SpringSecurity实现多登录成功页面和登录成功返回被拦截界面

使用SrpingSceurity作为认证和授权的安全框架可以省下很多基础工作.

具体可以参考SpringSecurity,这里不多说了.主要是记录一下使用中碰到的问题.

 

问题1

项目有不同客户端需要不同的返回界面,比如Android的登录返回json格式数据.网页登录跳转到登录成功页面.

SpringSecurity的默认配置是做不到这点的.以下是配置登录成功页面的地方.

 

 

 

 这里如果loginsuccess.jsp页面是登录成功页,那么Android的登录就不好返回json格式了.

 

解决方法

使用AuthenticationSuccessHandler

 

----------------示例见下----------------

1.定制自己的AuthenticationSuccessHandler类,实现AuthenticationSuccessHandler接口

 

package com.gt.util;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang.StringUtils;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

public class MyAuthenticationSuccessHandler implements
		AuthenticationSuccessHandler {

	@Override
	public void onAuthenticationSuccess(HttpServletRequest request,
			HttpServletResponse response, Authentication auth)
			throws IOException, ServletException {		
		String f = request.getParameter("f");
		if (StringUtils.isNotEmpty(f)) {
			if(f.equals("android")){
				response.setCharacterEncoding("UTF-8");
				response.getWriter().write("登录成功"+LoginUserUtil.getUser());
			}
			
		}else{
			
			request.getRequestDispatcher("/account/user.exp").forward(request, response);
						
		}

	}

}

 

 

2.登录页面中指定f参数.只是示例,可以自己根据业务定制.

 

3.修改配置文件

增加authentication-success-handler-ref="expaiSuccessHandler"

去掉default-target-url="/loginsuccess.jsp"

 

 

官方文档介绍

 Attribute : authentication-success-handler-ref

Reference to an AuthenticationSuccessHandler bean which should be used to handle a successful 

 authentication request. Should not be used in combination with default-target-url (or always-use-

 default-target-url) as the implementation should always deal with navigation to the subsequent 

 destination

 

4.修改配置文件,增加bean定义

 

---------------------------问题1end--------------------- 

 

 

问题2

登录后返回拦截前的界面

 

思路

在拦截后,进入登录页面前,把被拦截地址放入session中.登录成功从session取出被拦截地址并且跳转.

 

-------------代码示例-----------

1.增加MyLoginUrlAuthenticationEntryPoint 继承 LoginUrlAuthenticationEntryPoint

 

package com.gt.util;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.RedirectUrlBuilder;

public class MyLoginUrlAuthenticationEntryPoint extends
		LoginUrlAuthenticationEntryPoint {

	public void commence(HttpServletRequest request,
			HttpServletResponse response, AuthenticationException authException)
			throws IOException, ServletException {
		String returnUrl = buildHttpReturnUrlForRequest(request);
		request.getSession().setAttribute("ru", returnUrl);
		super.commence(request, response, authException);
	}

	protected String buildHttpReturnUrlForRequest(HttpServletRequest request)
			throws IOException, ServletException {


		RedirectUrlBuilder urlBuilder = new RedirectUrlBuilder();
		urlBuilder.setScheme("http");
		urlBuilder.setServerName(request.getServerName());
		urlBuilder.setPort(request.getServerPort());
		urlBuilder.setContextPath(request.getContextPath());
		urlBuilder.setServletPath(request.getServletPath());
		urlBuilder.setPathInfo(request.getPathInfo());
		urlBuilder.setQuery(request.getQueryString());

		return urlBuilder.getUrl();
	}

}

 

 

2.修改配置文件,增加引用

 

 

 

 

 

 

3.修改MyAuthenticationSuccessHandler,增加获取被拦截地址并且跳转代码

 

package com.gt.util;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang.StringUtils;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;

public class MyAuthenticationSuccessHandler implements
		AuthenticationSuccessHandler {

	@Override
	public void onAuthenticationSuccess(HttpServletRequest request,
			HttpServletResponse response, Authentication auth)
			throws IOException, ServletException {		
		String f = request.getParameter("f");
		if (StringUtils.isNotEmpty(f)) {
			if(f.equals("android")){
				response.setCharacterEncoding("UTF-8");
				response.getWriter().write("登录成功"+LoginUserUtil.getUser());
			}
			
		}else{
			String ru = (String)request.getSession().getAttribute("ru");
			request.getSession().removeAttribute("ru");
			if(StringUtils.isNotEmpty(ru)){
				response.sendRedirect(ru);
				//request.getRequestDispatcher(ru).forward(request, response);
			}else{
				request.getRequestDispatcher("/account/user.exp").forward(request, response);
			}
			
		}

	}

}