使用自定义AbstractAuthenticationProcessingFilter和自定义CustomAuthenticationProvider的身份验证无法正常工作_Authentication_Spring Security_Authorization_Saml 2.0

使用自定义AbstractAuthenticationProcessingFilter和自定义CustomAuthenticationProvider的身份验证无法正常工作

authentication spring-security

使用自定义AbstractAuthenticationProcessingFilter和自定义CustomAuthenticationProvider的身份验证无法正常工作,authentication,spring-security,authorization,saml-2.0,Authentication,Spring Security,Authorization,Saml 2.0,我们使用SpringSecurity根据来自外部应用程序的一些用户详细信息（如userid）对用户进行身份验证，并使用安全上下文持有者执行授权。我们正在使用AbstractAuthenticationProcessingFilter的自定义实现和CustomAuthenticationProvider的自定义实现，将我们自己的UserDetailsServiceImpl注入到提供程序中，用于从数据库获取用户详细信息当单个用户尝试登录时，它工作正常，将创建身份验证对象，并将其正确设置为Secur

我们使用SpringSecurity根据来自外部应用程序的一些用户详细信息（如userid）对用户进行身份验证，并使用安全上下文持有者执行授权。我们正在使用AbstractAuthenticationProcessingFilter的自定义实现和CustomAuthenticationProvider的自定义实现，将我们自己的UserDetailsServiceImpl注入到提供程序中，用于从数据库获取用户详细信息

当单个用户尝试登录时，它工作正常，将创建身份验证对象，并将其正确设置为SecurityCOntextHolder。但是当另一个用户尝试登录时，旧的身份验证对象会被新的身份验证对象覆盖。似乎没有在每个用户登录时创建新会话

过滤器和提供程序的实现如下所示--

自定义提供程序的实现如下所示：

    public class CustomAuthenticationProvider implements AuthenticationProvider, InitializingBean {

private final static Logger logger = LoggerFactory.getLogger(CustomAuthenticationProvider.class);

private AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> preAuthenticatedUserDetailsService = null;
/**
* 
*/
public Authentication authenticate(Authentication authentication) throws AuthenticationException {

    if (!supports(authentication.getClass())) {
        return null;
    }

    if (logger.isDebugEnabled()) {
        logger.debug("PreAuthenticated authentication request: " + authentication);
    }

    if (authentication.getPrincipal() == null) {
        logger.debug("No pre-authenticated principal found in request.");
        return null;
    }

    UserDetails ud = preAuthenticatedUserDetailsService.loadUserDetails((PreAuthenticatedAuthenticationToken)authentication);

    PreAuthenticatedAuthenticationToken result =
            new PreAuthenticatedAuthenticationToken(ud, authentication.getCredentials(), ud.getAuthorities());
    result.setDetails(authentication.getDetails());

    return result;

}

@Override
public void afterPropertiesSet() throws Exception {
    // TODO Auto-generated method stub
}

@Override
public boolean supports(Class<?> authentication) {
    return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
}

/**
 * @return the preAuthenticatedUserDetailsService
 */
public AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> getPreAuthenticatedUserDetailsService() {
    return preAuthenticatedUserDetailsService;
}

/**
 * @param preAuthenticatedUserDetailsService the preAuthenticatedUserDetailsService to set
 */
public void setPreAuthenticatedUserDetailsService(
        AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> preAuthenticatedUserDetailsService) {
    this.preAuthenticatedUserDetailsService = preAuthenticatedUserDetailsService;
}
}

<security:http>
 <security:custom-filter before="SECURITY_CONTEXT_FILTER" ref="securityContextPersistenceFilter"/>

公共类CustomAuthenticationProvider实现AuthenticationProvider，InitializingBean{ 私有最终静态记录器Logger=LoggerFactory.getLogger（CustomAuthenticationProvider.class）；私有身份验证UserDetailsService预身份验证DuserDetailsService=null； /** * */ 公共身份验证（身份验证）引发AuthenticationException{ 如果（！支持（authentication.getClass（）））{ 返回null； } if（logger.isDebugEnabled（））{ 调试（“预验证的身份验证请求：“+身份验证”）； } if（authentication.getPrincipal（）==null）{ debug（“在请求中找不到预验证的主体”）；返回null； } UserDetails ud=PreAuthenticatedUserDetails.loadUserDetails（（PreAuthenticatedAuthenticationToken）身份验证）；预验证身份验证令牌结果= 新的预验证身份验证令牌（ud，authentication.getCredentials（），ud.getAuthories（））； result.setDetails（authentication.getDetails（））；返回结果； } @凌驾 public void afterPropertieSet（）引发异常{ //TODO自动生成的方法存根 } @凌驾公共布尔支持（类身份验证）{ 返回PreAuthenticatedAuthenticationToken.class.isAssignableFrom（身份验证）； } /** *@返回预验证的DuserDetails服务 */ 公共身份验证UserDetailsService getPreAuthenticatedUserDetailsService（）{ 返回预验证的DuserDetailsService； } /** *@param preauthenticateduserdetails服务要设置的preauthenticateduserdetails服务 */ 公共无效setPreAuthenticatedUserDetailsService( AuthenticationUserDetails服务预验证数据详细信息服务）{ this.preAuthenticatedUserDetailsService=preAuthenticatedUserDetailsService； } } 我们还配置了自定义身份验证成功处理程序，以便在身份验证时将用户重定向到适当的URL-

    public class CustomAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

/**
 * redirect user to appropriate home page based on user role
 */
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws ServletException, IOException {

