acegi

nhy520

浏览: 943096 次
性别:
来自: 北京

最近访客更多访客>>

yunzhu

k0521klb

remote_silence

prog

博主相关

博客

微博

相册

留言

关于我

文章分类

社区版块

存档分类

Acegi Security Servlet UI JSP

一、搞定acegi时要注意的几个地方：

1、用户注册和删除用户时清除缓存中对应该用户的相关信息。

2、登录时附加验证码等信息的扩展以及注意密码加密方式。

3、角色表中新增的角色名必须要与配置文件中设置的匹配，否则无效。

4、设置成Method类型的资源，必须在有至少一个角色给予赋值后，其它未赋予改资源的角色才会受访问权的限制，否则，也就是当没有赋值给任何一个角色时，该资源相当于是无效的，即该资源不受访问权的限制。

5、角色表中需要有个名字为"ROLE_ANONYMOUS"的角色（"ROLE"是配置文件中配置的匹配字符串），一般将首页的资源赋予给这个角色。

二、着重点

1、先看配置文件applicationContext-acegi-security.xml,附件中

2、对applicationContext-acegi-security.xml配置文件中的几点进行说明

处理登录请求的过滤器 authenticationProcessingFilter

默认的配置如下：

xml 代码

< bean id = "authenticationProcessingFilter"
class = "org.acegisecurity.ui.webapp.AuthenticationProcessingFilter" >
< property name = "authenticationManager"
ref = "authenticationManager" />
< property name = "authenticationFailureUrl"
value = "/login.jsp?login_error=1" />
< property name = "defaultTargetUrl" value = "/admin/index.jsp" />
< property name = "filterProcessesUrl"
value = "/j_acegi_security_check" />
< property name = "rememberMeServices" ref = "rememberMeServices" />
bean >

我改成了如下的配置：

xml 代码

< bean id = "authenticationProcessingFilter"
class = "org.springside.security.filter.util.AuthenticationProcessingFilter" >
< property name = "continueChainBeforeSuccessfulAuthentication" value = "true" > property >
< property name = "authenticationManager"
ref = "authenticationManager" />
< property name = "authenticationFailureUrl"
value = "/accessDenied.jsp" />
< property name = "defaultTargetUrl" value = "/index.jsp" />
< property name = "filterProcessesUrl"
value = "/userm.do" />
< property name = "rememberMeServices" ref = "rememberMeServices" />
bean >

其实就是重写了acegi自带的AuthenticationProcessingFilter

因为我在用户登录的时候还附加了验证码

并且换了登录的action路径（改成了"/userm.do?method=login"），以及用户登陆的用户名和密码的名称（默认的是j_username和j_password，我改成了username和password），这些东西都在我重写的AuthenticationProcessingFilter中得到控制。附件中有完整的AuthenticationProcessingFilter代码。

