重写org.springframework.security.ui.webapp.AuthenticationProcessingFilter:
package com.cay.core.web;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.ui.webapp.AuthenticationProcessingFilter;
import org.springframework.security.util.RedirectUtils;

import com.cay.utils.RenderUtils;

/**
 * An {@link AuthenticationProcessingFilter} that answers AJAX login attempts
 * with a JSON body instead of an HTTP redirect.
 *
 * <p>A request is treated as AJAX when its {@code X-Requested-With} header
 * equals {@code XMLHttpRequest}. For such requests the success/failure hooks
 * render a small JSON map through {@code RenderUtils.renderJSON} and the
 * redirect step is skipped; every other request keeps the stock behaviour
 * of the parent filter (redirect to the default-target / failure URL).
 */
public class AjaxableAuthenticationProcessingFilter extends AuthenticationProcessingFilter {

    /** Header browsers' XHR helpers (jQuery, ExtJS, ...) attach to AJAX calls. */
    private static final String AJAX_HEADER = "X-Requested-With";

    /** Header value that marks a request as an XMLHttpRequest call. */
    private static final String AJAX_HEADER_VALUE = "XMLHttpRequest";

    /**
     * If true, causes any redirection URLs to be calculated minus the protocol
     * and context path (defaults to false).
     */
    private boolean useRelativeContext = false;

    /**
     * Sets whether redirect URLs are built relative to the context path.
     *
     * @param useRelativeContext {@code true} to omit protocol and context path
     */
    public void setUseRelativeContext(boolean useRelativeContext) {
        this.useRelativeContext = useRelativeContext;
    }

    /**
     * Runs the parent's success handling and, for AJAX callers, writes a JSON
     * body of the form {@code {"success": true, "status": "1"}}.
     *
     * @param request    the login request
     * @param response   the response the JSON body is written to
     * @param authResult the successful authentication token
     * @throws IOException if the parent hook or the JSON rendering fails
     */
    protected void onSuccessfulAuthentication(HttpServletRequest request,
            HttpServletResponse response, Authentication authResult) throws IOException {
        super.onSuccessfulAuthentication(request, response, authResult);
        if (!isAjaxRequest(request)) {
            return;
        }
        Map<String, Object> body = new HashMap<String, Object>();
        body.put("success", true);
        body.put("status", "1");
        RenderUtils.renderJSON(response, body);
    }

    /**
     * Runs the parent's failure handling and, for AJAX callers, writes a JSON
     * body of the form {@code {"success": true, "status": "-1", "message": ...}}.
     *
     * <p>NOTE(review): {@code success} is {@code true} on a failed login as
     * well; the front-end is expected to branch on {@code status}
     * ({@code "1"} vs {@code "-1"}) instead — confirm the form handler relies
     * on this before changing it.
     *
     * <p>NOTE(review): the raw exception message is echoed to the client. What
     * it discloses depends on the messages the authentication provider is
     * configured with; a generic "bad credentials" text avoids telling a
     * caller whether the account exists.
     *
     * @param request  the login request
     * @param response the response the JSON body is written to
     * @param failed   the exception describing why authentication failed
     * @throws IOException if the parent hook or the JSON rendering fails
     */
    protected void onUnsuccessfulAuthentication(HttpServletRequest request,
            HttpServletResponse response, AuthenticationException failed) throws IOException {
        super.onUnsuccessfulAuthentication(request, response, failed);
        if (!isAjaxRequest(request)) {
            return;
        }
        Map<String, Object> body = new HashMap<String, Object>();
        body.put("success", true);
        body.put("status", "-1");
        body.put("message", failed.getMessage());
        RenderUtils.renderJSON(response, body);
    }

    /**
     * Redirects non-AJAX callers to {@code url}; AJAX callers already received
     * a JSON body from the hooks above, so no redirect is issued for them.
     *
     * @param request  the current request
     * @param response the response to redirect
     * @param url      the target URL (default-target or failure URL)
     * @throws IOException if the redirect cannot be sent
     */
    protected void sendRedirect(HttpServletRequest request, HttpServletResponse response,
            String url) throws IOException {
        if (isAjaxRequest(request)) {
            // ignore redirect when request via ajax
            return;
        }
        RedirectUtils.sendRedirect(request, response, url, useRelativeContext);
    }