    Set<GrantedAuthority> authorities = ((UserDetails)authentication.getPrincipal()).getAuthorities();
    if(CollectionUtils.isNotEmpty(authorities)){
        GrantedAuthority role = getHighestRole(authorities);
        String targetURL = getTargetURL(role);
        if (targetURL != null) {
            log.debug("Redirecting to target Url: " + targetURL);
            getRedirectStrategy().sendRedirect(request, response, targetURL);
            return;
        }
    }

    super.onAuthenticationSuccess(request, response, authentication);

}
  }

公共类CustomAuthenticationSuccessHandler扩展了SavedRequestAwareAuthenticationSuccessHandler{
/**
*根据用户角色将用户重定向到相应的主页
*/
@凌驾
AuthenticationSuccess（HttpServletRequest请求、HttpServletResponse响应、身份验证）上的公共void引发ServletException、IOException{
设置权限=（（UserDetails）authentication.getPrincipal（））.getAuthories（）；
if（收款项不为空（主管部门））{
GrantedAuthority角色=getHighestRole（权限）；
字符串targetURL=getTargetURL（角色）；
if（targetURL！=null）{
调试（“重定向到目标Url:+targetURL”）；
getRedirectStrategy（）.sendRedirect（请求、响应、目标URL）；
返回；
}
}
super.onAuthenticationSuccess（请求、响应、身份验证）；
}
}

spring安全配置文件如下所示-

    public class DefaultAuthenticationProcessingFilter extends
    AbstractAuthenticationProcessingFilter {

private final static Logger logger = LoggerFactory.getLogger(DefaultAuthenticationProcessingFilter.class);

private static final String INTERCEPTOR_PROCESS_URL = "/sso/landingpage.action";

public DefaultAuthenticationProcessingFilter() {
    super(INTERCEPTOR_PROCESS_URL);
}

public DefaultAuthenticationProcessingFilter(
        String defaultFilterProcessesUrl) {
    super(defaultFilterProcessesUrl);
    Assert.notNull(defaultFilterProcessesUrl, "Configuration error :: DefaultFilterProcessesUrl must be specified");
}


/**
 * Method to do authentication of user
 */
@Override
public Authentication attemptAuthentication(HttpServletRequest request,
        HttpServletResponse response) throws AuthenticationException,
        IOException, ServletException {

    logger.info("Authenticating the user .....");

    Authentication authResult = null;
    try {

        String eid = request.getParameter("EID");

        if( StringUtils.isEmpty(eid)) {
             throw new PreAuthenticatedCredentialsNotFoundException("EID param not found in request.");
        }

        String credentials = "NA";
        PreAuthenticatedAuthenticationToken authRequest = new PreAuthenticatedAuthenticationToken(eid, credentials);
        authRequest.setDetails(authenticationDetailsSource.buildDetails(request));
        authResult = getAuthenticationManager().authenticate(authRequest);
    } catch (AuthenticationException e) {
        unsuccessfulAuthentication(request, response, e);
    } 
    return authResult;
}
    }


    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            Authentication authResult) throws IOException, ServletException {

        if (logger.isDebugEnabled()) {
            logger.debug("Authentication success. Updating SecurityContextHolder to contain: " + authResult);
        }

        SecurityContextHolder.getContext().setAuthentication(authResult);

        getRememberMeServices().loginSuccess(request, response, authResult);

        // Fire event
        if (this.eventPublisher != null) {
            eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));
        }

        getSuccessHandler().onAuthenticationSuccess(request, response, authResult);
 }
    }

    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
                       http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                       http://www.springframework.org/schema/security
                       http://www.springframework.org/schema/security/spring-security-3.1.xsd">

 <security:http use-expressions="true" auto-config="false" pattern="/sso/*" entry-point-ref="http403ForbiddenEntryPoint" access-denied-page="/accessdenied.action" >
    <security:anonymous enabled="false"/>
    <security:custom-filter position="BASIC_AUTH_FILTER" ref="defaultBasicAuthFilter" />
    <security:expression-handler ref="expressionHandler"/>
</security:http>

<security:http use-expressions="true" auto-config="false" pattern="/rcd/associate/*" entry-point-ref="http403ForbiddenEntryPoint"  access-denied-page="/accessdenied.action">
    <security:intercept-url pattern="/saml/sso/*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <security:custom-filter position="BASIC_AUTH_FILTER" ref="defaultBasicAuthFilter" />
    <security:expression-handler ref="expressionHandler"/>
</security:http>

