Hibernate Spring Security的自定义AuthenticationProvider 4.2.1
大家好，这个问题是关于 Spring Security 的自定义 AuthenticationProvider 实现。我的应用使用以下版本：JDK 1.8、Spring 4.3.5、Hibernate 5.2.6、Spring Security 4.2.1。使用自定义的 AuthenticationProvider 之后可以正常登录，但按角色限制访问不起作用（要求 hasRole('ROLE_ADMIN') 的 URL 仍然可以被访问）。下面是我的 Spring-security.xml 配置：
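<!-- intercept-url rules are evaluated top-down and the FIRST matching pattern wins.
     The catch-all "/**" therefore has to be the LAST rule: in the original order it
     came first, every request satisfied isAuthenticated(), and the hasRole('ROLE_ADMIN')
     rules below were never consulted - any logged-in user could reach them. -->
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/home.htm" access="permitAll" />
    <intercept-url pattern="/login.htm" access="permitAll" />
    <!-- hasRole('ROLE_ADMIN') passes only a principal that holds a GrantedAuthority whose
         text is exactly "ROLE_ADMIN"; that string must be what getGrantedAuthorities()
         in CustomAuthenticationProviderImpl produces for admin users. -->
    <intercept-url pattern="/registerUser.htm" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/manageUser.htm" access="hasRole('ROLE_ADMIN')" />
    <intercept-url pattern="/manageProject.htm" access="permitAll" />
    <!-- Everything not listed above: any authenticated user. Keep this last. -->
    <intercept-url pattern="/**" access="isAuthenticated()"/>
    <!-- Manage user login logout -->
    <form-login login-processing-url="/j_spring_security_check" login-page="/login.htm"
                authentication-failure-handler-ref="customAuthenticationFailureHandler"
                authentication-success-handler-ref="customAuthenticationSuccessHandler"/>
    <!-- delete-cookies takes a comma-separated list of cookie NAMES to clear on logout;
         the previous value "true" would only have deleted a cookie literally named "true". -->
    <logout logout-url="/logout.htm" delete-cookies="JSESSIONID" invalidate-session="true" />
    <!-- SECURITY: CSRF protection is disabled for the whole application, so the login
         form, the GET-triggered logout above and every state-changing request can be
         driven from a third-party page. Left in place here only because enabling it
         requires every POST form (including the login page) to submit the _csrf token
         and logout to become a POST; do that and then remove this element. -->
    <csrf disabled="true"/>
</http>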
<!-- Post-login redirect target used when Spring has no saved request to return to. -->
<beans:bean id="customAuthenticationSuccessHandler"
            class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl">
        <beans:value>/home.htm</beans:value>
    </beans:property>
</beans:bean>
<!-- Post-failure redirect target; the error flag lets the login page render a message. -->
<beans:bean id="customAuthenticationFailureHandler"
            class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <beans:property name="defaultFailureUrl">
        <beans:value>/login.htm?error=true</beans:value>
    </beans:property>
</beans:bean>
<!-- The ProviderManager consults exactly one provider: the custom implementation below.
     No PasswordEncoder is wired in; CustomAuthenticationProviderImpl compares the
     submitted password itself. -->
<authentication-manager alias="authenticationManager">
    <authentication-provider ref="myAuthenticationProvider" />
</authentication-manager>
<beans:bean id="myAuthenticationProvider"
            class="com.rolta.scan.serviceImpl.CustomAuthenticationProviderImpl" />
CustomAuthenticationProviderImpl.java
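/** Class-wide logger; one per class is enough, so it is static (was a per-instance field). */
private static final Logger LOGGER = Logger.getLogger(CustomAuthenticationProviderImpl.class);

/** Looks up the account (user name, stored password, enabled flag, roles) by user name. */
@Autowired
private CustomUserRepository userService;

/** Persists one login-audit row per successful authentication. */
@Autowired
private UserLoginsRepository userLoginService;

// SECURITY / concurrency: the two beans below are injected by Spring and, unless scoped
// otherwise, are singletons shared by every concurrent login request. authenticate()
// writes the loaded account and the audit row into them, so two overlapping logins can
// overwrite each other's data and one request can end up with the authorities of another
// request's user. They should be method-local objects, not fields; they are retained
// here only so that existing code referencing them still compiles.
@Autowired
private T_CustomUserBean user;
@Autowired
private T_UserLogins tUserLogins;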
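/**
 * Authenticates the user name / password carried by {@code authentication} against the
 * user repository, writes one login-audit row on success and returns an authenticated
 * token for the same user name carrying the account's authorities.
 *
 * <p>Must run inside a web request: the audit row is filled from
 * {@code RequestContextHolder.currentRequestAttributes()}, which throws an
 * IllegalStateException when no request is bound to the current thread.
 *
 * @param authentication the unauthenticated token built by the login filter
 *                       (principal = user name, credentials = password)
 * @return a new, authenticated UsernamePasswordAuthenticationToken
 * @throws BadCredentialsException when the account is unknown, disabled, or the password
 *                                 does not match - one generic message for all three so
 *                                 the response does not reveal which user names exist
 */
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    // getName() yields the principal's text just as getPrincipal().toString() did, but
    // without dereferencing a null principal.
    String username = authentication.getName();
    Object credentials = authentication.getCredentials();
    if (username == null || username.isEmpty() || credentials == null) {
        throw new BadCredentialsException("Bad credentials");
    }
    String password = credentials.toString();

    // Kept in a LOCAL on purpose: the injected 'user' field is a bean shared by every
    // concurrent login, so storing the loaded account there let one request observe
    // (and be granted the authorities of) another request's user.
    T_CustomUserBean account = userService.loadUserByName(username);

    // Fail closed. An unknown user previously dereferenced null here, which escaped as a
    // non-AuthenticationException (server error) instead of a plain login failure.
    //
    // SECURITY: password.equals(...) is a plaintext comparison, i.e. passwords are stored
    // in clear. This should become passwordEncoder.matches(password, account.getPassword())
    // with a BCrypt/SCrypt/Argon2 encoder once the stored values are hashed; not changed
    // here because no PasswordEncoder bean exists in the visible configuration.
    if (account == null
            || !account.getUsername().equalsIgnoreCase(username)
            || !account.isEnabled()
            || !password.equals(account.getPassword())) {
        throw new BadCredentialsException("Bad credentials");
    }

    // Resolve authorities OUTSIDE the audit try/catch: they used to be computed after
    // saveUserLogins() in the same block, so a failed audit insert was swallowed and the
    // user was issued an authenticated token with NO authorities.
    Collection<? extends GrantedAuthority> authorities = getGrantedAuthorities(account);

    HttpServletRequest request =
            ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest();
    try {
        // Best-effort audit, as before: a failure is logged but does not block the login.
        userLoginService.saveUserLogins(newLoginRecord(username, request));
        LOGGER.info("User logged in successfully with user name :" + username);
    } catch (Exception se) {
        // Pass the throwable so the stack trace is actually logged; the old code
        // concatenated getStackTrace(), which prints only an array reference.
        LOGGER.error("Could not persist login audit row for user " + username, se);
    }

    // Credentials stay on the token as before; ProviderManager erases them after
    // authentication unless eraseCredentialsAfterAuthentication has been switched off.
    return new UsernamePasswordAuthenticationToken(username, password, authorities);
}

/**
 * Builds the audit row for one successful login. A fresh instance is created per call
 * instead of reusing the injected, shared {@code tUserLogins} bean.
 * Assumes T_UserLogins has a public no-arg constructor (it is instantiated as a Spring
 * bean elsewhere) - TODO confirm.
 *
 * @param username the authenticated user name
 * @param request  the current request; source of the peer address and proxy headers
 * @return the populated, not yet persisted row
 */
private T_UserLogins newLoginRecord(String username, HttpServletRequest request) {
    T_UserLogins row = new T_UserLogins();
    row.setLoginId(username);
    // NOTE(review): Spring Security normally migrates the session id right after a
    // successful login, so this is most likely the pre-login id - confirm before
    // correlating it with later requests.
    row.setSessionId(request.getSession().getId());
    row.setLoginIpAddress(request.getRemoteAddr());
    // SECURITY: never persist the password. The old code wrote the plaintext password
    // into the audit table. An empty string is stored in case the column is NOT NULL;
    // the column itself should be dropped.
    row.setLoginPassword("");
    row.setLoginDtTime(new Date().toString());
    row.setLoginStatus("");
    row.setEventName("");
    // Every value below is a client-supplied header and trivially spoofed; treat them as
    // hints only, never as the client's identity. The HTTP_* names are CGI
    // environment-variable spellings and will rarely, if ever, arrive as real header
    // names (X-Forwarded-For is already captured above); they are kept byte-for-byte
    // for audit-schema compatibility.
    row.setForwarded_for(request.getHeader("X-Forwarded-For"));
    row.setProxy_client_ip(request.getHeader("Proxy-Client-IP"));
    row.setWl_proxy_client_ip(request.getHeader("WL-Proxy-Client-IP"));
    row.setHttp_x_forwarded_for(request.getHeader("HTTP_X_FORWARDED_FOR"));
    row.setHttp_x_forwarded(request.getHeader("HTTP_X_FORWARDED"));
    row.setHttp_cluster_client_ip(request.getHeader("HTTP_X_CLUSTER_CLIENT_IP"));
    row.setHttp_client_ip(request.getHeader("HTTP_CLIENT_IP"));
    row.setHttp_forwarded_for(request.getHeader("HTTP_FORWARDED_FOR"));
    row.setHttp_forwarded(request.getHeader("HTTP_FORWARDED"));
    row.setHttp_via(request.getHeader("HTTP_VIA"));
    // REMOTE_ADDR is not an HTTP header, so getHeader("REMOTE_ADDR") is null unless some
    // proxy happens to add one; the socket peer address is what this column was meant
    // to record.
    row.setRemote_addr(request.getRemoteAddr());
    return row;
}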
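/**
 * Maps the account's stored roles to Spring authorities.
 *
 * <p>The authority text must match what the intercept-url rules test for, e.g. the
 * security XML's hasRole('ROLE_ADMIN') only passes a principal holding an authority
 * whose text is exactly "ROLE_ADMIN".
 *
 * @param user the loaded account; its getAuthorities() may be null
 * @return a new mutable list, empty when the account has no roles - never null
 * @throws IllegalArgumentException from SimpleGrantedAuthority if a role has a null or
 *                                  empty authority string; that is a data error and is
 *                                  deliberately not skipped silently
 */
private List<GrantedAuthority> getGrantedAuthorities(T_CustomUserBean user) {
    List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
    // A missing role collection used to NPE here; an account with no roles simply has
    // no authorities.
    if (user == null || user.getAuthorities() == null) {
        return authorities;
    }
    for (T_CustomRole role : user.getAuthorities()) {
        authorities.add(new SimpleGrantedAuthority(role.getAuthority()));
    }
    return authorities;
}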
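/**
 * Tells the ProviderManager which Authentication types this provider handles.
 *
 * <p>isAssignableFrom is the usual Spring idiom: it still accepts
 * UsernamePasswordAuthenticationToken itself (as the previous equals() check did) and
 * additionally accepts subclasses of it.
 *
 * @param authentication the token class the ProviderManager is about to hand over
 * @return true when this provider can authenticate tokens of that class
 */
@Override
public boolean supports(Class<?> authentication) {
    return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
}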
private Logger=Logger.getLogger(CustomAuthenticationProviderImpl.class);
@自动连线
私有CustomUserRepository用户服务;
@自动连线
私有用户登录存储用户登录服务;
@自动连线
私有T_CustomUserBean用户;
@自动连线
私人T_用户登录名tUserLogins;
@凌驾
公共身份验证(身份验证)引发AuthenticationException{
SimpleDataFormat日期\格式=新SimpleDataFormat(“yyyy-MM-dd-HH-MM-SS”);
字符串username=authentication.getPrincipal().toString();
字符串密码=authentication.getCredentials().toString();
//String message=“错误的用户名或密码”;
收集<代码>
回答：请调整 intercept-url 的顺序——Spring Security 按声明顺序取第一个匹配的规则，把 `/**` 放在最前面会屏蔽其后的所有规则（原文此处引用了一个链接，链接已丢失）。提问者回复：按下面的顺序修改后没有变化。问题仍然出在角色上：/registerUser.htm 和 /manageUser.htm 应该只允许拥有 ROLE_ADMIN 权限的用户访问，其他用户应得到 403「拒绝访问」，但我仍然能够访问这些 URL。
<!-- Corrected order: specific patterns first, catch-all last. Spring Security stops at
     the FIRST intercept-url whose pattern matches the request, so "/**" must be the
     final rule or it shadows everything declared after it. -->
<intercept-url pattern="/home.htm" access="permitAll" />
<intercept-url pattern="/login.htm" access="permitAll" />
<!-- Only principals holding an authority whose text is exactly "ROLE_ADMIN" pass; every
     other user gets 403. If these URLs are still reachable with this order, check what
     getAuthority() actually returns for the logged-in user and whether the request really
     goes through this filter chain - neither can be determined from this snippet. -->
<intercept-url pattern="/registerUser.htm" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/manageUser.htm" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/manageProject.htm" access="permitAll" />
<!-- Everything not listed above: any authenticated user. -->
<intercept-url pattern="/**" access="isAuthenticated()"/>