Spring MVC - 检查用户是否已通过Spring Security登录？ [英] Spring MVC - Checking if User is already logged in via Spring Security?

问题描述

我有一个Spring MVC应用程序。它使用自己的自定义登录页面。成功登录后，会在HTTPSession中放置一个LOGGED_IN_USER对象。

I have a Spring MVC application.It uses its own custom Login page. Upon successful login, a 'LOGGED_IN_USER' object is placed in the HTTPSession.

我希望只允许经过身份验证的用户访问URL。我知道我可以通过使用网络过滤器实现这一目标。但是，这部分我想使用Spring Security（我的检查将保持不变 - 在HTTPSession中查找'LOGGED_IN_USER'对象，如果存在，您已登录）。

I want to allow only authenticated users to access URLs. I know i can achieve this by using a web filter. But, This part i want to do using Spring Security (my check will remain the same - look for 'LOGGED_IN_USER' object in HTTPSession, if present you are logged in).

我的约束是我目前无法更改登录行为 - 它还不会使用Spring Security。

Spring Security的哪个方面我可以单独使用这个部分 - 检查请求是否经过身份验证（来自登录用户）？

推荐答案

至少有4种不同的方式：

There are at least 4 different ways:

这是最简单的方法

<security:http auto-config="true" use-expressions="true" ...>
   ...
  <security:intercept-url pattern="/forAll/**" access="permitAll" />
  <security:intercept-url pattern="/**" access="isAuthenticated()" />
</security:http>

• @see Spring Security Reference，Chapter 16.1.1通用内置表达式


• @see Spring Security Reference，Chapter 16.2 Web Security Expressions


• @see Spring Security Reference, Chapter 16.1.1 Common Built-In Expressions
• @see Spring Security Reference, Chapter 16.2 Web Security Expressions

需要< global-method-security secured-annotations =enabled/>

@Secured("ROLE_ADMIN")
@RequestMapping(params = "onlyForAdmins")    
public ModelAndView onlyForAdmins() {
    ....
}





每个@PreAuthorize注释





需要< global-method-security pre-post-annotations =enabled/>

 @PreAuthorize("isAuthenticated()")
 @RequestMapping(params = "onlyForAuthenticated")
 public ModelAndView onlyForAuthenticatedUsers() {
     ....
 }





程序化





Programmatic

 SecurityContextHolder.getContext().getAuthentication() != null &&
 SecurityContextHolder.getContext().getAuthentication().isAuthenticated() &&
 //when Anonymous Authentication is enabled
 !(SecurityContextHolder.getContext().getAuthentication() 
          instanceof AnonymousAuthenticationToken) 





---





自定义表达式





如果内置表达式不够，你可以扩展它们。如何扩展方法注释的SpEL表达式，例如：

---

Custom Expression

If the built-in expressions are not enough, you can extend them. How to extend the SpEL Expressions for the method annotations is discussed for example here:



• 如何创建用于spring安全表达式语言注释的自定义方法


• http：/ /bmchild.blogspot.de/2012/02/creating-custom-regex-spring-security.html


• How to create custom methods for use in spring security expression language annotations
• http://bmchild.blogspot.de/2012/02/creating-custom-regex-spring-security.html

但是对于拦截器< security：intercept-url ... access =myCustomAuthenticatedExpression/> 可能会有一个稍微不同的方法，不需要处理私人课程问题。 - 我只为Spring Security 3.0做过，但我希望它也适用于3.1。

But for the interceptor <security:intercept-url ... access="myCustomAuthenticatedExpression" /> there is a slightly different approach possible, that does not need to deal with the private class problem. -- I have only done it for Spring Security 3.0, but I hope it works for 3.1 too.

1。）你需要创建从 WebSecurityExpressionRoot 扩展的新类（前缀Web是重要的部分！）。

1.) you need to create a new class that extends from WebSecurityExpressionRoot (Prefix Web is the important part!).

public class MyCustomWebSecurityExpressionRoot
         extends WebSecurityExpressionRoot {
     public MyCustomWebSecurityExpressionRoot(Authentication a,
                 FilterInvocation f) {
          super(a, f);
     }

     /** That method is the one that does the expression evaluation! */
     public boolean myCustomAuthenticatedExpression() {
        return super.request.getSession().getValue("myFlag") != null;
     }
}

2。）你需要延长 DefaultWebSecurityExpressionRootHandler 有一个提供自定义表达式root的处理程序

2.) you need a extend the DefaultWebSecurityExpressionRootHandler to have a handler that provides your custom expression root

 public class MyCustomWebSecurityExpressionHandler
              extends DefaultWebSecurityExpressionHandler {

      @Override        
      public EvaluationContext createEvaluationContext(Authentication a,
                FilterInvocation f) {
          StandardEvaluationContext ctx =
                   (StandardEvaluationContext) super.createEvaluationContext(a, f);

           WebSecurityExpressionRoot myRoot =
                    new MyCustomWebSecurityExpressionRoot(a, f);

           ctx.setRootObject(myRoot);
           return ctx;
      }
 }

3。）然后你需要注册你的处理程序选民

3.) Then you need to register your handler with the voters

<security:http use-expressions="true"
 access-decision-manager-ref="httpAccessDecisionManager" ...>
      ...
    <security:intercept-url pattern="/restricted/**"
              access="myCustomAuthenticatedExpression" />         
      ...
</security:http>

<bean id="httpAccessDecisionManager"
      class="org.springframework.security.access.vote.AffirmativeBased">
    <constructor-arg name="decisionVoters">
            <list>
                <ref bean="webExpressionVoter" />
            </list>
    </constructor-arg>
</bean>

<bean id="webExpressionVoter"
      class="org.springframework.security.web.access.expression.WebExpressionVoter">
    <property name="expressionHandler"
              ref="myCustomWebSecurityExpressionHandler" />
</bean>

<bean id="myCustomWebSecurityExpressionHandler"
    class="MyCustomWebSecurityExpressionHandler" />

Spring Security 3.1更新

从Spring Security 3.1开始，实现自定义表达式要容易一些。一个人不再需要sublcass WebSecurityExpressionHandler 并覆盖 createEvaluationContext 。而是一个子类 AbstractSecurityExpressionHandler< FilterInvocation> 或其子类 DefaultWebSecurityExpressionHandler 并覆盖 SecurityExpressionOperations createSecurityExpressionRoot（final authentication a，final FilterInvocation f）。

Since Spring Security 3.1 it is a bit easier to implement a custom expression. One does not longer need to sublcass WebSecurityExpressionHandler and override createEvaluationContext. Instead one sublass AbstractSecurityExpressionHandler<FilterInvocation> or its subclass DefaultWebSecurityExpressionHandler and override SecurityExpressionOperations createSecurityExpressionRoot(final Authentication a, final FilterInvocation f).

 public class MyCustomWebSecurityExpressionHandler
              extends DefaultWebSecurityExpressionHandler {

      @Override        
      public SecurityExpressionOperations createSecurityExpressionRoot(
                Authentication a,
                FilterInvocation f) {
           WebSecurityExpressionRoot myRoot =
                    new MyCustomWebSecurityExpressionRoot(a, f);

           myRoot.setPermissionEvaluator(getPermissionEvaluator());
           myRoot.setTrustResolver(this.trustResolver);
           myRoot.setRoleHierarchy(getRoleHierarchy());
           return myRoot;
      }
 }

这篇关于Spring MVC - 检查用户是否已通过Spring Security登录？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！