Spring security Spring Security 2.0.x - 基于角色类型的过滤器 + 基于会话的 bean 状态
我们有一个应用程序,具有代理权限的用户需要能够看到应用程序中的链接。例如,我们可能有:
<s:intercept-url pattern="/resourceManager.htm" access=" ROLE_ADMIN_GROUP, ROLE_PROXY"/>
获取我试图访问的url元数据的最佳方法是什么
如果没有办法获取url的所有允许角色的信息,那么我想我必须在页面上这样做
升级到Spring Security 3会给我更多的灵活性吗?

我最终创建了一个runAsManager实现:如果处于代理模式,它将以被代理用户的身份运行。否则,如果用户对该链接仅具有代理角色,则会被重定向。runAsManager仅在代理模式下修改身份验证对象。我只包含了每个类的片段,以免文章太长。

RunAsProxy代码段:
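/**
 * Builds the run-as token used while the current user is acting in proxy mode.
 *
 * <p>When {@code proxySummary.isProxyMode()} is true, the directory entry named by
 * {@code proxySummary.getLoggedInUser()} is read from LDAP and its authorities are loaded
 * through {@code authoritiesPopulator}. The returned token keeps the caller's own principal
 * and credentials but carries only the looked-up authorities; the caller's original
 * authorities are not copied into it.
 *
 * <p>Review notes:
 * <ul>
 *   <li>{@code config} is never consulted, so the swap is not limited to specific secured
 *       objects: it applies to every invocation this manager is asked about while proxy
 *       mode is on.</li>
 *   <li>The authorities granted here depend entirely on the DN held by {@code proxySummary}.
 *       NOTE(review): where that DN is set is not shown in this snippet; confirm it is
 *       assigned server-side after an authorization check and cannot be influenced by
 *       request input.</li>
 *   <li>An LDAP read is performed on every call in proxy mode; caching is left open by the
 *       original author.</li>
 * </ul>
 *
 * @param authentication the caller's current authentication
 * @param object the secured object (unused)
 * @param config the configuration attributes of the secured object (unused)
 * @return a {@code RunAsUserToken} carrying the looked-up authorities, or {@code null} when
 *         proxy mode is off and no replacement should take place
 * @throws IllegalStateException if the retrieved entry has no {@code cn} attribute
 */
public Authentication buildRunAs(Authentication authentication, Object object,
        ConfigAttributeDefinition config) {
    if (!proxySummary.isProxyMode()) {
        // No replacement token: the caller's own Authentication stays in effect.
        return null;
    }

    //probably need to do something to cache the proxied user's roles
    SpringSecurityLdapTemplate template = new SpringSecurityLdapTemplate(contextSource);
    String dn = proxySummary.getLoggedInUser();
    String[] attributesToRetrieve = { "uid", "cn" };
    DirContextOperations user = template.retrieveEntry(dn, attributesToRetrieve);

    // Fail with a clear error instead of a NullPointerException when the entry lacks "cn";
    // no token is issued in that case.
    String cn = user.getStringAttribute("cn");
    if (cn == null) {
        throw new IllegalStateException("LDAP entry used for proxy mode has no cn attribute");
    }

    GrantedAuthority[] proxiedAuthorities = authoritiesPopulator.getGrantedAuthorities(user, cn);
    return new RunAsUserToken(this.key, authentication.getPrincipal(), authentication.getCredentials(),
            proxiedAuthorities, authentication.getClass());
}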
拦截器代码 -> 扩展 AbstractSecurityInterceptor,实现 Filter、Ordered
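/**
 * Filter entry point (excerpt): redirects users whose only role matching the requested URL
 * is {@code ROLE_PROXY} to the page that tells them to enter proxy mode.
 *
 * <p>The roles configured for the URL are intersected with the authorities of the current
 * {@code Authentication}. If the intersection is exactly {@code ROLE_PROXY}, the response is
 * redirected and processing stops.
 *
 * <p>NOTE(review): the visible code does not consult proxy mode before redirecting; confirm
 * that the elided code handles a proxy-only user who is already in proxy mode.
 *
 * @param fi the filter invocation wrapping request, response and chain
 * @throws IOException if sending the redirect fails
 * @throws ServletException declared for the filter contract
 */
public void invoke(FilterInvocation fi) throws IOException, ServletException {
    //same code as from proxy security interceptor here ...

    //config attributes are the roles assigned to a link
    ConfigAttributeDefinition cad = ((DefaultFilterInvocationDefinitionSource) objectDefinitionSource)
            .lookupAttributes(fi.getRequestUrl());
    if (cad != null) {
        HashSet<String> configAttributes = new HashSet<String>();
        for (Object ca : cad.getConfigAttributes()) {
            configAttributes.add(((ConfigAttribute) ca).getAttribute());
        }

        // Collect the current user's authorities. A request without an Authentication (or
        // with no authorities) is treated as holding none, instead of failing with a
        // NullPointerException before any access decision is made.
        HashSet<String> authorities = new HashSet<String>();
        SecurityContext sc = SecurityContextHolder.getContext();
        if (sc.getAuthentication() != null) {
            GrantedAuthority[] granted = sc.getAuthentication().getAuthorities();
            if (granted != null) {
                for (GrantedAuthority ga : granted) {
                    authorities.add(ga.getAuthority());
                }
            }
        }

        //intersection and remaining available roles to determine
        //if they just have the proxy role
        authorities.retainAll(configAttributes);
        if (authorities.size() == 1 && authorities.contains("ROLE_PROXY")) {
            //redirect to page telling them to proxy
            // The target is a relative URL, so the container resolves it against the
            // current request URL.
            ((HttpServletResponse) fi.getResponse()).sendRedirect("jsp/doProxy.jsp");
            // Stop here. Without this return the method would carry on after the redirect
            // has been sent, and the rest of the interceptor would still run for a user
            // who was just told to go and proxy first.
            return;
        }

        fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);
        //other boilderplate code
    } // the original snippet ends here; the remainder of the method is not shown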
public void invoke(FilterInvoke fi)抛出IOException、ServletException{
//与此处代理安全拦截器中的代码相同。。。
//配置属性是分配给链接的角色
ConfigAttributeDefinition cad=((DefaultFilterInitiationDefinitionSource)objectDefinitionSource).lookupAttributes(fi.getRequestUrl());
如果(cad!=null)
{
HashSet configAttributes=新HashSet();
对于(对象ca:cad.getConfigAttributes())
{
添加(((ConfigAttribute)ca.getAttribute());
}
SecurityContext sc=SecurityContextHolder.getContext();
HashSet authorities=新HashSet();
对于(授权ga:sc.getAuthentication().getAuthority())
{
authorities.add(ga.getAuthority());
}
//要确定的交叉点和剩余可用角色
//如果他们只是代理角色
权限。保留(配置属性);
if(authorities.size()==1&&authorities.contains(“角色\u代理”))
{
//重定向到告诉他们代理的页面
((HttpServletResponse)fi.getResponse()).sendRedirect(“jsp/doProxy.jsp”);
}
//系统输出打印(cad);
fi.getRequest().setAttribute(已应用过滤器,布尔值为.TRUE);
//其他锅炉板代码
}
Spring 配置
<!-- Registers the proxy-aware security interceptor as an additional filter.
     NOTE(review): the class name sits in the org.springframework.security.* package although
     the post describes it as custom code; confirm it is the application's own class. -->
<bean id="proxySecurityInterceptor" class="org.springframework.security.intercept.web.ProxySecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="_accessManager"/>
<!-- Holds the proxy-mode flag and the DN read by the run-as manager (see the RunAsProxy
     snippet in this post). NOTE(review): presumably session-scoped; confirm its scope. -->
<property name="proxySummary" ref="proxySummary" />
<!-- Replaces the standard run-as manager; in proxy mode it issues a token carrying the
     looked-up user's authorities. -->
<property name="runAsManager" ref="runAsProxy" />
<property name="objectDefinitionSource">
<s:filter-invocation-definition-source>
<!-- ROLE_PROXY is listed as sufficient for this URL. NOTE(review): presumably any ROLE_PROXY
     holder therefore passes the access decision here, and stopping proxy-only users who are
     not in proxy mode is left to the interceptor's own redirect check; verify against the
     voters configured on _accessManager. -->
<s:intercept-url pattern="/groupManager.htm*" access="ROLE_GLOBAL_ADMIN, ROLE_ADMIN_GROUP, ROLE_PROXY"/>
</s:filter-invocation-definition-source>
</property>
<!-- Positions this filter after the standard FILTER_SECURITY_INTERCEPTOR slot.
     NOTE(review): confirm the namespace-configured interceptor also has rules for
     /groupManager.htm*; if it does not, this bean is the only access check for that URL. -->
<s:custom-filter after="FILTER_SECURITY_INTERCEPTOR" />
</bean>
我最终创建了一个runAsManager实现,该实现在代理模式下以被代理用户的身份运行。否则,如果该用户对该链接仅具有代理角色,则会被重定向。runAsManager仅在代理模式下修改身份验证对象。我只包含了每个类的片段,以免文章太长。

RunAsProxy代码段:
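/**
 * Builds the run-as token used while the current user is acting in proxy mode.
 *
 * <p>When {@code proxySummary.isProxyMode()} is true, the directory entry named by
 * {@code proxySummary.getLoggedInUser()} is read from LDAP and its authorities are loaded
 * through {@code authoritiesPopulator}. The returned token keeps the caller's own principal
 * and credentials but carries only the looked-up authorities; the caller's original
 * authorities are not copied into it.
 *
 * <p>Review notes:
 * <ul>
 *   <li>{@code config} is never consulted, so the swap is not limited to specific secured
 *       objects: it applies to every invocation this manager is asked about while proxy
 *       mode is on.</li>
 *   <li>The authorities granted here depend entirely on the DN held by {@code proxySummary}.
 *       NOTE(review): where that DN is set is not shown in this snippet; confirm it is
 *       assigned server-side after an authorization check and cannot be influenced by
 *       request input.</li>
 *   <li>An LDAP read is performed on every call in proxy mode; caching is left open by the
 *       original author.</li>
 * </ul>
 *
 * @param authentication the caller's current authentication
 * @param object the secured object (unused)
 * @param config the configuration attributes of the secured object (unused)
 * @return a {@code RunAsUserToken} carrying the looked-up authorities, or {@code null} when
 *         proxy mode is off and no replacement should take place
 * @throws IllegalStateException if the retrieved entry has no {@code cn} attribute
 */
public Authentication buildRunAs(Authentication authentication, Object object,
        ConfigAttributeDefinition config) {
    if (!proxySummary.isProxyMode()) {
        // No replacement token: the caller's own Authentication stays in effect.
        return null;
    }

    //probably need to do something to cache the proxied user's roles
    SpringSecurityLdapTemplate template = new SpringSecurityLdapTemplate(contextSource);
    String dn = proxySummary.getLoggedInUser();
    String[] attributesToRetrieve = { "uid", "cn" };
    DirContextOperations user = template.retrieveEntry(dn, attributesToRetrieve);

    // Fail with a clear error instead of a NullPointerException when the entry lacks "cn";
    // no token is issued in that case.
    String cn = user.getStringAttribute("cn");
    if (cn == null) {
        throw new IllegalStateException("LDAP entry used for proxy mode has no cn attribute");
    }

    GrantedAuthority[] proxiedAuthorities = authoritiesPopulator.getGrantedAuthorities(user, cn);
    return new RunAsUserToken(this.key, authentication.getPrincipal(), authentication.getCredentials(),
            proxiedAuthorities, authentication.getClass());
}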
拦截器代码 -> 扩展 AbstractSecurityInterceptor,实现 Filter、Ordered
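/**
 * Filter entry point (excerpt): redirects users whose only role matching the requested URL
 * is {@code ROLE_PROXY} to the page that tells them to enter proxy mode.
 *
 * <p>The roles configured for the URL are intersected with the authorities of the current
 * {@code Authentication}. If the intersection is exactly {@code ROLE_PROXY}, the response is
 * redirected and processing stops.
 *
 * <p>NOTE(review): the visible code does not consult proxy mode before redirecting; confirm
 * that the elided code handles a proxy-only user who is already in proxy mode.
 *
 * @param fi the filter invocation wrapping request, response and chain
 * @throws IOException if sending the redirect fails
 * @throws ServletException declared for the filter contract
 */
public void invoke(FilterInvocation fi) throws IOException, ServletException {
    //same code as from proxy security interceptor here ...

    //config attributes are the roles assigned to a link
    ConfigAttributeDefinition cad = ((DefaultFilterInvocationDefinitionSource) objectDefinitionSource)
            .lookupAttributes(fi.getRequestUrl());
    if (cad != null) {
        HashSet<String> configAttributes = new HashSet<String>();
        for (Object ca : cad.getConfigAttributes()) {
            configAttributes.add(((ConfigAttribute) ca).getAttribute());
        }

        // Collect the current user's authorities. A request without an Authentication (or
        // with no authorities) is treated as holding none, instead of failing with a
        // NullPointerException before any access decision is made.
        HashSet<String> authorities = new HashSet<String>();
        SecurityContext sc = SecurityContextHolder.getContext();
        if (sc.getAuthentication() != null) {
            GrantedAuthority[] granted = sc.getAuthentication().getAuthorities();
            if (granted != null) {
                for (GrantedAuthority ga : granted) {
                    authorities.add(ga.getAuthority());
                }
            }
        }

        //intersection and remaining available roles to determine
        //if they just have the proxy role
        authorities.retainAll(configAttributes);
        if (authorities.size() == 1 && authorities.contains("ROLE_PROXY")) {
            //redirect to page telling them to proxy
            // The target is a relative URL, so the container resolves it against the
            // current request URL.
            ((HttpServletResponse) fi.getResponse()).sendRedirect("jsp/doProxy.jsp");
            // Stop here. Without this return the method would carry on after the redirect
            // has been sent, and the rest of the interceptor would still run for a user
            // who was just told to go and proxy first.
            return;
        }

        fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);
        //other boilderplate code
    } // the original snippet ends here; the remainder of the method is not shown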
public void invoke(FilterInvoke fi)抛出IOException、ServletException{
//与此处代理安全拦截器中的代码相同。。。
//配置属性是分配给链接的角色
ConfigAttributeDefinition cad=((DefaultFilterInitiationDefinitionSource)objectDefinitionSource).lookupAttributes(fi.getRequestUrl());
如果(cad!=null)
{
HashSet configAttributes=新HashSet();
对于(对象ca:cad.getConfigAttributes())
{
添加(((ConfigAttribute)ca.getAttribute());
}
SecurityContext sc=SecurityContextHolder.getContext();
HashSet authorities=新HashSet();
对于(授权ga:sc.getAuthentication().getAuthority())
{
authorities.add(ga.getAuthority());
}
//要确定的交叉点和剩余可用角色
//如果他们只是代理角色
权限。保留(配置属性);
if(authorities.size()==1&&authorities.contains(“角色\u代理”))
{
//重定向到告诉他们代理的页面
((HttpServletResponse)fi.getResponse()).sendRedirect(“jsp/doProxy.jsp”);
}
//系统输出打印(cad);
fi.getRequest().setAttribute(已应用过滤器,布尔值为.TRUE);
//其他锅炉板代码
}
Spring 配置
<!-- Registers the proxy-aware security interceptor as an additional filter.
     NOTE(review): the class name sits in the org.springframework.security.* package although
     the post describes it as custom code; confirm it is the application's own class. -->
<bean id="proxySecurityInterceptor" class="org.springframework.security.intercept.web.ProxySecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager"/>
<property name="accessDecisionManager" ref="_accessManager"/>
<!-- Holds the proxy-mode flag and the DN read by the run-as manager (see the RunAsProxy
     snippet in this post). NOTE(review): presumably session-scoped; confirm its scope. -->
<property name="proxySummary" ref="proxySummary" />
<!-- Replaces the standard run-as manager; in proxy mode it issues a token carrying the
     looked-up user's authorities. -->
<property name="runAsManager" ref="runAsProxy" />
<property name="objectDefinitionSource">
<s:filter-invocation-definition-source>
<!-- ROLE_PROXY is listed as sufficient for this URL. NOTE(review): presumably any ROLE_PROXY
     holder therefore passes the access decision here, and stopping proxy-only users who are
     not in proxy mode is left to the interceptor's own redirect check; verify against the
     voters configured on _accessManager. -->
<s:intercept-url pattern="/groupManager.htm*" access="ROLE_GLOBAL_ADMIN, ROLE_ADMIN_GROUP, ROLE_PROXY"/>
</s:filter-invocation-definition-source>
</property>
<!-- Positions this filter after the standard FILTER_SECURITY_INTERCEPTOR slot.
     NOTE(review): confirm the namespace-configured interceptor also has rules for
     /groupManager.htm*; if it does not, this bean is the only access check for that URL. -->
<s:custom-filter after="FILTER_SECURITY_INTERCEPTOR" />
</bean>
我正在使用自定义runAsManager(技术上为runAsProxy)将上述内容实现为安全过滤器拦截器。它的行为似乎符合预期,但我需要确保我没有做任何会导致性能问题的事情。如果可行,我将发布代码。