spring-security - Spring 3.0 安全性 - 带身份验证的授权

Question

我是 Spring 的新手，我的要求是我不想使用用户名和密码对用户进行身份验证。
用户身份验证是其他一些应用程序，我的应用程序获取包含以下详细信息的请求:

用户名

角色

我只想使用 Spring Security 根据请求中的角色来保护页面。
我已经考虑过写UserDetailService，但是只是增加了request-data，Spring还是要求认证信息。
然后我想写一些类似下面的东西:

public class UserLogin {

/*
@Resource(name = "userDetailsService")
private UserDetailsService userDetailsService;
*/

@Resource(name = "authenticationManager")
private AuthenticationManager authenticationManager;

public boolean login(UserEntity user) {

    //UserDetails ud = userDetailsService.loadUserByUsername(username);

    Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
    for (String role : user.getAuthorities()) {
        authorities.add(new GrantedAuthorityImpl(role));
    }

    UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword(), authorities);

    try {
        Authentication auth = authenticationManager.authenticate(token);

        SecurityContext securityContext = new SecurityContextImpl();

        // Places in ThredLocal for future retrieval
        SecurityContextHolder.setContext(securityContext);
        SecurityContextHolder.getContext().setAuthentication(auth);

    } catch (AuthenticationException e) {
        return false;
    }

    return true;
}
}

我是否朝着正确的方向前进。如果是这样，如何在 spring-xml 中配置整个事情..。

Answer 1

您处于所谓的预身份验证场景中，您将 Spring Security 配置为仅授权访问，而不是身份验证访问。见 http://static.springsource.org/spring-security/site/docs/3.0.x/reference/preauth.html .这是一个完整的配置，你需要在这里实现 AbstractPreAuthenticatedProcessingFilter grep 您的身份验证方案的 UserPrincipal ，以及自定义 UserDetailsService你上面提到的。

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
xmlns:security="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<security:global-method-security secured-annotations="enabled" />

<beans:bean id="preAuthenticatedProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

<security:http auto-config="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
    <security:custom-filter position="PRE_AUTH_FILTER" ref="myCustomPreAuthFilter" />
</security:http>

<beans:bean id="myCustomPreAuthFilter" class="com.mypackage.MyCustomPreAuthFilter">
    <beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="preauthAuthProvider" />
</security:authentication-manager>

<beans:bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <beans:property name="preAuthenticatedUserDetailsService">
        <beans:bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <beans:property name="userDetailsService" ref="myCustomUserDetailsService"/>
        </beans:bean>
    </beans:property>
</beans:bean>