Spring-Security的功能主要是由一堆Filter構成過濾器鏈來實現,每個Filter都會完成自己的一部分工作。我今天要做的是對UsernamePasswordAuthenticationFilter進行擴展,新增一個Filter,完成對登錄頁面的校驗碼的驗證。下面先給一張過濾器的說明,接下來講自定義的登錄驗證Filter。
? ??https://docs.spring.io/spring-security/site/docs/3.2.8.RELEASE/reference/htmlsingle/#ns-web-advanced
? ?
? ?一、擴展AbstractAuthenticationProcessingFilter,實現MyUsernamePasswordAuthenticationFilter。
package simm.spring.web.config;import java.io.IOException;import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import org.springframework.security.authentication.InsufficientAuthenticationException; import org.springframework.security.core.Authentication; import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter; import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.util.StringUtils;public class MyUsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter {// 是否開啟驗證碼功能private boolean isOpenValidateCode = true;public static final String VALIDATE_CODE = "validateCode";public MyUsernamePasswordAuthenticationFilter() {super(new AntPathRequestMatcher("/user/login.do", "POST"));SimpleUrlAuthenticationFailureHandler failedHandler = (SimpleUrlAuthenticationFailureHandler)getFailureHandler();failedHandler.setDefaultFailureUrl("/user/login.do?validerror");}@Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse res=(HttpServletResponse)response;if (!requiresAuthentication(req, res)) {chain.doFilter(request, response);return;}if (isOpenValidateCode) {if(!checkValidateCode(req, res))return;}//保存一些session信息HttpSession session = req.getSession();session.setAttribute(VALIDATE_CODE, "mytest");chain.doFilter(request,response); } /*** 覆蓋授權驗證方法,這里可以做一些自己需要的session設置操作*/public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {return null;}protected boolean checkValidateCode(HttpServletRequest request,HttpServletResponse response) throws IOException, ServletException {HttpSession session = request.getSession();String sessionValidateCode = obtainSessionValidateCode(session);sessionValidateCode = "1234";// 做個假的驗證碼;// 讓上一次的驗證碼失效session.setAttribute(VALIDATE_CODE, null);String validateCodeParameter = obtainValidateCodeParameter(request);if (StringUtils.isEmpty(validateCodeParameter) || !sessionValidateCode.equalsIgnoreCase(validateCodeParameter)) {unsuccessfulAuthentication(request, response, new InsufficientAuthenticationException("輸入的驗證碼不正確")); return false;}return true;}private String obtainValidateCodeParameter(HttpServletRequest request) {Object obj = request.getParameter(VALIDATE_CODE);return null == obj ? "" : obj.toString();}protected String obtainSessionValidateCode(HttpSession session) {Object obj = session.getAttribute(VALIDATE_CODE);return null == obj ? "" : obj.toString();} }
代碼解讀
1、為Filter指定請求地址過濾器,用于攔截登錄請求。調用AbstractAuthenticationProcessingFilter.requiresAuthentication方法。
? ? ? ? ? ? ?
2、指定驗證失敗的跳轉頁面
3、驗證碼的測試代碼。假的驗證碼1234,與頁面參數比對后,如果不相等則拋出"輸入的驗證碼不正確"的異常。
4、驗證通過,繼續執行后續的Filter鏈。否則退出請求處理邏輯。這個Filter只處理驗證碼的校驗邏輯,用戶名密碼的驗證交給后面的UsernamePasswordAuthenticationFilter來處理。
? ?二、向HttpSecurity的Filter鏈上插入自定義的Filter,插入到UsernamePasswordAuthenticationFilter的位置上。插入方法有addFilterBefore,addFilterAt,addFilterAfter。這個地方需要注意使用addFilterAt并不是說能替換掉原有的Filter,事實上框架原有的Filter在啟動HttpSecurity配置的過程中,都由框架完成了其一定程度上固定的配置,是不允許更改替換的。根據測試結果來看,調用addFilterAt方法插入的Filter,會在這個位置上的原有Filter之前執行。
@Overrideprotected void configure(HttpSecurity http) throws Exception {String doUrl = "/**/*.do";http.addFilterAt(new MyUsernamePasswordAuthenticationFilter(),UsernamePasswordAuthenticationFilter.class)
三、登錄方法添加對驗證碼錯誤回調的攔截
@Controller @RequestMapping("/user") public class UserController {@RequestMapping(value = "/login", method = RequestMethod.GET)public String login(@RequestParam(value = "error", required = false) String error,@RequestParam(value = "validerror", required = false) String validerror,@RequestParam(value = "logout", required = false) String logout,Model model) {if (error != null) {model.addAttribute("msg", "用戶名或密碼錯誤!");}if(validerror!=null){model.addAttribute("msg", "驗證碼錯誤!");}if (logout != null) {model.addAttribute("msg", "成功退出!");}return "user/login";}
? ? ?四、測試結果展示
以上就是我對登錄功能的自定義Filter實現。其他Filter都是同理,如果需要都可以自行擴展。東西不多,希望對你有所幫助,歡迎留言交流。
_封裝思想——this關鍵字)
通過示例進行解釋)
...)
