问题
H i'm using spring security
for form-login i have
<http auto-config="true">
<intercept-url pattern="/pages/**" access="ROLE_USER" />
<form-login authentication-success-handler-ref="authenticationSuccessHandler" login-page="/login.html" default-target-url="/pages/index.html"
always-use-default-target="true" authentication-failure-url="/login.html" />
<logout logout-success-url="/login.html" invalidate-session="true" />
<anonymous enabled='false'/>
</http>
here i can set an authentication-success-handler-ref, how can i add one to my basic authentication:
<http pattern="/REST/**" realm="REALM" entry-point-ref="authenticationEntryPoint">
<intercept-url pattern="/**" access="ROLE_USER" />
<http-basic />
<logout logout-url="/REST/logout" success-handler-ref="restLogoutSuccessHandler" />
</http>
i thought abour overriding BasicAuthenticationFilter, but how can i inject my cutom class for <http-basic />
回答1:
You cannot set an authentication success handler for BASIC authentication. You can, however, extend BasicAuthenticationFilter and override onSuccessfulAuthentication method:
@Component("customBasicAuthFilter")
public class CustomBasicAuthFilter extends BasicAuthenticationFilter {
@Autowired
public CustomBasicAuthFilter(AuthenticationManager authenticationManager) {
super(authenticationManager);
}
protected void onSuccessfulAuthentication(javax.servlet.http.HttpServletRequest request, javax.servlet.http.HttpServletResponse response, Authentication authResult) {
// Do what you want here
}
}
Inject it in your security configuration with something like:
<http entry-point-ref="basicEntryPoint">
<custom-filter ref="customBasicAuthFilter" position="BASIC_AUTH_FILTER"/>
</http>
<authentication-manager alias="authenticationManager">
...
</authentication-manager>
Update: Or with Java config instead of XML:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.addFilterAt(customBasicAuthFilter, BasicAuthenticationFilter.class)
.exceptionHandling().authenticationEntryPoint(basicEntryPoint);
}
回答2:
As a workaround you can use http-basic in conjuction with form-login:
<http auto-config="true">
...
<http-basic />
<form-login authentication-success-handler-ref="authenticationSuccessHandler" ... />
...
</http>
BasicAuthenticationFilter will work.
EDIT. If you want set up your overriden version of BasicAuthenticationFilter I think you need to:
- Add it to filter chain at BASIC_AUTH_FILTER position as explained here
- Set up corresponding BasicAuthenticationEntryPoint entry point via entry-point-ref attribute of http tag.
回答3:
Instead of using an AuthenticationSuccessHandler you can rely on Spring Security's event mechanism and listen to AuthenticationSuccessEvent by using the ApplicationListener interface:
@Component
public class AuthenticationEventListener implements
ApplicationListener<AuthenticationSuccessEvent>
{
@Override
public void onApplicationEvent (AuthenticationSuccessEvent event) {
// do what you want here
// example: persist event to the database
}
}
See also this answer here: https://stackoverflow.com/a/11384001/474034
来源:https://stackoverflow.com/questions/16734537/spring-security-3-http-basic-authentication-success-handler