Spring security4.1.4 如何实现api接口和页面的双重拦截

dileber先暂缓一下，最近在作服务器认证方面的东西

貌似市面上关于双重拦截的比较少，而且版本都比较旧 ，我今天就给大家讲讲spring secutiry的双重拦截，下回我再讲讲shiro的双重拦截。最近做东西比较杂乱～～哈哈

首先讲一下spring Security入和对接口和页面同时拦截

首先是配置文件

<beans:beans xmlns="http://www.springframework.org/schema/security"             xmlns:beans="http://www.springframework.org/schema/beans"              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"             xsi:schemaLocation="http://www.springframework.org/schema/beans   http://www.springframework.org/schema/beans/spring-beans-3.0.xsd   http://www.springframework.org/schema/security   http://www.springframework.org/schema/security/spring-security-3.2.xsd">    <!-- enable use-expressions -->    <http auto-config="true" use-expressions="true" entry-point-ref="MyAuthenticationEntryPoint">

不拦截的接口

        <intercept-url pattern="/customer" access="permitAll"></intercept-url>

       拦截的api        <intercept-url pattern="api/cv1/**" access="hasRole('ROLE_USER')" />       拦截的网页        <intercept-url pattern="/customer/**" access="hasRole('ROLE_USER')" />       页面登录        <custom-filter ref="loginFilter" after="FORM_LOGIN_FILTER"/>ajax登录        <custom-filter ref="ajaxLoginFilter" before="FORM_LOGIN_FILTER"/>开启csrf，之前的博客我也有说个csrf 你们自己看看就好        <!-- enable csrf protection -->        <!--<csrf/>-->    </http>    <beans:bean id="MyAuthenticationEntryPoint" class="com.cs.jucaibang.back_end.utils.springsecurity.MyAuthenticationEntryPoint">        <beans:property name="loginFormUrl" value="/customer/login" />    </beans:bean>    <!-- 验证ajax请求,配置 开始-->    <beans:bean id="ajaxLoginFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">        <beans:property name="authenticationManager" ref="authenticationManager"/>        <beans:property name="authenticationFailureHandler" ref="ajaxFailureHandler"/>        <beans:property name="authenticationSuccessHandler" ref="ajaxSuccessHandler"/>        <beans:property name="filterProcessesUrl" value="/api/login"/>        <beans:property name="passwordParameter" value="passWord"/>        <beans:property name="usernameParameter" value="userName"/>    </beans:bean>    <beans:bean id="ajaxFailureHandler" class="com.utils.springsecurity.AjaxAuthenticationFailureHandler">    </beans:bean>    <beans:bean id="ajaxSuccessHandler" class="com.utils.springsecurity.AjaxAuthenticationSuccessHandler">    </beans:bean>    <!-- 验证ajax请求,配置 结束-->    <!--普通请求，配置开始 -->    <beans:bean id="loginFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">        <beans:property name="authenticationManager" ref="authenticationManager"/>        <beans:property name="authenticationFailureHandler" ref="failureHandler"/>        <beans:property name="authenticationSuccessHandler" ref="successHandler"/>        <beans:property name="filterProcessesUrl" value="/customer/login"/>        <beans:property name="passwordParameter" value="passWord"/>        <beans:property name="usernameParameter" value="userName"/>    </beans:bean>    <beans:bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">        <beans:property name="defaultFailureUrl" value="/err/403" />    </beans:bean>    <beans:bean id="successHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">        <beans:property name="alwaysUseDefaultTargetUrl" value="false"/>        <beans:property name="defaultTargetUrl" value="/"/>    </beans:bean>    <!--普通请求，配置结束 -->      <!-- Select users and user_roles from database -->    <authentication-manager  alias="authenticationManager">        <authentication-provider ref='commonAuthenticationProvider'/>        <!--        <authentication-provider>            <jdbc-user-service                 data-source-ref="dataSource"                users-by-username-query=                "select username,password, enabled from users where username=?"                authorities-by-username-query=                "select username, role from user_roles where username =?  " />        </authentication-provider>-->    </authentication-manager>           <global-method-security secured-annotations="enabled" /></beans:beans>

