了。

转载于:https://my.oschina.net/Barudisshu/blog/283126

weixin_34356555
关注
  • 0
    点赞
  • 0
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
SpringSecurity6 | 自定义认证规则
分享思想,留下痕迹。
12-09 1235
大家好,我是Leo哥🫣🫣🫣,接到上一节,我们学习了如何修改SpringSecurity默认用户,使用我们自己的自定义用户名密码来进行认证登录。但是有时候我们的开发者可能并不是所有的接口都需要进行拦截,就比如,登录,注册接口等这些是不是要进行拦截的,那么如何修改并自定义这些规则。没错这就是我们本节的重点。好了,话不多说让我们开始吧😎😎😎。在SpringSecurity6中,我们原本在原来SpringSecurity实现的方法已经被抛弃,已经完全不能用了。
Springboot项目整合springsecurity框架实现自定义登录认证
qq_41522183的博客
02-23 1879
目录Springsecurity框架整合实现自定义登录认证1.导入依赖:2.进行自定义登录配置3.进行UserDetailsService接口实现类的实现4.自定义认证核心代码类LoginValidateAuthenticationProvider5.认证成功处理器LoginSuccessHandler6.认证失败处理器LoginFailureHandler7.登录界面login.html8.各个路由请求路径9.springsecurity核心配置10.小结 Springsecurity框架整合实现自定义
formvalidation 密码验证密码_史上最简单的Spring Security教程(二十四):自定义用户名密码参数名及用户名密码验证路径...
weixin_39695672的博客
11-26 407
无论是表单登录配置器(FormLoginConfigurer),还是用户密码验证Filter(UsernamePasswordAuthenticationFilter),Spring Security 默认的用户名密码参数名均为 usernamepassword。表单登录配置:public FormLoginConfigurer() { super(new UsernamePa...
security 登陆成功 访问 403_spring security自定义处理登陆
weixin_42624889的博客
01-25 772
spring security自定义处理登陆pom <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> &...
Spring Security3源码分析-UsernamePasswordAuthenticationFilter分析
Dead_Knight的专栏
05-06 319
UsernamePasswordAuthenticationFilter过滤器对应的类路径为 org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter 实际上这个Filter类的doFilter是父类AbstractAuthenticationProcessingFilter的 ...
springboot3整合SpringSecurity实现登录校验与权限认证(万字超详细讲解)
最新发布
2301_78646673的博客
12-11 1万+
用户提交登录请求Spring Security 将请求交给 UsernamePasswordAuthenticationFilter 过滤器处理。UsernamePasswordAuthenticationFilter 获取请求中的用户名密码,并生成一个 AuthenticationToken 对象,将其交给 AuthenticationManager 进行认证。
form表单密码加密传输
Army的专栏
01-31 3万+
在使用用户名密码进行登录时,有时候为了安全需要把密码加密进行传输。 登录 /js/aes.js"> function submitForm(){ var theForm = document.forms[0]; if(theForm.j_username.value !='' && theForm.j_password.value !=''){ if(parent!=null
Spring security 自定义密码加密方式的使用范例。
09-15
通过上述步骤,你已经成功地在Spring Security实现自定义密码加密方式和认证结果处理。在实际项目中,你可能还需要关注其他方面,比如权限控制、记住我功能、CSRF保护等。Spring Security提供了一系列的API和...
spring-security实现自定义登录认证.rar
05-21
3. **实现UserDetailsService**:这是Spring Security的核心接口,用于获取用户的详细信息。你需要提供一个实现,如`MyUserDetailsService`,并重写`loadUserByUsername(String username)`方法,从数据库或其他数据...
