- 浏览: 943096 次
- 性别:
- 来自: 北京
文章分类
- 全部博客 (385)
- 搜索引擎学习 (62)
- 算法 (1)
- 数据库 (15)
- web开发 (38)
- solr开发 (17)
- nutch 1.2 系统学习 (8)
- cms (1)
- 系统架构 (11)
- linux 与 unix 编程 (16)
- android (15)
- maven (1)
- 关注物流 (1)
- 网址收集 (1)
- 分布式,集群 (1)
- mysql (5)
- apache (1)
- 资料文档备份 (7)
- 上班有感 (0)
- 工作流 (15)
- javascript (1)
- weblogic (1)
- eclipse 集成 (1)
- JMS (7)
- Hibernate (1)
- 性能测试 (1)
- spring (6)
- 缓存cache (1)
- mongodb (2)
- webservice (1)
- HTML5 COCOS2D-HTML5 (1)
- BrowserQuest (2)
最新评论
-
avi9111:
内陷到android, ios, winphone里面也是随便 ...
【HTML5游戏开发】二次开发 BrowserQuest 第一集 -
avi9111:
呵呵,做不下去了吧,没有第二集了吧,游戏是个深坑,谨慎进入,其 ...
【HTML5游戏开发】二次开发 BrowserQuest 第一集 -
excaliburace:
方案3亲测完全可用,顺便解决了我其他方面的一些疑问,非常感谢
spring security 2添加用户验证码 -
yuanliangding:
Spring太强大了。
Spring Data JPA 简单介绍 -
小高你好:
什么是hibernate懒加载?什么时候用懒加载?为什么要用懒加载?
一、搞定acegi时要注意的几个地方:
1、用户注册和删除用户时清除缓存中对应该用户的相关信息。
2、登录时附加验证码等信息的扩展以及注意密码加密方式。
3、角色表中新增的角色名必须要与配置文件中设置的匹配,否则无效。
4、设置成Method类型的资源,必须在有至少一个角色给予赋值后,其它未赋予改资源的角色才会受访问权的限制,否则,也就是当没有赋值给任何一个角色时,该资源相当于是无效的,即该资源不受访问权的限制。
5、角色表中需要有个名字为"ROLE_ANONYMOUS"的角色("ROLE"是配置文件中配置的匹配字符串),一般将首页的资源赋予给这个角色。
二、着重点
1、先看配置文件applicationContext-acegi-security.xml,附件中
2、对applicationContext-acegi-security.xml配置文件中的几点进行说明
处理登录请求的过滤器 authenticationProcessingFilter
默认的配置如下:
xml 代码
- < bean id = "authenticationProcessingFilter"
- class = "org.acegisecurity.ui.webapp.AuthenticationProcessingFilter" >
- < property name = "authenticationManager"
- ref = "authenticationManager" />
- < property name = "authenticationFailureUrl"
- value = "/login.jsp?login_error=1" />
- < property name = "defaultTargetUrl" value = "/admin/index.jsp" />
- < property name = "filterProcessesUrl"
- value = "/j_acegi_security_check" />
- < property name = "rememberMeServices" ref = "rememberMeServices" />
- bean >
我改成了如下的配置:
xml 代码
- < bean id = "authenticationProcessingFilter"
- class = "org.springside.security.filter.util.AuthenticationProcessingFilter" >
- < property name = "continueChainBeforeSuccessfulAuthentication" value = "true" > property >
- < property name = "authenticationManager"
- ref = "authenticationManager" />
- < property name = "authenticationFailureUrl"
- value = "/accessDenied.jsp" />
- < property name = "defaultTargetUrl" value = "/index.jsp" />
- < property name = "filterProcessesUrl"
- value = "/userm.do" />
- < property name = "rememberMeServices" ref = "rememberMeServices" />
- bean >
其实就是重写了acegi自带的AuthenticationProcessingFilter
因为我在用户登录的时候还附加了验证码
并且换了登录的action路径(改成了"/userm.do?method=login"),以及用户登陆的用户名和密码的名称(默认的是j_username和j_password,我改成了username和password),这些东西都在我重写的AuthenticationProcessingFilter中得到控制。附件中有完整的AuthenticationProcessingFilter代码。
java 代码
- package org.springside.security.filter.util;
- import java.io.IOException;
- import java.util.Properties;
- import javax.servlet.Filter;
- import javax.servlet.FilterChain;
- import javax.servlet.FilterConfig;
- import javax.servlet.RequestDispatcher;
- import javax.servlet.ServletException;
- import javax.servlet.ServletRequest;
- import javax.servlet.ServletResponse;
- import javax.servlet.http.HttpServletRequest;
- import javax.servlet.http.HttpServletResponse;
- import org.acegisecurity.AcegiMessageSource;
- import org.acegisecurity.Authentication;
- import org.acegisecurity.AuthenticationException;
- import org.acegisecurity.AuthenticationManager;
- import org.acegisecurity.context.SecurityContextHolder;
- import org.acegisecurity.event.authentication.InteractiveAuthenticationSuccessEvent;
- import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
- import org.acegisecurity.ui.AuthenticationDetailsSource;
- import org.acegisecurity.ui.AuthenticationDetailsSourceImpl;
- import org.acegisecurity.ui.WebAuthenticationDetails;
- import org.acegisecurity.ui.rememberme.NullRememberMeServices;
- import org.acegisecurity.ui.rememberme.RememberMeServices;
