使用要在crosscontext属性中检查的请求参数保护GWT应用
我的应用程序应该收到一个名为sessionId的请求参数,该参数应该用于查找跨上下文属性 我正在考虑Spring Security来实现这一点,我认为我的AuthenticationProvider已经有了一个很好的实现:使用要在crosscontext属性中检查的请求参数保护GWT应用,gwt,spring-security,cross-context,Gwt,Spring Security,Cross Context,我的应用程序应该收到一个名为sessionId的请求参数,该参数应该用于查找跨上下文属性 我正在考虑Spring Security来实现这一点,我认为我的AuthenticationProvider已经有了一个很好的实现: public Authentication authenticate(Authentication authentication) throws AuthenticationException { HttpServletRequest request = ((ServletR
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
ServletContext servletContext = request.getSession().getServletContext();
String sessionId = request.getParameter("sessionId");
if (sessionId != null) {
ServletContext sc = request.getSession().getServletContext();
Object obj = sc.getContext("/crosscontext").getAttribute(sessionId);
if (obj != null) {
// return new Authentication
}
} else {
logger.error("No session id provided in the request");
return null;
}
if (!GWT.isProdMode()) {
// return new Authentication
} else {
logger.error("No session id provided in the request");
return null;
}
}
现在,我想做的是将Spring安全性配置为不提示输入用户名和密码,让它到达这个身份验证提供者调用authenticate方法
如何实现这一点?我通过审查我的安全性设计并寻求更接近Spring安全性已经提供的预验证机制,解决了我的问题 我扩展了Spring Security的两个组件。 第一个是AbstractPreAuthenticatedProcessingFilter,通常他的角色是提供头中提供的主体。在本例中,我检索标题值,并在2个应用程序之间共享的上下文中搜索与该标题对应的属性,并将其作为主体返回:
public class MyApplicationPreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter {
private static final Logger logger = Logger.getLogger(MyApplicationPreAuthenticatedProcessingFilter.class);
@Override
protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
if (MyApplicationServerUtil.isProdMode()) {
String principal = request.getHeader("MY_HEADER");
String attribute = (String) request.getSession().getServletContext().getContext("/crosscontext").getAttribute(principal);
logger.info("In PROD mode - Found value in crosscontext: " + attribute);
return attribute;
} else {
logger.debug("In DEV mode - passing through ...");
return "";
}
}
@Override
protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
return null;
}
}
另一个组件是AuthenticationProvider,它在prod模式(GWT prod)下运行时只检查身份验证是否包含主体:
公共类MyApplicationAuthenticationProvider实现AuthenticationProvider{
私有静态最终记录器Logger=Logger.getLogger(MyApplicationAuthenticationProvider.class);
公共静态最终字符串会话\u ID=“sessionId”;
@凌驾
公共身份验证(身份验证)引发AuthenticationException{
if(MyApplicationServerUtil.isProdMode()){
if(StringUtils.isNotEmpty((String)authentication.getPrincipal()){
warn(“找到凭据:”+(字符串)身份验证.getPrincipal());
Authentication customAuth=新的CustomAuthentication(“角色\用户”);
customAuth.setAuthenticated(true);
返回customAuth;
}否则{
抛出新的PreAuthenticatedCredentialsNotFoundException(“没有从会话ID属性的交叉上下文返回任何内容[”
+(字符串)authentication.getPrincipal()+“]”;
}
}否则{
Authentication customAuth=新的CustomAuthentication(“角色\用户”);
customAuth.setAuthenticated(true);
返回customAuth;
}
}
@凌驾
公共布尔支持(类身份验证){
返回PreAuthenticatedAuthenticationToken.class.isAssignableFrom(身份验证);
}
}
我知道它可能不是最安全的应用程序。但是,它将已经在一个安全的环境中运行。但是如果你有改进的建议,欢迎 你能展示你的安全xml吗?
public class MyApplicationAuthenticationProvider implements AuthenticationProvider {
private static final Logger logger = Logger.getLogger(MyApplicationAuthenticationProvider.class);
public static final String SESSION_ID = "sessionId";
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
if (MyApplicationServerUtil.isProdMode()) {
if (StringUtils.isNotEmpty((String) authentication.getPrincipal())) {
logger.warn("Found credentials: " + (String) authentication.getPrincipal());
Authentication customAuth = new CustomAuthentication("ROLE_USER");
customAuth.setAuthenticated(true);
return customAuth;
} else {
throw new PreAuthenticatedCredentialsNotFoundException("Nothing returned from crosscontext for sessionId attribute ["
+ (String) authentication.getPrincipal() + "]");
}
} else {
Authentication customAuth = new CustomAuthentication("ROLE_USER");
customAuth.setAuthenticated(true);
return customAuth;
}
}
@Override
public boolean supports(Class<?> authentication) {
return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
}
}