Spring Security: authenticating a REST service with Spring Security and basic authentication
I am trying to implement basic authentication for my REST service using Spring Security, with the following requirements:
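- Authorization is done by other parts of the application (so there are no roles in the filter chain)
- I want to configure everything with plain beans, without any auto-configuration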
My code is as follows:
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    <constructor-arg>
        <list>
            <security:filter-chain pattern="/rest/**" filters="basicAuthenticationFilter,exceptionTranslationFilter" />
        </list>
    </constructor-arg>
</bean>
<bean id="basicAuthenticationFilter" class="authentication.MyBasicAuthenticationFilter">
    <property name="authenticationManager" ref="myAuthenticationManager" />
    <property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
</bean>
<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
    <property name="realmName" value="myRealm" />
</bean>
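My assumption is that I might need a filterSecurityInterceptor and then an accessDecisionManager. I don't want to use them because, as I see it, they are concerned with authorization (as opposed to authentication), and at this point in my application I don't have any roles.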
I just want to check whether the username/password combination is correct and react accordingly (401 or 403).
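I guess I am missing something really basic, so any hints or help would be greatly appreciated.

If there is no authorization (from Spring Security's point of view), then any request is allowed, so no authentication is required. So yes, you need a FilterSecurityInterceptor, even if it only makes its decision based on whether the user is authenticated or not.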
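You will also need a SecurityContextPersistenceFilter at the start of the filter chain, because even if your application is stateless, the security context needs to be cleared at the end of each request.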
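You may find it very useful, as it discusses pure bean configuration in more detail.

When using the "FilterSecurityInterceptor", I have to define an "AccessDecisionManager". Since I only want to authenticate (i.e. prove that someone has a valid pair of credentials), my assumption is that I can achieve this by providing an "AccessDecisionManager" and giving it a "SecurityMetadataSource" as follows: ""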
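The filter chain described in the answer, written out as plain beans. This is an added example, not code from the question, the answer or the comment. It assumes Spring Security 3.1 to 5.x class names and constructors, reuses the question's `basicAuthenticationFilter`, `authenticationEntryPoint` and `myAuthenticationManager` beans, and picks the bean ids `securityContextPersistenceFilter`, `filterSecurityInterceptor` and `accessDecisionManager` for illustration.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">
  <!-- basicAuthenticationFilter, authenticationEntryPoint and myAuthenticationManager are the question's own beans. -->
  <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    <constructor-arg>
      <list>
        <security:filter-chain pattern="/rest/**"
            filters="securityContextPersistenceFilter,basicAuthenticationFilter,exceptionTranslationFilter,filterSecurityInterceptor" />
      </list>
    </constructor-arg>
  </bean>
  <!-- Stateless: nothing is stored in a session, but this filter still clears
       the SecurityContextHolder when the request finishes. -->
  <bean id="securityContextPersistenceFilter"
        class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
    <constructor-arg>
      <bean class="org.springframework.security.web.context.NullSecurityContextRepository" />
    </constructor-arg>
  </bean>
  <!-- Sends the Basic challenge (401) for unauthenticated requests; NullRequestCache avoids creating a session. -->
  <bean id="exceptionTranslationFilter"
        class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <constructor-arg ref="authenticationEntryPoint" />
    <constructor-arg>
      <bean class="org.springframework.security.web.savedrequest.NullRequestCache" />
    </constructor-arg>
  </bean>
  <!-- No roles involved: the only rule is "the caller presented valid credentials". -->
  <bean id="filterSecurityInterceptor"
        class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
    <property name="authenticationManager" ref="myAuthenticationManager" />
    <property name="accessDecisionManager" ref="accessDecisionManager" />
    <property name="securityMetadataSource">
      <security:filter-security-metadata-source use-expressions="false">
        <security:intercept-url pattern="/rest/**" access="IS_AUTHENTICATED_FULLY" />
      </security:filter-security-metadata-source>
    </property>
  </bean>
  <bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <constructor-arg>
      <list>
        <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
      </list>
    </constructor-arg>
  </bean>
</beans>
```

With this chain a request without credentials reaches `filterSecurityInterceptor` with an empty security context, and `exceptionTranslationFilter` answers with the entry point's 401 challenge.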