如果您的身份验证已使用SSO服务完成,那么您应该使用spring security的pre-authentication filters之一。然后,你可以指定一个UserDetails服务(可能为自定义),将使用预认证的用户原则来填充的GrantedAuthority的
SpringSecurity包括几个预认证过滤器,包括J2eePreAuthenticatedProcessingFilter和RequestHeaderPreAuthenticatedProcessingFilter。如果你找不到一个适合你的工具,那么它也是可能的,而且你自己也不难编写,只要你知道请求中的SSO实现填充数据的位置。 (这取决于课程的实施。)
只需实现Filter接口做这样的事情在doFilter方法:
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
// principal is set in here as a header or parameter. you need to find out
// what it's named to extract it
HttpServletRequest req = (HttpServletRequest) request;
if (SecurityContextHolder.getContext().getAuthentication() == null) {
// in here, get your principal, and populate the auth object with
// the right authorities
Authentication auth = doAuthentication(req);
SecurityContextHolder.getContext().setAuthentication(auth);
}
chain.doFilter(request, response);
}
我更新了我的答案。 – 2009-08-24 18:01:40