一、前言

在上一篇http://blog.csdn.net/k10509806/archive/2011/04/28/6369131.aspx文 章中，提到的MyUserDetailServiceImpl获取用户权限，在用户没有登陆的时候，Spring Security会让我们自动跳转到默认的登陆界面，但在实际应用绝大多数是用我们自己的登陆界面的，其中就包括一些我们自己的逻辑，比如验证码。所以本 人又研究一下，终于摸清了一些如何配置自己的登陆界面的办法。在这里献丑了。

二、Spring Security的过滤器

通过DEBUG可以看到Spring Security的Filter的顺序

Security filter chain: [
  ConcurrentSessionFilter
  SecurityContextPersistenceFilter
  LogoutFilter
  MyUsernamePasswordAuthenticationFilter
  RequestCacheAwareFilter
  SecurityContextHolderAwareRequestFilter
  RememberMeAuthenticationFilter
  AnonymousAuthenticationFilter
  SessionManagementFilter
  ExceptionTranslationFilter
  MySecurityFilter
  FilterSecurityInterceptor
]

Spring Security的登陆验证用的就是MyUsernamePasswordAuthenticationFilter，所以要实现我们自己的验证，可以写 一个类并继承MyUsernamePasswordAuthenticationFilter类，重写attemptAuthentication方法。

三、applicationContext-Security.xml配置

[xhtml] view plain copy

2. <beans:beans xmlns="http://www.springframework.org/schema/security"

3. xmlns:beans="http://www.springframework.org/schema/beans"

4. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

5. xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd

6. http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd"\>

8. <http pattern="/js/**" security="none"/>

9. <http pattern="/resource/**" security="none"></http>

10. <http pattern="/login.jsp" security="none"/>

11. <http use-expressions="true" entry-point-ref="authenticationProcessingFilterEntryPoint">

15. <session-management invalid-session-url="/timeout.jsp">

16. <concurrency-control max-sessions="10" error-if-maximum-exceeded="true" />

17. </session-management>

18. <custom-filter ref="loginFilter" position="FORM_LOGIN_FILTER" />

19. <custom-filter ref="securityFilter" before="FILTER_SECURITY_INTERCEPTOR"/>

20. </http>

22. <beans:bean id="loginFilter"

23. class="com.huaxin.security.MyUsernamePasswordAuthenticationFilter">

25. <beans:property name="filterProcessesUrl" value="/j_spring_security_check"></beans:property>

27. <beans:property name="authenticationSuccessHandler" ref="loginLogAuthenticationSuccessHandler"></beans:property>

29. <beans:property name="authenticationFailureHandler" ref="simpleUrlAuthenticationFailureHandler"></beans:property>

30. <beans:property name="authenticationManager" ref="myAuthenticationManager"></beans:property>

32. <beans:property name="usersDao" ref="usersDao"></beans:property>

33. </beans:bean>

34. <beans:bean id="loginLogAuthenticationSuccessHandler"

35. class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">

36. <beans:property name="defaultTargetUrl" value="/index.jsp"></beans:property>

37. </beans:bean>

38. <beans:bean id="simpleUrlAuthenticationFailureHandler"

39. class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">

41. <beans:property name="defaultFailureUrl" value="/login.jsp"></beans:property>

42. </beans:bean>

44. <beans:bean id="securityFilter" class="com.huaxin.security.MySecurityFilter">

46. <beans:property name="authenticationManager" ref="myAuthenticationManager" />

48. <beans:property name="accessDecisionManager" ref="myAccessDecisionManager" />

50. <beans:property name="securityMetadataSource" ref="mySecurityMetadataSource" />

51. </beans:bean>

53. <authentication-manager alias="myAuthenticationManager">

54. <authentication-provider user-service-ref="myUserDetailServiceImpl" />

55. </authentication-manager>

56. <beans:bean id="myAccessDecisionManager" class="com.huaxin.security.MyAccessDecisionManager"></beans:bean>

57. <beans:bean id="mySecurityMetadataSource" class="com.huaxin.security.MySecurityMetadataSource">

58. <beans:constructor-arg name="resourcesDao" ref="resourcesDao"></beans:constructor-arg>

59. </beans:bean>

60. <beans:bean id="myUserDetailServiceImpl" class="com.huaxin.security.MyUserDetailServiceImpl">

61. <beans:property name="usersDao" ref="usersDao"></beans:property>

62. </beans:bean>

64. <beans:bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">

65. <beans:property name="loginFormUrl" value="/login.jsp"></beans:property>

66. </beans:bean>

67. </beans:beans>

这里特别要说明一下，我们的标签不能配置auto-config，因为这样配置后，依然会采用Spring Security的Filter Chain会与下面我们配的custom-filter冲突，最好会抛异常。还有配置一个切入点entry-point-ref="authenticationProcessingFilterEntryPoint"，为了在未登陆的时候，跳转到哪个页面，不配也会抛异常。

position表示替换掉Spring Security原来默认的登陆验证Filter。

四、MyUsernamePasswordAuthenticationFilter

[java] view plain copy

1. package com.huaxin.security;