    /**
     * Tells whether {@code request} carries the XMLHttpRequest marker header.
     *
     * @param request the request to inspect
     * @return {@code true} when {@code X-Requested-With} equals {@code XMLHttpRequest}
     */
    private static boolean isAjaxRequest(HttpServletRequest request) {
        return AJAX_HEADER_VALUE.equals(request.getHeader(AJAX_HEADER));
    }
}
applicationContext-security.xml如下:
<?xml version="1.0" encoding="UTF-8"?>
<!--
    Spring Security 2.0.4 web security context.
    Form login is handled by the custom AjaxableAuthenticationProcessingFilter bean
    below (registered via custom-filter) rather than the form-login element.
-->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

    <http entry-point-ref="authenticationProcessingFilterEntryPoint">
        <!-- Patterns are matched in order; the first match wins, so the /** catch-all must stay last. -->
        <!-- Anonymous access: login page and static assets. -->
        <intercept-url pattern="/pages/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/css/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/new/commons/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/new/core/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/new/extjs/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/favicon.ico" access="ROLE_ANONYMOUS" />
        <!-- NOTE(review): ROLE_AUTHENTICATED is not a built-in IS_AUTHENTICATED_* attribute;
             it must be a granted authority returned by userDetailsService for every
             logged-in user, otherwise everything under /** is denied - confirm. -->
        <intercept-url pattern="/**" access="ROLE_AUTHENTICATED" />

        <!-- A customised AuthenticationProcessingFilter cannot be combined with the form-login element or auto-config="true" -->
        <!-- At the same time the logout, http-basic and anonymous elements must be present -->
        <logout logout-success-url="/pages/login.jsp" />
        <!-- http-basic also accepts credentials via the Authorization header on any request. -->
        <http-basic />
        <anonymous />
        <!-- <form-login login-page="/pages/login.jsp" authentication-failure-url="/pages/login.jsp?error=true" default-target-url="/index.do" /> -->
    </http>

    <authentication-provider user-service-ref="userDetailsService">
        <!-- NOTE(review): unsalted MD5 (no salt-source configured) offers little protection
             against offline cracking if the credential store is exposed. Changing the hash
             requires re-hashing every stored password, so plan it as a migration. -->
        <password-encoder hash="md5" />
    </authentication-provider>

    <!-- Replaces the stock AUTHENTICATION_PROCESSING_FILTER so AJAX logins get JSON instead of a redirect. -->
    <beans:bean id="authenticationProcessingFilter" class="com.cay.core.web.AjaxableAuthenticationProcessingFilter">
        <custom-filter position="AUTHENTICATION_PROCESSING_FILTER" />
        <beans:property name="defaultTargetUrl" value="/index.do" />
        <beans:property name="authenticationFailureUrl" value="/pages/login.jsp?error=true"/>
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>

    <authentication-manager alias="authenticationManager"/>

    <!-- Entry point referenced by the http element; sends unauthenticated callers to the login form. -->
    <beans:bean id="authenticationProcessingFilterEntryPoint" class="com.cay.core.web.handler.AjaxableAuthenticationProcessingFilterEntryPoint">
        <beans:property name="loginFormUrl" value="/pages/login.jsp" />
    </beans:bean>

    <!-- Message bundle for security error texts; these are the strings that reach
         the client in the failure response, so keep them generic. -->
    <beans:bean id="messageSource" class="org.springframework.context.support.ReloadableResourceBundleMessageSource">
        <beans:property name="basename" value="classpath:com/cay/security/messages" />
    </beans:bean>

    <beans:bean id="localeResolver" class="org.springframework.web.servlet.i18n.AcceptHeaderLocaleResolver" />
</beans:beans>
参考链接:
http://forum.springsource.org/showthread.php?56167-Overriding-AUTHENTICATION_PROCESSING_FILTER
http://forum.springsource.org/showthread.php?57373-How-to-replace-form-login
http://loianegroner.com/2010/02/integrating-spring-security-with-extjs-login-page/
http://stackoverflow.com/questions/4885893/how-to-differentiate-ajax-requests-from-normal-http-requests
http://androider.iteye.com/blog/588379