Spring Boot Security 2.5.8 实现账号、手机号、邮件登录,记住密码等功能
11-13
总之,这个项目提供了全面的示例,展示如何利用Spring Boot Security 2.5.8实现多种登录方式,并结合记住密码和JWT功能,构建了一个健壮的安全认证系统。对于任何想要在Spring Boot应用中实施安全控制的开发者来说,...
springsecurity UsernamePasswordAuthenticationFilter PasswordEncoder
six_teen的博客
11-17 1736
最近开始学习了springsecurity框架,为写后台页面做个权限管理什么的打基础。 springsecurity是基础springboot的,所以创建一个springboot工程引入依赖就可以很轻松的整合springsecurity了。(类似的权限管理框架还有shiro) 1. 创建一个普通的springboot项目(不用勾选任何东西),我这边使用的springboot版本是2.2.1.RELEASE 依赖如下: pom.xml <dependencies> <!--sprin
Spring security常见用法(一)
攀登Fox的博客
05-05 764
目录1、自定义用户名密码2、自定义登录成功跳转地址3、自定义登录失败跳转地址4、常见授权匹配方式5、常见内置访问控制方法6、常见角色权限判断方法7、自定义无权限403返回信息 1、自定义用户名密码Spring security用户名默认为username字段,密码默认为password字段,这些是在过滤器UsernamePasswordAuthenticationFilter中定义好的。...
Spring Security教程外篇(1)---- AuthenticationException异常详解
热门推荐
jaune162的专栏,最新动态请关注:https://jaune162.blog
01-16 6万+
这个异常是在登录的时候出现错误时抛出的异常,比如账户锁定,证书失效等,先来看下AuthenticationException常用的的子类: UsernameNotFoundException 用户找不到 BadCredentialsException 坏的凭据 AccountStatusException 用户状态异常它包含如下子类 AccountExpiredException 账户过期
[spring security 那点事儿]配置方式
quzishen的专栏
09-02 1万+
这段时间一直开发的B2C的网购平台已经完成了将近一半的功能,突然觉得自己之前对于权限管理方面的hold决定将给后面带来不小的工作量,所以决定现在就加入权限判断的功能。很容易联想到spring security来做这个事情,先看看一个官方文档的翻译版本:http://www.family168.com/tutorial/springsecurity/html/springsecurity.html写的有些简略,但是足以能step by step的执行下去。这里总结一下今天通过命名空间方式的配置过程吧。既然要做
springSecurity 中不能抛出异常UserNameNotFoundException 解析
weixin_34365635的博客
01-19 1656
通过查看源码可得知: 1. 前言 抽象类中AbstractUserDetailsAuthenticationProvider 接口抛出异常AuthenticationException 下面源码注释这么描述 * * @throws AuthenticationException if the credentials c...
war应用启用安全性时,需要配置web.xml文件
can_do_it的专栏
07-14 258
all roles access /jspdir/* *.do allrole NONE FORM /login.jsp /login_error.jsp allrole 说...
element 修改表单值后表单验证无效_Spring Security 表单登录自定义用户名密码参数名及用户名密码验证路径
weixin_39980809的博客
11-28 170
无论是表单登录配置器(FormLoginConfigurer),还是用户密码验证Filter(UsernamePasswordAuthenticationFilter),Spring Security 默认的用户名密码参数名均为 usernamepassword。表单登录配置:public 用户密码验证Filter:public 同样的,还有用户密码验证Filter(UsernamePassw...
史上最简单的Spring Security教程(二十四):自定义用户名密码参数名及用户名密码验证路径
银河架构师的博客
08-24 2680
​无论是表单登录配置器(FormLoginConfigurer),还是用户密码验证Filter(UsernamePasswordAuthenticationFilter),Spring Security默认的用户名密码参数名均为usernamepassword。 表单登录配置: public FormLoginConfigurer() { super(new UsernamePasswordAuthenticationFilter(), null); usernamePa...
spring security 密码过期强制修改密码
路过君的博客
07-22 2197
定义认证失败处理器处理CredentialsExpiredException密码过期异常 public class AuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler { protected Logger logger = LoggerFactory.getLogger(this.getClass()); public AuthenticationFailureHandler() { .
springsecurity默认用户名密码
09-19
Spring Security 默认不提供用户名密码,而是通过配置文件进行自定义设置。在Spring Security的配置文件中,可以通过使用`UserDetailsService`接口的实现类来创建用户,并配置他们的用户名密码。下面是一个示例...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值