spring security 4.1 中自定义登录界面和扩展login controller

spring security 4.1.3 中自定义登录界面 并且扩展 login controller的实现和配置方法

参考文档 : 自定义Login/Logout Filter、AuthenticationProvider、AuthenticationToken
Spring Security Reference
1. 需求：
在项目中需要用spring security来进行权限管理。并且需要对login的功能进行扩展。比如：登录成功以后，把用户名放入session中
2. 配置
web.xml

<?xml version="1.0" encoding="UTF-8"?><web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee           http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="Whale" version="3.1">    <display-name>Whale</display-name>    <filter>        <filter-name>encodingFilter</filter-name>        <filter-class>org.springframework.web.filter.CharacterEncodingFilter</filter-class>        <async-supported>true</async-supported>        <init-param>            <param-name>encoding</param-name>            <param-value>UTF-8</param-value>        </init-param>    </filter>    <filter-mapping>        <filter-name>encodingFilter</filter-name>        <url-pattern>/*</url-pattern>    </filter-mapping>    <listener>        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>    </listener>    <context-param>        <param-name>contextConfigLocation</param-name>        <param-value>            classpath:META-INF/applicationContext.xml,            classpath:META-INF/applicationContext-security.xml        </param-value>    </context-param>    <!-- 防止内存泄漏 -->    <listener>        <listener-class>org.springframework.web.util.IntrospectorCleanupListener</listener-class>    </listener>    <servlet>        <servlet-name>SpringMVC</servlet-name>        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>        <init-param>            <param-name>contextConfigLocation</param-name>            <param-value>classpath:META-INF/spring-mvc.xml</param-value>        </init-param>        <load-on-startup>1</load-on-startup>        <async-supported>true</async-supported>    </servlet>    <servlet-mapping>        <servlet-name>SpringMVC</servlet-name>        <url-pattern>/</url-pattern>    </servlet-mapping>    <!-- spring security -->    <filter>        <filter-name>springSecurityFilterChain</filter-name>        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>    </filter>    <filter-mapping>        <filter-name>springSecurityFilterChain</filter-name>        <url-pattern>/*</url-pattern>    </filter-mapping>    <!-- end -->    <welcome-file-list>        <welcome-file>/views/welcome.jsp</welcome-file>    </welcome-file-list>    <servlet-mapping>        <servlet-name>jsp</servlet-name>        <url-pattern>*.jsp</url-pattern>    </servlet-mapping>    <session-config>        <session-timeout>10</session-timeout>    </session-config></web-app>

applicationContext-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.3.xsd    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.1.xsd">    <http auto-config="false">        <intercept-url pattern="/" access="permitAll" />        <intercept-url pattern="/admin**" access="hasRole('ADMIN')" />        <intercept-url pattern="/dba**" access="hasRole('DBA')" />        <!-- 自定义登录的界面 -->        <form-login login-page="/views/login.jsp" username-parameter="username" password-parameter="password" authentication-failure-url="/views/accessDenied.jsp" />        <!-- 自定登录的filter -->        <custom-filter before="FORM_LOGIN_FILTER" ref="customLoginFilter" />        <!-- 自定退出的filter -->        <custom-filter before="LOGOUT_FILTER" ref="customLogoutFilter" />    </http>    <authentication-manager alias="authenticationManager">        <authentication-provider>            <user-service>                <user name="user" password="user" authorities="ROLE_USER" />                <user name="admin" password="root123" authorities="ROLE_ADMIN" />                <user name="dba" password="dba" authorities="ROLE_ADMIN,ROLE_DBA" />            </user-service>        </authentication-provider>    </authentication-manager>    <!-- 指定登录filter的实现类 -->    <beans:bean id="customLoginFilter" class="com.ninelephas.whale.springsecurity.CustomLoginFilter">        <beans:property name="authenticationManager" ref="authenticationManager" />    </beans:bean>    <!-- 指定退出filter的实现类 -->    <beans:bean id="customLogoutFilter" class="com.ninelephas.whale.springsecurity.CustomLogoutFilter">        <!-- 处理退出的虚拟url -->        <beans:property name="filterProcessesUrl" value="/logout" />        <!-- 退出处理成功后的默认显示url -->        <beans:constructor-arg index="0" value="/" />        <beans:constructor-arg index="1">            <!-- 退出成功后的handler列表 -->            <beans:array>                <beans:bean id="securityContextLogoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />                <!-- 加入了开发人员自定义的退出成功处理 -->                <beans:bean id="customLogoutSuccessHandler" class="com.ninelephas.whale.springsecurity.CustomLogoutHandler" />            </beans:array>        </beans:constructor-arg>    </beans:bean></beans:beans>

1. 这里要注意几点：
   a. http auto-config=”false” 不能设置成auto-config=”true”
   b. 自定义登录的界面
   
<form-login login-page="/views/login.jsp" username-parameter="username" password-parameter="password" authentication-failure-url="/views/accessDenied.jsp" />

   c. 自定义登录的filter
   
<custom-filter before="FORM_LOGIN_FILTER" ref="customLoginFilter" />

   d. 定义 authentication-manager 的别名，指定给filter来使用
   
<authentication-manager alias="authenticationManager">

   e. 指定登录filter的实现类
   
<beans:bean id="customLoginFilter" class="com.ninelephas.whale.springsecurity.CustomLoginFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>

2. customLoginFilter 的代码如下:

