Catching Remember-Me Authentication Events in Spring Security

I'm writing an application in which I need to catch and respond to authentication events so that I can take appropriate action. Currently I'm only catching the AuthenticationSuccessEvent from Spring, which fires when the user logs in manually. I'm now trying to implement the "remember-me" functionality. Logging helped me see that what I want to catch is the InteractiveAuthenticationSuccessEvent. Can someone take a look at the code below and help me handle this new event?

@Override
public void onApplicationEvent(ApplicationEvent event) {
    log.info(event.toString()); // debug only: keep track of all events
    if (event instanceof AuthenticationSuccessEvent) {
        AuthenticationSuccessEvent authEvent = (AuthenticationSuccessEvent)event;
        lock.writeLock().lock();
        try {
            sessionAuthMap.put(((WebAuthenticationDetails)authEvent.getAuthentication().getDetails()).getSessionId(), authEvent.getAuthentication());
        } finally {
            lock.writeLock().unlock();
        }
    } else if (event instanceof HttpSessionDestroyedEvent) {
        HttpSessionDestroyedEvent destroyEvent = (HttpSessionDestroyedEvent)event;
        lock.writeLock().lock();
        try {
            sessionAuthMap.remove(destroyEvent.getId());
        } finally {
            lock.writeLock().unlock();
        }
    }
}

In my original post I didn't mention the requirement of storing the session Id and Authentication object in a map; this is because I'm using the Google Earth plugin. The GE plugin is a separate http client, independent of the user's browser, so the user's session information is never passed from the GE plugin to the server. For this reason I rewrite the URLs that GE requests to include the user's session Id (hence the map above) as a query parameter, so that we can verify that the session Id really is valid for a user. All of this exists because we have KML that requires GE, but we can't allow users to reach it through Firefox or whatever via a direct, unprotected URL.

Spring Config: (sorry, SO kinda fudged the formatting)

<sec:http use-expressions="true">
    <sec:intercept-url pattern="/Login.html*" access="permitAll"/>
    <sec:intercept-url pattern="/j_spring_security*" access="permitAll" method="POST"/>
    <sec:intercept-url pattern="/main.css*" access="permitAll"/>
    <sec:intercept-url pattern="/favicon.ico*" access="permitAll"/>
    <sec:intercept-url pattern="/images/**" access="permitAll"/>
    <sec:intercept-url pattern="/common/**" access="permitAll"/>
    <sec:intercept-url pattern="/earth/**" access="permitAll"/>
    <sec:intercept-url pattern="/earth/kml/**" access="permitAll"/>
    <sec:intercept-url pattern="/earth/js/**" access="permitAll"/>
    <sec:intercept-url pattern="/css/**" access="permitAll"/>
    <sec:intercept-url pattern="/resource*" access="permitAll"/>
    <sec:intercept-url pattern="/geom*" access="hasRole('ROLE_SUPERUSER')"/>
    <sec:intercept-url pattern="/status/**" access="permitAll"/>
    <sec:intercept-url pattern="/index.html*" access="hasRole('ROLE_USER')"/>
    <sec:intercept-url pattern="/project.html*" access="hasRole('ROLE_USER')"/>
    <sec:intercept-url pattern="/js/**" access="hasRole('ROLE_USER')"/>
    <sec:intercept-url pattern="/help/**" access="hasRole('ROLE_USER')"/>
    <sec:intercept-url pattern="/app/**" access="hasRole('ROLE_USER')"/>
    <sec:intercept-url pattern="/data/**" access="hasRole('ROLE_USER')"/>
    <sec:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
    <sec:intercept-url pattern="/session/**" access="hasRole('ROLE_USER')"/>
    <sec:intercept-url pattern="/" access="hasRole('ROLE_USER')"/>
    <sec:intercept-url pattern="/**" access="denyAll"/>
    <sec:intercept-url pattern="**" access="denyAll"/>

    <sec:session-management session-fixation-protection="none" />

    <sec:form-login login-page="/Login.html${dev.gwt.codesrv.htmlparam}" default-target-url="/index.html${dev.gwt.codesrv.htmlparam}" authentication-failure-url="/Login.html${dev.gwt.codesrv.htmlparam}"/>
    <sec:http-basic/>
    <sec:logout invalidate-session="true" logout-success-url="/Login.html${dev.gwt.codesrv.htmlparam}"/>
    <sec:remember-me key="[REMOVED]" />
</sec:http>

<bean id="authenticationEventPublisher" class="org.springframework.security.authentication.DefaultAuthenticationEventPublisher" />

<bean id="org.springframework.security.authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <property name="authenticationEventPublisher" ref="authenticationEventPublisher"/>
    <property name="providers">
        <list>
            <ref bean="authenticationProvider" />
            <ref bean="anonymousProvider" />
        </list>
    </property>
</bean>

<bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="passwordEncoder" ref="passwordEncoder"/>
    <property name="saltSource" ref="saltSource"/>
    <property name="userDetailsService" ref="userService" />
</bean>

<bean id="anonymousProvider" class="org.springframework.security.authentication.AnonymousAuthenticationProvider">
    <property name="key" value="[REMOVED]" />
</bean>
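The listener approach the question asks about, as an added example that is not code from the original question or answers. It handles both AuthenticationSuccessEvent (published by ProviderManager when an authenticationEventPublisher is set, as in the config above) and InteractiveAuthenticationSuccessEvent (published by UsernamePasswordAuthenticationFilter and RememberMeAuthenticationFilter after a successful login), and it guards the session-id extraction: WebAuthenticationDetails records a session id only if request.getSession(false) returned one, and a remember-me auto-login usually runs before any session exists. It assumes the Spring Security 3.x API used on this page; the class name SessionAuthenticationRegistry, the user names, the remember-me key and the use of spring-test's MockHttpServletRequest for the offline demo in main are assumptions of this example.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.mock.web.MockHttpServletRequest;           // spring-test, demo only
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.event.AbstractAuthenticationEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.RememberMeAuthenticationFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.session.HttpSessionDestroyedEvent;

/** Hypothetical bean for this example: session id -> Authentication, fed by Spring events. */
public class SessionAuthenticationRegistry implements ApplicationListener<ApplicationEvent> {

    // ConcurrentHashMap stands in for the explicit ReadWriteLock used in the question.
    private final Map<String, Authentication> sessionAuthMap =
            new ConcurrentHashMap<String, Authentication>();

    @Override
    public void onApplicationEvent(ApplicationEvent event) {
        if (event instanceof AuthenticationSuccessEvent
                || event instanceof InteractiveAuthenticationSuccessEvent) {
            register(((AbstractAuthenticationEvent) event).getAuthentication());
        } else if (event instanceof HttpSessionDestroyedEvent) {
            sessionAuthMap.remove(((HttpSessionDestroyedEvent) event).getId());
        }
    }

    private void register(Authentication auth) {
        String sessionId = sessionIdOf(auth);
        if (sessionId == null) {
            // No HTTP session yet (typical for a remember-me cookie on a fresh browser process);
            // the cast-and-put in the question would store a null key here.
            System.out.println("no session yet for " + auth.getName() + "; not registered");
            return;
        }
        sessionAuthMap.put(sessionId, auth);
    }

    static String sessionIdOf(Authentication auth) {
        Object details = auth.getDetails();   // may be null or a non-web details object
        return details instanceof WebAuthenticationDetails
                ? ((WebAuthenticationDetails) details).getSessionId() : null;
    }

    /** For the KML handler: which login, if any, does this query-parameter session id belong to? */
    public Authentication lookup(String sessionId) {
        return sessionId == null ? null : sessionAuthMap.get(sessionId);
    }

    /** Same rule as Spring's fullyAuthenticated expression: remember-me logins do not count. */
    public boolean isFullyAuthenticated(String sessionId) {
        Authentication auth = lookup(sessionId);
        return auth != null && auth.isAuthenticated()
                && !(auth instanceof RememberMeAuthenticationToken);
    }

    public static void main(String[] args) {
        SessionAuthenticationRegistry registry = new SessionAuthenticationRegistry();

        // 1. Form login: a session already exists, so both events register the user.
        MockHttpServletRequest loginRequest = new MockHttpServletRequest();   // constructed input
        String aliceSid = loginRequest.getSession(true).getId();
        UsernamePasswordAuthenticationToken formAuth = new UsernamePasswordAuthenticationToken(
                "alice", null, AuthorityUtils.createAuthorityList("ROLE_USER"));
        formAuth.setDetails(new WebAuthenticationDetails(loginRequest));
        registry.onApplicationEvent(new AuthenticationSuccessEvent(formAuth));
        registry.onApplicationEvent(new InteractiveAuthenticationSuccessEvent(
                formAuth, UsernamePasswordAuthenticationFilter.class));
        System.out.println("alice registered=" + (registry.lookup(aliceSid) != null)
                + " fully=" + registry.isFullyAuthenticated(aliceSid));

        // 2. Remember-me auto-login with no session yet: the event is caught but nothing is stored.
        MockHttpServletRequest cookieOnlyRequest = new MockHttpServletRequest();
        RememberMeAuthenticationToken rmAuth = new RememberMeAuthenticationToken(
                "demo-remember-me-key", "bob", AuthorityUtils.createAuthorityList("ROLE_USER"));
        rmAuth.setDetails(new WebAuthenticationDetails(cookieOnlyRequest));
        registry.onApplicationEvent(new InteractiveAuthenticationSuccessEvent(
                rmAuth, RememberMeAuthenticationFilter.class));

        // 3. Remember-me login on a browser that already holds a session: registered, not "fully".
        MockHttpServletRequest sessionRequest = new MockHttpServletRequest();
        String bobSid = sessionRequest.getSession(true).getId();
        rmAuth.setDetails(new WebAuthenticationDetails(sessionRequest));
        registry.onApplicationEvent(new InteractiveAuthenticationSuccessEvent(
                rmAuth, RememberMeAuthenticationFilter.class));
        System.out.println("bob registered=" + (registry.lookup(bobSid) != null)
                + " fully=" + registry.isFullyAuthenticated(bobSid));

        // 4. Logout with invalidate-session="true" (or a timeout) removes the mapping.
        registry.onApplicationEvent(new HttpSessionDestroyedEvent(loginRequest.getSession(false)));
        System.out.println("alice still registered=" + (registry.lookup(aliceSid) != null));
    }
}
```

Declare the class as a bean in the same context as the security filters; because it implements ApplicationListener the ApplicationContext delivers the events without further wiring, provided ProviderManager has its authenticationEventPublisher set (the config above does this) and HttpSessionEventPublisher is registered in web.xml for the session-destroyed events. The isFullyAuthenticated check is the hook for deciding whether a remembered login is enough to serve the protected KML. Separately, a session id carried as a query parameter ends up in server logs and Referer headers, so treat those rewritten URLs with the same care as the session cookie itself.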
Best Answer

According to the documentation, "In Spring Security 3, the user is first authenticated by the AuthenticationManager and, once they are successfully authenticated, a session is created".

Instead, you could implement your own AuthenticationSuccessHandler (probably by subclassing SavedRequestAwareAuthenticationSuccessHandler). You can put whatever logic you want in the onAuthenticationSuccess method, so move your existing logic there:

public class MyAuthenticationSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    // declare and initialize lock and sessionAuthMap at some point...
    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, 
            HttpServletResponse response, Authentication authentication) 
            throws ServletException, IOException {
        lock.writeLock().lock();
        try {
            sessionAuthMap.put(request.getSession().getId(), authentication);
        } finally {
            lock.writeLock().unlock();
        }
        super.onAuthenticationSuccess(request, response, authentication);
    }
}

Then, update your configs so that Spring Security invokes this class during the authentication process. Here's how:

Step 1: Override the UsernamePasswordAuthenticationFilter that the <form-login> element creates. Specifically, put this inside <http>:

<sec:custom-filter position="FORM_LOGIN_FILTER" ref="myFilter" />

Step 2: Define myFilter and wire your handlers to it:

<bean id="myFilter" 
    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="authenticationManager" ref="authenticationManager" />
    <!-- success handler and failure handler each point at the matching bean -->
    <property name="authenticationSuccessHandler" ref="myAuthenticationSuccessHandler" />
    <property name="authenticationFailureHandler" ref="myAuthenticationFailureHandler" />
</bean>

<bean id="myAuthenticationSuccessHandler" 
    class="my.MyAuthenticationSuccessHandler">
<!-- set properties here -->
</bean>

<!-- you can subclass this or one of its parents, too -->
<bean id="myAuthenticationFailureHandler" 
    class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
    <!-- set properties such as exceptionMappings here -->
</bean>

See http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ns-config.html for details. See also the docs.

BTW, your question reminds me of OAuth. Basically, you issue an access token to the client on the basis of the resource owner's authorization.

Other Answers

Please read the update at bottom of this post

Have you tried just adding another "else if" based on "event instance of InteractiveAuthenticationSuccessEvent"?

@Override
public void onApplicationEvent(ApplicationEvent event) {
    log.info(event.toString()); // debug only: keep track of all events
    if (event instanceof AuthenticationSuccessEvent) {
        AuthenticationSuccessEvent authEvent = (AuthenticationSuccessEvent)event;
        lock.writeLock().lock();
        try {
            sessionAuthMap.put(((WebAuthenticationDetails)authEvent.getAuthentication().getDetails()).getSessionId(), authEvent.getAuthentication());
        } finally {
            lock.writeLock().unlock();
        }
    } else if (event instanceof InteractiveAuthenticationSuccessEvent) {
        InteractiveAuthenticationSuccessEvent authEvent = (InteractiveAuthenticationSuccessEvent)event;
        lock.writeLock().lock();
        try {
            sessionAuthMap.put(((WebAuthenticationDetails)authEvent.getAuthentication().getDetails()).getSessionId(), authEvent.getAuthentication());
        } finally {
            lock.writeLock().unlock();
        }
    } else if (event instanceof HttpSessionDestroyedEvent) {
        HttpSessionDestroyedEvent destroyEvent = (HttpSessionDestroyedEvent)event;
        lock.writeLock().lock();
        try {
            sessionAuthMap.remove(destroyEvent.getId());
        } finally {
            lock.writeLock().unlock();
        }
    }
}

UPDATE: Your question is basically, "How can I get one http client (i.e. the Google Earth plugin) to appear authenticated to my site as someone who logged in using another http client (the user's browser)?" Even if you could get that to work, it doesn't seem like a good idea, security-wise. Another interesting question would be, "How can I load KML into the Google Earth plugin other than by having the plugin request the KML file over http?" According to their docs, there is a method, parseKml(), which takes a String containing KML data. So in theory you could load the protected KML data using a JavaScript/AJAX call from the user's browser, which would be compatible with your site's normal security setup, then pass the returned KML to parseKml().
