在Spring Security中使用DefaultJaasAuthenticationProvider配置以使用linux用户名/密码进行登录验证。 JpamLoginModule用于身份验证。我成功通过身份验证,但我在授权方面遇到了问题(ROLE_USER,ROLE_ADMIN), 我正在获取HTTP状态403 - 访问被拒绝错误。
我在spring-security.xml中使用的配置
<security:authentication-manager>
<security:authentication-provider ref="jaasAuthProvider" />
</security:authentication-manager>
<bean id="jaasAuthProvider" class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider">
<property name="configuration">
<bean class="org.springframework.security.authentication.jaas.memory.InMemoryConfiguration">
<constructor-arg>
<map>
<entry key="SPRINGSECURITY">
<array>
<bean class="javax.security.auth.login.AppConfigurationEntry">
<constructor-arg value="net.sf.jpam.jaas.JpamLoginModule" />
<constructor-arg>
<util:constant static-field="javax.security.auth.login.AppConfigurationEntry$LoginModuleControlFlag.REQUIRED" />
</constructor-arg>
<constructor-arg>
<map></map>
</constructor-arg>
</bean>
</array>
</entry>
</map>
</constructor-arg>
</bean>
</property>
<property name="authorityGranters">
<list>
<bean class="it.webapps.pam.RoleGranter" />
</list>
</property>
</bean>
<bean id="userDetailsService" class="it.webapps.pam.UserDetailsServiceImpl">
</bean>
RoleGranter.java代码
public class RoleGranter implements AuthorityGranter {
public RoleGranter() {
System.out.print("=== Creating My Authority Granter ===");
}
@Override
public Set<String> grant(Principal principal) {
return Collections.singleton("ROLE_ADMIN");
}
}
建议会非常有帮助
答案 0 :(得分:2)
基于:http://jpam.sourceforge.net/xref/net/sf/jpam/jaas/JpamLoginModule.html和https://github.com/spring-projects/spring-security/blob/master/core/src/main/java/org/springframework/security/authentication/jaas/AbstractJaasAuthenticationProvider.java
看起来您需要扩展JpamLoginModule以更改提交的行为。需要在扩展的JpamLoginModule中为主题分配主体。然后,AbstractJaasAuthenticationProvider(DefaultJaasAuthenticationProvider)将循环遍历这些主体并将它们发送到您的authorityGranters(RoleGranter)。
<authentication-manager>
<authentication-provider ref="jaasAuthProvider" />
</authentication-manager>
<beans:bean id="userService" class="blah.UserDetailsServiceImpl" />
<beans:bean id="jaasAuthProvider" class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider">
<beans:property name="configuration">
<beans:bean class="org.springframework.security.authentication.jaas.memory.InMemoryConfiguration">
<beans:constructor-arg>
<beans:map>
<beans:entry key="SPRINGSECURITY">
<beans:array>
<beans:bean class="javax.security.auth.login.AppConfigurationEntry">
<beans:constructor-arg value="blah.RoleGrantingJpamLoginModule" />
<beans:constructor-arg>
<util:constant static-field="javax.security.auth.login.AppConfigurationEntry$LoginModuleControlFlag.REQUIRED" />
</beans:constructor-arg>
<beans:constructor-arg>
<beans:map></beans:map>
</beans:constructor-arg>
</beans:bean>
</beans:array>
</beans:entry>
</beans:map>
</beans:constructor-arg>
</beans:bean>
</beans:property>
<beans:property name="authorityGranters">
<beans:list>
<beans:bean class="blah.RoleGranter" />
</beans:list>
</beans:property>
</beans:bean>
package blah;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import net.sf.jpam.jaas.JpamLoginModule;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
public class RoleGrantingJpamLoginModule extends JpamLoginModule {
private Subject subject;
@Override
public void initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler callbackHandler, java.util.Map sharedState, java.util.Map options) {
super.initialize(subject, callbackHandler, sharedState, options);
this.subject = subject;
}
@Override
public boolean commit() throws LoginException {
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(null, null);
subject.getPrincipals().add(token);
return super.commit();
}
}
package blah;
import static java.util.Arrays.asList;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
public class UserDetailsServiceImpl implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
return new User(username, "password", asList(new SimpleGrantedAuthority("ROLE_ADMIN")));
}
}
答案 1 :(得分:0)
尝试返回“ADMIN”而不是“ROLE_ADMIN”。 Spring会自动添加“ROLE”。