1. 首页
  2. 问答
  3. 自春季3.0保安过滤器,多入口点,AuthenticationProvider的

自春季3.0保安过滤器,多入口点,AuthenticationProvider的

2013-02-12 46 views
6

我需要我的安全有以下逻辑:自春季3.0保安过滤器,多入口点,AuthenticationProvider的

  1. 检查头参数
  2. 的存在取决于paremeter的存在请执行重定向到登录页面(如果没有通过身份验证),或者检查基本身份验证令牌

在这两种情况下,我都有相同的身份验证提供程序,但我无法使其工作。 委派入口点工作正常,但我从来没有在我的自定义的AuthenticationProvider ...

这里是我的安全配置:

<security:global-method-security 
    secured-annotations="enabled" /> 

<security:http entry-point-ref="delegatingAuthenticationEntryPoint" 
    use-expressions="true" auto-config="false"> 
    <!-- <security:custom-filter position="FORM_LOGIN_FILTER" --> 
    <!-- ref="usernamePasswordAuthenticationFilter" /> --> 
    <!-- <security:custom-filter position="BASIC_AUTH_FILTER" --> 
    <!-- ref="basicAuthenticationFilter" /> --> 
    <security:intercept-url pattern="/login*" 
     filters="none" /> 
    <security:intercept-url pattern="/portimaLogin*" 
     filters="none" /> 
    <security:intercept-url pattern="/**" 
     access="isAuthenticated()" /> 
</security:http> 

<bean id="delegatingAuthenticationEntryPoint" 
    class="org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint"> 
    <constructor-arg> 
     <map> 
      <entry key="hasHeader('portima','true')" value-ref="PortimaLoginUrlAuthenticationEntryPoint" /> 
     </map> 
    </constructor-arg> 
    <property name="defaultEntryPoint" ref="authenticationEntryPoint" /> 
</bean> 

<bean id="usernamePasswordAuthenticationFilter" 
    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"> 
    <property name="authenticationManager" ref="authenticationManager" /> 
    <property name="authenticationFailureHandler" ref="authenticationFailureHandler" /> 
</bean> 

<bean id="basicAuthenticationFilter" 
    class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter"> 
    <property name="authenticationManager" ref="authenticationManager" /> 
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint" /> 
</bean> 

<bean id="PortimaLoginUrlAuthenticationEntryPoint" 
    class="be.ap.common.security.spring.PortimaLoginUrlAuthenticationEntryPoint"> 
    <property name="loginFormUrl" value="${portima.login.page}" /> 
</bean> 

<bean id="authenticationEntryPoint" 
    class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint"> 
    <property name="realmName" value="AP" /> 
</bean> 

<security:authentication-manager alias="authenticationManager"> 
    <security:authentication-provider 
     ref="authenticationProvider" /> 
</security:authentication-manager> 

<bean id="authenticationProvider" class="be.ap.common.security.spring.APAuthenticationProvider" /> 

<bean id="userDetailsService" class="be.ap.common.security.spring.APUserDetailsService" />

任何想法?

来源

2013-02-12 Olivier Mahieu

+0

您的自定义AuthenticationProvider是否正确实施'supports()'方法?如果它对于'UsernamePasswordAuthenticationToken'类返回false,那么永远不会要求它处理由你的过滤器创建的认证令牌。 – zagyi 2013-02-12 10:31:00

+0

它甚至不支持支持方法... – 2013-02-12 10:47:50

+0

@Override public boolean supports(Class <?extends Object> authentication){ return UserPasswordAuthenticationToken.class.isAssignableFrom(authentication); } – 2013-02-12 10:49:45

回答

12

我终于有它的工作。

这里是我的背景文件:

<security:http entry-point-ref="delegatingAuthenticationEntryPoint" 
    use-expressions="true"> 
    <security:custom-filter position="PRE_AUTH_FILTER" 
     ref="preAuthenticationFilter" /> 
    <security:custom-filter position="FORM_LOGIN_FILTER" 
     ref="usernamePasswordAuthenticationFilter" /> 
    <security:custom-filter position="BASIC_AUTH_FILTER" 
     ref="basicAuthenticationFilter" /> 
    <security:intercept-url pattern="/login*" 
     filters="none" /> 
    <security:intercept-url pattern="/portimaLogin*" 
     filters="none" /> 
    <security:intercept-url pattern="/accessDenied*" 
     filters="none" /> 
    <security:intercept-url pattern="/**" 
     access="isAuthenticated()" /> 
    <security:access-denied-handler ref="accessDeniedHandler" /> 
</security:http> 