- import org.acegisecurity.ui.savedrequest.SavedRequest;
- import org.apache.commons.logging.Log;
- import org.apache.commons.logging.LogFactory;
- import org.apache.struts.Globals;
- import org.apache.struts.action.ActionMessage;
- import org.apache.struts.action.ActionMessages;
- import org.springframework.beans.factory.InitializingBean;
- import org.springframework.context.ApplicationEventPublisher;
- import org.springframework.context.ApplicationEventPublisherAware;
- import org.springframework.context.support.MessageSourceAccessor;
- import org.springframework.util.Assert;
- import com.yahaitt.exception.AuthenticationCodeException;
- public class AuthenticationProcessingFilter implements Filter,
- InitializingBean, ApplicationEventPublisherAware {
- public static final String ACEGI_SAVED_REQUEST_KEY = "ACEGI_SAVED_REQUEST_KEY" ;
- public static final String ACEGI_SECURITY_LAST_EXCEPTION_KEY = "ACEGI_SECURITY_LAST_EXCEPTION" ;
- public static final String ACEGI_SECURITY_FORM_USERNAME_KEY = "username" ;
- public static final String ACEGI_SECURITY_FORM_PASSWORD_KEY = "password" ;
- public static final String ACEGI_SECURITY_LAST_USERNAME_KEY = "ACEGI_SECURITY_LAST_USERNAME" ;
- protected final Log logger = LogFactory.getLog( this .getClass());
- private ApplicationEventPublisher eventPublisher;
- private AuthenticationDetailsSource authenticationDetailsSource = new AuthenticationDetailsSourceImpl();
- private AuthenticationManager authenticationManager;
- private String authenticationFailureUrl;
- private String defaultTargetUrl;
- private String filterProcessesUrl = getDefaultFilterProcessesUrl();
- private boolean alwaysUseDefaultTargetUrl = false ;
- private RememberMeServices rememberMeServices = new NullRememberMeServices();
- protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();
- private Properties exceptionMappings = new Properties();
- private boolean continueChainBeforeSuccessfulAuthentication = false ;
- public boolean isContinueChainBeforeSuccessfulAuthentication() {
- return continueChainBeforeSuccessfulAuthentication;
- }
- public void setContinueChainBeforeSuccessfulAuthentication(
- boolean continueChainBeforeSuccessfulAuthentication) {
- this .continueChainBeforeSuccessfulAuthentication = continueChainBeforeSuccessfulAuthentication;
- }
- public String getDefaultFilterProcessesUrl() {
- return "/j_acegi_security_check" ;
- }
- public void destroy() {
- }
- public void doFilter(ServletRequest request, ServletResponse response,
- FilterChain filterChain) throws IOException, ServletException {
- if (!(request instanceof HttpServletRequest)) {
- throw new ServletException( "Can only process HttpServletRequest" );
- }
- if (!(response instanceof HttpServletResponse)) {
- throw new ServletException( "Can only process HttpServletResponse" );
- }
- HttpServletRequest httpRequest = (HttpServletRequest) request;
- HttpServletResponse httpResponse = (HttpServletResponse) response;
- String username = obtainUsername(httpRequest);
- String password = obtainPassword(httpRequest);
- if (username == null ) {
- username = "" ;
- }
- if (password == null ) {
- password = "" ;
- }
- if (requiresAuthentication(httpRequest, httpResponse)) {
- Authentication authResult;
- try {
- // 加入验证码
- onPreAuthentication(httpRequest, httpResponse);
- authResult = attemptAuthentication(httpRequest);
- // UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
- // username, password);
- // setDetails(httpRequest, authRequest);
- // httpRequest.getSession().setAttribute(
- // ACEGI_SECURITY_LAST_USERNAME_KEY, username);
- // authResult = this.getAuthenticationManager().authenticate(
- // authRequest);
- // Authentication success
- // successfulAuthentication(httpRequest, httpResponse, authResult);
