一、前言
在上一篇http://blog.csdn.net/k10509806/archive/2011/04/28/6369131.aspx文章中,提到的MyUserDetailServiceImpl获取用户权限,在用户没有登陆的时候,Spring Security会让我们自动跳转到默认的登陆界面,但在实际应用绝大多数是用我们自己的登陆界面的,其中就包括一些我们自己的逻辑,比如验证码。所以本人又研究一下,终于摸清了一些如何配置自己的登陆界面的办法。在这里献丑了。
二、Spring Security的过滤器
通过DEBUG可以看到Spring Security的Filter的顺序
Security filter chain: [
ConcurrentSessionFilter
SecurityContextPersistenceFilter
LogoutFilter
MyUsernamePasswordAuthenticationFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
RememberMeAuthenticationFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
MySecurityFilter
FilterSecurityInterceptor
]
Spring Security的登陆验证用的就是MyUsernamePasswordAuthenticationFilter,所以要实现我们自己的验证,可以写一个类并继承MyUsernamePasswordAuthenticationFilter类,重写attemptAuthentication方法。
三、applicationContext-Security.xml配置
- <?xml version="1.0" encoding="UTF-8"?>
- <beans:beans xmlns="http://www.springframework.org/schema/security"
- xmlns:beans="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
- http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
-
- <debug/>
- <http pattern="/js/**" security="none"/>
- <http pattern="/resource/**" security="none"></http>
- <http pattern="/login.jsp" security="none"/>
-
- <http use-expressions="true" entry-point-ref="authenticationProcessingFilterEntryPoint">
- <logout/>
-
- <remember-me />
- <session-management invalid-session-url="/timeout.jsp">
- <concurrency-control max-sessions="10" error-if-maximum-exceeded="true" />
- </session-management>
-
- <custom-filter ref="loginFilter" position="FORM_LOGIN_FILTER" />
- <custom-filter ref="securityFilter" before="FILTER_SECURITY_INTERCEPTOR"/>
- </http>
-
-
- <beans:bean id="loginFilter"
- class="com.huaxin.security.MyUsernamePasswordAuthenticationFilter">
-
- <beans:property name="filterProcessesUrl" value="/j_spring_security_check"></beans:property>
-
- <beans:property name="authenticationSuccessHandler" ref="loginLogAuthenticationSuccessHandler"></beans:property>
-
- <beans:property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler"></beans:property>
- <beans:property name="authenticationManager" ref="myAuthenticationManager"></beans:property>
-
- <beans:property name="usersDao" ref="usersDao"></beans:property>
- </beans:bean>
- <beans:bean id="loginLogAuthenticationSuccessHandler"
- class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
- <beans:property name="defaultTargetUrl" value="/index.jsp"></beans:property>
- </beans:bean>
- <beans:bean id="simpleUrlAuthenticationFailureHandler"
- class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
-
- <beans:property name="defaultFailureUrl" value="/login.jsp"></beans:property>
- </beans:bean>
-
-
- <beans:bean id="securityFilter" class="com.huaxin.security.MySecurityFilter">
-
- <beans:property name="authenticationManager" ref="myAuthenticationManager" />
-
- <beans:property name="accessDecisionManager" ref="myAccessDecisionManager" />
-
- <beans:property name="securityMetadataSource" ref="mySecurityMetadataSource" />
- </beans:bean>
-
- <authentication-manager alias="myAuthenticationManager">
- <authentication-provider user-service-ref="myUserDetailServiceImpl" />
- </authentication-manager>
-
- <beans:bean id="myAccessDecisionManager" class="com.huaxin.security.MyAccessDecisionManager"></beans:bean>
- <beans:bean id="mySecurityMetadataSource" class="com.huaxin.security.MySecurityMetadataSource">
- <beans:constructor-arg name="resourcesDao" ref="resourcesDao"></beans:constructor-arg>
- </beans:bean>
- <beans:bean id="myUserDetailServiceImpl" class="com.huaxin.security.MyUserDetailServiceImpl">
- <beans:property name="usersDao" ref="usersDao"></beans:property>
- </beans:bean>
-
-
- <beans:bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
- <beans:property name="loginFormUrl" value="/login.jsp"></beans:property>
- </beans:bean>
- </beans:beans>
这里特别要说明一下,我们的<http>标签不能配置auto-config,因为这样配置后,依然会采用Spring Security的Filter Chain会与下面我们配的custom-filter冲突,最好会抛异常。还有配置一个切入点entry-point-ref="authenticationProcessingFilterEntryPoint",为了在未登陆的时候,跳转到哪个页面,不配也会抛异常。
<custom-filter ref="loginFilter" position="FORM_LOGIN_FILTER" /> position表示替换掉Spring Security原来默认的登陆验证Filter。
四、MyUsernamePasswordAuthenticationFilter
有时间,大家看看源码吧。
五、login.jsp
- <body>
- <span style="color:red"><%=session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) %></span>
- <form action="j_spring_security_check" method="post">
- Account:<Input name="username"/><br/>
- Password:<input name="password" type="password"/><br/>
- <input value="submit" type="submit"/>
- </form>
- </body>
六、完了,源码大家可以看下我上一篇文章http://blog.csdn.net/k10509806/archive/2011/04/28/6369131.aspx。