我是 Spring 的新手,我的要求是我不想使用用户名和密码对用户进行身份验证。
用户身份验证是其他一些应用程序,我的应用程序获取包含以下详细信息的请求:
我只想使用 Spring Security 根据请求中的角色来保护页面。
我已经考虑过写UserDetailService,但是只是增加了request-data,Spring还是要求认证信息。
然后我想写一些类似下面的东西:
public class UserLogin {
/*
@Resource(name = "userDetailsService")
private UserDetailsService userDetailsService;
*/
@Resource(name = "authenticationManager")
private AuthenticationManager authenticationManager;
public boolean login(UserEntity user) {
//UserDetails ud = userDetailsService.loadUserByUsername(username);
Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
for (String role : user.getAuthorities()) {
authorities.add(new GrantedAuthorityImpl(role));
}
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword(), authorities);
try {
Authentication auth = authenticationManager.authenticate(token);
SecurityContext securityContext = new SecurityContextImpl();
// Places in ThredLocal for future retrieval
SecurityContextHolder.setContext(securityContext);
SecurityContextHolder.getContext().setAuthentication(auth);
} catch (AuthenticationException e) {
return false;
}
return true;
}
}
我是否朝着正确的方向前进。如果是这样,如何在 spring-xml 中配置整个事情..。
最佳答案
您处于所谓的预身份验证场景中,您将 Spring Security 配置为仅授权访问,而不是身份验证访问。见 http://static.springsource.org/spring-security/site/docs/3.0.x/reference/preauth.html .这是一个完整的配置,你需要在这里实现 AbstractPreAuthenticatedProcessingFilter
grep 您的身份验证方案的 UserPrincipal
,以及自定义 UserDetailsService
你上面提到的。
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans
xmlns:security="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<security:global-method-security secured-annotations="enabled" />
<beans:bean id="preAuthenticatedProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
<security:http auto-config="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
<security:custom-filter position="PRE_AUTH_FILTER" ref="myCustomPreAuthFilter" />
</security:http>
<beans:bean id="myCustomPreAuthFilter" class="com.mypackage.MyCustomPreAuthFilter">
<beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="preauthAuthProvider" />
</security:authentication-manager>
<beans:bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<beans:property name="preAuthenticatedUserDetailsService">
<beans:bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<beans:property name="userDetailsService" ref="myCustomUserDetailsService"/>
</beans:bean>
</beans:property>
</beans:bean>
关于spring-security - Spring 3.0 安全性 - 带身份验证的授权,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/7025398/