SpringSecurity2.0的简单SSO

项目需要做一个简单的SSO到我们用SpringSecurity2.0的系统，因为没有统一的用户LDAP，采用post用户名密码的方式。现在要处理的就是2件事，一是能够post通过验证，二是验证通过要跳转到指定的页面。一很好实现: http://localhost:8081/j_spring_security_check?j_username=admin&j_password=1，采用的默认配置就可以通过验证。简单看一下spring源码，AuthenticationProcessingFilter是默认filterChain中的一个，由它来处理form方式的验证，验证代码如下：



Java代码
public Authentication attemptAuthentication(HttpServletRequest request) throws AuthenticationException {  
        String username = obtainUsername(request);  
        String password = obtainPassword(request);  
 
        if (username == null) {  
            username = "";  
        }  
 
        if (password == null) {  
            password = "";  
        }  
 
        username = username.trim();  
 
        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);  
 
        // Place the last username attempted into HttpSession for views  
        HttpSession session = request.getSession(false);  
 
        if (session != null || getAllowSessionCreation()) {  
            request.getSession().setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY, username);  
        }  
 
        // Allow subclasses to set the "details" property  
        setDetails(request, authRequest);  
 
        return this.getAuthenticationManager().authenticate(authRequest);  
    } 

public Authentication attemptAuthentication(HttpServletRequest request) throws AuthenticationException {
        String username = obtainUsername(request);
        String password = obtainPassword(request);

        if (username == null) {
            username = "";
        }

        if (password == null) {
            password = "";
        }

        username = username.trim();

        UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);

        // Place the last username attempted into HttpSession for views
        HttpSession session = request.getSession(false);

        if (session != null || getAllowSessionCreation()) {
            request.getSession().setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY, username);
        }

        // Allow subclasses to set the "details" property
        setDetails(request, authRequest);

        return this.getAuthenticationManager().authenticate(authRequest);
    }Java代码
protected String obtainUsername(HttpServletRequest request) {  
        return request.getParameter(usernameParameter);  
    } 

protected String obtainUsername(HttpServletRequest request) {
        return request.getParameter(usernameParameter);
    }Java代码
public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "j_username";  
    public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "j_password";  
    public static final String SPRING_SECURITY_LAST_USERNAME_KEY = "SPRING_SECURITY_LAST_USERNAME"; 

public static final String SPRING_SECURITY_FORM_USERNAME_KEY = "j_username";
    public static final String SPRING_SECURITY_FORM_PASSWORD_KEY = "j_password";
    public static final String SPRING_SECURITY_LAST_USERNAME_KEY = "SPRING_SECURITY_LAST_USERNAME";Java代码
    private String usernameParameter = SPRING_SECURITY_FORM_USERNAME_KEY;  
    private String passwordParameter = SPRING_SECURITY_FORM_PASSWORD_KEY; 

    private String usernameParameter = SPRING_SECURITY_FORM_USERNAME_KEY;
    private String passwordParameter = SPRING_SECURITY_FORM_PASSWORD_KEY;Java代码
public String getDefaultFilterProcessesUrl() {  
        return "/j_spring_security_check";  
    } 

public String getDefaultFilterProcessesUrl() {
        return "/j_spring_security_check";
    } url中的3个参数代码中都出现了。

     第二个问题就复杂一点了，配置的默认页面是index.jsp，现在要跳转到其它页面。查不到文档，还是自己看源码。AuthenticationProcessingFilter extends了AbstractProcessingFilter，这个类有很多与配置对应的属性，一个我们需要的属性就是targetUrlResolver：

Java代码
private TargetUrlResolver targetUrlResolver = new TargetUrlResolverImpl(); 

private TargetUrlResolver targetUrlResolver = new TargetUrlResolverImpl(); 这里就是处理验证后的跳转，看默认的TargetUrlResolverImpl类实现：

Java代码
public String determineTargetUrl(SavedRequest savedRequest, HttpServletRequest currentRequest,  
            Authentication auth) {  
 
        String targetUrl = currentRequest.getParameter(targetUrlParameter);  
          
        if (StringUtils.hasText(targetUrl)) {  
            try {  
                return URLDecoder.decode(targetUrl, "UTF-8");  
            } catch (UnsupportedEncodingException e) {  
                throw new IllegalStateException("UTF-8 not supported. Shouldn't be possible");  
            }  
        }  
 
        if (savedRequest != null) {  
            if (!justUseSavedRequestOnGet || savedRequest.getMethod().equals("GET")) {  
                targetUrl = savedRequest.getFullRequestUrl();  
            }  
        }  
 
        return targetUrl;  
    } 

public String determineTargetUrl(SavedRequest savedRequest, HttpServletRequest currentRequest,
            Authentication auth) {

        String targetUrl = currentRequest.getParameter(targetUrlParameter);
       
        if (StringUtils.hasText(targetUrl)) {
            try {
                return URLDecoder.decode(targetUrl, "UTF-8");
            } catch (UnsupportedEncodingException e) {
                throw new IllegalStateException("UTF-8 not supported. Shouldn't be possible");
            }
        }

        if (savedRequest != null) {
            if (!justUseSavedRequestOnGet || savedRequest.getMethod().equals("GET")) {
                targetUrl = savedRequest.getFullRequestUrl();
            }
        }

        return targetUrl;
}     这里targetUrl也是先getParameter，这意味着通过url参数指定跳转页面成为了可能

Java代码
public static String DEFAULT_TARGET_PARAMETER = "spring-security-redirect";  
      
    private String targetUrlParameter = DEFAULT_TARGET_PARAMETER; 

public static String DEFAULT_TARGET_PARAMETER = "spring-security-redirect";
   
    private String targetUrlParameter = DEFAULT_TARGET_PARAMETER; 找到了这个参数，spring-security-redirect，尝试url：

http://localhost:8081/j_spring_security_check?j_username=admin&j_password=1&spring-security-redirect=draft.do