SpringSecurity实现多登录成功页面和登录成功返回被拦截界面
使用SrpingSceurity作为认证和授权的安全框架可以省下很多基础工作.
具体可以参考SpringSecurity,这里不多说了.主要是记录一下使用中碰到的问题.
问题1
项目有不同客户端需要不同的返回界面,比如Android的登录返回json格式数据.网页登录跳转到登录成功页面.
SpringSecurity的默认配置是做不到这点的.以下是配置登录成功页面的地方.
<s:form-login login-page="/login.action" default-target-url="/loginsuccess.jsp" authentication-failure-url="/login.action?error=true" />
这里如果loginsuccess.jsp页面是登录成功页,那么Android的登录就不好返回json格式了.
解决方法
使用AuthenticationSuccessHandler
----------------示例见下----------------
1.定制自己的AuthenticationSuccessHandler类,实现AuthenticationSuccessHandler接口
package com.gt.util; import java.io.IOException; import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang.StringUtils;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler; public class MyAuthenticationSuccessHandler implements
AuthenticationSuccessHandler { @Override
public void onAuthenticationSuccess(HttpServletRequest request,
HttpServletResponse response, Authentication auth)
throws IOException, ServletException {
String f = request.getParameter("f");
if (StringUtils.isNotEmpty(f)) {
if(f.equals("android")){
response.setCharacterEncoding("UTF-8");
response.getWriter().write("登录成功"+LoginUserUtil.getUser());
} }else{ request.getRequestDispatcher("/account/user.exp").forward(request, response); } } }
2.登录页面中指定f参数.只是示例,可以自己根据业务定制.
3.修改配置文件
增加authentication-success-handler-ref="expaiSuccessHandler"
去掉default-target-url="/loginsuccess.jsp"
<s:form-login login-page="/login.exp" authentication-success-handler-ref="expaiSuccessHandler" authentication-failure-url="/login.exp?error=true" />
官方文档介绍
Attribute : authentication-success-handler-ref
Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful
authentication request. Should not be used in combination with default-target-url (or always-use-
default-target-url) as the implementation should always deal with navigation to the subsequent
destination
4.修改配置文件,增加bean定义
<bean id="expaiSuccessHandler" class="com.gt.util.MyAuthenticationSuccessHandler"></bean>
---------------------------问题1end---------------------
问题2
登录后返回拦截前的界面
思路
在拦截后,进入登录页面前,把被拦截地址放入session中.登录成功从session取出被拦截地址并且跳转.
-------------代码示例-----------
1.增加MyLoginUrlAuthenticationEntryPoint 继承 LoginUrlAuthenticationEntryPoint
package com.gt.util; import java.io.IOException; import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.RedirectUrlBuilder; public class MyLoginUrlAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint { public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException)
throws IOException, ServletException {
String returnUrl = buildHttpReturnUrlForRequest(request);
request.getSession().setAttribute("ru", returnUrl);
super.commence(request, response, authException);
} protected String buildHttpReturnUrlForRequest(HttpServletRequest request)
throws IOException, ServletException { RedirectUrlBuilder urlBuilder = new RedirectUrlBuilder();
urlBuilder.setScheme("http");
urlBuilder.setServerName(request.getServerName());
urlBuilder.setPort(request.getServerPort());
urlBuilder.setContextPath(request.getContextPath());
urlBuilder.setServletPath(request.getServletPath());
urlBuilder.setPathInfo(request.getPathInfo());
urlBuilder.setQuery(request.getQueryString()); return urlBuilder.getUrl();
} }
2.修改配置文件,增加引用
<s:http auto-config="true" use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
<bean id="loginUrlAuthenticationEntryPoint" class="com.gt.util.MyLoginUrlAuthenticationEntryPoint">
<property name="useForward" value="true" />
<property name="loginFormUrl" value="/login.exp" />
</bean>
3.修改MyAuthenticationSuccessHandler,增加获取被拦截地址并且跳转代码
package com.gt.util; import java.io.IOException; import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang.StringUtils;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler; public class MyAuthenticationSuccessHandler implements AuthenticationSuccessHandler {
@Override
public void onAuthenticationSuccess(HttpServletRequest request,
HttpServletResponse response, Authentication auth)
throws IOException, ServletException {
String f = request.getParameter("f");
if (StringUtils.isNotEmpty(f)) {
if(f.equals("android")){
response.setCharacterEncoding("UTF-8");
response.getWriter().write("登录成功"+LoginUserUtil.getUser());
} }else{
String ru = (String)request.getSession().getAttribute("ru");
request.getSession().removeAttribute("ru");
if(StringUtils.isNotEmpty(ru)){
response.sendRedirect(ru);
//request.getRequestDispatcher(ru).forward(request, response);
}else{
request.getRequestDispatcher("/account/user.exp").forward(request, response);
} } } }