Spring Security: best way to disable it for testing; fake login


I'd like to find the best/most elegant/handiest way to enable or disable Spring Security for the test and development environments. I'd like to use a property on the db: if the property is set on, authentication must be performed; otherwise the user does not need to authenticate and goes straight to the application's main page, with all the associated roles and a fake username/attributes.

By the way, my application has a simple authentication strategy: the user has previously logged in through a different web application that gives him links to many other web applications. One of those links redirects to my web application through a simple submit containing the username and roles; my security chain catches this information and performs the authentication automatically.

Any suggestion would be appreciated ;)

Bye! Dolfiz

Some snippets of my code:

SpringSecurityContext.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:security="http://www.springframework.org/schema/security"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
          http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:http use-expressions="true" auto-config="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
        <security:intercept-url pattern="/fakeLogin*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/authError*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/VAADIN**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/**" access="isAuthenticated()" />
        <security:logout logout-url="/logout" logout-success-url="http://milan-ias-vs.usersad.everis.int/DMTest/" invalidate-session="true" />
        <security:custom-filter position="PRE_AUTH_FILTER" ref="preAuthenticatedProcessingFilter" />
    </security:http>

    <bean id="preAuthenticatedProcessingFilterEntryPoint" class="it.ram.authentication.LinkForbiddenEntryPoint" />

    <bean id="preAuthenticatedProcessingFilter" class="it.ram.authentication.PreAuthenticatedProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>

    <bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="preAuthenticatedUserDetailsService">
            <bean class="it.ram.authentication.PreAuthenticatedUserDetailsService" />
        </property>
    </bean>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="preauthAuthProvider" />
    </security:authentication-manager>

</beans>

PreAuthenticatedProcessingFilter.java:

import javax.servlet.http.HttpServletRequest;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

// Constants and SessionUserDetails are the application's own classes (not shown).
public class PreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter {

    private final static Log log = LogFactory.getLog(PreAuthenticatedProcessingFilter.class);

    public PreAuthenticatedProcessingFilter() {
        super();
        log.debug("PreAuthenticatedProcessingFilter default constructor");
        setAuthenticationDetailsSource(new CustomAuthenticationDetailsSource());
    }

    public PreAuthenticatedProcessingFilter(AuthenticationManager authenticationManager) {
        this();
        log.debug("PreAuthenticatedProcessingFilter constructor with AuthMan arg");
        // The argument was previously discarded; the base class needs it to authenticate.
        setAuthenticationManager(authenticationManager);
    }

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        // The username arrives as a plain request parameter from the portal's submit.
        String userName = request.getParameter(Constants.REQUEST_USER_PARAM);
        log.debug("getPreAuthenticatedPrincipal - Returning " + userName);
        return userName;
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        log.debug("getPreAuthenticatedCredentials - Returning N/A");
        return "N/A";
    }

    public static class CustomAuthenticationDetailsSource implements AuthenticationDetailsSource<HttpServletRequest, SessionUserDetails> {

        @Override
        public SessionUserDetails buildDetails(HttpServletRequest request) {
            log.debug("buildDetails");
            // create container for pre-auth data; the role also comes from the submit
            String role = request.getParameter(Constants.REQUEST_ROLE_PARAM);
            return new SessionUserDetails(role);
        }
    }
}
PreAuthenticatedUserDetailsService.java:

import java.util.List;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

// SessionUserDetails is the application's own class, set as the token details by the filter.
public class PreAuthenticatedUserDetailsService implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {

    private final static Log log = LogFactory.getLog(PreAuthenticatedUserDetailsService.class);

    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) throws UsernameNotFoundException {
        log.debug("loadUserDetails - token.getName(): " + token.getName());

        // The authorities come straight from the role the filter captured from the request.
        SessionUserDetails sessionUserDetails = (SessionUserDetails) token.getDetails();
        List<SimpleGrantedAuthority> authorities = sessionUserDetails.getAuthorities();
        return new User(token.getName(), "N/A", true, true, true, true, authorities);
    }

}
Have a look at:

org.springframework.security.web.authentication.RememberMeServices#autoLogin(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse)

Look at the implementation there.

SecurityContextHolder is where you look to see whether you already have credentials, and then change or replace them:

import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

// authenticationManager (a Spring AuthenticationManager) and userContextService
// (the answerer's own service; WebappUserDetails is his own UserDetails type)
// are members of the surrounding class and are not shown.
SecurityContext securityContext = SecurityContextHolder.getContext();
Authentication authentication = securityContext.getAuthentication();
// authentication contains the existing one (if set and non-null); maybe it is anonymous,
// so you might have a better set of credentials to replace it with
WebappUserDetails webappUserDetails = userContextService.getPrincipal(WebappUserDetails.class);
// The above constructs my custom type that implements the Spring UserDetails interface;
// this is the identity of the user.
// You should check that things are valid (account enabled and valid, etc.).
// Then you make a fake Authentication and attach it to the session context.
// There are many token kinds in Spring representing different ways to authenticate;
//  this token is the kind that might be used for an HTML form based login with
//  username and password.
String principal = "myusername";  // username
String credentials = "mypassword";  // password
// Note you should probably not hardwire passwords into code; the correct
//  way is to set up a new Token type and configure the main security XML to allow it
//  to the secure URLs (or secured subjects)
Authentication authRequest = new UsernamePasswordAuthenticationToken(principal, credentials);
Authentication authResult = authenticationManager.authenticate(authRequest);
// Check the authResult, then attach it to the context
SecurityContextHolder.getContext().setAuthentication(authResult);

Fake login? Like an anonymous user token? There is nothing special about logging in: you need to do something that adds a usable token to the HttpSession. You can drive the standard Spring Security API by hand to achieve this.

As I guess, the simple/clean way might be to modify my PreAuthenticatedProcessingFilter so that it checks the property on the db and eventually performs the manual authentication, ignoring the form submit, right?
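As an added example (not code from the question, the answer or Spring Security itself), the approach the comment describes: a subclass of the asker's PreAuthenticatedProcessingFilter that consults a switch and, when authentication is disabled, installs a fixed development user instead of reading the submit. The SecuritySwitch interface, the dev user name and the dev roles are assumptions; the bean is wired in SpringSecurityContext.xml in place of preAuthenticatedProcessingFilter, with constructor-arg elements for those values and the same authenticationManager property.

```java
package it.ram.authentication; // assumed: same package as the asker's filter
import java.io.IOException;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

// Hypothetical accessor for the "property on the db" from the question. Whatever backs
// it must be writable only from environments where unauthenticated access is acceptable.
interface SecuritySwitch {
    boolean authenticationRequired();
}
// Switch on: the asker's normal pre-auth flow (username/roles taken from the submit).
// Switch off: a fixed development user is placed in the SecurityContext and the
// request parameters are ignored completely.
public class SwitchablePreAuthenticatedProcessingFilter extends PreAuthenticatedProcessingFilter {
    private final SecuritySwitch securitySwitch;
    private final String devUser;
    private final List<GrantedAuthority> devAuthorities;

    public SwitchablePreAuthenticatedProcessingFilter(SecuritySwitch securitySwitch,
                                                      String devUser, String... devRoles) {
        this.securitySwitch = securitySwitch;
        this.devUser = devUser;
        this.devAuthorities = AuthorityUtils.createAuthorityList(devRoles);
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (securitySwitch.authenticationRequired()) {
            super.doFilter(request, response, chain); // real flow, via the authenticationManager
            return;
        }
        Authentication existing = SecurityContextHolder.getContext().getAuthentication();
        if (existing == null || !existing.isAuthenticated()) {
            // The three-argument constructor marks the token authenticated, so the
            // isAuthenticated() rule on /** passes without consulting any provider.
            Authentication fake = new PreAuthenticatedAuthenticationToken(devUser, "N/A", devAuthorities);
            SecurityContextHolder.getContext().setAuthentication(fake);
        }
        chain.doFilter(request, response);
    }
}
```

Because the filter sits at PRE_AUTH_FILTER, SecurityContextPersistenceFilter still wraps it, so the development token is saved to the HttpSession exactly like a real pre-authenticated one.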