java 代码

package org.springside.security.filter.util;
import java.io.IOException;
import java.util.Properties;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.acegisecurity.AcegiMessageSource;
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.event.authentication.InteractiveAuthenticationSuccessEvent;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.acegisecurity.ui.AuthenticationDetailsSource;
import org.acegisecurity.ui.AuthenticationDetailsSourceImpl;
import org.acegisecurity.ui.WebAuthenticationDetails;
import org.acegisecurity.ui.rememberme.NullRememberMeServices;
import org.acegisecurity.ui.rememberme.RememberMeServices;
import org.acegisecurity.ui.savedrequest.SavedRequest;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.struts.Globals;
import org.apache.struts.action.ActionMessage;
import org.apache.struts.action.ActionMessages;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.ApplicationEventPublisherAware;
import org.springframework.context.support.MessageSourceAccessor;
import org.springframework.util.Assert;
import com.yahaitt.exception.AuthenticationCodeException;
public class AuthenticationProcessingFilter implements Filter,
InitializingBean, ApplicationEventPublisherAware {
public static final String ACEGI_SAVED_REQUEST_KEY = "ACEGI_SAVED_REQUEST_KEY" ;
public static final String ACEGI_SECURITY_LAST_EXCEPTION_KEY = "ACEGI_SECURITY_LAST_EXCEPTION" ;
public static final String ACEGI_SECURITY_FORM_USERNAME_KEY = "username" ;
public static final String ACEGI_SECURITY_FORM_PASSWORD_KEY = "password" ;
public static final String ACEGI_SECURITY_LAST_USERNAME_KEY = "ACEGI_SECURITY_LAST_USERNAME" ;
protected final Log logger = LogFactory.getLog( this .getClass());
private ApplicationEventPublisher eventPublisher;
private AuthenticationDetailsSource authenticationDetailsSource = new AuthenticationDetailsSourceImpl();
private AuthenticationManager authenticationManager;
private String authenticationFailureUrl;
private String defaultTargetUrl;
private String filterProcessesUrl = getDefaultFilterProcessesUrl();
private boolean alwaysUseDefaultTargetUrl = false ;
private RememberMeServices rememberMeServices = new NullRememberMeServices();
protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
private Properties exceptionMappings = new Properties();
private boolean continueChainBeforeSuccessfulAuthentication = false ;
public boolean isContinueChainBeforeSuccessfulAuthentication() {
return continueChainBeforeSuccessfulAuthentication;
}
public void setContinueChainBeforeSuccessfulAuthentication(
boolean continueChainBeforeSuccessfulAuthentication) {
this .continueChainBeforeSuccessfulAuthentication = continueChainBeforeSuccessfulAuthentication;
}
public String getDefaultFilterProcessesUrl() {
return "/j_acegi_security_check" ;
}
public void destroy() {
}
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain filterChain) throws IOException, ServletException {
if (!(request instanceof HttpServletRequest)) {
throw new ServletException( "Can only process HttpServletRequest" );
}
if (!(response instanceof HttpServletResponse)) {
throw new ServletException( "Can only process HttpServletResponse" );
}
HttpServletRequest httpRequest = (HttpServletRequest) request;
HttpServletResponse httpResponse = (HttpServletResponse) response;
String username = obtainUsername(httpRequest);
String password = obtainPassword(httpRequest);
if (username == null ) {
username = "" ;
}
if (password == null ) {
password = "" ;
}
if (requiresAuthentication(httpRequest, httpResponse)) {
Authentication authResult;
try {
// 加入验证码
onPreAuthentication(httpRequest, httpResponse);
authResult = attemptAuthentication(httpRequest);
// UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
// username, password);
// setDetails(httpRequest, authRequest);
// httpRequest.getSession().setAttribute(
// ACEGI_SECURITY_LAST_USERNAME_KEY, username);
// authResult = this.getAuthenticationManager().authenticate(
// authRequest);
// Authentication success
// successfulAuthentication(httpRequest, httpResponse, authResult);
//如果authResult = this.getAuthenticationManager().authenticate(authRequest);函数执行后无异常，则说明认证通过了，此时可以直接进行下轮的过滤器
//即跳转到进入这个filter的url（user_login.jsp页面中form的action指向等，此时执行下面的filterChain.doFilter(httpRequest, httpResponse);后就能够跳转到UserMAction的login函数中执行）
// filterChain.doFilter(httpRequest, httpResponse);
if (continueChainBeforeSuccessfulAuthentication) {
filterChain.doFilter(httpRequest, httpResponse);
}
// // 可以在此加入验证成功后的功能代码
successfulAuthentication(httpRequest, httpResponse, authResult);
// String targetUrl = alwaysUseDefaultTargetUrl ? null
// : obtainFullRequestUrl(httpRequest);
//// if (targetUrl == null) {
//// targetUrl = getDefaultTargetUrl();
//// }
//// if (!targetUrl.startsWith("http://")
//// && !targetUrl.startsWith("https://")) {
//// targetUrl = httpRequest.getContextPath() + targetUrl;
//// }
//
// targetUrl = request.getParameter("pagefrom");
//
// httpResponse.sendRedirect(httpResponse
// .encodeRedirectURL(targetUrl));
return ;
} catch (AuthenticationException failed) {
// Authentication failed
