Hibernate Spring Security的自定义AuthenticationProvider 4.2.1


大家好，这篇文章是关于 Spring Security 和 AuthenticationProvider 的自定义实现的。我的应用程序使用以下配置：JDK 1.8、Spring 4.3.5、Hibernate 5.2.6、Spring Security 4.2.1。

问题在于 AuthenticationProvider 的自定义实现：我可以登录，但按角色指定的访问控制不起作用。

这是我的 Spring-security.xml 代码：

<http auto-config="true" use-expressions="true">
    <!-- NOTE(review): intercept-url rules are evaluated in declaration order and the first
         matching pattern wins, so this catch-all matches every request before the more
         specific rules below (including the hasRole checks) are reached; confirm, and
         consider declaring it last. -->
    <intercept-url pattern="/**" access="isAuthenticated()"/>
    <intercept-url pattern="/home.htm" access="permitAll" />
    <intercept-url pattern="/login.htm" access="permitAll" />
    <intercept-url pattern="/registerUser.htm" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/manageUser.htm" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/manageProject.htm" access="permitAll" />


    <!-- Manage user login logout -->
    <form-login login-processing-url="/j_spring_security_check" login-page="/login.htm" authentication-failure-handler-ref="customAuthenticationFailureHandler" authentication-success-handler-ref="customAuthenticationSuccessHandler"/>
    <logout logout-url="/logout.htm" delete-cookies="true" invalidate-session="true" />
    <!-- NOTE(review): CSRF protection is disabled for the whole application, which also
         leaves the login and logout endpoints above unprotected against cross-site requests. -->
    <csrf disabled="true"/>
</http>

<!-- After a successful login the user is always sent to /home.htm. -->
<beans:bean id="customAuthenticationSuccessHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl" value="/home.htm" />
</beans:bean>   

<!-- A failed login is redirected back to the login page with an error flag. -->
<beans:bean id="customAuthenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <beans:property name="defaultFailureUrl"  value="/login.htm?error=true"/>
</beans:bean>   
<!-- NOTE(review): declared without a scope attribute, so Spring's default (singleton)
     applies; the provider's @Autowired fields are therefore shared by every concurrent
     login request. -->
<beans:bean id="myAuthenticationProvider" class="com.rolta.scan.serviceImpl.CustomAuthenticationProviderImpl"/>

<!-- The custom provider is the only provider registered with the authentication manager. -->
<authentication-manager alias="authenticationManager">
    <authentication-provider ref="myAuthenticationProvider" />
</authentication-manager>

CustomAuthenticationProviderImpl.java

// Instance (non-static, non-final) logger; one per provider bean.
private Logger LOGGER = Logger.getLogger(CustomAuthenticationProviderImpl.class);

// Repository used by authenticate() to load the user record by user name.
@Autowired
private CustomUserRepository userService;

// Repository used by authenticate() to persist the per-login audit record.
@Autowired
private UserLoginsRepository userLoginService;

// NOTE(review): authenticate() assigns the loaded user into this injected field. If the
// provider and this bean are singletons (the XML declares the provider without a scope),
// concurrent logins share one instance and can observe each other's user - confirm, or
// keep the loaded user in a local variable instead.
@Autowired
private T_CustomUserBean user;

// NOTE(review): same shared-state concern - authenticate() fills this injected instance
// with request-specific data (user name, session id, headers) before saving it. Confirm
// its scope, or create a fresh record per login.
@Autowired
private T_UserLogins tUserLogins;

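/**
 * Authenticates a user-name/password token against the user repository and records a login
 * audit entry.
 *
 * @param authentication the token presented by the login filter; principal and credentials are
 *                       read via {@code toString()}
 * @return a fully authenticated {@link UsernamePasswordAuthenticationToken} carrying the user's
 *         granted authorities
 * @throws BadCredentialsException when the principal or credentials are missing, the user is
 *                                 unknown, the password does not match, or the account is disabled
 */
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    // A missing principal or credential is a bad login, not a NullPointerException.
    Object principal = authentication.getPrincipal();
    Object credentials = authentication.getCredentials();
    if (principal == null || credentials == null) {
        throw new BadCredentialsException("");
    }
    String username = principal.toString();
    String password = credentials.toString();

    ServletRequestAttributes attr = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
    HttpServletRequest request = attr.getRequest();
    // getSession(true) creates the session if none exists yet, so an id is always available for the audit record.
    HttpSession session = request.getSession(true);

    // Build the login audit record. Every value taken from a request header is client-controlled
    // (the X-Forwarded-For family can be freely spoofed), so these columns are untrusted when read back.
    tUserLogins.setLoginId(username);
    tUserLogins.setSessionId(session.getId());
    tUserLogins.setLoginIpAddress(request.getRemoteAddr());
    // The plaintext password is deliberately no longer copied into the audit record: storing it next to
    // the user name, IP address and session id turned the audit table into a credential store.
    tUserLogins.setLoginDtTime(new Date().toString());
    tUserLogins.setLoginStatus("");
    tUserLogins.setEventName("");
    tUserLogins.setForwarded_for(request.getHeader("X-Forwarded-For"));
    tUserLogins.setProxy_client_ip(request.getHeader("Proxy-Client-IP"));
    tUserLogins.setWl_proxy_client_ip(request.getHeader("WL-Proxy-Client-IP"));
    tUserLogins.setHttp_x_forwarded_for(request.getHeader("HTTP_X_FORWARDED_FOR"));
    tUserLogins.setHttp_x_forwarded(request.getHeader("HTTP_X_FORWARDED"));
    tUserLogins.setHttp_cluster_client_ip(request.getHeader("HTTP_X_CLUSTER_CLIENT_IP"));
    tUserLogins.setHttp_client_ip(request.getHeader("HTTP_CLIENT_IP"));
    tUserLogins.setHttp_forwarded_for(request.getHeader("HTTP_FORWARDED_FOR"));
    tUserLogins.setHttp_forwarded(request.getHeader("HTTP_FORWARDED"));
    tUserLogins.setHttp_via(request.getHeader("HTTP_VIA"));
    // NOTE(review): "REMOTE_ADDR" is a CGI variable rather than a request header, so this is presumably
    // always null; the peer address is already recorded via getRemoteAddr() above - confirm whether the
    // column is used anywhere.
    tUserLogins.setRemote_addr(request.getHeader("REMOTE_ADDR"));

    // The field assignment is kept for any other reader of 'user', but this method works on the local
    // reference so a concurrent login that reassigns the shared field cannot swap the user mid-check.
    T_CustomUserBean loadedUser = userService.loadUserByName(username);
    user = loadedUser;

    // Unknown user, user-name mismatch, wrong password and disabled account all fail the same way.
    // NOTE(review): the stored password is compared as plain text; it should be a salted hash verified
    // through a PasswordEncoder - confirm how CustomUserRepository stores it.
    if (loadedUser == null
            || !username.equalsIgnoreCase(loadedUser.getUsername())
            || !password.equals(loadedUser.getPassword())
            || !loadedUser.isEnabled()) {
        LOGGER.warn("Authentication failed for user name :" + username);
        throw new BadCredentialsException("");
    }

    // Authorities come from the user bean and no longer depend on the audit write succeeding; previously a
    // failed save left them null, producing an authenticated token with no roles at all.
    List<GrantedAuthority> authorities = getGrantedAuthorities(loadedUser);
    try {
        userLoginService.saveUserLogins(tUserLogins);
    } catch (Exception se) {
        // Best-effort audit as before, but the stack trace is now actually logged
        // (the old getStackTrace() concatenation only printed an array reference).
        // NOTE(review): a login that cannot be audited still succeeds here - decide whether this should fail closed.
        LOGGER.error("Exception occured while saving login record for user name :" + username, se);
    }
    LOGGER.info("User logged in successfully with user name :" + username);
    return new UsernamePasswordAuthenticationToken(username, password, authorities);
}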


/**
 * Converts every role attached to the given user bean into a Spring {@link SimpleGrantedAuthority}.
 *
 * @param user the loaded user whose roles are converted
 * @return a mutable list holding one authority per role, in iteration order of the user's roles
 */
private List<GrantedAuthority> getGrantedAuthorities(T_CustomUserBean user){
    List<GrantedAuthority> granted = new ArrayList<>();
    for (T_CustomRole role : user.getAuthorities()) {
        String authorityName = role.getAuthority();
        granted.add(new SimpleGrantedAuthority(authorityName));
    }
    return granted;
}

/**
 * Tells the authentication manager which token type this provider handles.
 *
 * @param authentication the token class being offered to this provider
 * @return {@code true} only for {@link UsernamePasswordAuthenticationToken} itself (an exact class
 *         match, so subclasses are not accepted)
 */
@Override
public boolean supports(Class<?> authentication) {
    Class<?> supportedType = UsernamePasswordAuthenticationToken.class;
    boolean exactMatch = authentication.equals(supportedType);
    return exactMatch;
}
private Logger=Logger.getLogger(CustomAuthenticationProviderImpl.class);
@自动连线
私有CustomUserRepository用户服务;
@自动连线
私有用户登录存储用户登录服务;
@自动连线
私有T_CustomUserBean用户;
@自动连线
私人T_用户登录名tUserLogins;
@凌驾
公共身份验证(身份验证)引发AuthenticationException{
SimpleDataFormat日期\格式=新SimpleDataFormat(“yyyy-MM-dd-HH-MM-SS”);
字符串username=authentication.getPrincipal().toString();
字符串密码=authentication.getCredentials().toString();
//String message=“错误的用户名或密码”;
收集<代码>

请更改 intercept-url 的顺序：规则按声明顺序匹配，第一个匹配的规则生效，因此通配的 /** 应放在最后。更多详细信息请参见下面的配置示例。

没有更改。问题在于角色：URL /registerUser.htm 和 /manageUser.htm 应当只能由具有“ADMIN”角色的用户访问，否则应返回 403「拒绝访问」错误，但我仍然可以访问这些 URL。
<intercept-url pattern="/home.htm" access="permitAll" />
<intercept-url pattern="/login.htm" access="permitAll" />
<intercept-url pattern="/registerUser.htm" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/manageUser.htm" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/manageProject.htm" access="permitAll" />
<!-- Catch-all declared last, so the more specific rules above are matched first. -->
<intercept-url pattern="/**" access="isAuthenticated()"/>