- //如果authResult = this.getAuthenticationManager().authenticate(authRequest);函数执行后无异常,则说明认证通过了,此时可以直接进行下轮的过滤器
- //即跳转到进入这个filter的url(user_login.jsp页面中form的action指向等,此时执行下面的filterChain.doFilter(httpRequest, httpResponse);后就能够跳转到UserMAction的login函数中执行)
- // filterChain.doFilter(httpRequest, httpResponse);
- if (continueChainBeforeSuccessfulAuthentication) {
- filterChain.doFilter(httpRequest, httpResponse);
- }
- // // 可以在此加入验证成功后的功能代码
- successfulAuthentication(httpRequest, httpResponse, authResult);
- // String targetUrl = alwaysUseDefaultTargetUrl ? null
- // : obtainFullRequestUrl(httpRequest);
- //// if (targetUrl == null) {
- //// targetUrl = getDefaultTargetUrl();
- //// }
- //// if (!targetUrl.startsWith("http://")
- //// && !targetUrl.startsWith("https://")) {
- //// targetUrl = httpRequest.getContextPath() + targetUrl;
- //// }
- //
- // targetUrl = request.getParameter("pagefrom");
- //
- // httpResponse.sendRedirect(httpResponse
- // .encodeRedirectURL(targetUrl));
- return ;
- } catch (AuthenticationException failed) {
- // Authentication failed
- unsuccessfulAuthentication(httpRequest, httpResponse, failed);
- // String failureUrl = exceptionMappings.getProperty(failed
- // .getClass().getName(), authenticationFailureUrl);
- // if (!failureUrl.startsWith("http://")
- // && !failureUrl.startsWith("https://")) {
- // failureUrl = httpRequest.getContextPath() + failureUrl;
- // }
- String pagefrom = request.getParameter( "pagefrom" );
- request.setAttribute( "pagefrom" , pagefrom);
- String pageURL = "/WEB-INF/pages/user_login.jsp" ;
- RequestDispatcher rd = request.getRequestDispatcher(pageURL);
- rd.forward(request, response);
- // httpResponse.sendRedirect(httpResponse
- // .encodeRedirectURL(failureUrl));
- return ;
- }
- }
- filterChain.doFilter(request, response);
- }
- public Authentication attemptAuthentication(HttpServletRequest request) throws AuthenticationException,
- IOException {
- String username = obtainUsername(request);
- String password = obtainPassword(request);
- if (username == null ) {
- username = "" ;
- }
- if (password == null ) {
- password = "" ;
- }
- UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
- username, password);
- setDetails(request, authRequest);
- request.getSession().setAttribute(ACEGI_SECURITY_LAST_USERNAME_KEY,
- username);
- return this .getAuthenticationManager().authenticate(authRequest);
- }
- protected void setDetails(HttpServletRequest request,
- UsernamePasswordAuthenticationToken authRequest) {
- authRequest.setDetails( new WebAuthenticationDetails(request));
- }
- protected boolean requiresAuthentication(HttpServletRequest request,
- HttpServletResponse response) {
- String uri = request.getRequestURI();
- int pathParamIndex = uri.indexOf(';');
- if (pathParamIndex > 0 ) {
- uri = uri.substring( 0 , pathParamIndex);
- }
- String method = request.getParameter( "method" );
- boolean islogin = "login" .equals(method)? true : false ;
- return (uri.endsWith(request.getContextPath() + filterProcessesUrl) && islogin);
- }
- public void init(FilterConfig arg0) throws ServletException {
- }
- public void afterPropertiesSet() throws Exception {
- }
- public void setApplicationEventPublisher(ApplicationEventPublisher context) {
- this .eventPublisher = context;
- }
- public void setAuthenticationDetailsSource(
- AuthenticationDetailsSource authenticationDetailsSource) {
- Assert.notNull(authenticationDetailsSource,
- "AuthenticationDetailsSource required" );
- this .authenticationDetailsSource = authenticationDetailsSource;
- }
- public boolean isAlwaysUseDefaultTargetUrl() {
- return alwaysUseDefaultTargetUrl;
- }
- public void setAlwaysUseDefaultTargetUrl( boolean alwaysUseDefaultTargetUrl) {
- this .alwaysUseDefaultTargetUrl = alwaysUseDefaultTargetUrl;
- }
- public String getAuthenticationFailureUrl() {
- return authenticationFailureUrl;
