spring security-如何调用控制器方法进行身份验证&登录授权

时间:2015-10-11 06:21:16

标签: spring-mvc spring-security

我需要在现有的Spring MVC项目(Spring 3.2.13 + MyBatis + PostgreSQL)中集成Spring Security。我是Spring Security的新手。

当凭证被硬编码到spring-security.xml(Spring Security 3.2.5)中时,我能够登录到应用程序。
但是,在现有的实现中(没有Spring Security),控制器会验证用户,并根据用户状态重定向到相应的JSP。
这是控制器:

// NOTE(review): the posted spring-security.xml sets login-processing-url="/login", i.e. the same
// POST /login this handler maps; once the filter chain is active the form submission is consumed
// by the filter and this method is not reached, so the status-based routing below has to move
// into Spring Security (a provider/UserDetailsService plus an AuthenticationSuccessHandler).
@RequestMapping(value="/login", method=RequestMethod.POST)
public String processLogin(@ModelAttribute(value="loginUser")UserForm user, Model model) {
//Spring Validation here
...
// 'loggedInUser' is not declared in this excerpt (the bound form object is 'user'); presumably it
// is derived from the form in the elided validation step.
User authenticatedUser = userMgmtService.processUserLogin(loggedInUser);

// 'viewName' is also declared outside the excerpt; when the user is null, or its status matches
// none of the branches below, the value returned is whatever viewName held before (possibly null).
if(authenticatedUser!= null){               
            // status is an Integer on User (0 new, 1 active, 2 locked, 3 inactive per the question);
            // a null status throws NPE here, and equals() only matches if the constants are int/Integer.
            if(authenticatedUser.getStatus().equals(UserStatusConstants.USER_ACTIVE)){
                // adminFlag is a Boolean; a null value throws NPE on unboxing.
                if(authenticatedUser.getAdminFlag()){
                    viewName= "redirect:/admin/adminHome.html";
                }               
                else{
                    viewName= "redirect:/home.html";
                }
            }
            else if(authenticatedUser.getStatus().equals(UserStatusConstants.USER_NEW)){
                viewName="redirect:/changePassword.html";
            }
            else if(authenticatedUser.getStatus().equals(UserStatusConstants.USER_LOCKED)){
                    viewName="redirect:/accountLockedOut.html";
            }
            else if(authenticatedUser.getStatus().equals(UserStatusConstants.USER_INACTIVE)){
                viewName="redirect:/accessDenied.html";
            }

            // NOTE(review): the full User, including its password field, is put on the model. A
            // redirect view only propagates simple-typed attributes, so it is likely dropped here,
            // but in general expose a view object without credentials rather than the entity.
            model.addAttribute("loginUser",authenticatedUser);
        }

 return viewName;

以下是用户类:

/**
 * User-table record: credentials, name, admin flag, account status and last login.
 *
 * NOTE(review): {@code @Component} makes this mutable data holder a singleton Spring bean; if it is
 * ever {@code @Autowired}, one instance (including its password field) is shared by every request.
 * Instances created with {@code new User()} (as a service/mapper presumably returns) do not need it.
 */
@Component
public class User {

    private String userName;

    /** Presumably the stored credential; whether it is hashed is not visible here. Keep it out of views and logs. */
    private String password;

    private String firstName;

    private String lastName;

    /** Flag whether the user is admin or not (true = SUPERUSER, false = APPUSER per the question) */
    private Boolean adminFlag;

    /** Status Num for New, Active, Locked, Inactive (0 = new, 1 = active, 2 = locked, 3 = inactive) */
    private Integer status;

    /** Presumably java.util.Date; the import is not shown in the excerpt. */
    private Date lastLoginTimestamp;

    //Getters & Setters
    ....
}

角色:我的系统中只有两个角色:SUPERUSER(当adminFlag = true时)和APPUSER(当adminFlag = false时)。状态:0 = 新建,1 = 有效,2 = 已锁定,3 = 无效
这是我的用户数据库表:
(此处原为用户数据库表的截图,图片未保留)
我的spring-security.xml:

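 <!-- Bypass security for resources - css,images,scripts  -->
   <http pattern="/resources/**" security="none"/>

   <!-- Rules are evaluated top-down; the first matching intercept-url wins, so the most specific
        patterns must stay above "/**". CSRF protection is off by default in the 3.2 XML namespace
        and is enabled by adding <csrf/> inside this element. -->
   <http auto-config="true">
    <intercept-url pattern="/login*" access="ROLE_ANONYMOUS,ROLE_APPUSER,ROLE_SUPERUSER"/>
    <intercept-url pattern="/forgotPassword*" access="ROLE_ANONYMOUS,ROLE_APPUSER,ROLE_SUPERUSER"/>
    <intercept-url pattern="/logout" access="ROLE_ANONYMOUS,ROLE_APPUSER,ROLE_SUPERUSER"/>
    <!-- Was pattern="/admin/": an Ant pattern without "**" matches only that exact path, so
         /admin/adminHome.html (the controller's superuser redirect) fell through to the "/**" rule
         and was reachable with ROLE_APPUSER. "/admin/**" protects the whole admin area. -->
    <intercept-url pattern="/admin/**" access="ROLE_SUPERUSER"/>
    <!-- Note: "/**" requires ROLE_APPUSER only, so a user holding just ROLE_SUPERUSER (like the
         in-memory "superuser" below) is denied on /home.html, the default-target-url, and every other
         non-admin page. Either grant superusers both roles or list both roles here. -->
    <intercept-url pattern="/**" access="ROLE_APPUSER"/>

    <!-- login-processing-url="/login" is the same URL the question's processLogin controller maps
         for POST; the filter handles that request first, so the controller logic must move into an
         AuthenticationProvider/UserDetailsService and a success handler. -->
    <form-login login-page="/login.html"                
                login-processing-url="/login"
                authentication-failure-url="/login.html?autherror=true"
                username-parameter="userName"
                password-parameter="password"
                default-target-url="/home.html"
                always-use-default-target="false"/>
    <!-- logout-success-url is the page shown after logout, not the logout trigger; in 3.2 the trigger
         keeps its default URL unless logout-url is set. -->
    <logout invalidate-session="true" delete-cookies="JSESSIONID,user" logout-success-url="/logout"/>       
    <access-denied-handler error-page="/accessDenied"/>     
    <session-management>
                <!-- Listener HttpSessionEventPublisher (in web.xml) notifies of concurrent sessions -->
                <!-- error-if-maximum-exceeded="true" rejects the second login instead of expiring the first session. -->
                <concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
     </session-management>


       </http>

  <!-- Demo-only: plaintext credentials in the config file. Replace with the custom provider from
       the answer, or a user store backed by a password encoder, before deploying. -->
  <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user1" password="123" authorities="ROLE_APPUSER"/>
                <user name="superuser" password="admin" authorities="ROLE_SUPERUSER"/>
            </user-service>
        </authentication-provider>   
  </authentication-manager>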

要求:如何使用spring-security执行上面显示的控制器逻辑?在现有实施中我需要做出哪些改变?

1 个答案:

答案 0 :(得分:2)

还有其他几种方法,我认为最简单的方法是创建一个新的身份验证提供程序。所以我们只需要实现AuthenticationProvider接口。

<!-- NOTE(review): this is an Android layout resource (RelativeLayout/Button/LinearLayout) and has
     nothing to do with Spring Security; it appears to have been pasted here in place of the
     spring-security.xml lines the answer text refers to. The RelativeLayout element is never closed. -->
<RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools"
android:layout_width="match_parent"
android:layout_height="match_parent"
android:id="@+id/incentivebutton">

<Button
    android:layout_width="wrap_content"
    android:layout_height="wrap_content"
    android:text="Incentive"
    android:id="@+id/incentiveButton"
    android:onClick="IncentiveButton"
    android:layout_centerVertical="true"
    android:layout_centerHorizontal="true"
    android:nestedScrollingEnabled="true"
    android:background = "@drawable/roundbutton"
    android:paddingLeft="30dp"
    android:paddingRight="30dp"
    android:paddingTop="55dp"
    android:paddingBottom="55dp"
    android:layout_gravity="center_vertical" />

<!-- The nested LinearLayout redeclares xmlns:android already declared on the root; harmless but redundant. -->
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:id="@+id/linearLayout1"
    android:layout_width="match_parent"
    android:layout_height="wrap_content"
    android:padding="6dp"
    android:weightSum="2"
    android:orientation="vertical">
    <LinearLayout
        android:layout_width="fill_parent"
        android:layout_height="wrap_content"
        android:layout_weight="1">
        <Button
            android:id="@+id/buttonCollect"
            android:layout_width="match_parent"
            android:layout_height="match_parent"
            android:paddingLeft="8dp"
            android:paddingRight="8dp"
            android:layout_weight="1"/>

        <Button
            android:id="@+id/buttonCollect1"
            android:layout_width="match_parent"
            android:layout_height="match_parent"
            android:paddingLeft="8dp"
            android:paddingRight="8dp"
            android:layout_weight="1" />
    </LinearLayout>

    <LinearLayout
        android:layout_width="fill_parent"
        android:layout_height="wrap_content"
        android:layout_gravity="bottom"
        android:layout_weight="1">
        <Button
            android:id="@+id/buttonCollect3"
            android:layout_width="match_parent"
            android:layout_height="match_parent"
            android:paddingLeft="8dp"
            android:paddingRight="8dp"
            android:layout_weight="1" />

        <Button
            android:id="@+id/buttonCollect2"
            android:layout_width="match_parent"
            android:layout_height="match_parent"
            android:paddingLeft="8dp"
            android:paddingRight="8dp"
            android:layout_weight="1" />
    </LinearLayout>
</LinearLayout>

然后在spring-security.xml中的身份验证提供程序配置里添加引用这个自定义提供程序的行(原帖此处的XML片段未保留;上面的布局XML与本回答无关)。自定义提供程序的实现如下:
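/**
 * Authentication provider for the single hard-coded demo account used in this answer.
 *
 * <p>{@link #authenticate} accepts exactly one user name/password pair. On a mismatch it returns
 * {@code null}, which under the {@code AuthenticationProvider} contract means "this provider
 * abstains": the manager moves on to the next provider (for example the in-memory
 * {@code <user-service>} from the question's spring-security.xml) and the login fails only if no
 * provider answers. A provider that is authoritative for its users should instead throw
 * {@code BadCredentialsException} so the failure is explicit and not retried elsewhere.
 *
 * <p>The granted role here is {@code ROLE_USER}; the question's intercept-url rules use
 * {@code ROLE_APPUSER} and {@code ROLE_SUPERUSER}, so the authority must be adapted to those.
 */
@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

    /** Demo credentials; a real provider looks the user up and compares an encoded password. */
    private static final String DEMO_USER = "admin";
    private static final String DEMO_PASSWORD = "system";

    /**
     * Authenticates {@code authentication} against the demo credentials.
     *
     * @param authentication the token built by the form-login filter (user name + raw password)
     * @return an authenticated token carrying {@code ROLE_USER}, or {@code null} to abstain
     * @throws AuthenticationException not thrown by this implementation
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String name = authentication.getName();
        // getCredentials() can be null for tokens created without a password; the original
        // toString() call would throw NPE there, so abstain instead.
        Object credentials = authentication.getCredentials();
        if (name == null || credentials == null) {
            return null;
        }
        String password = credentials.toString();
        if (!DEMO_USER.equals(name) || !constantTimeEquals(DEMO_PASSWORD, password)) {
            return null;
        }
        List<GrantedAuthority> grantedAuths = new ArrayList<>();
        grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
        // The three-argument constructor marks the token as authenticated.
        return new UsernamePasswordAuthenticationToken(name, password, grantedAuths);
    }

    /**
     * Reports whether this provider handles the given token class.
     *
     * @param authentication the token class the manager is about to pass in
     * @return {@code true} for {@code UsernamePasswordAuthenticationToken} and its subclasses
     */
    @Override
    public boolean supports(Class<?> authentication) {
        // isAssignableFrom also accepts subclasses, which the original equals() check rejected.
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    /** Compares two strings without short-circuiting on the first differing byte. */
    private static boolean constantTimeEquals(String expected, String actual) {
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }
}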