/** * @Title: CustomLoginFilter.java * @Package com.ninelephas.whale.springsecurity * @Description: TODO *               Copyright: Copyright (c) 2016 *               Company:九象网络科技（上海）有限公司 *  * @author roamerxv * @date 2016年9月6日 上午11:23:31 * @version V1.0.0 */package com.ninelephas.whale.springsecurity;import java.io.IOException;import javax.servlet.FilterChain;import javax.servlet.ServletException;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import org.apache.logging.log4j.LogManager;import org.apache.logging.log4j.Logger;import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;import org.springframework.security.core.Authentication;import org.springframework.security.core.AuthenticationException;import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;/** * @ClassName: CustomLoginFilter * @Description: TODO * @author Comsys-roamerxv * @date 2016年9月6日 上午11:23:31 * */public class CustomLoginFilter extends UsernamePasswordAuthenticationFilter {    /**     * Logger for this class     */    private static final Logger logger = LogManager.getLogger(CustomLoginFilter.class.getName());    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {        logger.debug("attemptAuthentication(HttpServletRequest, HttpServletResponse) - start"); //$NON-NLS-1$        String username = obtainUsername(request).toUpperCase().trim();        String password = obtainPassword(request);        Authentication returnAuthentication = null;        try {            UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);            returnAuthentication = this.getAuthenticationManager().authenticate(authRequest);        } catch (Exception e) {            logger.error(e);            throw e ;        }        logger.debug("attemptAuthentication(HttpServletRequest, HttpServletResponse) - end"); //$NON-NLS-1$        return returnAuthentication;    }    @Override    protected void successfulAuthentication(HttpServletRequest request,        HttpServletResponse response,        FilterChain chain,        Authentication authResult) throws IOException, ServletException {        logger.debug("successfulAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, Authentication) - start"); //$NON-NLS-1$        super.successfulAuthentication(request, response, chain, authResult);        logger.debug("登录成功！");        logger.debug("successfulAuthentication(HttpServletRequest, HttpServletResponse, FilterChain, Authentication) - end"); //$NON-NLS-1$    }    @Override    protected void unsuccessfulAuthentication(HttpServletRequest request,        HttpServletResponse response, AuthenticationException failed)        throws IOException, ServletException {        logger.debug("unsuccessfulAuthentication(HttpServletRequest, HttpServletResponse, AuthenticationException) - start"); //$NON-NLS-1$        super.unsuccessfulAuthentication(request, response, failed);        logger.debug("登录失败！");        logger.debug("unsuccessfulAuthentication(HttpServletRequest, HttpServletResponse, AuthenticationException) - end"); //$NON-NLS-1$    }}

CustomLogoutFilter.java

/** * @Title: CustomLogoutFilter.java * @Package com.ninelephas.whale.springsecurity * @Description: TODO *               Copyright: Copyright (c) 2016 *               Company:九象网络科技（上海）有限公司 *  * @author roamerxv * @date 2016年9月6日 下午3:13:07 * @version V1.0.0 */package com.ninelephas.whale.springsecurity;import org.apache.logging.log4j.Logger;import org.apache.logging.log4j.LogManager;import org.springframework.security.web.authentication.logout.LogoutFilter;import org.springframework.security.web.authentication.logout.LogoutHandler;import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;/** * @ClassName: CustomLogoutFilter * @Description: TODO * @author Comsys-roamerxv * @date 2016年9月6日 下午3:13:07 * */public class CustomLogoutFilter extends LogoutFilter {    /**     * Logger for this class     */    private static final Logger logger = LogManager.getLogger(CustomLogoutFilter.class.getName());    /**     *      * 创建一个新的实例 CustomLogoutFilter.     * <p>     * Title:     * </p>     * <p>     * Description:     * </p>     *      * @param logoutSuccessHandler     * @param handlers     */    public CustomLogoutFilter(String logoutSuccessUrl, LogoutHandler... handlers) {        super(logoutSuccessUrl, handlers);        logger.debug("CustomLogoutFilter(String, LogoutHandler[]) - start"); //$NON-NLS-1$        logger.debug("CustomLogoutFilter(String, LogoutHandler[]) - end"); //$NON-NLS-1$    }    public CustomLogoutFilter(LogoutSuccessHandler logoutSuccessHandler, LogoutHandler... handlers) {        super(logoutSuccessHandler, handlers);        logger.debug("CustomLogoutFilter(LogoutSuccessHandler, LogoutHandler[]) - start"); //$NON-NLS-1$        logger.debug("CustomLogoutFilter(LogoutSuccessHandler, LogoutHandler[]) - end"); //$NON-NLS-1$    }}

CustomLogoutHandler.java

/** * @Title: CustomLogoutHandler.java * @Package com.ninelephas.whale.springsecurity * @Description: TODO * Copyright: Copyright (c) 2016 * Company:九象网络科技（上海）有限公司 *  * @author roamerxv * @date 2016年9月6日 下午3:38:30 * @version V1.0.0 */package com.ninelephas.whale.springsecurity;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import org.apache.logging.log4j.LogManager;import org.apache.logging.log4j.Logger;import org.springframework.security.core.Authentication;import org.springframework.security.web.authentication.logout.LogoutHandler;/**  * @ClassName: CustomLogoutHandler  * @Description: TODO  * @author Comsys-roamerxv  * @date 2016年9月6日 下午3:38:30  *  */public class CustomLogoutHandler implements LogoutHandler {    /**     * Logger for this class     */    private static final Logger logger = LogManager.getLogger(CustomLogoutHandler.class.getName());    /**      * 创建一个新的实例 CustomLogoutHandler.       * <p>Title: </p>      * <p>Description: </p>      * @param logoutSuccessHandler      * @param handlers      */    public CustomLogoutHandler() {    }    public void logout(HttpServletRequest request,HttpServletResponse response, Authentication authentication){        logger.debug("logout(HttpServletRequest, HttpServletResponse, Authentication) - start"); //$NON-NLS-1$        logger.debug("logout(HttpServletRequest, HttpServletResponse, Authentication) - end"); //$NON-NLS-1$    }}