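I am trying to secure my Grails application with Spring Security based on SiteMinder preAuth. That is basically all I need. The application is only used to check a few things, so no database is needed.
I am stuck on some filter problems that I can't figure out.
At first I used only RequestHeaderAuthenticationFilter with a custom UserDetails and UserDetailsService.
My Spring beans: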
beans = {
    userDetailsService(MyUserDetailsService)
    userDetailsServiceWrapper(UserDetailsByNameServiceWrapper) {
        userDetailsService = ref('userDetailsService')
    }
    preauthAuthProvider(PreAuthenticatedAuthenticationProvider) {
        preAuthenticatedUserDetailsService = ref('userDetailsServiceWrapper')
    }
    requestHeaderAuthenticationFilter(RequestHeaderAuthenticationFilter) {
        principalRequestHeader = 'SM_USER'
        authenticationManager = ref('authenticationManager')
    }
}
I have my MyUserDetailsProvider:
class MyUserDetailsService implements GrailsUserDetailsService {
    MyUserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        //some super secret code here ;)
        return new MyUserDetails(/* some needed params */)
    }
}
I have also configured the secured URLs as in every sensible tutorial:
grails.plugins.springsecurity.interceptUrlMap = [
    '/user/**': ['ROLE_MINE'],
    '/activation/**': ['ROLE_SOMEOTHER, ROLE_MINE'],
    '/js/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/css/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/images/**': ['IS_AUTHENTICATED_ANONYMOUSLY'],
    '/*': ['IS_AUTHENTICATED_ANONYMOUSLY']
]
And some providers (keeping anonymous was suggested in some tutorials):
grails.plugins.springsecurity.providerNames = ['preauthAuthProvider','anonymousAuthenticationProvider']
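It works great for data access, but it does not allow resources to load, especially images. The error says that the SM_USER header was not found in the request.
So I thought I could use a solution like 'filters:none' or 'security:none' so that Spring knows which URL requests to serve without checking SM_USER.
I tried adding the filters and filterChain stuff: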
grails.plugins.springsecurity.filterNames = ['requestHeaderAuthenticationFilter']
grails.plugins.springsecurity.filterChain.chainMap = …