gembin


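Adding IP Restriction to Spring Security

The project needed an IP restriction feature on top of Spring Security. The first approach was to extend DaoAuthenticationProvider and, in the additionalAuthenticationChecks method, call getRemoteAddress on WebAuthenticationDetails to obtain the client IP, then decide whether the login should be restricted.

When deployed standalone on Tomcat this worked fine, but with Apache as the front-end proxy the IP error was always reported. The logs showed that getRemoteAddress always returned Apache's IP. The WebAuthenticationDetails source shows why: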

this.remoteAddress = request.getRemoteAddr();

When a proxy is present, request.getRemoteAddr() cannot return the real client IP (http://mrlee23.javaeye.com/blog/510747); the IP has to be read from the x-forwarded-for HTTP header, as follows:

    import javax.servlet.http.HttpServletRequest;
    import org.apache.commons.lang.StringUtils; // assumed: StringUtils from Apache Commons Lang

    public static final String getIpAddr(final HttpServletRequest request)
            throws Exception {
        if (request == null) {
            throw (new Exception(
                    "getIpAddr method HttpServletRequest Object is null"));
        }
        // Try the proxy headers in turn, falling back to the socket peer address
        String ipString = request.getHeader("x-forwarded-for");
        if (StringUtils.isBlank(ipString) || "unknown".equalsIgnoreCase(ipString)) {
            ipString = request.getHeader("Proxy-Client-IP");
        }
        if (StringUtils.isBlank(ipString) || "unknown".equalsIgnoreCase(ipString)) {
            ipString = request.getHeader("WL-Proxy-Client-IP");
        }
        if (StringUtils.isBlank(ipString) || "unknown".equalsIgnoreCase(ipString)) {
            ipString = request.getRemoteAddr();
        }

        // With multiple hops, take the first IP that is not "unknown"
        final String[] arr = ipString.split(",");
        for (final String str : arr) {
            if (!"unknown".equalsIgnoreCase(str.trim())) {
                ipString = str.trim();
                break;
            }
        }

        return ipString;
    }
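The header lookup above returns whatever value the client sends, so an IP restriction built on it should honour x-forwarded-for only when the TCP peer is a proxy you operate. The following is an added example, not code from the original post: a hypothetical `ClientIpResolver` that takes the values of `request.getRemoteAddr()` and the x-forwarded-for header and walks the chain from the right. The proxy address 10.0.0.5 and the sample inputs are constructed.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Added example: resolve the client IP without trusting x-forwarded-for blindly. */
public final class ClientIpResolver {

    // Assumption: addresses of the reverse proxies you operate (constructed values).
    private final Set<String> trustedProxies;

    public ClientIpResolver(String... trustedProxies) {
        this.trustedProxies = new HashSet<>(Arrays.asList(trustedProxies));
    }

    /**
     * @param remoteAddr   value of request.getRemoteAddr() (the TCP peer)
     * @param forwardedFor value of the x-forwarded-for header, may be null
     */
    public String resolve(String remoteAddr, String forwardedFor) {
        // A peer that is not one of our proxies cannot vouch for any header.
        if (!trustedProxies.contains(remoteAddr) || forwardedFor == null) {
            return remoteAddr;
        }
        // Each proxy appends the peer it saw, so walk right to left and stop
        // at the first hop that is not one of our own proxies.
        String[] hops = forwardedFor.split(",");
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (hop.isEmpty() || "unknown".equalsIgnoreCase(hop)) {
                break; // malformed chain: fall back to the peer address
            }
            if (!trustedProxies.contains(hop)) {
                return hop;
            }
        }
        return remoteAddr;
    }

    public static void main(String[] args) {
        ClientIpResolver r = new ClientIpResolver("10.0.0.5");
        // Normal request relayed by the Apache front end
        System.out.println(r.resolve("10.0.0.5", "203.0.113.7"));
        // Client prepended a forged entry before reaching Apache
        System.out.println(r.resolve("10.0.0.5", "192.168.1.10, 203.0.113.7"));
        // Direct connection to Tomcat carrying a forged header
        System.out.println(r.resolve("198.51.100.9", "192.168.1.10"));
    }
}
```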

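Following the explanation at http://www.blogjava.net/taochen1984/articles/310072.html, customize some of the Spring Security components:

  • Extend WebAuthenticationDetails and store the request as a property
  • Extend WebAuthenticationDetailsSource and set clazz to the WebAuthenticationDetails subclass created above
  • Modify the Spring Security configuration file and add the following beans: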
    <bean id="authenticationProcessingFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <property name="authenticationDetailsSource" ref="authenticationDetailsSource" />
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="filterProcessesUrl" value="/j_spring_security_check" />
        <property name="authenticationSuccessHandler" ref="authenticationSuccessHandler" />
        <property name="authenticationFailureHandler" ref="authenticationFailureHandler" />
    </bean>
    <bean id="authenticationSuccessHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
        <property name="defaultTargetUrl" value="/loginsuccess.jsp" />
    </bean>
    <bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <property name="defaultFailureUrl" value="/admin.jsp?error=1" />
    </bean>
    <bean id="authenticationDetailsSource" class="javacommon.security.springsecurity.CustomWebAuthenticationDetailsSource"/>
    <bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <property name="loginFormUrl" value="/admin.jsp" />
        <property name="forceHttps" value="false" />
    </bean>

Remove the auto-config attribute from s:http and register the custom authenticationProcessingFilter as FORM_LOGIN_FILTER:

    <s:http access-denied-page="/fault.jsp"  entry-point-ref="authenticationProcessingFilterEntryPoint">
        <s:logout logout-success-url="/admin.jsp" />
        <s:remember-me/>
        <s:anonymous/>
        <s:custom-filter position="FORM_LOGIN_FILTER" ref="authenticationProcessingFilter" />
    </s:http>

from: http://codingmu.ixiezi.com/

Posted on 2010-10-11 17:24 by gembin. Category: Spring

