使用 UsernamePasswordAuthenticationFilter 放置自定义后身份验证代码的位置

Question

我正在使用 UsernamePasswordAuthenticationFilter 的 Spring 和自定义实现。我想在身份验证成功后执行一些自定义代码（例如：使用刚刚通过身份验证的用户名记录一条消息）。

我应该重写哪种方法或如何注册处理程序以成功验证？

重写successfulAuthentication() 方法，将我的自定义代码放在那里并通过调用原始方法(super.successfulAuthentication();) 来完成它是个好主意吗？还是有其他的最佳做法？

Answer 1

成功后执行自定义任务的方法 身份验证是使用自定义身份验证成功处理程序 Spring 安全性。

您可以通过以下方式实现：

创建您的自定义AuthenticationSuccessHandler，例如TMGAuthenticationSuccessHandler。如果检测到用户使用默认机器生成的密码，我创建了一个示例代码，它将用户重定向到密码更改页面。

@Component("tMGAuthSuccessHandler")
public class TMGAuthSuccessHandler implements AuthenticationSuccessHandler {

    private AuthenticationSuccessHandler target = new SavedRequestAwareAuthenticationSuccessHandler();

    @Autowired
    private UserService userService;

    private static final Logger LOGGER = LoggerFactory.getLogger(TMGAuthSuccessHandler.class);

    @Override
    public void onAuthenticationSuccess(HttpServletRequest servletRequest, HttpServletResponse servletResponse, Authentication authentication)
            throws IOException, ServletException {

        if (hasDefaultPassword(authentication)) {
            LOGGER.debug("Default password detected for username: " + authentication.getName());
            servletResponse.sendRedirect("changePassword");
        } else {
            target.onAuthenticationSuccess(servletRequest, servletResponse, authentication);
        }
    }

    /**
     * Checks whether default password is used in login.
     */
    private boolean hasDefaultPassword(Authentication authentication) {

        String username = authentication.getName();
        User user = userService.findOnUsername(username, true, false, false, false);
        if (user != null && user.getLoginAuditTrail() != null && user.getLoginAuditTrail().isDefaultPasswordUsed() != null) {
            return user.getLoginAuditTrail().isDefaultPasswordUsed();
        }
        return false;
    }

    /**
     * Proceeds to the requested URL.
     */
    public void proceed(HttpServletRequest servletRequest, HttpServletResponse servletResponse, Authentication authentication) throws IOException,
            ServletException {
        target.onAuthenticationSuccess(servletRequest, servletResponse, authentication);
    }
}

修改securityContext.xml或类似的包含spring security相关配置的文件。将此 customHander 添加到 http 配置为 authentication-success-handler-ref="tMGAuthSuccessHandler"。代码sn-p如下所示：

<security:http use-expressions="true" authentication-manager-ref="webAppAuthManager">

    <!-- signin and signout -->
    <security:intercept-url pattern="/signin" access="permitAll" />
    <security:intercept-url pattern="/logout" access="permitAll" />
    <security:intercept-url pattern="/accessDenied" access="permitAll"/>
    <security:intercept-url pattern="/**" access="isAuthenticated()" />

    <!-- sign in Configuration -->
    <security:form-login login-page="/signin"
        username-parameter="username"
        password-parameter="password"
        authentication-failure-url="/signin?authFail=true"
        authentication-success-handler-ref="inoticeAuthSuccessHandler" />

    <security:logout logout-url="/signout" invalidate-session="true" delete-cookies="JSESSIONID" logout-success-url="/signin?logout=true" />
</security:http>

你现在可以走了。

参考来源：How to use custom filter with authentication-success-handler-ref equivalent in spring security

Answer 2

您至少有两个选择：

• AuthenticationSuccessHandler
• ApplicationListener<E extends ApplicationEvent> 与 AbstractAuthenticationEvent