手动验证使用弹簧安全性 [英] Manually authenticate use spring security

问题描述

我正在使用spring安全性它工作正常，但现在我想手动启动安全流程，做客户端更改我需要进入我的控制器的用户名和密码（表单）不会直接调用j_spring_security_check）

I am using spring security and it works fine, but now I want to start the security process manually, do to client changes I need to get in my controller the user name and password (the form wont call "j_spring_security_check" directly)

我想到两个选项我都遇到了一些问题：

I thought of 2 options with both I have some problems:

1. 获取参数并执行某些操作后，我将向j_spring_security_check发送一个帖子请求。我的代码：

1. After I get the parameters and do something I will send a post request to j_spring_security_check url. My code:

public void test（loginDTO loginDTO）{

public void test(loginDTO loginDTO) {

MultiValueMap<String, String> body = new LinkedMultiValueMap<String, String>();
HttpHeaders headers = new HttpHeaders();

body.add(
     "j_username",
     loginDTO.getJ_username());

body.add(
     "j_password",
     loginDTO.getJ_password());

HttpEntity<?> httpEntity = new HttpEntity<Object>(
                          body, headers);
headers.add(
        "Accept",
        MediaType.APPLICATION_JSON_VALUE);
restTemplate.exchange(
              "http://localhost:8080/XXX/j_spring_security_check",
              HttpMethod.POST,
              httpEntity,
              HttpServletResponse.class);
} 

这不是工作，我得到：500内部服务器错误原因？

This doesn't work and I get :500 internal server error why?

1. 第二个选项 - 我做了以下事项：

1. second option- I did the following:

public void test2(loginDTO loginDTO, HttpServletRequest request) {

  UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(
                          loginDTO.getJ_username(),
                          loginDTO.getJ_password());

  token.setDetails(new WebAuthenticationDetails(request));
  Authentication authentication = this.authenticate(token);

  SecurityContextHolder.getContext().setAuthentication(authentication);

  this.sessionRegistry.registerNewSession(
                    request.getSession().getId(),
                    authentication.getPrincipal());
}

问题是未调用onAuthenticationSuccess。并且感觉不对，我错过了使用弹簧安全的重点。

The problem is that onAuthenticationSuccess is not called. and it feels wrong, that I'm missing the point of using spring security.

这是正确的原因？

推荐答案

我通常会执行以下操作：

I typically do the following:

@Controller
public class AuthenticationController
{
  @Autowired
  AuthenticationManager authenticationManager;

  @Autowired
  SecurityContextRepository securityContextRepository;

  @RequestMapping(method = Array(RequestMethod.POST), value = Array("/authenticate"))
  public String authenticate(@RequestParam String username, @RequestParam String password, HttpServletRequest request, HttpServletResponse response)
  {
    Authentication result = this.authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(username, password));

    SecurityContextHolder.getContext.setAuthentication(result);

    this.securityContextRepository.saveContext(SecurityContextHolder.getContext(), request, response);

    return "successView";
  }
}

使用这种方法的原因是：

The reasons for using this approach is:

1. 非常简单，只需几行代码就可以忽略异常处理等等。


2. 利用现有的Spring安全组件。


3. 使用在应用程序配置中配置的Spring Security组件，并允许在需要时更改它们。例如，可以针对RDBMS，LDAP，Web服务，Active Directory等进行身份验证，而无需担心自定义代码。

这篇关于手动验证使用弹簧安全性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！