手记

Spring security4.1.4 如何实现api接口和页面的双重拦截

慕码人3916992
2016-01-29 22:12:52浏览 10384

貌似市面上关于双重拦截的比较少,而且版本都比较旧 ,我今天就给大家讲讲spring secutiry的双重拦截,下回我再讲讲shiro的双重拦截。最近做东西比较杂乱~~哈哈

首先讲一下spring Security入和对接口和页面同时拦截

首先是配置文件

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">

<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true" entry-point-ref="MyAuthenticationEntryPoint">

不拦截的接口
<intercept-url pattern="/customer" access="permitAll"></intercept-url>

拦截的api
<intercept-url pattern="api/cv1/**" access="hasRole('ROLE_USER')" />

拦截的网页
<intercept-url pattern="/customer/**" access="hasRole('ROLE_USER')" />

页面登录
<custom-filter ref="loginFilter" after="FORM_LOGIN_FILTER"/>
ajax登录
<custom-filter ref="ajaxLoginFilter" before="FORM_LOGIN_FILTER"/>
开启csrf,之前的博客我也有说个csrf 你们自己看看就好
<!-- enable csrf protection -->
<!--<csrf/>-->
</http>

<beans:bean id="MyAuthenticationEntryPoint" class="com.cs.jucaibang.back_end.utils.springsecurity.MyAuthenticationEntryPoint">
    <beans:property name="loginFormUrl" value="/customer/login" />
</beans:bean>

<!-- 验证ajax请求,配置 开始-->
<beans:bean id="ajaxLoginFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="authenticationFailureHandler" ref="ajaxFailureHandler"/>
    <beans:property name="authenticationSuccessHandler" ref="ajaxSuccessHandler"/>
    <beans:property name="filterProcessesUrl" value="/api/login"/>
    <beans:property name="passwordParameter" value="passWord"/>
    <beans:property name="usernameParameter" value="userName"/>
</beans:bean>

<beans:bean id="ajaxFailureHandler" class="com.utils.springsecurity.AjaxAuthenticationFailureHandler">
</beans:bean>

<beans:bean id="ajaxSuccessHandler" class="com.utils.springsecurity.AjaxAuthenticationSuccessHandler">
</beans:bean>
<!-- 验证ajax请求,配置 结束-->

<!--普通请求,配置开始 -->
<beans:bean id="loginFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="authenticationFailureHandler" ref="failureHandler"/>
    <beans:property name="authenticationSuccessHandler" ref="successHandler"/>
    <beans:property name="filterProcessesUrl" value="/customer/login"/>
    <beans:property name="passwordParameter" value="passWord"/>
    <beans:property name="usernameParameter" value="userName"/>
</beans:bean>

<beans:bean id="failureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <beans:property name="defaultFailureUrl" value="/err/403" />
</beans:bean>

<beans:bean id="successHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <beans:property name="alwaysUseDefaultTargetUrl" value="false"/>
    <beans:property name="defaultTargetUrl" value="/"/>
</beans:bean>
<!--普通请求,配置结束 -->

<!-- Select users and user_roles from database -->
<authentication-manager  alias="authenticationManager">
    <authentication-provider ref='commonAuthenticationProvider'/>
    <!--        <authentication-provider>
        <jdbc-user-service 
            data-source-ref="dataSource"
            users-by-username-query=
            "select username,password, enabled from users where username=?"
            authorities-by-username-query=
            "select username, role from user_roles where username =?  " />
    </authentication-provider>-->
</authentication-manager>

<global-method-security secured-annotations="enabled" />

</beans:beans>

实现

AuthenticationFailureHandler
/**

  • Created by yy on 2016/1/12.
    */
    public class AjaxAuthenticationFailureHandler implements AuthenticationFailureHandler {

    public AjaxAuthenticationFailureHandler() {
    }

    @Override
    public void onAuthenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException e) throws IOException, ServletException {
    httpServletResponse.setContentType("application/json");
    httpServletResponse.setCharacterEncoding("UTF-8");
    PrintWriter out = httpServletResponse.getWriter();
    DataWrapper dataWrapper = new DataWrapper();
    dataWrapper.setStatus(-1);
    dataWrapper.setMsg("登录失败");
    out.println(StringHelper.JsonHelper.toJson(dataWrapper));
    out.flush();
    out.close();
    }
    }

