JSF / Spring Security - 添加其他登录字段不会调用自定义过滤器

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了JSF / Spring Security - 添加其他登录字段不会调用自定义过滤器相关的知识,希望对你有一定的参考价值。

我有一个Web应用程序,我需要使用三个字段登录:用户,密码和部门。

当我尝试运行它时,登录工作但不调用自定义过滤器,因此没有部门。

我一直在尝试添加自定义用户名和密码过滤器,传递我稍后可以解析的字符串。我没有取得任何成功,这让我疯狂。

SecurityConfig扩展了WebSecurityConfigurerAdapter

@Override
protected void configure(HttpSecurity http) throws Exception {

    http
        .addFilterBefore(authenticationFilter(), 
                UsernamePasswordAuthenticationFilter.class);

    // Authentication control
    http
        .authorizeRequests()
        .antMatchers("/login.xhtml").permitAll() // All everyone to see login page
        .antMatchers("/javax.faces.resource/**").permitAll() // All everyone to see resources
        .antMatchers("/resources/**").permitAll() // All everyone to see resources
        .anyRequest().authenticated(); // Ensure any request to application is authenticated

    // Login control
    http
        .formLogin()
            .loginPage("/login.xhtml")
            .usernameParameter("userInput")
            .passwordParameter("passwordInput")
            .defaultSuccessUrl("/home.xhtml", true)
            .failureUrl("/login.xhtml?error=true");

    // logout
    http
        .logout()
            .logoutUrl("/logout")
            .invalidateHttpSession(true)
            .logoutSuccessUrl("/login.xhtml");

    // not needed as JSF 2.2 is implicitly protected against CSRF
    http
        .csrf().disable();
} 

public CustomAuthenticationFilter authenticationFilter() throws Exception {
    CustomAuthenticationFilter filter = new CustomAuthenticationFilter();
    filter.setAuthenticationManager(authenticationManagerBean());
    filter.setAuthenticationFailureHandler(failureHandler());
    return filter;
}

public SimpleUrlAuthenticationFailureHandler failureHandler() {
    return new SimpleUrlAuthenticationFailureHandler("/login?error=true");
}

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(authProvider());
}   

@Bean
public DaoAuthenticationProvider authProvider() {
    DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
    authProvider.setUserDetailsService(userDetailsService);
    authProvider.setPasswordEncoder(new EncryptionConfig());
    return authProvider;
}

}

登录视图

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
    xmlns:h="http://java.sun.com/jsf/html"
    xmlns:f="http://xmlns.jcp.org/jsf/core"
    xmlns:p="http://primefaces.org/ui"
    xmlns:ui="http://java.sun.com/jsf/facelets">

    <h:head>
        <f:facet name="first">
            <meta http-equiv="X-UA-Compatible" content="IE=edge" />
            <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
            <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=0"/>
            <meta name="apple-mobile-web-app-capable" content="yes" />
        </f:facet>

        <title>Login</title>

        <h:outputScript name="js/ripple.js" library="ultima-layout" />
        <h:outputScript name="js/layout.js" library="ultima-layout" />
    </h:head>

    <h:body styleClass="login-body">
        <h:form prependId="false" >
            <div class="card login-panel ui-fluid">
                <div class="ui-g">
                    <div class="ui-g-12">
                        <p:graphicImage name="images/logo.png" />
                    </div>
                    <div class="ui-g-12">
                        <h:panelGroup styleClass="md-inputfield">
                            <p:inputText id="userInput" />
                            <label>Username</label>
                        </h:panelGroup>
                    </div>
                    <div class="ui-g-12">
                        <h:panelGroup styleClass="md-inputfield">
                            <p:password id="passwordInput" />
                            <label>Password</label>
                        </h:panelGroup>
                    </div>
                    <div class="ui-g-12">
                        <h:panelGroup styleClass="md-inputfield">
                            <p:selectOneMenu id="departmentInput" value="#{loginController.selectedDepartmentId}">
                                <f:selectItem itemLabel="---" itemValue="" />
                                <f:selectItems 
                                    value="#{loginController.allDepartments}" 
                                    var="dept"
                                    itemLabel="#{dept.departmentName}"
                                    itemValue="#{dept.departmentId}" />
                            </p:selectOneMenu>
                        </h:panelGroup>
                    </div>
                    <div class="ui-g-12">
                        <p:commandButton value="Sign In" icon="ui-icon-person" ajax="false" />
                    </div>
                </div>
            </div>

            <div class="login-footer"></div>
        </h:form>

        <h:outputStylesheet name="css/ripple.css" library="ultima-layout" />
        <h:outputStylesheet name="css/layout-blue-grey.css" library="ultima-layout" />
        <h:outputStylesheet name="css/custom_login.css" />
    </h:body>
</html>

UsernamePasswordAuthenticationFilter

public class CustomAuthenticationFilter extends UsernamePasswordAuthenticationFilter {

    public static final String SPRING_SECURITY_DEPARTMENT_KEY = "department";

  @Override
  public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {

      CustomAuthenticationToken authRequest = getAuthRequest(request);
      setDetails(request, authRequest);

      return this.getAuthenticationManager().authenticate(authRequest);
  }

  private CustomAuthenticationToken getAuthRequest(HttpServletRequest request) {

      String username = obtainUsername(request);
      String password = obtainPassword(request);
      String department = obtainDepartment(request);

      if (username == null) {
          username = "";
      }
      if (password == null) {
          password = "";
      }
      if (department == null) {
          department = "";
      }

      //(username)(separator)(department)
      String usernameDomain = String.format("%s%s%s", 
              username.trim(), 
              String.valueOf(Character.LINE_SEPARATOR), 
              department);

      return new CustomAuthenticationToken(usernameDomain, password, department);
  }

  private String obtainDepartment(HttpServletRequest request) {
      return request.getParameter(SPRING_SECURITY_DEPARTMENT_KEY);
  }
}

编辑

第一个问题我已经想通了 - 登录时需要指向/ login操作的表单操作。我这样做了,我现在正在进入过滤器。也就是说,username为null,密码仍为null。

编辑2

将passwordInput更改为password,将usernameInput更改为username。我删除了SecurityConfig中的usernameParameter和passwordParameter设置。我修复了我的令牌,现在正在我的自定义UserDetails中获取它。

我的BCrypt安全检查并返回“true”。

我仍然得到以下stacktrace:

    11:02:58.626 [http-nio-8080-exec-3] DEBUG com.xfact.config.CustomAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
org.springframework.security.authentication.BadCredentialsException: Bad credentials
    at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:151)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199)
    at org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter$AuthenticationManagerDelegator.authenticate(WebSecurityConfigurerAdapter.java:512)
    at com.xfact.config.CustomAuthenticationFilter.attemptAuthentication(CustomAuthenticationFilter.java:20)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Unknown Source)
答案

对于你的CustomAuthenticationFilter,你没有设置表格参数的名称,这些参数与Spring的默认usernamepassword不同。

以上是关于JSF / Spring Security - 添加其他登录字段不会调用自定义过滤器的主要内容,如果未能解决你的问题,请参考以下文章

在 JSF、Spring、Spring-Security 项目中是不是需要 faces-config.xml? [复制]

Tomcat 上的 Spring Security/JSF/Hibernate 意外会话劫持?

Spring Security 4 和 JSF 2 集成

使用spring security时无法访问jsf页面,出现403

如何在 JSF 中使用 Spring Security Facelets 标签库

Spring Security + JSF 2.0 + Primefaces + Hibernate 配置