实现

AuthenticationFailureHandler

/** * Created by yy on 2016/1/12. */public class AjaxAuthenticationFailureHandler implements AuthenticationFailureHandler {    public AjaxAuthenticationFailureHandler() {    }    @Override    public void onAuthenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {        httpServletResponse.setContentType("application/json");        httpServletResponse.setCharacterEncoding("UTF-8");        PrintWriter out = httpServletResponse.getWriter();        DataWrapper dataWrapper = new DataWrapper();        dataWrapper.setStatus(-1);        dataWrapper.setMsg("登录失败");        out.println(StringHelper.JsonHelper.toJson(dataWrapper));        out.flush();        out.close();    }}

同上

/** * Created by yy on 2016/1/12. */public class AjaxAuthenticationSuccessHandler implements AuthenticationSuccessHandler {    public AjaxAuthenticationSuccessHandler() {    }    @Autowired    UserService service;    @Override    public void onAuthenticationSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {        httpServletResponse.setContentType("application/json");        httpServletResponse.setCharacterEncoding("UTF-8");        PrintWriter out = httpServletResponse.getWriter();        ModelUserAuth user = (ModelUserAuth) authentication.getPrincipal();        WrapperJcbLogin result=service.spring_login(user.getUserName(), httpServletRequest);        out.println(StringHelper.JsonHelper.toJson(result));        out.flush();        out.close();    }}

同上

/** * Created by yy on 2016/1/12. */public class MyAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint {    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();    static Pattern apiPattern= Pattern.compile("^/[a-z]v[0-1]/(w|r)/");    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)            throws IOException, ServletException {        String redirectUrl = null;        String url = request.getRequestURI();        Matcher m=apiPattern.matcher(url);        if( m.find()){            response.setContentType("application/json");            response.setCharacterEncoding("UTF-8");            PrintWriter out = response.getWriter();            DataWrapper dataWrapper = new DataWrapper();            dataWrapper.setStatus(-1);            dataWrapper.setMsg("您还未登录");            out.println(StringHelper.JsonHelper.toJson(dataWrapper));            out.flush();            out.close();        }else{            if (this.isUseForward()) {                if (this.isForceHttps() && "http".equals(request.getScheme())) {                    // First redirect the current request to HTTPS.                    // When that request is received, the forward to the login page will be used.                    redirectUrl = buildHttpsRedirectUrlForRequest(request);                }                if (redirectUrl == null) {                    String loginForm = determineUrlToUseForThisRequest(request, response, authException);                    RequestDispatcher dispatcher = request.getRequestDispatcher(loginForm);                    dispatcher.forward(request, response);                    return;                }            } else {                // redirect to login page. Use https if forceHttps true                redirectUrl = buildRedirectUrlToLoginPage(request, response, authException);            }            redirectStrategy.sendRedirect(request, response, redirectUrl);        }    }}

/** * Created by yy on 2016/1/11. * 对spring security 拦截的重写 * */public class MySpringAccessDeniedHandler implements AccessDeniedHandler {    @Override    public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException accessDeniedException) throws IOException, ServletException {        boolean isAjax = "XMLHttpRequest".equals(httpServletRequest.getHeader("X-Requested-With"));        //如果是ajax请求        if (isAjax) {            httpServletResponse.setContentType("application/json");            httpServletResponse.setCharacterEncoding("UTF-8");            PrintWriter out = httpServletResponse.getWriter();            DataWrapper dataWrapper = new DataWrapper();            dataWrapper.setStatus(-1);            dataWrapper.setMsg("403");            out.println(StringHelper.JsonHelper.toJson(dataWrapper));            out.flush();            out.close();            return;        }        else if (!httpServletResponse.isCommitted()) {            if (clientErrorPage != null) {                // Put exception into request scope (perhaps of use to a view)                httpServletRequest.setAttribute(WebAttributes.ACCESS_DENIED_403, accessDeniedException);                // Set the 403 status code.                httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);                // forward to error page.                RequestDispatcher dispatcher = httpServletRequest.getRequestDispatcher(clientErrorPage);                dispatcher.forward(httpServletRequest, httpServletResponse);            } else {                httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedException.getMessage());            }        }    }    private String clientErrorPage;    public void setClientErrorPage(String clientErrorPage) {        if((clientErrorPage != null)&&!clientErrorPage.startsWith("/")){            throw new IllegalArgumentException("errorPage must begin with '/'");        }        this.clientErrorPage = clientErrorPage;    }}

如上几步就可以成功配置双重拦截了