Java 如何实现Spring的预认证过滤器?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/20187205/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to implement Spring's pre-authentication filter?
提问by Koohoolinn
I'm trying to implement pre-authenicated security in our web application but I'm not sure how to do it correctly. There aren't that many examples out there. And the ones that are seem to have a much simpler setup than ours.
我正在尝试在我们的 Web 应用程序中实施预身份验证的安全性,但我不确定如何正确执行。没有那么多例子。而那些似乎比我们的设置要简单得多的设置。
We get our authentication details in a request header as an XML with a firstname, lastname, user ID and an error tag, if any occured.
我们在请求标头中以 XML 形式获取身份验证详细信息,其中包含名字、姓氏、用户 ID 和错误标记(如果发生)。
I'm extending AbstractPreAuthenticatedProcessingFilterand in its getPreAuthenticatedPrincipal()I extract the header, unmarshall it, and do some validation.
我正在扩展AbstractPreAuthenticatedProcessingFilter并在其中getPreAuthenticatedPrincipal()提取标头,对其进行解组,并进行一些验证。
Now the questions:
现在的问题:
- If everything's OK, do I just return my unmarshalled shibboleth from
getPreAuthenticatedPrincipal()? - If something's wrong, do I just throw a
PreAuthenticatedCredentialsNotFoundException? - What do I return from
getPreAuthenticatedCredentials()? Is"N/A"sufficient?
- 如果一切正常,我是否只需返回我未编组的 shibboleth
getPreAuthenticatedPrincipal()? - 如果出了什么问题,我就扔一个
PreAuthenticatedCredentialsNotFoundException吗? - 我从
getPreAuthenticatedCredentials()什么地方回来?是否"N/A"足够?
I suppose at some point I have t create an Authenticationand a Principal.
我想在某些时候我还没有创建一个Authentication和一个Principal.
Is this a good approach?
Principal dynamicUser = new DynamicUser(rijksregisterNummer); List<SimpleGrantedAuthority> grantedAuthorities = Arrays.asList(new SimpleGrantedAuthority("ROLE_USER")); Authentication authentication = new AnonymousAuthenticationToken(rijksregisterNummer, dynamicUser, grantedAuthorities);At what point (in which class) do I set it in the Spring Security?
What other classes do I need to extend?
How do I configure the Spring Security configuration XML? Like this? What am I missing?
<http> <custom-filter position="PRE_AUTH_FILTER" ref="myPreAuthFilter" /> </http> <bean id="myPreAuthFilter" class="my.package.MyPreAuthenticationFilter"> <property name="authenticationManager" ref="authenticationManager"/> </bean> <authentication-manager alias="authenticationManager"> <authentication-provider ref="customAuthenticationProvider"/> </authentication-manager>
这是一个好方法吗?
Principal dynamicUser = new DynamicUser(rijksregisterNummer); List<SimpleGrantedAuthority> grantedAuthorities = Arrays.asList(new SimpleGrantedAuthority("ROLE_USER")); Authentication authentication = new AnonymousAuthenticationToken(rijksregisterNummer, dynamicUser, grantedAuthorities);在什么时候(在哪个类中)我在 Spring Security 中设置它?
我还需要扩展哪些其他类?
如何配置 Spring Security 配置 XML?像这样?我错过了什么?
<http> <custom-filter position="PRE_AUTH_FILTER" ref="myPreAuthFilter" /> </http> <bean id="myPreAuthFilter" class="my.package.MyPreAuthenticationFilter"> <property name="authenticationManager" ref="authenticationManager"/> </bean> <authentication-manager alias="authenticationManager"> <authentication-provider ref="customAuthenticationProvider"/> </authentication-manager>
External users go through pre-authentication (using an e-ID and card reader) and then hit our web application. Internal users however, have to authenticate with a uername and password, a normal authentication procedure.
外部用户通过预认证(使用电子身和读卡器),然后点击我们的 Web 应用程序。但是,内部用户必须使用用户名和密码进行身份验证,这是正常的身份验证程序。
- How can I set it up that when there isn't an shibboleth (thus a login from our internal users), I can display a login form?
- 我如何设置,当没有 shibboleth(因此来自我们内部用户的登录)时,我可以显示登录表单?
Lot's of question, I know. I hope you can guide me through.
很多问题,我知道。我希望你能指导我通过。
回答by KLaalo
This is an old question but still relevant. As said, there was many questions. What caught my eye was the observation that there are not many example implementations.
这是一个老问题,但仍然相关。如上所述,有很多问题。引起我注意的是观察到没有很多示例实现。
I've been playing with an implementation. You can find it here: https://github.com/klaalo/reqTokenAuth.
我一直在玩一个实现。你可以在这里找到它:https: //github.com/klaalo/reqTokenAuth。
It is easy to mix and match with authentication methods on WebSecurityConfigurerAdapterso that you can have traditional form based authentication for legacy users.
它很容易与身份验证方法混合和匹配,WebSecurityConfigurerAdapter以便您可以为旧用户使用基于表单的传统身份验证。
The implementation is based on the setting where Apache mod_auth_openidcsits in front of the application. However, the implementation should work fine also with Shibboleth SP.
该实现基于 Apache mod_auth_openidc位于应用程序前面的设置。但是,该实现也应该适用于Shibboleth SP。
I didn't quite catch your sentiment about sending authentication details in HTTP Request headers as XML. Shibboleth SP is about SAML-authentication. You should leave the details about authentication for the SAML SP and only enjoy the benefits of readily authenticated user in your application. There's no need for unmarshalling the XML, Shibboleth does that for you. You get user details as clean Strings representing SAML attribute values in HTTP Headers or HttpServletRequestattributes (when Tomcat/AJP is used).
我不太明白您关于将 HTTP 请求标头中的身份验证详细信息作为 XML 发送的看法。Shibboleth SP 是关于 SAML 身份验证的。您应该留下有关 SAML SP 身份验证的详细信息,并且只在您的应用程序中享受经过身份验证的用户的好处。无需解组 XML,Shibboleth 会为您完成。您将获得用户详细信息,作为表示 HTTP 标头或HttpServletRequest属性(使用 Tomcat/AJP 时)中的SAML 属性值的干净字符串。