2. import javax.servlet.http.HttpServletRequest;

3. import javax.servlet.http.HttpServletResponse;

4. import javax.servlet.http.HttpSession;

5. import org.apache.commons.lang.xwork.StringUtils;

6. import org.springframework.security.authentication.AuthenticationServiceException;

7. import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;

8. import org.springframework.security.core.Authentication;

9. import org.springframework.security.core.AuthenticationException;

10. import org.springframework.security.web.WebAttributes;

11. import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

12. import com.huaxin.bean.Users;

13. import com.huaxin.dao.UsersDao;

14. /*

15. *

16. * UsernamePasswordAuthenticationFilter源码

17. attemptAuthentication

18. this.getAuthenticationManager()

19. ProviderManager.java

20. authenticate(UsernamePasswordAuthenticationToken authRequest)

21. AbstractUserDetailsAuthenticationProvider.java

22. authenticate(Authentication authentication)

23. P155 user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);

24. DaoAuthenticationProvider.java

25. P86 loadUserByUsername

26. */

27. public class MyUsernamePasswordAuthenticationFilter extends UsernamePasswordAuthenticationFilter{

28. public static final String VALIDATE_CODE = "validateCode";

29. public static final String USERNAME = "username";

30. public static final String PASSWORD = "password";

31. private UsersDao usersDao;

32. public UsersDao getUsersDao() {

33. return usersDao;

34. }

35. public void setUsersDao(UsersDao usersDao) {

36. this.usersDao = usersDao;

37. }

38. @Override

39. public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {

40. if (!request.getMethod().equals("POST")) {

41. throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());

42. }

43. //检测验证码

44. checkValidateCode(request);

45. String username = obtainUsername(request);

46. String password = obtainPassword(request);

47. //验证用户账号与密码是否对应

48. username = username.trim();

49. Users users = this.usersDao.findByName(username);

50. if(users == null || !users.getPassword().equals(password)) {

51. /*

52. 在我们配置的simpleUrlAuthenticationFailureHandler处理登录失败的处理类在这么一段

53. 这样我们可以在登录失败后，向用户提供相应的信息。

54. if (forwardToDestination) {

55. request.setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, exception);

56. } else {

57. HttpSession session = request.getSession(false);

58. if (session != null || allowSessionCreation) {

59. request.getSession().setAttribute(WebAttributes.AUTHENTICATION_EXCEPTION, exception);

60. }

61. }

62. */

63. throw new AuthenticationServiceException("用户名或者密码错误！");

64. }

65. //UsernamePasswordAuthenticationToken实现 Authentication

66. UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);

67. // Place the last username attempted into HttpSession for views

68. // 允许子类设置详细属性

69. setDetails(request, authRequest);

70. // 运行UserDetailsService的loadUserByUsername 再次封装Authentication

71. return this.getAuthenticationManager().authenticate(authRequest);

72. }

73. protected void checkValidateCode(HttpServletRequest request) {

74. HttpSession session = request.getSession();

75. String sessionValidateCode = obtainSessionValidateCode(session);

76. //让上一次的验证码失效

77. session.setAttribute(VALIDATE_CODE, null);

78. String validateCodeParameter = obtainValidateCodeParameter(request);

79. if (StringUtils.isEmpty(validateCodeParameter) || !sessionValidateCode.equalsIgnoreCase(validateCodeParameter)) {

80. throw new AuthenticationServiceException("验证码错误！");

81. }

82. }

83. private String obtainValidateCodeParameter(HttpServletRequest request) {

84. Object obj = request.getParameter(VALIDATE_CODE);

85. return null == obj ? "" : obj.toString();

86. }

87. protected String obtainSessionValidateCode(HttpSession session) {

88. Object obj = session.getAttribute(VALIDATE_CODE);

89. return null == obj ? "" : obj.toString();

90. }

91. @Override

92. protected String obtainUsername(HttpServletRequest request) {

93. Object obj = request.getParameter(USERNAME);

94. return null == obj ? "" : obj.toString();

95. }

96. @Override

97. protected String obtainPassword(HttpServletRequest request) {

98. Object obj = request.getParameter(PASSWORD);

99. return null == obj ? "" : obj.toString();

100. }

101. }

有时间，大家看看源码吧。

五、login.jsp

[php] view plain copy

2. <span style="color:red"><%=session.getAttribute(WebAttributes.AUTHENTICATION_EXCEPTION) %>
3. <form action="j_spring_security_check" method="post">
4. Account：
   
5. Password：
   

六、完了，源码大家可以看下我上一篇文章http://blog.csdn.net/k10509806/archive/2011/04/28/6369131.aspx。