同上

/**

  • Created by yy on 2016/1/12.
    */
    public class AjaxAuthenticationSuccessHandler implements AuthenticationSuccessHandler {

    public AjaxAuthenticationSuccessHandler() {
    }

    @Autowired
    UserService service;

    @Override
    public void onAuthenticationSuccess(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException, ServletException {
    httpServletResponse.setContentType("application/json");
    httpServletResponse.setCharacterEncoding("UTF-8");
    PrintWriter out = httpServletResponse.getWriter();
    ModelUserAuth user = (ModelUserAuth) authentication.getPrincipal();
    WrapperJcbLogin result=service.spring_login(user.getUserName(), httpServletRequest);
    out.println(StringHelper.JsonHelper.toJson(result));
    out.flush();
    out.close();
    }
    }

同上

/**

  • Created by yy on 2016/1/12.
    */
    public class MyAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint {

    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
    static Pattern apiPattern= Pattern.compile("^/[a-z]v[0-1]/(w|r)/");

    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
    throws IOException, ServletException {

    String redirectUrl = null;

String url = request.getRequestURI();

Matcher m=apiPattern.matcher(url);
if( m.find()){
    response.setContentType("application/json");
    response.setCharacterEncoding("UTF-8");
    PrintWriter out = response.getWriter();
    DataWrapper dataWrapper = new DataWrapper();
    dataWrapper.setStatus(-1);
    dataWrapper.setMsg("您还未登录");
    out.println(StringHelper.JsonHelper.toJson(dataWrapper));
    out.flush();
    out.close();
}else{
    if (this.isUseForward()) {

        if (this.isForceHttps() && "http".equals(request.getScheme())) {
            // First redirect the current request to HTTPS.
            // When that request is received, the forward to the login page will be used.
            redirectUrl = buildHttpsRedirectUrlForRequest(request);
        }

        if (redirectUrl == null) {
            String loginForm = determineUrlToUseForThisRequest(request, response, authException);

            RequestDispatcher dispatcher = request.getRequestDispatcher(loginForm);

            dispatcher.forward(request, response);

            return;
        }
    } else {
        // redirect to login page. Use https if forceHttps true

        redirectUrl = buildRedirectUrlToLoginPage(request, response, authException);

    }

    redirectStrategy.sendRedirect(request, response, redirectUrl);
}

    }

}

/**

  • Created by yy on 2016/1/11.
  • 对spring security 拦截的重写

  • */
    public class MySpringAccessDeniedHandler implements AccessDeniedHandler {

    @Override
    public void handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AccessDeniedException accessDeniedException) throws IOException, ServletException {
    boolean isAjax = "XMLHttpRequest".equals(httpServletRequest.getHeader("X-Requested-With"));
    //如果是ajax请求
    if (isAjax) {
    httpServletResponse.setContentType("application/json");
    httpServletResponse.setCharacterEncoding("UTF-8");
    PrintWriter out = httpServletResponse.getWriter();
    DataWrapper dataWrapper = new DataWrapper();
    dataWrapper.setStatus(-1);
    dataWrapper.setMsg("403");
    out.println(StringHelper.JsonHelper.toJson(dataWrapper));
    out.flush();
    out.close();
    return;
    }
    else if (!httpServletResponse.isCommitted()) {
    if (clientErrorPage != null) {
    // Put exception into request scope (perhaps of use to a view)
    httpServletRequest.setAttribute(WebAttributes.ACCESS_DENIED_403, accessDeniedException);

            // Set the 403 status code.
        httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);

        // forward to error page.
        RequestDispatcher dispatcher = httpServletRequest.getRequestDispatcher(clientErrorPage);
        dispatcher.forward(httpServletRequest, httpServletResponse);
    } else {
        httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, accessDeniedException.getMessage());
    }
}

    }

    private String clientErrorPage;

    public void setClientErrorPage(String clientErrorPage) {

    if((clientErrorPage != null)&&!clientErrorPage.startsWith("/")){
    throw new IllegalArgumentException("errorPage must begin with '/'");
}
this.clientErrorPage = clientErrorPage;

    }

}
如上几步就可以成功配置双重拦截了

相关标签
Java
16人推荐
随时随地看视频
慕课网APP

热门评论

这方面的教程太少了,希望大牛继续分享啊!! 菜鸟

有系列教程吗?

查看全部评论

相关阅读

jee之servlet基础学习笔记
HttpSession实现购物车功能
SpringMVC 源码分析之 FrameworkServlet
Spring Security(4)
推荐一款漂亮的 Java 图形验证码