unsuccessfulAuthentication(httpRequest, httpResponse, failed);
// String failureUrl = exceptionMappings.getProperty(failed
// .getClass().getName(), authenticationFailureUrl);
// if (!failureUrl.startsWith("http://")
// && !failureUrl.startsWith("https://")) {
// failureUrl = httpRequest.getContextPath() + failureUrl;
// }
String pagefrom = request.getParameter( "pagefrom" );
request.setAttribute( "pagefrom" , pagefrom);
String pageURL = "/WEB-INF/pages/user_login.jsp" ;
RequestDispatcher rd = request.getRequestDispatcher(pageURL);
rd.forward(request, response);
// httpResponse.sendRedirect(httpResponse
// .encodeRedirectURL(failureUrl));
return ;
}
}
filterChain.doFilter(request, response);
}
public Authentication attemptAuthentication(HttpServletRequest request) throws AuthenticationException,
IOException {
String username = obtainUsername(request);
String password = obtainPassword(request);
if (username == null ) {
username = "" ;
}
if (password == null ) {
password = "" ;
}
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
username, password);
setDetails(request, authRequest);
request.getSession().setAttribute(ACEGI_SECURITY_LAST_USERNAME_KEY,
username);
return this .getAuthenticationManager().authenticate(authRequest);
}
protected void setDetails(HttpServletRequest request,
UsernamePasswordAuthenticationToken authRequest) {
authRequest.setDetails( new WebAuthenticationDetails(request));
}
protected boolean requiresAuthentication(HttpServletRequest request,
HttpServletResponse response) {
String uri = request.getRequestURI();
int pathParamIndex = uri.indexOf(';');
if (pathParamIndex > 0 ) {
uri = uri.substring( 0 , pathParamIndex);
}
String method = request.getParameter( "method" );
boolean islogin = "login" .equals(method)? true : false ;
return (uri.endsWith(request.getContextPath() + filterProcessesUrl) && islogin);
}
public void init(FilterConfig arg0) throws ServletException {
}
public void afterPropertiesSet() throws Exception {
}
public void setApplicationEventPublisher(ApplicationEventPublisher context) {
this .eventPublisher = context;
}
public void setAuthenticationDetailsSource(
AuthenticationDetailsSource authenticationDetailsSource) {
Assert.notNull(authenticationDetailsSource,
"AuthenticationDetailsSource required" );
this .authenticationDetailsSource = authenticationDetailsSource;
}
public boolean isAlwaysUseDefaultTargetUrl() {
return alwaysUseDefaultTargetUrl;
}
public void setAlwaysUseDefaultTargetUrl( boolean alwaysUseDefaultTargetUrl) {
this .alwaysUseDefaultTargetUrl = alwaysUseDefaultTargetUrl;
}
public String getAuthenticationFailureUrl() {
return authenticationFailureUrl;
}
public void setAuthenticationFailureUrl(String authenticationFailureUrl) {
this .authenticationFailureUrl = authenticationFailureUrl;
}
public String getDefaultTargetUrl() {
return defaultTargetUrl;
}
public void setDefaultTargetUrl(String defaultTargetUrl) {
this .defaultTargetUrl = defaultTargetUrl;
}
public String getFilterProcessesUrl() {
return filterProcessesUrl;
}
public void setFilterProcessesUrl(String filterProcessesUrl) {
this .filterProcessesUrl = filterProcessesUrl;
}
protected String obtainPassword(HttpServletRequest request) {
String password = request.getParameter(ACEGI_SECURITY_FORM_PASSWORD_KEY);
// if (password != null) {
// return MD5.toMD5(request
// .getParameter(ACEGI_SECURITY_FORM_PASSWORD_KEY));
// }
return password;
}
protected String obtainUsername(HttpServletRequest request) {
return request.getParameter(ACEGI_SECURITY_FORM_USERNAME_KEY);
}
// 加入验证码
protected void onPreAuthentication(HttpServletRequest request,
HttpServletResponse response) throws AuthenticationException,
IOException {
String randNum = request.getParameter( "randNum" );
String rand = (String) request.getSession().getAttribute( "RandNo" );
if (rand == null || !rand.equals(randNum)) {
throw new AuthenticationCodeException( "请输入正确的验证码！" );
}
}
// 可以在此加入验证成功后的功能代码
protected void onSuccessfulAuthentication(HttpServletRequest request,
HttpServletResponse response, Authentication authResult)
throws IOException {
}
protected void onUnsuccessfulAuthentication(HttpServletRequest request,
HttpServletResponse response, AuthenticationException failed)
throws IOException {
ActionMessages errors = new ActionMessages();
String username = request.getParameter( "username" );
String password = request.getParameter( "password" );
if (failed instanceof AuthenticationCodeException)
{
//验证码为空或出错
errors.add( "userwrong" , new ActionMessage( "user.randno.wrong" ));
} else if ( null ==username || "" .equals(username))
{
//用户名为空
errors.add( "userwrong" , new ActionMessage( "user.username" ));
} else if ( null ==password || "" .equals(password))
{
//密码为空
errors.add( "userwrong" , new ActionMessage( "user.password" ));
} else
{
//用户名或密码出错
errors.add( "userwrong" , new ActionMessage( "user.wrong" ));
}

分享到：

2009-09-27 17:39
浏览 2025
评论(0)
查看更多

发表评论

您还没有登录,请您登录后再发表评论

最近访客更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论

acegi

评论

发表评论

相关推荐

最近访客 更多访客>>

博主相关

文章分类

社区版块

存档分类

最新评论

acegi

评论

发表评论

相关推荐

最近访客更多访客>>