java 无需表单登录的 Spring Security
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/11985709/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Spring security without form login
提问by quarks
I have implemented Spring Security Expression in my application Spring controller:
我在我的应用程序 Spring 控制器中实现了 Spring Security Expression:
@Controller
@RequestMapping("init")
public class InitController {
@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping(value = "/", method = RequestMethod.GET)
public @ResponseBody String home(){
return "This is the init page";
}
}
With this security configuration:
使用此安全配置:
<http auto-config="true" create-session="stateless" use-expressions="true">
<intercept-url pattern="/_ah*" access="permitAll" />
<intercept-url pattern="/init/*" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/init*" access="hasRole('ROLE_ADMIN')"/>
</http>
When this resource is accessed the the default Spring login form is displayed (http://localhost:8888/spring_security_login) however I don't want this to happen and that I just want to have the credentials to be inserted in the request header like "x-authorization-key" or whatever that fits the scenario.
当访问此资源时,会显示默认的 Spring 登录表单 ( http://localhost:8888/spring_security_login) 但是我不希望这种情况发生,我只想将凭据插入到请求标头中,例如“x-authorization-key”或其他任何内容这符合场景。
What is the possible solution for this?
对此的可能解决方案是什么?
- Is it a good to just have the x-authorization-key to be in the request
- If so, how does it fit with the Spring security mechanism, that is how that it fit with the "hasRole" expression
- It is important the the my web service is stateless, and each request gets authenticated
- Finally, how to do deal with Spring security without having to deal with the Spring login form
- 只在请求中包含 x-authorization-key 是不是很好
- 如果是这样,它如何与 Spring 安全机制相适应,即它如何与“hasRole”表达式相适应
- 重要的是我的 Web 服务是无状态的,并且每个请求都经过身份验证
- 最后,如何在不处理Spring登录表单的情况下处理Spring security
header
标题
回答by Shaun the Sheep
You should probably read the description on what auto-configdoes, then remove it to disable form-login. Your configuration will be clearer if you specifically configure what you want to use.
你可能必须阅读有关说明什么auto-config没有,然后将其删除禁用form-login。如果您专门配置要使用的内容,您的配置会更清晰。
It's not clear from your question what you want to be included in the x-authorization-keyheader. If you are just authenticating with a client Id and shared secret then you might as well use basic authentication since it is already supported out of the box and you can just add <http-basic />to your configuration. If you have something more customized in mind, then you will probably have to implement a custom filter and add it to the Spring Security filter chainto extract the credentials and process them.
从你的问题中不清楚你想在x-authorization-key标题中包含什么。如果您只是使用客户端 ID 和共享密钥进行身份验证,那么您也可以使用基本身份验证,因为它已经支持开箱即用,您可以添加<http-basic />到您的配置中。如果您有更多自定义的想法,那么您可能需要实现自定义过滤器并将其添加到 Spring Security 过滤器链中以提取凭据并处理它们。
How your authentication mechanism fits is also dependent on what it actually consists of. Normally your users will have assigned roles which are loaded when they authenticate, usually from a database of some kind. The hasRoleexpression simply checks whether the current user has the specified role. Often you will only need to create a UserDetailsServicewhich loads your user information in a standard format which is easily plugged into the framework. This is covered at length elsewhere. If you really need something more customized this blog articleon GAE integration includes details of how you might go about integrating with a more complicated system.
您的身份验证机制如何适应还取决于它的实际组成。通常,您的用户会分配到角色,这些角色会在他们进行身份验证时加载,通常来自某种数据库。该hasRole表达式只是检查当前用户是否具有指定的角色。通常,您只需要创建一个UserDetailsService以标准格式加载用户信息的文件,该格式很容易插入到框架中。这在别处有详细介绍。如果您真的需要更多定制的东西,这篇关于 GAE 集成的博客文章包含有关如何与更复杂的系统集成的详细信息。
Spring Security will not create or use a sessionif you use create-session='stateless'.
春季安全将无法创建或使用会话,如果你使用create-session='stateless'。
P.S. You don't really need to include the same security attributes both at the URL level and on your controller which handles the same URL.
PS 你真的不需要在 URL 级别和处理相同 URL 的控制器上包含相同的安全属性。