- }
- public void setAuthenticationFailureUrl(String authenticationFailureUrl) {
- this .authenticationFailureUrl = authenticationFailureUrl;
- }
- public String getDefaultTargetUrl() {
- return defaultTargetUrl;
- }
- public void setDefaultTargetUrl(String defaultTargetUrl) {
- this .defaultTargetUrl = defaultTargetUrl;
- }
- public String getFilterProcessesUrl() {
- return filterProcessesUrl;
- }
- public void setFilterProcessesUrl(String filterProcessesUrl) {
- this .filterProcessesUrl = filterProcessesUrl;
- }
- protected String obtainPassword(HttpServletRequest request) {
- String password = request.getParameter(ACEGI_SECURITY_FORM_PASSWORD_KEY);
- // if (password != null) {
- // return MD5.toMD5(request
- // .getParameter(ACEGI_SECURITY_FORM_PASSWORD_KEY));
- // }
- return password;
- }
- protected String obtainUsername(HttpServletRequest request) {
- return request.getParameter(ACEGI_SECURITY_FORM_USERNAME_KEY);
- }
- // 加入验证码
- protected void onPreAuthentication(HttpServletRequest request,
- HttpServletResponse response) throws AuthenticationException,
- IOException {
- String randNum = request.getParameter( "randNum" );
- String rand = (String) request.getSession().getAttribute( "RandNo" );
- if (rand == null || !rand.equals(randNum)) {
- throw new AuthenticationCodeException( "请输入正确的验证码!" );
- }
- }
- // 可以在此加入验证成功后的功能代码
- protected void onSuccessfulAuthentication(HttpServletRequest request,
- HttpServletResponse response, Authentication authResult)
- throws IOException {
- }
- protected void onUnsuccessfulAuthentication(HttpServletRequest request,
- HttpServletResponse response, AuthenticationException failed)
- throws IOException {
- ActionMessages errors = new ActionMessages();
- String username = request.getParameter( "username" );
- String password = request.getParameter( "password" );
- if (failed instanceof AuthenticationCodeException)
- {
- //验证码为空或出错
- errors.add( "userwrong" , new ActionMessage( "user.randno.wrong" ));
- } else if ( null ==username || "" .equals(username))
- {
- //用户名为空
- errors.add( "userwrong" , new ActionMessage( "user.username" ));
- } else if ( null ==password || "" .equals(password))
- {
- //密码为空
- errors.add( "userwrong" , new ActionMessage( "user.password" ));
- } else
- {
- //用户名或密码出错
- errors.add( "userwrong" , new ActionMessage( "user.wrong" ));
- }
相关推荐
Acegi安全系统,是一个用于Spring Framework的安全框架,能够和目前流行的Web容器无缝集成。它使用了Spring的方式提供了安全和认证安全服务,包括使用Bean Context,拦截器和面向接口的编程方式。因此,Acegi安全...
acegi-security 1.0.2.jar
Acegi安全系统,是一个用于Spring Framework的安全框架,能够和目前流行的Web容器无缝集成。它使用了Spring的方式提供了安全和认证安全服务,包括使用Bean Context,拦截器和面向接口的编程方式。因此,Acegi安全...
包含acegi-security-1.0.7.jar,acegi-security-1.0.7-sources.jar,acegi-security-cas-1.0.7.jar,acegi-security-cas-1.0.7-sources.jar,acegi-security-catalina-1.0.7.jar,acegi-security-catalina-1.0.7-...
spring_acegi精彩实例,带MYSQL数据库脚本,保证能运行 spring_acegi精彩实例,带MYSQL数据库脚本,保证能运行 spring_acegi精彩实例,带MYSQL数据库脚本,保证能运行 spring_acegi精彩实例,带MYSQL数据库脚本,...
不错的ACEGI 教程
acegi与cas集成 <!-- ========= Acegi as a CAS Client的配置============= --> class="org.acegisecurity.ui.cas.CasProcessingFilter"> ref="authenticationManager" /> value="/login.do?...
Acegi是一个专门为SpringFramework提供安全机制的项目,全称为Acegi Security System for Spring.
Acegi Security为基于J2EE的企业应用软件提供全面的安全解决方案。正如你在本手册中看到的那样,我们尝试为您提供有用的,高可配置的安全系统。 Acegi Security专注于在企业应用安全层为您提供帮助,你将会发现和...
Acegi文档 spring acegi 详细文档
acegi安全系统,是一个用于spring framework的安全框架,能够和目前流行的web容器无缝集成。它使用了spring的方式提供了安全和认证安全服务,包括使用bean context,拦截器和面向接口的编程方式。因此,acegi安全...
acegi 框架 介绍 spring 安全
Acegi能做什么 Acegi的体系结构 Acegi核心组件 典型的web认证过程 Acegi的登陆认证 Acegi对安全对象的访问控制 Filter 组件 Acegi的不足之处
敏捷Acegi、CAS++构建安全的Java系统pdf——part5
1、一个Acegi的例子,可以运行 2、一个很好的学Acegi的网址,0基础学习Acegi,强烈推荐 3、有什么问题可以发邮件heroshen@126.com讨论
JAVA开发专家:敏捷Acegi、CAS:构建安全的Java系统 pdf
acegi,spring的安全验证框架
关于Acegi的安全框架,里面有Acegi的实例,讲述得挺清楚的,