<bean id="http403ForbiddenEntryPoint"
    class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />


<bean id="expressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
     <property name="permissionEvaluator" ref="customPermissionEvaluator" /> 
</bean>

<bean id="defaultBasicAuthFilter"
    class="com.example.security.authentication.DefaultAuthenticationProcessingFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="authenticationSuccessHandler" ref="successRedirectHandler"/>
    <property name="AuthenticationFailureHandler" ref="failureHandler"></property>
</bean>

<bean id="authProvider"
class="com.example.security.authentication.CustomAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService">
        <bean id="userDetailsServiceWrapper"
            class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <property name="userDetailsService" ref="userDetailsService" />
        </bean>
    </property>
</bean>

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider
        ref="authProvider" />
</security:authentication-manager>

<bean id="userDetailsService" class="com.example.security.authorization.UserDetailsServiceImpl" />

 <bean id="successRedirectHandler"
      class="com.example.security.authentication.CustomAuthenticationSuccessHandler">
        <property name="defaultTargetUrl" value="/user1/user1LandingPage.action"/>
     </bean>

<bean id="failureHandler"
      class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <property name="defaultFailureUrl" value="/accessdenied.action"/>
</bean>

我们还配置了web.xml

<listener>
    <listener-class>
        org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/spring/spring-app-context.xml <!-- ,/WEB-INF/spring/security.xml -->
    </param-value>
</context-param>

<servlet>
    <servlet-name>example-dispatcher-servlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/mvc.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- Map all /example*.action requests to the example-dispatcher-servlet for handling -->
<servlet-mapping>
    <servlet-name>example-dispatcher-servlet</servlet-name>
    <url-pattern>*.action</url-pattern>
</servlet-mapping>

<welcome-file-list>
    <welcome-file>/rcd/pages/index.jsp</welcome-file>
</welcome-file-list>

<listener>
    <listener-class>com.example.HttpSessionListenerImpl</listener-class>
</listener>


<!-- Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
  <filter-name>springSecurityFilterChain</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>


org.springframework.web.context.ContextLoaderListener
上下文配置位置
/WEB-INF/spring/spring-app-context.xml
示例调度器servlet
org.springframework.web.servlet.DispatcherServlet
上下文配置位置
/WEB-INF/spring/mvc.xml
1.
示例调度器servlet
*.行动
/rcd/pages/index.jsp
com.example.HttpSessionListenerImpl
springSecurityFilterChain
org.springframework.web.filter.DelegatingFilterProxy
springSecurityFilterChain
/*

我们正在使用spring 3.1.3和spring security 3.1.3 应在每个用户登录时创建新会话，并相应地设置安全上下文。但我的情况就是这样。我在我的应用程序中检查了debuggin，发现在用户登录时没有创建新会话。也许我在什么地方错过了它。我找不到任何相关的解决方案

在这方面的任何帮助都将不胜感激

谢谢。

对不起，伙计们，虽然我当时已经解决了这个问题，但很长一段时间我都没有看这个问题-

我在元素中使用了securityContextPersistenceFilter，配置如下-

    public class CustomAuthenticationProvider implements AuthenticationProvider, InitializingBean {

private final static Logger logger = LoggerFactory.getLogger(CustomAuthenticationProvider.class);

private AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> preAuthenticatedUserDetailsService = null;
/**
* 
*/
public Authentication authenticate(Authentication authentication) throws AuthenticationException {

    if (!supports(authentication.getClass())) {
        return null;
    }

    if (logger.isDebugEnabled()) {
        logger.debug("PreAuthenticated authentication request: " + authentication);
    }

    if (authentication.getPrincipal() == null) {
        logger.debug("No pre-authenticated principal found in request.");
        return null;
    }

    UserDetails ud = preAuthenticatedUserDetailsService.loadUserDetails((PreAuthenticatedAuthenticationToken)authentication);

    PreAuthenticatedAuthenticationToken result =
            new PreAuthenticatedAuthenticationToken(ud, authentication.getCredentials(), ud.getAuthorities());
    result.setDetails(authentication.getDetails());

    return result;

}

@Override
public void afterPropertiesSet() throws Exception {
    // TODO Auto-generated method stub
}

@Override
public boolean supports(Class<?> authentication) {
    return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
}

/**
 * @return the preAuthenticatedUserDetailsService
 */
public AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> getPreAuthenticatedUserDetailsService() {
    return preAuthenticatedUserDetailsService;
}

/**
 * @param preAuthenticatedUserDetailsService the preAuthenticatedUserDetailsService to set
 */
public void setPreAuthenticatedUserDetailsService(
        AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> preAuthenticatedUserDetailsService) {
    this.preAuthenticatedUserDetailsService = preAuthenticatedUserDetailsService;
}
}

<security:http>
 <security:custom-filter before="SECURITY_CONTEXT_FILTER" ref="securityContextPersistenceFilter"/>

如何解决此问题？请添加您的答案。@Ebanath，您希望其他人帮助您，但没有共享解决方案，为什么？我有类似的要求。您能看看我的问题吗