如何使用Spring 2.5实现自定义身份验证

时间:2013-05-08 20:40:50

标签: spring spring-security

我们正在使用spring 2.5。我们有通用的Web服务来验证用户,它将用户名和密码作为输入,并在验证密码后返回true或false。我们应该如何以及在何处实施此Web服务调用?请回复。感谢

目前我们的Spring配置如下,我们希望把这个Web服务调用集成进去。

        

    <!-- NOTE(review): the opening <http ...> tag is missing from this excerpt, so its attributes
         cannot be reviewed here. -->
    <!-- The access list for /service/** includes ROLE_ANONYMOUS and <anonymous /> is enabled below,
         so requests without a login are admitted to this path. If the services need an
         authenticated user, drop ROLE_ANONYMOUS from the list. -->
    <intercept-url pattern="/service/**" access="ROLE_ANONYMOUS, ROLE_LEARNER,ROLE_TRAININGADMINISTRATOR,ROLE_LMSADMINISTRATOR,ROLE_REGULATORYANALYST,ROLE_INSTRUCTOR"/>  

    <!-- Logout invalidates the HTTP session and sends the browser back to the login page. -->
    <logout invalidate-session="true" logout-success-url="/login.do"/>
    <!-- Anonymous access, HTTP Basic and remember-me are all switched on with their defaults.
         HTTP Basic carries the username and password on every request, only base64-encoded, and
         no requires-channel attribute is visible in this excerpt: confirm that TLS is enforced
         somewhere else before relying on it. -->
    <anonymous />  <http-basic /> <remember-me />
</http>
<!-- Entry point used when an unauthenticated request needs a login: it redirects to /login.do. -->
<b:bean id="authenticationProcessingFilterEntryPoint" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint">
    <b:property name="loginFormUrl" value="/login.do"/>
    <!-- forceHttps=false: the redirect to the login form is not forced onto HTTPS, so the form
         (and the password posted from it) may travel over plain HTTP. Set to true where TLS is
         available. -->
    <b:property name="forceHttps" value="false" />
</b:bean>
<!-- Publishes the namespace-created authentication manager under an alias so that the
     explicitly declared filter bean can reference it. -->
<authentication-manager alias='authenticationManagerAlias'/>

<!-- Form-login filter declared explicitly and placed at the AUTHENTICATION_PROCESSING_FILTER
     position of the filter chain. It hands every login attempt to the bean referenced by the
     authenticationManager property, which makes that property the place where a different
     authentication back end can be plugged in. -->
<b:bean id="myAuthenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
    <!-- alwaysUseDefaultTargetUrl=true below means a successful login always lands on this URL. -->
    <b:property name="defaultTargetUrl" value="/interceptor.do"/>
    <!-- A failed login returns to the login page. -->
    <b:property name="authenticationFailureUrl" value="/login.do"/>
    <b:property name="authenticationManager" ref="authenticationManagerAlias"/>
    <!-- vu360UserAuthenticationDetailsSource is defined outside this excerpt. -->
    <b:property name="authenticationDetailsSource" ref="vu360UserAuthenticationDetailsSource"/>
    <b:property name="alwaysUseDefaultTargetUrl" value="true"/>
    <custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>
</b:bean>    

<!-- First provider: looks the user up through userDetailsService and checks the password with
     the configured passwordEncoder and saltSource (both defined outside this excerpt). -->
<b:bean class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
    <b:property name="userDetailsService" ref="userDetailsService"/>
    <b:property name="passwordEncoder" ref="passwordEncoder"/>
    <b:property name="saltSource" ref="saltSource"/>
    <custom-authentication-provider/>  
</b:bean>   
<!-- Second provider: same userDetailsService but no passwordEncoder and no saltSource.
     NOTE(review): without a passwordEncoder the provider uses its default, which in this
     Spring Security generation is presumably the plaintext comparison (confirm for your
     version). Both beans are registered as providers, so a login the first one rejects is
     presumably tried again here with the weaker check. Confirm this fallback is intended;
     if it is not, remove this bean. -->
<b:bean class="org.springframework.security.providers.dao.DaoAuthenticationProvider">
    <b:property name="userDetailsService" ref="userDetailsService"/>
    <custom-authentication-provider/>  
</b:bean> 

                  

2 个答案:

答案 0 :(得分:2)

实现一个CustomAuthenticationProvider,如:

import com.google.common.collect.Lists;
import java.util.List;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;

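/**
 * Authentication provider that delegates the password check to an application-specific
 * verifier (for example a remote authentication web service).
 *
 * <p>No authority is granted until {@link #verifyCredentials(String, String)} has accepted the
 * submitted username and password. The verifier shipped here rejects everything, so the class
 * is safe to deploy before the real check is wired in.
 */
public class CustomAuthenticationProvider implements AuthenticationProvider {

    public final static Logger log = LogManager.getLogger(CustomAuthenticationProvider.class.getName());

    /** One message for every failure, so the response does not reveal which part was wrong. */
    private static final String FAILURE_MESSAGE = "Authentication failed, invalid username or password";

    /**
     * Verifies the submitted credentials and, on success, returns an authenticated token.
     *
     * @param authentication the login request; its name and credentials are read
     * @return a token carrying the user name, the submitted credentials and the granted authorities
     * @throws AuthenticationException if the user name is missing, the credentials are not a
     *         {@code String}, or {@link #verifyCredentials(String, String)} rejects them
     */
    @Override
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        String username = authentication.getName();
        Object credentials = authentication.getCredentials();

        // Fail closed: anything that is not a positively verified username/password pair is
        // rejected before an authority is attached to the token.
        boolean accepted = username != null
                && !username.isEmpty()
                && credentials instanceof String
                && verifyCredentials(username, (String) credentials);
        if (!accepted) {
            throw new CredentialsRejectedException(FAILURE_MESSAGE);
        }

        // NOTE(review): every verified user receives ROLE_ADMIN, exactly as in the original
        // example. Replace this with the roles the user is really entitled to before using it.
        List<GrantedAuthority> authorities = Lists.newArrayList();
        authorities.add(new RoleAuthority("ROLE_ADMIN"));

        return new UsernamePasswordAuthenticationToken(username, credentials, authorities);
    }

    /**
     * Decides whether {@code password} is valid for {@code username}.
     *
     * <p>This default implementation rejects every login. Override it, or replace its body,
     * with the call to the real credential check (the remote web service).
     *
     * @param username the submitted user name, never {@code null} or empty
     * @param password the submitted password, never {@code null}
     * @return {@code true} only when the credentials were positively verified
     */
    protected boolean verifyCredentials(String username, String password) {
        return false;
    }

    /**
     * Reports that this provider handles exactly {@code UsernamePasswordAuthenticationToken}
     * requests.
     */
    @Override
    public boolean supports(Class<? extends Object> authentication) {
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }

    /**
     * Authority with a fixed role name. It is a static nested class so that the authority, which
     * ends up in the stored security context, holds no reference to the enclosing provider.
     */
    private static final class RoleAuthority implements GrantedAuthority {
        private static final long serialVersionUID = 1L;

        private final String role;

        RoleAuthority(String role) {
            this.role = role;
        }

        @Override
        public String getAuthority() {
            return role;
        }
    }

    /**
     * Failure raised when the credentials are missing or rejected. BadCredentialsException from
     * the same Spring Security package is the conventional type if it is imported instead.
     */
    private static final class CredentialsRejectedException extends AuthenticationException {
        private static final long serialVersionUID = 1L;

        CredentialsRejectedException(String msg) {
            super(msg);
        }
    }

}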

<!-- Registers the custom provider as the only authentication provider of the manager, so every
     login decision is made by that class. Whatever check it performs (or omits) is the complete
     authentication for the application. -->
<!-- NOTE(review): this nested <authentication-provider ref="..."> form appears to be the newer
     Spring Security namespace syntax, while the configuration in the question marks providers
     with <custom-authentication-provider/>. Confirm which syntax your version accepts. -->
<authentication-manager>
    <authentication-provider  ref="customAuthenticationProvider" >
    </authentication-provider>
</authentication-manager>
<!-- The class attribute must be the fully qualified name of your own provider class. -->
<beans:bean id="customAuthenticationProvider" class="com.xkey.principal.CustomAuthenticationProvider"/>

答案 1 :(得分:0)

如果您想自己控制身份验证,可以创建自己的AuthenticationManager来调用Web服务并将其注入AuthenticationProcessingFilter。以下是自定义AuthenticationManager的示例,显然您需要使用用于调用实际服务的任何代码替换示例服务调用。

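/**
 * Authentication manager that asks an external web service whether a username/password pair
 * is valid.
 *
 * <p>{@code myWebService} is a placeholder for the client of the real service. It is not
 * declared in this example and has to be supplied (for instance as an injected field).
 */
public class CustomWebServiceAuthenticationManager implements AuthenticationManager {

    /** One message for every failure, so the response does not reveal which part was wrong. */
    private static final String FAILURE_MESSAGE = "Authentication failed, invalid username or password";

    /**
     * Checks the submitted credentials against the web service.
     *
     * @param credentials the login request; its name and credentials are read
     * @return an authenticated token for the user when the service accepts the password
     * @throws AuthenticationException if the user name is missing, the credentials are not a
     *         {@code String}, or the service rejects them
     */
    public Authentication authenticate(Authentication credentials) throws AuthenticationException {
        String username = credentials.getName();
        Object submitted = credentials.getCredentials();

        // Reject missing or non-String credentials here rather than letting a ClassCastException
        // escape or passing null on to the service.
        if (username == null || !(submitted instanceof String)) {
            throw new WebServiceAuthenticationException(FAILURE_MESSAGE);
        }
        String password = (String) submitted;

        // change this to your actual web service call
        // NOTE(review): a timeout or transport error from the service must also end in a
        // rejected login, never in a successful one.
        boolean successfulAuthentication = myWebService.authenticate(username, password);
        if (!successfulAuthentication) {
            throw new WebServiceAuthenticationException(FAILURE_MESSAGE);
        }

        // do whatever you need to do to get the correct roles for the user, this is just an
        // example of giving every user the role "ROLE_LEARNER"
        List<GrantedAuthority> roles =
                Collections.<GrantedAuthority>singletonList(new SimpleGrantedAuthority("ROLE_LEARNER"));

        // NOTE(review): the plaintext password stays inside the returned token and therefore in
        // the stored security context. Nothing in this class clears it, so consider erasing
        // the credentials once authentication has succeeded.
        return new UsernamePasswordAuthenticationToken(username, password, roles);
    }

    /**
     * Concrete failure type: AuthenticationException is abstract and cannot be instantiated
     * directly. BadCredentialsException is the conventional choice if it is imported instead.
     */
    private static final class WebServiceAuthenticationException extends AuthenticationException {
        private static final long serialVersionUID = 1L;

        WebServiceAuthenticationException(String msg) {
            super(msg);
        }
    }
}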

然后将CustomWebServiceAuthenticationManager添加到您的Spring配置中,并在AuthenticationProcessingFilter中引用它。

<!-- Declares the custom manager as a bean. The class attribute has no package here; use the
     fully qualified name of your own class. Once the filter references this bean, it alone
     decides every login. -->
<b:bean id="customWebServiceAuthenticationManager" class="CustomWebServiceAuthenticationManager"/>

<b:bean id="myAuthenticationProcessingFilter" class="org.springframework.security.ui.webapp.AuthenticationProcessingFilter">
    <b:property name="defaultTargetUrl" value="/interceptor.do"/>
    <b:property name="authenticationFailureUrl" value="/login.do"/>
    <b:property name="authenticationManager" ref="customWebServiceAuthenticationManager"/>
    <b:property name="authenticationDetailsSource" ref="vu360UserAuthenticationDetailsSource"/>
    <b:property name="alwaysUseDefaultTargetUrl" value="true"/>
<custom-filter position="AUTHENTICATION_PROCESSING_FILTER"/>