<!-- Spring Security Custom Filters --> 

<bean id="usernamePasswordAuthenticationFilter" 
    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"> 
    <property name="authenticationManager" ref="authenticationManager" /> 
    <property name="authenticationFailureHandler" ref="authenticationFailureHandler" /> 
</bean> 

<bean id="basicAuthenticationFilter" 
    class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter"> 
    <property name="authenticationManager" ref="authenticationManager" /> 
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint" /> 
</bean> 

<bean id="preAuthenticationFilter" class="be.ap.common.security.spring.APPreAuthenticationFilter"> 
    <property name="authenticationManager" ref="authenticationManager" /> 
</bean> 

<!-- Spring Security Custom EntryPoint --> 

<bean id="delegatingAuthenticationEntryPoint" 
    class="org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint"> 
    <constructor-arg> 
     <map> 
      <entry key="hasHeader('portima','true')" value-ref="PortimaLoginUrlAuthenticationEntryPoint" /> 
     </map> 
    </constructor-arg> 
    <property name="defaultEntryPoint" ref="authenticationEntryPoint" /> 
</bean> 

<bean id="PortimaLoginUrlAuthenticationEntryPoint" 
    class="be.ap.common.security.spring.PortimaLoginUrlAuthenticationEntryPoint"> 
    <property name="loginFormUrl" value="${portima.login.page}" /> 
</bean> 

<bean id="authenticationEntryPoint" 
    class="be.ap.common.security.spring.APBasicAuthenticationEntryPoint"> 
    <property name="realmName" value="AP" /> 
</bean> 
<bean id="accessDeniedHandler" 
    class="org.springframework.security.web.access.AccessDeniedHandlerImpl"> 
    <property name="errorPage" value="/accessDenied" /> 
</bean> 

<bean id="authenticationFailureHandler" 
    class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler"> 
    <property name="exceptionMappings"> 
     <props> 
      <prop 
       key="org.springframework.security.authentication.BadCredentialsException"> 
       /accessDenied 
      </prop> 
      <prop 
       key="org.springframework.security.authentication.CredentialsExpiredException"> 
       /accessDenied 
      </prop> 
      <prop key="org.springframework.security.authentication.LockedException"> 
       /accessDenied 
      </prop> 
      <prop 
       key="org.springframework.security.authentication.DisabledException"> 
       /accessDenied 
      </prop> 
     </props> 
    </property> 
</bean> 

<!-- Spring Security Authentication Manager --> 

<security:authentication-manager alias="authenticationManager"> 
    <security:authentication-provider 
     ref="authenticationProvider" /> 
</security:authentication-manager> 

<bean id="authenticationProvider" class="be.ap.common.security.spring.APAuthenticationProvider" /> 

<bean id="userDetailsService" class="be.ap.common.security.spring.APUserDetailsService" /> 

<!-- for Mock --> 
<bean id="SSOService" class="be.ap.security.service.SSOServiceMockImpl" />

正如你可以看到我增加了一些东西太多。

为了修复它,我重新设置了auto-config属性,取消了过滤器的注释,并正确定义了它们。

对于其他人谁想要它所做的快速理解,这里是流量:

  1. PRE_AUTH_FILTER将检查SSO般的服务预填验证对象(如果SSO已完成认证)
  2. delegatingAuthenticationEntryPoint然后将选择如何取决于请求头认证
  3. 的两种方式是:
    • 定制LoginUrlAuthenticationEntryPoint
    • 定制BasicAuthenticationEntryPoint

基本验证和LoginURLAuth使用相同的AuthenticationProvider时PREAUTH使用我的SSO服务。

希望它可以帮助别人!

来源

2013-02-13 13:43:23

 相关问题

  • 暂无相关问题^_^