您需要像这样实现自定义 AuthenticationFilter：
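public class CustomAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    /** Request parameter that carries the client's token. */
    private static final String SECURITY_TOKEN_KEY = "token";
    /** Request header that may carry the token instead of the parameter (see extractToken). */
    private static final String SECURITY_TOKEN_HEADER = "X-Token";

    // NOTE(review): the original version kept the token in a mutable instance field that
    // doFilter() overwrote on every request. A servlet filter is one shared instance, so
    // under concurrent requests one client's token could have been validated on behalf of
    // another client's request. The token is now read from the request inside
    // attemptAuthentication() and is never stored in filter state.

    /** Registers the filter for the "/" processing URL. */
    protected CustomAuthenticationFilter() {
        super("/");
    }

    /**
     * Authenticates the request by token and, on success, hands over to the success handler.
     *
     * NOTE(review): this override replaces the superclass doFilter entirely, so whatever the
     * superclass does around successfulAuthentication (e.g. its session strategy) does not run
     * here — confirm that is intended for this stateless token API.
     *
     * @param req   the servlet request (must be an HttpServletRequest)
     * @param res   the servlet response (must be an HttpServletResponse)
     * @param chain the remaining filter chain
     * @throws IOException      propagated from the chain or the handlers
     * @throws ServletException propagated from the chain or the handlers
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Run the filter at most once per request (e.g. not again after a forward).
        if (request.getAttribute(FILTER_APPLIED) != null) {
            chain.doFilter(request, response);
            return;
        }
        request.setAttribute(FILTER_APPLIED, Boolean.TRUE);

        // NOTE(review): actionParameter is not declared in this listing — TODO confirm where it is defined.
        // A logout request only clears the security context; nothing is written to the response.
        if ("logout".equals(request.getParameter(actionParameter))) {
            SecurityContextHolder.clearContext();
            return;
        }

        if (!requiresAuthentication(request, response)) {
            chain.doFilter(request, response);
            return;
        }

        Authentication authResult;
        try {
            authResult = attemptAuthentication(request, response);
            if (authResult == null) {
                // Superclass contract: null means authentication is still in progress and the
                // response has already been dealt with.
                return;
            }
        } catch (AuthenticationException failed) {
            unsuccessfulAuthentication(request, response, failed);
            return;
        }

        try {
            successfulAuthentication(request, response, chain, authResult);
        } catch (NestedServletException e) {
            if (e.getCause() instanceof AccessDeniedException) {
                // The forwarded resource rejected the authenticated user: report it as a failure.
                unsuccessfulAuthentication(request, response, new LockedException("Forbidden"));
            } else {
                // Any other failure inside the forwarded resource must not be swallowed silently.
                throw e;
            }
        }
    }

    /**
     * Resolves the token carried by the current request into an authenticated principal.
     *
     * @return the authentication for the token's user, never null
     * @throws AuthenticationServiceException if the token does not resolve to a user
     */
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException, IOException, ServletException {
        AbstractAuthenticationToken userAuthenticationToken = authUserByToken(extractToken(request));
        if (userAuthenticationToken == null) {
            throw new AuthenticationServiceException(MessageFormat.format("Error | {0}", "Bad Token"));
        }
        return userAuthenticationToken;
    }

    /**
     * Reads the raw token from the request; returns null when it is absent.
     * Tokens passed as query parameters tend to end up in access logs and browser history,
     * so the header variant is the safer transport once clients support it.
     */
    private static String extractToken(HttpServletRequest request) {
        return request.getParameter(SECURITY_TOKEN_KEY);
        // or: return request.getHeader(SECURITY_TOKEN_HEADER);
    }

    /**
     * Looks up the user identified by {@code tokenRaw}.
     *
     * @param tokenRaw the raw token from the request; may be null
     * @return an authentication token for the user, or null if the token is unknown or the lookup failed
     */
    private AbstractAuthenticationToken authUserByToken(String tokenRaw) {
        AbstractAuthenticationToken authToken = null;
        try {
            // check your input token, identify the user
            // if success create AbstractAuthenticationToken for user to return
            // eg: authToken = new UsernamePasswordAuthenticationToken(username, userHash, userAuthorities);
        } catch (Exception e) {
            // Deliberately best-effort: a failed lookup is reported to the caller as null,
            // which attemptAuthentication turns into an authentication failure.
            logger.error("Error during authUserByToken", e);
        }
        return authToken;
    }

    /**
     * Publishes the authentication in the security context and delegates to the success handler.
     *
     * @param authResult the authentication produced by attemptAuthentication
     */
    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            Authentication authResult) throws IOException, ServletException {
        SecurityContextHolder.getContext().setAuthentication(authResult);
        getSuccessHandler().onAuthenticationSuccess(request, response, authResult);
    }
}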
以及像这样的自定义 SuccessHandler：
public class CustomAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    /**
     * Target URL after a successful authentication: the servlet path of the current request.
     * Note that onAuthenticationSuccess below neither calls this method nor the superclass,
     * so this override only matters where the superclass redirect logic is used.
     */
    @Override
    protected String determineTargetUrl(HttpServletRequest request, HttpServletResponse response) {
        String servletPath = request.getServletPath();
        return servletPath;
    }

    /**
     * Serves the originally requested servlet path with a server-side forward (no redirect),
     * so the protected resource is rendered within the same request.
     *
     * @throws ServletException propagated from the forwarded resource
     * @throws IOException      propagated from the forwarded resource
     */
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws ServletException, IOException {
        String targetPath = request.getServletPath();
        request.getRequestDispatcher(targetPath).forward(request, response);
    }
}
<?xml version="1.0" encoding="UTF-8"?>
<!-- Spring Security 3.1 context that wires the token filter above into the filter chain.
     NOTE(review): the listing on this page has lost every bean's class="..." attribute;
     each b:bean below needs its implementing class restored before the context will load. -->
<b:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns:b="http://www.springframework.org/schema/beans"
         xmlns:p="http://www.springframework.org/schema/p"
         xmlns:sec="http://www.springframework.org/schema/security"
         xmlns:context="http://www.springframework.org/schema/context"
         xmlns:aop="http://www.springframework.org/schema/aop"
         xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.0.xsd">
    <context:annotation-config/>
    <context:component-scan base-package="com.your.path" />
    <aop:aspectj-autoproxy/>
    <!-- NOTE(review): "proxy-target-" is truncated on this page; the attribute name and value
         are missing and must be completed before this element is valid. -->
    <global-method-security pre-post-annotations="enabled" secured-annotations="enabled" proxy-target- access-decision-manager-ref="accessDecisionManager"/>
    <!-- auto-config="true" also switches on the default form-login and HTTP Basic entry points;
         for a token-only API confirm those are wanted next to the custom filter, which is
         placed in the PRE_AUTH_FILTER slot. -->
    <http entry-point-ref="restAuthenticationEntryPoint" use-expressions="true" auto-config="true" access-decision-manager-ref="accessDecisionManager">
        <custom-filter ref="restFilter" position="PRE_AUTH_FILTER"/>
        <logout/>
    </http>
    <!-- class attribute missing on the page, e.g. class="[ENTRY_POINT_CLASS_PLACEHOLDER]" -->
    <b:bean id="restAuthenticationEntryPoint" />
    <!-- class attribute missing on the page; presumably the CustomAuthenticationFilter shown above -->
    <b:bean id="restFilter" >
        <b:property name="authenticationSuccessHandler" ref="mySuccessHandler"/>
    </b:bean>
    <!-- class attribute missing on the page; presumably the CustomAuthenticationSuccessHandler shown above -->
    <b:bean id="mySuccessHandler" />
    <!-- allowIfAllAbstainDecisions="true" is fail-open: a request on which no voter has an
         opinion is granted rather than denied. Keep it only if that is the intended default. -->
    <b:bean id="accessDecisionManager" >
        <b:property name="allowIfAllAbstainDecisions" value="true"/>
        <b:property name="decisionVoters">
            <b:list>
                <!-- class attribute missing on the page; rolePrefix="" lets granted
                     authorities be matched without a ROLE_ prefix -->
                <b:bean >
                    <b:property name="rolePrefix" value=""/>
                </b:bean>
                <!-- class attribute missing on the page -->
                <b:bean />
            </b:list>
        </b:property>
    </b:bean>
</b:beans>
这应该有所帮助。