springSecurityService和参数在会话中设置

Question

我试图根据自己的需要调整springSecurity插件，所以当用户进行身份验证时，必须检查一个密钥对用户有效，然后存储在用户会话中（用户可以有几个键）。

形式登录：

<form action='${request.contextPath}/j_spring_security_check' method='POST' id='loginForm' name='loginForm' controller="login" onLoading="showSpinner();" onComplete="hideSpinner();" class="form-horizontal" autocomplete='off'> 
        <g:if test='${flash.msg}'><div class='errors_pw3'><g:message code="default.message.login"/> </div><br/></g:if> 
        <div class="control-group" style="margin-left:80px;"> 
         <label class="control-label" for='j_datastore'><g:message code="label.datastore" default="Key:" /></label> 
          <div class="controls"> 
          <input type='text' name='key' id='key' value='${session.user.key}' class="span7"/> 
         </div> 
       </div> 
       <div class="control-group" style="margin-left:80px;"> 
        <label class="control-label" for='j_username'><g:message code="label.ubistoreid" /></label> 
        <div class="controls"> 
         <input type='text' name='j_username' id='username' value='${request.remoteUser}' class="span7"/> 
        </div> 
       </div> 
       <div class="control-group" style="margin-left:80px;"> 
        <label class="control-label" for='j_password'><g:message code="label.password" /></label> 
        <div class="controls"> 
         <input type='password' name='j_password' id='password' class="span7"/> 
        </div> 
       </div> 

登录控制器：

def auth = { 
    def config = SpringSecurityUtils.securityConfig 
    def principal = springSecurityService.principal 
    // Store key in the session 
    session.setAttribute("KEY",params.key) 
    println params.key + "*******" 
    println params.params + "-----" 
    if (springSecurityService.isLoggedIn()) { 
     redirect uri:'/secure' 
    } 
    else if (params["login_error"]) { 
     if(request.getParameterValues('login_error')[0] == '1') { 
      flash.msg = "User or password invalid !" 
     } 
    } 
    String view = 'index' 
    String postUrl = "${request.contextPath}${config.apf.filterProcessesUrl}" 
    render view: view, model: [postUrl: postUrl,rememberMeParameter: config.rememberMe.parameter,params:params] 
} 

】这个params不传递到会话

请，如何修改springSecurityService到： 1）检查密钥条目是否授权给用户？ （用户域类包含一个set<Key> keys条目以授权密钥列表）

2）后来在用户的会话中使用它（一旦被验证）

Answer 1

基本上，我已经实现了一个customRedirect战略。它的工作原理，但我需要一个建议来检查当前用户的密钥对象的有效性后自定义响应;

import javax.servlet.http.HttpServletRequest 
import javax.servlet.http.HttpServletResponse 
import org.apache.commons.lang.StringUtils 
import org.springframework.security.web.DefaultRedirectStrategy 

public class CustomRedirectStrategy extends DefaultRedirectStrategy { 

    static final String adminFailureUrl='/console/index' 
    static final String customerFailureUrl='/login/auth' 
    HttpServletRequest request 
    HttpServletResponse response 
    String url 
    String redirectUrl 

    @Override 
    public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException { 
     def key = request.getParameter("j_key") 
     if(key) { 
      // TODO: process key validation 
      request.session['KEY'] = key 
      def ds = DataStore.findByKeyname(key) 
      if(ds) { 
       request.session['DS'] = ds 
      } 
      log.debug '--------------------' 
      log.debug 'Used Key:'+ key 
      log.debug '--------------------' 
     } else { 
      log.debug '--------------------' 
      log.debug 'No key defined' 
      log.debug '--------------------' 
     } 

     if(request.getParameter('asAdmin') == 'true') { 
      redirectUrl = calculateAdminRedirectUrl(request); 
     } 
     else if (request.getParameter('asUser') == 'true') { 
      redirectUrl = calculateUserRedirectUrl(request); 
     } 
     redirectUrl = response.encodeRedirectURL(redirectUrl); 
     response.sendRedirect(redirectUrl); 
    } 

    private String calculateAdminRedirectUrl(final HttpServletRequest request) { 
     return request.getContextPath() + adminFailureUrl + "?login_error=1"; 
    } 

    private String calculateUserRedirectUrl(final HttpServletRequest request) { 
     return request.getContextPath() + customerFailureUrl + "?login_error=1"; 
    } 
}