1. 首页
  2. 问答
  3. 如何使用自定义过滤器映射将自定义过滤器添加到弹簧安全过滤器链中?

如何使用自定义过滤器映射将自定义过滤器添加到弹簧安全过滤器链中?

2016-03-10 55 views
0

我想检查验证码,如果用户想登录,如果验证码是正确的,请致电filterChain.doFilter()恢复验证,如果验证码不正确,请将用户重新输入用户名,密码和验证码。 所以,我想把我的CaptchaFilter/登录filterMapping在春季安全装配链的第一个。如何使用自定义过滤器映射将自定义过滤器添加到弹簧安全过滤器链中?

的login.jsp

<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %> 
<%@ page contentType="text/html; charset=UTF-8" language="java" pageEncoding="UTF-8" session="true" %> 
<html> 
<head> 
    <title>Login Page</title> 
</head> 
<body onload='document.loginForm.username.focus();'> 
<div id="login-box"> 

    <form name='loginForm' action="<c:url value='/login' />" method='POST'> 
     <table> 
      <tr> 
       <td>User:</td> 
       <td><input type='text' name='username'></td> 
      </tr> 
      <tr> 
       <td>Password:</td> 
       <td><input type='password' name='password'/> 
       </td> 
      </tr> 
      <tr> 
       <td colspan="2"> 
        <img id="imgCaptcha" src="<c:url value = '/j-captcha.jpg' />" onclick='this.src="<c:url value='/j-captcha.jpg'/>";' style="cursor: pointer"/> 
       </td> 
      </tr> 
      <tr> 
       <td colspan="2"> 
        <input name="jcaptcha" type="text" placeholder="captcha"/> 
       </td> 
      <tr> 
       <td colspan='2'><input name="submit" type="submit" value="submit"/></td> 
      </tr> 
     </table> 
    </form> 
</div> 
</body> 
</html>

CaptchaFilter

public class CaptchaFilter implements Filter { 

    @Override 
    public void init(FilterConfig filterConfig) throws ServletException { 

    } 

    @Override 
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException { 
     HttpServletRequest request = (HttpServletRequest) servletRequest; 
     HttpServletResponse response = (HttpServletResponse) servletResponse; 

     if (request.getParameter("jcaptcha") != null) { 
      checkCaptcha(request, response, filterChain); 
     } else { 
      filterChain.doFilter(request, response); 
     } 
    } 

    private void checkCaptcha(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws IOException, ServletException { 
     try { 
      String userCaptchaResponse = request.getParameter("jcaptcha"); 
      boolean isResponseCorrect = CaptchaService.getInstance().validateResponseForID(request.getRequestedSessionId(), userCaptchaResponse); 
      if (isResponseCorrect) { 
       filterChain.doFilter(request, response); 
      } else { 
       String url = request.getHeader("referer").replaceAll("[&?]error.*?(?=&|\\?|$)", ""); 
       url += "?error=" + SecurityUtility.CAPTCHA_IS_WRONG; 

       redirect(request, response, url); 
      } 
     } catch (Exception e) { 
      e.printStackTrace(); 
      filterChain.doFilter(request, response); 
     } 
    } 

    private void redirect(HttpServletRequest request, HttpServletResponse response, String url) { 
     try { 
      response.sendRedirect(request.getContextPath() + url); 
     } catch (Exception ex) { 
      ex.printStackTrace(); 
     } 
    } 

    @Override 
    public void destroy() { 

    } 
}

SpringSecurityConfig:

@Configuration 
@EnableWebSecurity 
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter { 
    @Autowired 
    @Qualifier("userDetailsService") 
    UserDetailsService userDetailsService; 

    @Autowired 
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { 
     auth.userDetailsService(userDetailsService); 
    } 

    @Override 
    protected void configure(HttpSecurity http) throws Exception { 

     http.authorizeRequests().antMatchers("/admin/**") 
       .access("hasRole('ROLE_USER')").and().formLogin() 
       .loginPage("/login").failureUrl("/login?error") 
       .usernameParameter("username") 
       .passwordParameter("password") 
       .and().logout().logoutSuccessUrl("/login?logout") 
       .and().exceptionHandling().accessDeniedPage("/403"); 
    } 
}

SpringWebConfig

@EnableWebMvc 
@Configuration 
@ComponentScan({"com.rgh.*"}) 
@EnableTransactionManagement 
@Import({SpringSecurityConfig.class}) 
public class SpringWebConfig { 
    @Bean 
    public SessionFactory sessionFactory() { 
     LocalSessionFactoryBuilder builder = new LocalSessionFactoryBuilder(dataSource()); 
     builder.scanPackages("com.rgh.*.model").addProperties(getHibernateProperties()); 
     return builder.buildSessionFactory(); 
    } 

    private Properties getHibernateProperties() { 
     // set and return properties 
    } 

    @Bean(name = "dataSource") 
    public BasicDataSource dataSource() { 
     // set and return datasource 
    } 

    @Bean 
    public HibernateTransactionManager txManager() { 
     return new HibernateTransactionManager(sessionFactory()); 
    } 
}

SpringWebInitializer

public class SpringWebInitializer extends AbstractAnnotationConfigDispatcherServletInitializer { 
    @Override 
    protected Class<?>[] getRootConfigClasses() { 
     return new Class[]{SpringWebConfig.class}; 
    } 

    @Override 
    protected String[] getServletMappings() { 
     return new String[]{"/", "/rest/*"}; 
    } 
}

SpringSecurityInitializer

public class SpringSecurityInitializer extends AbstractSecurityWebApplicationInitializer { 

}

我是新来的弹簧4和的Spring Java配置。

来源

2016-03-10 Rasool Ghafari

回答

1

您可以添加您的过滤器是这样的:

public class WebSecurityConfig extends WebSecurityConfigurerAdapter { 
@Override 
protected void configure(HttpSecurity http) throws Exception { 
... 
http.addFilterAfter(yourFilter, CsrfFilter.class); 
... 
}

还有其他方法addFilterBefore(..)和addFilter(..)添加过滤器。 addFilterBefore和addFilterAfter期望作为第二个参数的过滤器类是SecurityFilterChain的一部分,并且它们将相对于它添加。 addFilter需要一些我从未尝试过的comperator。

要查找实际在SecurityFilterChain中的过滤器类,请在控制器方法中设置断点并在堆栈中搜索SecurityFilterChain(或DefaultSecurityFilterChain)。在那里你可以看到哪些过滤器类被配置,例如在DefaultSecurityFilterChain.fiters中 查找第一个过滤器类,而不是使用addFilterBefore添加您的验证码过滤器。

来源

2016-03-10 19:54:48

相关问题

 相关问题