java Spring Security 可以有多个安全上下文吗?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1070420/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Can I have multiple security contexts with spring security?
提问by Vasil
I have one security context definition that uses PreAuthenticatedProcessingFilterEntryPoint for the flex part of my application. How can I have another definition that will use standard form login with html forms for another part of my application? Here's what I currently have:
我有一个安全上下文定义,该定义将 PreAuthenticatedProcessingFilterEntryPoint 用于我的应用程序的 flex 部分。我如何才能有另一个定义,将标准表单登录与 html 表单一起用于我的应用程序的另一部分?这是我目前拥有的:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
<http auto-config="true" access-denied-page="/admin/access-denied">
<intercept-url pattern="/admin/login*" filters="none"/>
<intercept-url pattern="/admin/access-denied" filters="none"/>
<intercept-url pattern="/admin/**/*" access="ROLE_ADMIN" />
<form-login login-page="/admin/login" authentication-failure-url="/admin/login?login_error=1"
default-target-url="/admin/index" login-processing-url="/admin/login-process"/>
<logout logout-success-url="/admin/login"/>
</http>
<global-method-security jsr250-annotations="enabled" />
<beans:bean id="preAuthenticatedEntryPoint" class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" >
</beans:bean>
<beans:bean id="userAccountManager" class="com.mycomp.service.managers.jpa.UserAccountJpaManager" />
<beans:bean id="userService" class="com.mycomp.auth.DefaultUserDetailsService" />
<beans:bean id="defaultPasswordEncoder" class="com.mycomp.auth.DefaultPasswordEncoder" />
<authentication-provider user-service-ref="userService">
<password-encoder ref="defaultPasswordEncoder"/>
</authentication-provider>
</beans:beans>
What I'd like to do is use another authentication provider for the urls that are in the admin site, the one I currently have is for the flex application. So I want the security for the admin urls to use another userDetailsService bean.
我想要做的是为管理站点中的 url 使用另一个身份验证提供程序,我目前拥有的一个用于 flex 应用程序。所以我希望管理 url 的安全性使用另一个 userDetailsService bean。
回答by gutch
It has been tricky to do until recently, but now it is easy!
直到最近都很难做到,但现在很容易!
Spring Security has added support for the scenario in version 3.1. It is currently available as a Release Candidate, implemented by SEC-1171. Details of the syntax are in the manual included with 3.1.
Spring Security 在 3.1 版本中增加了对场景的支持。它目前可用作发布候选版本,由SEC-1171实施。语法的详细信息在 3.1 附带的手册中。
It's pretty simple to use. Basically you just define multiple httpelements in your Spring Security configuration, one for each context. We're using it like this:
使用起来非常简单。基本上,您只需http在 Spring Security 配置中定义多个元素,每个上下文一个。我们像这样使用它:
<!-- Configure realm for system administration users -->
<security:http pattern="/admin/**" create-session="stateless">
<security:intercept-url pattern='/**' access='ROLE_ADMIN' requires-channel="https" />
<security:custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter" />
</security:http>
<!-- Configure realm for standard users -->
<security:http auto-config="true" access-denied-page="/error/noaccess" use-expressions="true" create-session="ifRequired">
<security:form-login
...
...
</security:http>
The key thing to note is the pattern="/admin/**"on the first httpelement. This tells Spring that all URLs under /adminare subject to that context instead of the default context — and thus URLs under /adminuse your preauthorisation filter instead.
要注意的关键是pattern="/admin/**"第一个http元素上的 。这告诉 Spring 下的所有 URL/admin都受该上下文而不是默认上下文的约束——因此下的 URL/admin使用您的预授权过滤器。
回答by rodrigoap
Map each filter chain to a diferent URL pattern:
将每个过滤器链映射到不同的 URL 模式:
<bean id="myfilterChainProxy"
class="org.springframework.security.util.FilterChainProxy">
<security:filter-chain-map pathType="ant">
<security:filter-chain pattern="/flex" filters="filterF"/>
<security:filter-chain pattern="/**" filters="filter1,filter2,filter3"/>
</security:filter-chain-map>
</bean>
回答by Gandalf
It's all about what parts of your application are intercepted by the Spring Security filter chain. Somewhere in your xml configuration (depending on if you did the simple tag config or not) there is an intercept regexlike this :
这完全是关于您的应用程序的哪些部分被 Spring Security 过滤器链拦截。在您的 xml 配置中的某处(取决于您是否进行了简单的标记配置),有一个像这样的拦截正则表达式:
<intercept-url pattern="/**" ...>
You can have different intercept patterns that use different configurations (aka different parts of the security filter chain). I could give you a more concrete answer if you post your current configuration xml.
您可以拥有使用不同配置(即安全过滤器链的不同部分)的不同拦截模式。如果您发布当前的配置 xml,我可以给您一个更具体的答案。
EDIT: Currently you are using the httptag to define your Spring Security configuration. This tag is used as a shortcut/helper and it auto defines a lot of pieces of the Security Filter chain that can also be setup manually. I think your use case does not fit the auto setup paradigm so you will need to manually setup the filter chain for different URL patterns (as seen in the post below mine). You can create your own PreAuthenticationFilter (which will take a custom UserDetailsService) and add that where appropriate to your filter chain intercept mapping.
编辑:目前您正在使用http标签来定义您的 Spring Security 配置。此标签用作快捷方式/帮助程序,它自动定义了许多也可以手动设置的安全过滤器链。我认为您的用例不适合自动设置范例,因此您需要为不同的 URL 模式手动设置过滤器链(如我下面的帖子所示)。您可以创建您自己的 PreAuthenticationFilter(它将采用自定义 UserDetailsService)并将其添加到您的过滤器链拦截映射的适当位置。
