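【Posted】: 2011-02-04 05:43:59
【Question】:
I am using Spring Security 3, and I want to perform some logic (saving some data in the session) when a user visits the site and he is remembered. I extended the GenericFilterBean class, performed the logic in the doFilter method, and then called the chain.doFilter method to complete the filter chain. I inserted that filter after the remember-me filter in the security.xml file.
But the problem is that the filter is executed on every page, regardless of whether the user is remembered or not. Is there something wrong with the filter implementation or with the position of the filter?
Is the filter chain executed on every page by default? When making a custom filter, should I also add it to web.xml?
The filter class: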
package projects.internal;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;
import projects.ProjectManager;

public class rememberMeFilter extends GenericFilterBean {
    private ProjectManager projectManager;

    @Autowired
    public rememberMeFilter(ProjectManager projectManager) {
        this.projectManager = projectManager;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res,
            FilterChain chain) throws IOException, ServletException {
        System.out.println("In The Filter");
        Authentication auth = (Authentication) SecurityContextHolder
                .getContext().getAuthentication();
        HttpServletResponse response = ((HttpServletResponse) res);
        HttpServletRequest request = ((HttpServletRequest) req);
        // if the user is not remembered, do nothing
        if (auth == null) {
            chain.doFilter(request, response);
        }
        else {
            // the user is remembered save some data in the session
            System.out.println("User Is Remembered");
            chain.doFilter(request, response);
        }
    }
}
The security.xml file:
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    <global-method-security pre-post-annotations="enabled">
    </global-method-security>
    <http use-expressions="true" >
        <remember-me data-source-ref="dataSource"/>
        <intercept-url pattern="/" access="permitAll" />
        <intercept-url pattern="/images/**" filters="none" />
        <intercept-url pattern="/scripts/**" filters="none" />
        <intercept-url pattern="/styles/**" filters="none" />
        <intercept-url pattern="/p/login" filters="none" />
        <intercept-url pattern="/p/register" filters="none" />
        <intercept-url pattern="/p/forgot_password" filters="none" />
        <intercept-url pattern="/p/**" access="isAuthenticated()" />
        <custom-filter after="REMEMBER_ME_FILTER" ref="rememberMeFilter" />
        <form-login login-processing-url="/j_spring_security_check"
            login-page="/p/login" authentication-failure-url="/p/login?login_error=1"
            default-target-url="/p/dashboard" authentication-success-handler-ref="myAuthenticationHandler"
            always-use-default-target="false" />
        <logout/>
    </http>
    <beans:bean id="myAuthenticationHandler" class="projects.internal.myAuthenticationHandler" />
    <beans:bean id="rememberMeFilter" class="projects.internal.rememberMeFilter" >
    </beans:bean>
    <authentication-manager alias="authenticationManager">
        <authentication-provider>
            <password-encoder hash="md5" />
            <jdbc-user-service data-source-ref="dataSource" />
        </authentication-provider>
    </authentication-manager>
</beans:beans>
Any help?
【Comments】:
Tags: spring spring-security servlet-filters
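
Added example, not part of the original post: a filter in the same position of the chain is still invoked on every request the chain handles, and a non-null Authentication also covers form logins, so the filter has to test for the remember-me token itself and record that it has already run. The class name, the session attribute names and the body of initialiseSession are assumptions made for illustration.

```java
package projects.internal;

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;

// Added example: hypothetical class, not the filter from the question.
public class RememberedUserSessionFilter extends GenericFilterBean {

    // Hypothetical session key marking that the one-time setup already ran.
    static final String INIT_FLAG = "rememberMe.sessionInitialised";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        // Only a remember-me login yields a RememberMeAuthenticationToken;
        // a form login yields a UsernamePasswordAuthenticationToken, so
        // checking auth != null cannot tell the two apart.
        if (auth instanceof RememberMeAuthenticationToken) {
            HttpSession session = ((HttpServletRequest) req).getSession(true);
            // The token stays in the session's security context for later
            // requests, so guard the setup to run once per session.
            if (session.getAttribute(INIT_FLAG) == null) {
                initialiseSession(session, auth);
                session.setAttribute(INIT_FLAG, Boolean.TRUE);
            }
        }
        // Always continue the chain, whatever the authentication type.
        chain.doFilter(req, res);
    }

    // Stand-in for the application logic; the attribute name is hypothetical.
    private void initialiseSession(HttpSession session, Authentication auth) {
        session.setAttribute("rememberedUser", auth.getName());
    }
}
```

A filter referenced through the custom-filter element runs inside the Spring Security chain, so it needs no web.xml entry of its own beyond the chain's existing DelegatingFilterProxy mapping.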