Spring MVC + Spring Security-使用JSON进行控制器身份验证
[英]Spring MVC + Spring Security - Controller Authentication using JSON
问题描述
I'd like to use simple Spring controller to authenticate the Users using Spring Security. 
我想使用简单的Spring控制器使用Spring Security对用户进行身份验证。
My Controller 我的控制器
@Controller
@Scope("request")
public class Authenticator {
private String username;
private String password;
@Autowired
private AuthenticationManager authenticationManager;
@RequestMapping(value = "/login", method = {RequestMethod.POST })
public @ResponseBody String authentication(@RequestParam("login") String userName,
@RequestParam("password") String password, HttpServletRequest request) {
this.username = userName;
this.password = password;
Authentication authenticationToken = new UsernamePasswordAuthenticationToken(
userName, password);
try {
Authentication authentication = authenticationManager
.authenticate(authenticationToken);
SecurityContext securityContext = SecurityContextHolder
.getContext();
securityContext.setAuthentication(authentication);
HttpSession session = request.getSession(true);
session.setAttribute("SPRING_SECURITY_CONTEXT", securityContext);
return "sucess";
} catch (AuthenticationException ex) {
return "fail " + ex.getMessage();
}
}
My spring-security.xml 我的spring-security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<http pattern="/resources/**" security="none" />
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
<intercept-url pattern="/accessdenied" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<form-login />
<logout logout-success-url="/logout" />
<!-- <session-management invalid-session-url="/loginlimmit">
<concurrency-control error-if-maximum-exceeded="true"
max-sessions="1" />
</session-management> -->
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="a" password="a" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>
This works fine 这很好
1 - if I try to access http: //localhost/app is redirect to http: //localhost/app/spring_security_login to login as expected 1-如果我尝试访问http:// localhost / app重定向到http:// localhost / app / spring_security_login以按预期方式登录
2 - if I send POST method to http: //localhost/app/login works, I receive the message sucess or fail as expected using credentials username=a and password=a as defined in Spring-security.xml in authentication provider, so it really authenticate using spring .security. 2-如果我将POST方法发送到http:// localhost / app / login可以正常工作,则使用身份验证提供程序中Spring-security.xml中定义的凭据username = a和password = a收到消息成功或失败,它确实使用spring .security进行身份验证。
The problems 问题所在
After send POST method and get login sucess, if I try to acess http: //localhost/app is redirect to http: //localhost/app/spring_security_login , so I cant undestand beacause the authentication worked fine! 在发送POST方法并获得登录成功之后,如果我尝试访问http:// localhost / app重定向到http:// localhost / app / spring_security_login,那么我无法理解,因为身份验证工作正常!
How can get User authenticated in others controllers? 如何在其他控制器中获得用户身份验证?
My goals is develop an application with Spring MVC but I will not use as standard web application, it will works like Backend application and the frontend will be other application, such as desktop, mobile, vaadin framework and these application will comunicate using JSON, the Spring MVC works fine to this, but I need to implement the authentication, in this case, using Spring Security. 我的目标是使用Spring MVC开发应用程序,但我不会用作标准的Web应用程序,它将像后端应用程序一样工作,前端将是其他应用程序,例如桌面,移动,vaadin框架,并且这些应用程序将使用JSON进行通讯, Spring MVC为此可以很好地工作,但是在这种情况下,我需要使用Spring Security来实现身份验证。
any hep? 有什么好吗?
2 个解决方案
解决方案1
4 2014-04-22 18:00:13
You don't need to setup a controller, Spring Security has a chain of filters it uses to authenticate, you just need to post your username/password to that chain. 您无需设置控制器,Spring Security拥有一串用于进行身份验证的过滤器,您只需将用户名/密码发布到该链中即可。
<form-login
password-parameter="password" --> password field
username-parameter="username" --> username field
login-processing-url="/security/j_spring_security_check" --> set your form's action attribute to this URL, no need to implement anything at that URL
login-page="/login" --> login page
/>
解决方案2
0 2014-01-15 18:36:50
1 - if I try to access http: //localhost/app is redirect to http: //localhost/app/spring_security_login to login as expected
If the normal way of login works and its not redirecting to login page again when you request the http: //localhost/app then your configuration is good. 如果正常的登录方式有效,并且当您请求http: //localhost/app时它不会再次重定向到登录页面,则您的配置很好。
After send POST method and get login sucess, if I try to acess http: //localhost/app is redirect to http: //localhost/app/spring_security_login , so I cant undestand beacause the authentication worked fine!
For each request , the application considers as new session. 对于每个请求,应用程序都将其视为新会话。 if you have configured Spring Security filter already in web.xml ( which makes the point 1 works fine) should create Session for you, So you can just call getSession() instead of getSession(true) in your controller. 如果您已经在web.xml中配置了Spring Security过滤器(这使第1点正常工作)应该为您创建Session,那么您只需在控制器中调用getSession()而不是getSession(true) 。
Just log the session id between the request and see the sessions are different. 只需记录请求之间的会话ID,即可看到会话有所不同。 it may be due to the way you are calling from client. 这可能是由于您从客户端拨打电话的方式引起的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.