java Spring Security 3.0.3 和自定义认证处理过滤器
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4146449/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Spring Security 3.0.3 and custom authentication processing filter
提问by Worker
I use Spring Security 3.0.3.RELEASE. I would like to create a custom authentication processing filter.
我使用 Spring Security 3.0.3.RELEASE。我想创建一个自定义身份验证处理过滤器。
I have created a filter like this:
我创建了一个这样的过滤器:
// imports ommited
public class myFilter extends AbstractAuthenticationProcessingFilter {
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
// some code here
}
}
I configures my security.xmlin the following way:
我security.xml按以下方式配置我的:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:beans="http://www.springframework.org/schema/beans"
xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<http auto-config="true">
<!--<session-management session-fixation-protection="none"/>-->
<custom-filter ref="ipFilter" before="FORM_LOGIN_FILTER"/>
<intercept-url pattern="/login.jsp*" filters="none"/>
<intercept-url pattern="/**" access="ROLE_USER"/>
<form-login login-page="/login.jsp" always-use-default-target="true"/>
<logout logout-url="/logout" logout-success-url="/login.jsp" invalidate-session="true"/>
</http>
<beans:bean id="ipFilter" class="myFilter">
<beans:property name="authenticationManager" ref="authenticationManager"/>
</beans:bean>
<authentication-manager alias="authenticationManager" />
</beans:beans>
Everything seems to be right, but when I try to access to protected pages insted of myFilter.attemptAuthenticationcalled myFilter.doFilter.
一切似乎都是正确的,但是当我尝试访问myFilter.attemptAuthentication调用的受保护页面时myFilter.doFilter。
Any ideas why?
任何想法为什么?
回答by Neeme Praks
Of course servlet container calls MyFilter.doFilter- after all, this is the entry pointinto the filter.
当然 servlet 容器调用MyFilter.doFilter- 毕竟,这是过滤器的入口点。
In your specific case, the servlet container is supposed to call doFilter()on AbstractAuthenticationProcessingFilter, not on MyFilter.
在特定情况下,servlet容器应该调用doFilter()上AbstractAuthenticationProcessingFilter,不是MyFilter。
AbstractAuthenticationProcessingFilter.doFilter()in turn is responsible for calling MyFilter.attemptAuthentication().
AbstractAuthenticationProcessingFilter.doFilter()依次负责调用MyFilter.attemptAuthentication()。
If that is not the case, maybe you overrodedoFilter()in MyFilter? If yes, better remove that(or at least call super.doFilter()). See JavaDocs of AbstractAuthenticationProcessingFilterfor more details.
如果情况并非如此,也许您doFilter()在MyFilter?如果是,最好将其删除(或至少调用super.doFilter())。有关更多详细信息,请参阅AbstractAuthenticationProcessingFilter 的JavaDocs 。
EDIT: MinimeDJ clarified that everything is as I am suggesting above. In that case, I suggest to check the value of filterProcessesUrlproperty. From the JavaDocs:
编辑:MinimeDJ 澄清一切都如我上面建议的那样。在这种情况下,我建议检查filterProcessesUrl财产的价值。从JavaDocs:
This filter will intercept a request and attempt to perform authentication from that request if the request URL matches the value of the filterProcessesUrl property. This behaviour can modified by overriding the method requiresAuthentication.
如果请求 URL 与 filterProcessesUrl 属性的值匹配,则此过滤器将拦截请求并尝试从该请求执行身份验证。可以通过覆盖方法 requiresAuthentication 来修改此行为。
So you can:
所以你可以:
- either set the appropriate
filterProcessesUrlvalue (usually something like/j_spring_security_check) - or you can override
requiresAuthenticationmethod to always returntrue.
- 要么设置适当的
filterProcessesUrl值(通常类似于/j_spring_security_check) - 或者您可以覆盖
requiresAuthentication方法以始终返回true.
If you are still having problems then I suggest you take a debugger and step through spring-security (and your) code to see where exactly the issue occurs.
如果您仍然遇到问题,那么我建议您使用调试器并逐步执行 spring-security(和您的)代码以查看问题究竟发生在哪里。
