I need to integrate Spring Security into an existing Spring MVC project (Spring 3.2.13 + MyBatis + PostgreSQL). I am new to Spring Security.
With the credentials hard-coded in spring-security.xml (Spring Security 3.2.5) I am able to log in to the application.
However, in the existing implementation (without Spring Security) the controller validates the user and, depending on the user's status, redirects to the corresponding JSP.
Here is the controller:
```java
@RequestMapping(value="/login", method=RequestMethod.POST)
public String processLogin(@ModelAttribute(value="loginUser") UserForm user, Model model) {
    //Spring Validation here
    ...
    User authenticatedUser = userMgmtService.processUserLogin(loggedInUser);
    if (authenticatedUser != null) {
        if (authenticatedUser.getStatus().equals(UserStatusConstants.USER_ACTIVE)) {
            if (authenticatedUser.getAdminFlag()) {
                viewName = "redirect:/admin/adminHome.html";
            } else {
                viewName = "redirect:/home.html";
            }
        } else if (authenticatedUser.getStatus().equals(UserStatusConstants.USER_NEW)) {
            viewName = "redirect:/changePassword.html";
        } else if (authenticatedUser.getStatus().equals(UserStatusConstants.USER_LOCKED)) {
            viewName = "redirect:/accountLockedOut.html";
        } else if (authenticatedUser.getStatus().equals(UserStatusConstants.USER_INACTIVE)) {
            viewName = "redirect:/accessDenied.html";
        }
        model.addAttribute("loginUser", authenticatedUser);
    }
    return viewName;
}
```
Here is the User class:
```java
import java.util.Date;
import org.springframework.stereotype.Component;

@Component
public class User {
    private String userName;
    private String password;
    private String firstName;
    private String lastName;
    /** Flag whether the user is admin or not */
    private Boolean adminFlag;
    /** Status Num for New, Active, Locked, Inactive */
    private Integer status;
    private Date lastLoginTimestamp;
    //Getters & Setters
    ....
}
```
Roles: I have only two roles in the system, SUPERUSER (when adminFlag = true) and APPUSER (when adminFlag = false). Status: 0 = New, 1 = Active, 2 = Locked, 3 = Inactive.
Here is my user database table:
My spring-security.xml:
```xml
<!-- Bypass security for resources - css,images,scripts -->
<http pattern="/resources/**" security="none"/>
<http auto-config="true">
    <intercept-url pattern="/login*" access="ROLE_ANONYMOUS,ROLE_APPUSER,ROLE_SUPERUSER"/>
    <intercept-url pattern="/forgotPassword*" access="ROLE_ANONYMOUS,ROLE_APPUSER,ROLE_SUPERUSER"/>
    <intercept-url pattern="/logout" access="ROLE_ANONYMOUS,ROLE_APPUSER,ROLE_SUPERUSER"/>
    <!-- Ant pattern must cover the whole subtree; a bare "/admin/" matches only that exact path,
         so /admin/adminHome.html would fall through to the ROLE_APPUSER rule below -->
    <intercept-url pattern="/admin/**" access="ROLE_SUPERUSER"/>
    <intercept-url pattern="/**" access="ROLE_APPUSER"/>
    <form-login login-page="/login.html"
                login-processing-url="/login"
                authentication-failure-url="/login.html?autherror=true"
                username-parameter="userName"
                password-parameter="password"
                default-target-url="/home.html"
                always-use-default-target="false"/>
    <logout invalidate-session="true" delete-cookies="JSESSIONID,user" logout-success-url="/logout"/>
    <access-denied-handler error-page="/accessDenied"/>
    <session-management>
        <!-- Listener HttpSessionEventPublisher (in web.xml) notifies of concurrent sessions -->
        <concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
    </session-management>
</http>
<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="user1" password="123" authorities="ROLE_APPUSER"/>
            <user name="superuser" password="admin" authorities="ROLE_SUPERUSER"/>
        </user-service>
    </authentication-provider>
</authentication-manager>
```
Requirement: how do I implement the controller logic shown above using spring-security? What changes do I need to make to the existing implementation?
Answer 0 (score: 2)
There are several other ways, but I think the simplest is to create a new authentication provider. So we just need to implement the AuthenticationProvider interface.
Then add the following lines to the authentication provider in spring-security.xml:
```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String name = authentication.getName();
        String password = authentication.getCredentials().toString();
        // Placeholder check used in the answer; a real provider looks the user up instead.
        if (name.equals("admin") && password.equals("system")) {
            List<GrantedAuthority> grantedAuths = new ArrayList<>();
            grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
            // A token built with authorities is marked authenticated.
            Authentication auth = new UsernamePasswordAuthenticationToken(name, password, grantedAuths);
            return auth;
        } else {
            // null means "cannot decide"; the ProviderManager moves on to the next provider.
            return null;
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }
}
```
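The following is an added example (not code from the question or the answer above) that carries the answer's idea through to the question's actual requirement: the status and adminFlag checks of the original controller move into an AuthenticationProvider, and the redirect targets move into a success handler and an ExceptionMappingAuthenticationFailureHandler. It assumes the question's User class (with getStatus() and getAdminFlag()) is on the classpath; UserLookup, StatusAwareAuthenticationProvider, RoleBasedSuccessHandler and the role ROLE_PASSWORD_CHANGE are hypothetical names introduced here, since the question does not show userMgmtService.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.*;
import org.springframework.security.core.*;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler;

/** Status codes exactly as the question defines them: 0 = new, 1 = active, 2 = locked, 3 = inactive. */
final class UserStatus {
    static final int NEW = 0, ACTIVE = 1, LOCKED = 2, INACTIVE = 3;
    private UserStatus() {}
}

/** Hypothetical lookup interface standing in for the question's userMgmtService, which is not shown. */
interface UserLookup {
    User findByUserName(String userName);          // null when no such user exists
    boolean passwordMatches(User user, String raw); // compare against the stored (hashed) credential
}

/** Replaces the status checks of the original controller; works on the question's User class. */
public class StatusAwareAuthenticationProvider implements AuthenticationProvider {
    private final UserLookup users;
    public StatusAwareAuthenticationProvider(UserLookup users) {
        this.users = users;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String name = authentication.getName();
        String raw = String.valueOf(authentication.getCredentials());
        User user = users.findByUserName(name);
        // One message for "unknown user" and "wrong password": the response must not tell them apart.
        if (user == null || !users.passwordMatches(user, raw)) {
            throw new BadCredentialsException("Bad credentials");
        }
        int status = user.getStatus() == null ? -1 : user.getStatus();
        // Each failure branch of the controller becomes a specific exception; the
        // ExceptionMappingAuthenticationFailureHandler below turns it into the old redirect target.
        if (status == UserStatus.LOCKED)   throw new LockedException("Account locked");
        if (status == UserStatus.INACTIVE) throw new DisabledException("Account inactive");
        if (status != UserStatus.NEW && status != UserStatus.ACTIVE) {
            throw new DisabledException("Unknown status " + status); // fail closed on unexpected data
        }
        List<GrantedAuthority> authorities = new ArrayList<>();
        if (status == UserStatus.NEW) {
            // A NEW account is authenticated but may only reach the password-change page (see usage note).
            authorities.add(new SimpleGrantedAuthority("ROLE_PASSWORD_CHANGE"));
        } else {
            // adminFlag selects the single role, matching the SUPERUSER / APPUSER split in the question.
            boolean admin = Boolean.TRUE.equals(user.getAdminFlag());
            authorities.add(new SimpleGrantedAuthority(admin ? "ROLE_SUPERUSER" : "ROLE_APPUSER"));
        }
        // Credentials are set to null so the raw password is not kept in the session-scoped token.
        return new UsernamePasswordAuthenticationToken(user, null, authorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    /** Maps the exceptions above to the pages the controller used to redirect to; wire it to form-login. */
    public static ExceptionMappingAuthenticationFailureHandler failureHandler() {
        Map<String, String> targets = new HashMap<>();
        targets.put(LockedException.class.getName(), "/accountLockedOut.html");
        targets.put(DisabledException.class.getName(), "/accessDenied.html");
        ExceptionMappingAuthenticationFailureHandler handler = new ExceptionMappingAuthenticationFailureHandler();
        handler.setExceptionMappings(targets);
        handler.setDefaultFailureUrl("/login.html?autherror=true"); // same URL as the question's config
        return handler;
    }
}

/** Replaces the success branches of the controller: the redirect target is chosen from the granted role. */
class RoleBasedSuccessHandler implements AuthenticationSuccessHandler {
    private final DefaultRedirectStrategy redirect = new DefaultRedirectStrategy();

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws IOException, ServletException {
        redirect.sendRedirect(request, response, targetFor(authentication));
    }

    /** Kept free of servlet types so it can be unit-tested with a plain UsernamePasswordAuthenticationToken. */
    static String targetFor(Authentication authentication) {
        Set<String> roles = new HashSet<>();
        for (GrantedAuthority a : authentication.getAuthorities()) roles.add(a.getAuthority());
        if (roles.contains("ROLE_PASSWORD_CHANGE")) return "/changePassword.html";
        if (roles.contains("ROLE_SUPERUSER"))       return "/admin/adminHome.html";
        return "/home.html";
    }
}
```

To wire this into the question's spring-security.xml, declare the three objects as beans (the failure handler via `factory-method="failureHandler"`), replace the in-memory `<user-service>` with `<authentication-provider ref="..."/>`, and on `<form-login>` replace `default-target-url` and `always-use-default-target` with `authentication-success-handler-ref` and `authentication-failure-handler-ref`. Add an `<intercept-url pattern="/changePassword*" access="ROLE_PASSWORD_CHANGE,ROLE_APPUSER,ROLE_SUPERUSER"/>` above the `/**` rule so a NEW user can reach only that page; once the password has been changed and the status set to active, invalidate the session and send the user back through the login so the token carries the real role.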