通过URL进行Spring Security身份验证

时间:2013-03-08 10:05:04

标签: spring spring-mvc spring-security

我有一个Spring MVC应用程序,它使用Spring Security和基于表单的登录进行授权/身份验证。

现在我想添加一个特殊的网址,其中包含一个无需其他信息即可访问的令牌,因为该令牌对于用户来说是唯一的:

http://myserver.com/special/5f6be0c0-87d7-11e2-9e96-0800200c9a66/text.pdf

如何配置Spring Security以使用该令牌进行用户身份验证?

3 个答案:

答案 0 :(得分:1)

您可以提供自定义PreAuthenticatedProcessingFilter和PreAuthenticatedAuthenticationProvider。有关详细信息,请参阅Pre-Authentication Scenarios章节。

答案 1 :(得分:1)

您需要定义自定义预授权过滤器。

http代码中的安全应用环境中:

<custom-filter position="PRE_AUTH_FILTER" ref="preAuthTokenFilter" />

然后定义你的过滤器bean(及其属性):

<beans:bean class="com.yourcompany.PreAuthTokenFilter"
      id="preAuthTokenFilter">
    <beans:property name="authenticationDetailsSource" ref="authenticationDetailsSource" />
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <beans:property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
</beans:bean>

创建从GenericFilterBean扩展的自定义过滤器

public class PreAuthTokenFilter extends GenericFilterBean {

private AuthenticationEntryPoint authenticationEntryPoint;
private AuthenticationManager authenticationManager;
private AuthenticationDetailsSource authenticationDetailsSource = new WebAuthenticationDetailsSource();

@Override
public void doFilter(ServletRequest req, ServletResponse resp,
                     FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) resp;

    String token = getTokenFromHeader(request);//your method

    if (StringUtils.isNotEmpty(token)) {
        /* get user entity from DB by token, retrieve its username and password*/

        if (isUserTokenValid(/* some args */)) {
            try {
                UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
                authRequest.setDetails(this.authenticationDetailsSource.buildDetails(request));
                Authentication authResult = this.authenticationManager.authenticate(authRequest);
                SecurityContextHolder.getContext().setAuthentication(authResult);
            } catch (AuthenticationException e) {
            }
        }
    }

    chain.doFilter(request, response);
}

/*
other methods
*/

如果您不想要或无法检索密码,则需要创建自己的AbstractAuthenticationToken,它只接收用户名asram(principal)并使用它代替UsernamePasswordAuthenticationToken

public class PreAuthToken extends AbstractAuthenticationToken {

    private final Object principal;

    public PreAuthToken(Object principal) {
        super(null);
        super.setAuthenticated(true);
        this.principal = principal;
    }

    @Override
    public Object getCredentials() {
        return "";
    }

    @Override
    public Object getPrincipal() {
        return principal;
    }
}

答案 2 :(得分:0)

我遇到了这个问题,并使用Spring Security RembereMe Service基础结构的自定义实现解决了这个问题。这是你需要做的。

  • 定义您自己的身份验证对象

    公共类LinkAuthentication扩展了AbstractAuthenticationToken {     @覆盖     public Object getCredentials()     {         return null;     } 

    @Override
public Object getPrincipal()
{

    return the prncipal that that is passed in via the constructor 
}

    }

定义

public class LinkRememberMeService implements RememberMeServices, LogoutHandler
{    
    /**
     * It might appear that once this method is called and returns an authentication object, that authentication should be finished and the
     * request should proceed. However, spring security does not work that way.
     * 
     * Once this method returns a non null authentication object, spring security still wants to run it through its authentication provider
     * which, is totally brain dead on the part of Spring this, is why there is also a
     * LinkAuthenticationProvider
     * 
     */
    @Override
    public Authentication autoLogin(HttpServletRequest request, HttpServletResponse response)
    {
        String accessUrl = ServletUtils.getApplicationUrl(request, "/special/");
        String requestUrl = request.getRequestURL().toString();
        if (requestUrl.startsWith(accessUrl))
        {
            // take appart the url extract the token, find the user details object 
                    // and return it. 
            LinkAuthentication linkAuthentication = new LinkAuthentication(userDetailsInstance);
            return linkAuthentication;
        } else
        {
            return null;
        }
    }

    @Override
    public void loginFail(HttpServletRequest request, HttpServletResponse response)
    {
    }

    @Override
    public void loginSuccess(HttpServletRequest request, HttpServletResponse response, Authentication successfulAuthentication)
    {
    }

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication)
    {
    }
}


public class LinkAuthenticationProvider implements AuthenticationProvider
{

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException
    {
        // Spring Security is totally brain dead and over engineered
        return authentication;
    }

    @Override
    public boolean supports(Class<?> authentication)
    {
        return LinkAuthentication.class.isAssignableFrom(authentication);
    }

}

破解spring security xml的其余部分以定义自定义身份验证提供程序,并自定义记住我的服务。

P.S。如果你在URL中对GUID进行base64编码,那么它将缩短几个字符。您可以使用Apache commons编解码器base64二进制编码器/解码器来做更安全的URL链接。

public static String toBase64Url(UUID uuid)
{
    return Base64.encodeBase64URLSafeString(toBytes(uuid));
}
相关问题
最新问题