Dol*_*fiz 8 java spring spring-security
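This is my scenario:
So, I need to develop a custom filter - I guess - that is able to retrieve the user information from the request, retrieve from the database, through a custom DetailsUserService, further information about the user (email, and so on), and then perform the authentication of that user, according to the role retrieved from the request.
I was looking at the pre-authentication filters, but I'm not sure they are the right choice. It seems that these objects are expected to be used when the principal is already in the session, put there by some previous authentication mechanism (is that right?).
I think that, once the right filter is identified, I should perform something like the following in it: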
    GrantedAuthority[] ga = new GrantedAuthority[1];
    ga[0] = new GrantedAuthorityImpl(myUser.getRole());
    SecurityContext sc = SecurityContextHolder.getContext();
    Authentication a = new UsernamePasswordAuthenticationToken(userName, userPwd, ga);
    a = authenticationManager.authenticate(a);
    sc.setAuthentication(a);
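Is this the right direction to solve my problem? Do you have any suggestions to help me find what is missing?
Thank you all,
Luca
Addition:
Hi Xearxess! Sorry to bother you again, but it seems that translating your code to SpringSecurity 2.0.4 is harder than I thought :S The problem is the XML... I tried different configurations, but I always run into namespace problems, missing attributes, and so on...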
    <?xml version="1.0" encoding="UTF-8"?>
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:security="http://www.springframework.org/schema/security"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                               http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">
        <security:http>
            <security:intercept-url pattern="/**" access="isAuthenticated()" />
            <security:logout logout-url="/logout" logout-success-url="http://milan-ias-vs.usersad.everis.int/DMTest/" invalidate-session="true" />
            <security:custom-filter position="PRE_AUTH_FILTER" ref="preAuthenticatedProcessingFilter" />
        </security:http>
        <bean id="preAuthenticatedProcessingFilter" class="it.novartis.ram.authentication.PreAuthenticatedProcessingFilter">
            <custom-filter position="PRE_AUTH_FILTER"/>
            <property name="authenticationManager" ref="authenticationManager" />
        </bean>
        <bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
            <property name="preAuthenticatedUserDetailsService">
                <bean class="it.novartis.ram.authentication.PreAuthenticatedUserDetailsService" />
            </property>
        </bean>
        <security:authentication-manager alias="authenticationManager">
            <security:authentication-provider ref="preauthAuthProvider" />
        </security:authentication-manager>
    </beans>
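The 2 lines referencing the CUSTOM-FILTER element are two different attempts, and both of them are marked as errors. How can I specify the position of my filter as a property?
Also, the authentication provider reference in the auth manager definition is marked as an error. I think I need to specify it as a property, right?
Hope you can give me the last push ;) Thank you again,
Luca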
ric*_*din 22
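For the sake of completeness: in Spring Security 4 things have changed slightly. For example, using Java configuration is highly recommended. This way it is easier to integrate with Spring Boot.
What follows is the Java configuration equivalent to the XML configuration given in the answer above.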
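    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
    import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Register the custom filter at the pre-authentication position
            http.addFilterBefore(customAuthFilter(), AbstractPreAuthenticatedProcessingFilter.class)
                .authenticationProvider(preauthAuthProvider())
                .authorizeRequests()
                    .anyRequest().authenticated();
        }

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(preauthAuthProvider());
        }

        @Bean
        public PreAuthenticatedAuthenticationProvider preauthAuthProvider() {
            PreAuthenticatedAuthenticationProvider preauthAuthProvider =
                    new PreAuthenticatedAuthenticationProvider();
            preauthAuthProvider.setPreAuthenticatedUserDetailsService(
                    userDetailsServiceWrapper());
            return preauthAuthProvider;
        }

        // OnlyRolesPreAuthenticatedUserDetailsService is an application type not shown in this post
        @Bean
        public OnlyRolesPreAuthenticatedUserDetailsService userDetailsServiceWrapper() {
            OnlyRolesPreAuthenticatedUserDetailsService service =
                    new MyPreAuthenticatedUserDetailsService();
            return service;
        }

        @Bean
        public MyPreAuthenticatedProcessingFilter customAuthFilter() throws Exception {
            MyPreAuthenticatedProcessingFilter filter = new MyPreAuthenticatedProcessingFilter();
            filter.setAuthenticationManager(authenticationManager());
            return filter;
        }
    }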
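I think the code above is worth posting, because the examples on the internet are very basic and the Spring documentation lacks these details.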
Xae*_*ess 16
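Yes, the pre-authentication scenarios are exactly what you need.
> It seems that these objects are expected to be used when the principal is already in the session, put there by some previous authentication mechanism (is that right?).
Actually, you can use pre-authentication to create a PreAuthenticatedAuthenticationToken from the request, as you want. Just do the few things I pointed out in another question.
First, extend AbstractPreAuthenticatedProcessingFilter to obtain the username and roles from the request: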
    import javax.servlet.http.HttpServletRequest;
    import org.springframework.security.authentication.AuthenticationDetailsSource;
    import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

    public class MyPreAuthenticatedProcessingFilter
            extends AbstractPreAuthenticatedProcessingFilter {

        // No-arg constructor: the AuthenticationManager is injected through
        // setAuthenticationManager() (the "authenticationManager" property in the XML)
        public MyPreAuthenticatedProcessingFilter() {
            setAuthenticationDetailsSource(new MyAuthenticationDetailsSource());
        }

        @Override
        protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
            return "Anonymous";
        }

        @Override
        protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
            return "N/A";
        }

        public static class MyAuthenticationDetailsSource implements
                AuthenticationDetailsSource<HttpServletRequest, MySessionUserDetails> {

            // roles probably should be encrypted somehow
            static final String ROLES_PARAMETER = "pre_auth_roles";

            @Override
            public MySessionUserDetails buildDetails(HttpServletRequest req) {
                // create container for pre-auth data
                return new MySessionUserDetails(req.getParameter(ROLES_PARAMETER));
            }
        }
    }
The MySessionUserDetails class will convert the roles string into a List of SimpleGrantedAuthority or any other GrantedAuthority implementation. Also, a List is recommended and superior to GrantedAuthority[].
Second, implement AuthenticationUserDetailsService:
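    import java.util.List;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

    public class MyPreAuthenticatedUserDetailsService implements
            AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {

        @Override
        public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token)
                throws UsernameNotFoundException {
            // The details object was built by MyAuthenticationDetailsSource in the filter
            MySessionUserDetails sessionUserDetails =
                    (MySessionUserDetails) token.getDetails();
            List<GrantedAuthority> authorities = sessionUserDetails.getAuthorities();
            return new User(token.getName(), "N/A", true, true, true, true, authorities);
        }
    }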
Then, in your XML, connect the blocks together:
    <security:http use-expressions="true">
        <security:intercept-url pattern="/**" access="isAuthenticated()" />
        <security:custom-filter position="PRE_AUTH_FILTER"
                                ref="myPreAuthenticationFilter" />
    </security:http>
    <bean id="myPreAuthenticationFilter"
          class="com.example.MyPreAuthenticatedProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>
    <bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="preAuthenticatedUserDetailsService">
            <bean class="com.example.MyPreAuthenticatedUserDetailsService" />
        </property>
    </bean>
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="preauthAuthProvider" />
    </security:authentication-manager>
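Voila! You should have an authenticated User principal to use in your application.
The code I wrote here requires Spring Security 3.1, which I strongly recommend if you are about to use it (it does require Spring 3.0.7+). Also, the Spring Security reference manual is your friend!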
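
Added example, not part of either answer or of Spring Security: the filter above takes the pre_auth_roles request parameter at face value, and its own comment notes the roles need protecting; what they need is integrity, so this sketch verifies an HMAC-SHA256 tag and an expiry before the roles string would be handed to MySessionUserDetails. The class name SignedRolesParameter, the "roles.expiry.tag" layout and a key shared with the upstream system are assumptions, and it needs Java 8+ for java.util.Base64.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper (not from the answer): checks "roles.expiry.tag" before roles are trusted. */
public class SignedRolesParameter {
    private final SecretKeySpec key;
    public SignedRolesParameter(byte[] sharedKey) { key = new SecretKeySpec(sharedKey, "HmacSHA256"); }

    private byte[] mac(String data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    /** What the trusted upstream system would send as pre_auth_roles. */
    public String sign(String roles, long expiryEpochSec) throws GeneralSecurityException {
        String payload = roles + "." + expiryEpochSec;
        return payload + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(payload));
    }

    /** Returns the roles string, or null if the value is malformed, forged or expired. */
    public String verify(String value, long nowEpochSec) throws GeneralSecurityException {
        if (value == null) return null;
        int tagSep = value.lastIndexOf('.');
        int expSep = tagSep < 0 ? -1 : value.lastIndexOf('.', tagSep - 1);
        if (expSep < 0) return null;
        byte[] tag;
        long expiry;
        try {
            tag = Base64.getUrlDecoder().decode(value.substring(tagSep + 1));
            expiry = Long.parseLong(value.substring(expSep + 1, tagSep));
        } catch (IllegalArgumentException e) { // bad Base64 or non-numeric expiry
            return null;
        }
        // Constant-time tag check first; only then is the (now authenticated) expiry used.
        if (!MessageDigest.isEqual(mac(value.substring(0, tagSep)), tag)) return null;
        return nowEpochSec <= expiry ? value.substring(0, expSep) : null;
    }
    public static void main(String[] args) throws Exception {
        // Constructed demo key and timestamps; a real key comes from a secret store.
        SignedRolesParameter p = new SignedRolesParameter("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        String signed = p.sign("ROLE_USER", 2000L);
        System.out.println(p.verify(signed, 1000L)); // untouched value
        System.out.println(p.verify(signed.replace("ROLE_USER", "ROLE_ADMIN"), 1000L)); // roles edited in transit
    }
}
```

In buildDetails, a null result from verify should fail the request rather than fall back to an empty role list. The tag does not bind the roles to a user or session, so a captured value can be replayed until it expires.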