Manually authenticate use spring security
Problem description
I am using spring security and it works fine, but now I want to start the security process manually; due to client changes I need to get in my controller the user name and password (the form won't call "j_spring_security_check" directly).
I thought of 2 options; with both I have some problems:
- After I get the parameters and do something I will send a POST request to the j_spring_security_check URL. My code:
    public void test(loginDTO loginDTO) {
        MultiValueMap<String, String> body = new LinkedMultiValueMap<String, String>();
        HttpHeaders headers = new HttpHeaders();
        body.add(
            "j_username",
            loginDTO.getJ_username());
        body.add(
            "j_password",
            loginDTO.getJ_password());
        HttpEntity<?> httpEntity = new HttpEntity<Object>(
            body, headers);
        headers.add(
            "Accept",
            MediaType.APPLICATION_JSON_VALUE);
        restTemplate.exchange(
            "http://localhost:8080/XXX/j_spring_security_check",
            HttpMethod.POST,
            httpEntity,
            HttpServletResponse.class);
    }
This doesn't work and I get: 500 internal server error. Why?
- Second option: I did the following:
    public void test2(loginDTO loginDTO, HttpServletRequest request) {
        UsernamePasswordAuthenticationToken token =
            new UsernamePasswordAuthenticationToken(
                loginDTO.getJ_username(),
                loginDTO.getJ_password());
        token.setDetails(new WebAuthenticationDetails(request));
        Authentication authentication = this.authenticate(token);
        SecurityContextHolder.getContext().setAuthentication(authentication);
        this.sessionRegistry.registerNewSession(
            request.getSession().getId(),
            authentication.getPrincipal());
    }
The problem is that onAuthenticationSuccess is not called, and it feels wrong, that I'm missing the point of using Spring Security.
What is the correct way?
Recommended answer
I typically do the following:
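    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.web.context.SecurityContextRepository;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RequestMethod;
    import org.springframework.web.bind.annotation.RequestParam;

    @Controller
    public class AuthenticationController
    {
        @Autowired
        AuthenticationManager authenticationManager;
        @Autowired
        SecurityContextRepository securityContextRepository;
        @RequestMapping(method = RequestMethod.POST, value = "/authenticate")
        public String authenticate(@RequestParam String username, @RequestParam String password, HttpServletRequest request, HttpServletResponse response)
        {
            // Throws AuthenticationException on bad credentials (not handled here)
            Authentication result = this.authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));
            SecurityContextHolder.getContext().setAuthentication(result);
            // Persist the context so that later requests stay authenticated
            this.securityContextRepository.saveContext(SecurityContextHolder.getContext(), request, response);
            return "successView";
        }
    }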
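The reasons for using this approach are:
- Very simple, just a few lines of code if you ignore exception handling and such.
- Leverages existing Spring Security components.
- Uses the Spring Security components configured in the application configuration and allows them to be changed when required. For example, authentication may be done against an RDBMS, LDAP, a web service, Active Directory, etc., without the custom code needing to worry about it.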
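A fuller version of the manual login, as an added example that is not code from the original question or answer: because the form-login filter is bypassed, the controller itself runs the session authentication strategy (session fixation protection), saves the context, and calls the success or failure handler, which is why onAuthenticationSuccess was never invoked in the question. The class name is hypothetical, and it is an assumption that SessionAuthenticationStrategy, AuthenticationSuccessHandler and AuthenticationFailureHandler are exposed as injectable beans in the application configuration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.*;

@Controller
public class ManualLoginController { // hypothetical class name
    @Autowired AuthenticationManager authenticationManager;
    @Autowired SecurityContextRepository securityContextRepository;
    @Autowired SessionAuthenticationStrategy sessionStrategy; // assumed to be a bean
    @Autowired AuthenticationSuccessHandler successHandler;   // assumed to be a bean
    @Autowired AuthenticationFailureHandler failureHandler;   // assumed to be a bean

    @RequestMapping(method = RequestMethod.POST, value = "/authenticate")
    public void authenticate(@RequestParam String username, @RequestParam String password,
            HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(username, password);
        token.setDetails(new WebAuthenticationDetails(request)); // remote address, session id
        try {
            Authentication result = authenticationManager.authenticate(token);
            // Session fixation protection and concurrency control, as the login filter would do
            sessionStrategy.onAuthentication(result, request, response);
            SecurityContext context = SecurityContextHolder.createEmptyContext();
            context.setAuthentication(result);
            SecurityContextHolder.setContext(context);
            securityContextRepository.saveContext(context, request, response);
            // Called explicitly: no filter is involved to call it for us
            successHandler.onAuthenticationSuccess(request, response, result);
        } catch (AuthenticationException e) { // bad credentials, locked account, session limit
            SecurityContextHolder.clearContext();
            failureHandler.onAuthenticationFailure(request, response, e);
        }
    }
}
```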