我在我的Web应用程序中使用带有安全性的Spring框架。我有一个Guest用户及其在我的数据库中的权限,但我无法实现AnonymousAuthenticationFilter和AnonymousAuthenticationProvider来使用该用户。这是我的appSecurity配置:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<bean id="loginUrlAuthenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
p:loginFormUrl="/login" p:useForward="false" p:forceHttps="false" />
<bean id="successHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"
p:defaultTargetUrl="/" />
<bean id="failureHandler"
class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
p:defaultFailureUrl="/login?error=true" p:useForward="false" />
<bean id="accessDeniedHandler"
class="com.asosyalbebe.springtest.gui.user.security.CustomAccessDeniedHandler">
<property name="accessDeniedUrl" value="/accessDenied" />
</bean>
<bean id="userDetailsService"
class="com.asosyalbebe.springtest.gui.user.service.UserServiceImpl" />
<bean id="tokenBasedRememberMeServices"
class="com.asosyalbebe.springtest.gui.user.security.CustomRememberMeServices">
<property name="alwaysRemember" value="true" />
<property name="key" value="abcdef123456" />
<property name="parameter" value="remember" />
<property name="cookieName" value="_ab_memo" />
<property name="userDetailsService" ref="userDetailsService" />
</bean>
<bean id="authenticationProcessingFilter"
class="com.asosyalbebe.springtest.gui.user.security.AuthenticationProcessingFilter">
<property name="filterProcessesUrl" value="/j_spring_security_check" />
<property name="authenticationManager" ref="authenticationManager" />
<property name="postOnly" value="true" />
<property name="authenticationSuccessHandler" ref="successHandler" />
<property name="authenticationFailureHandler" ref="failureHandler" />
<property name="rememberMeServices" ref="tokenBasedRememberMeServices" />
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider
ref="anonymousAuthProvider" />
<security:authentication-provider
ref="rememberMeAuthProvider" />
<security:authentication-provider
ref="customAuthenticationProvider" />
</security:authentication-manager>
<bean id="anonymousAuthProvider" class="com.asosyalbebe.springtest.gui.user.security.CustomAnonymousAuthProvider">
<property name="userDetailsService" ref="userDetailsService" />
<property name="key" value="foobar" />
</bean>
<bean name="rememberMeAuthProvider"
class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
<property name="key" value="xy1245aazpo98qwe" />
</bean>
<bean id="customAuthenticationProvider"
class="com.asosyalbebe.springtest.gui.user.security.UserAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService" />
</bean>
<bean id="securityContextPersistenceFilter"
class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
<property name='securityContextRepository'>
<bean
class='org.springframework.security.web.context.HttpSessionSecurityContextRepository'>
<property name='allowSessionCreation' value='false' />
</bean>
</property>
</bean>
<bean id="customLogoutSuccessHandler" class="com.asosyalbebe.springtest.gui.user.security.CustomLogoutSuccessHandler" />
<bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<constructor-arg ref="customLogoutSuccessHandler" />
<constructor-arg>
<list>
<bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
<ref bean="tokenBasedRememberMeServices"/>
</list>
</constructor-arg>
</bean>
<bean name="rememberMeAuthenticationFilter" class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="rememberMeServices" ref="tokenBasedRememberMeServices" />
</bean>
<bean id="anonymousProcessingFilter" class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
<property name="key" value="foobar" />
<property name="userAttribute" value="anonymousUser,PRIV_ANONYMOUS" />
</bean>
<bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
<property name="authenticationEntryPoint" ref="loginUrlAuthenticationEntryPoint" />
<property name="accessDeniedHandler" ref="accessDeniedHandler"/>
</bean>
<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
<property name="rolePrefix" value="PRIV_"/>
</bean>
<bean id="accessDecisionManager" class="com.asosyalbebe.springtest.gui.user.security.CustomAccessDecisionManager">
<property name="allowIfAllAbstainDecisions" value="false" />
<property name="decisionVoters">
<list>
<ref bean="roleVoter" />
</list>
</property>
</bean>
<bean id="securityMetadataSource" class="com.asosyalbebe.springtest.gui.user.security.CustomFilterInvocationDefinitionSource"/>
<bean id="filterInvocationInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
<property name="authenticationManager" ref="authenticationManager" />
<property name="accessDecisionManager" ref="accessDecisionManager" />
<property name="securityMetadataSource" ref="securityMetadataSource" />
<property name="rejectPublicInvocations" value="false"/>
</bean>
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map path-type="ant">
<security:filter-chain pattern="/**"
filters="securityContextPersistenceFilter,
logoutFilter,
authenticationProcessingFilter,
rememberMeAuthenticationFilter,
anonymousProcessingFilter,
exceptionTranslationFilter,
filterInvocationInterceptor" />
</security:filter-chain-map>
</bean>
</beans>
这是我的自定义匿名身份验证提供程序:
package com.asosyalbebe.springtest.gui.user.security;
import org.springframework.security.authentication.AnonymousAuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import com.asosyalbebe.springtest.gui.user.model.GuiUser;
import com.asosyalbebe.springtest.gui.user.service.UserService;
@SuppressWarnings("deprecation")
public class CustomAnonymousAuthProvider extends AnonymousAuthenticationProvider {
private UserService userDetailsService;
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
GuiUser user = userDetailsService.getGuestUser();
UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(user, "pwd", user.getAuthorities());
result.setDetails(user);
return result;
}
@Override
public boolean supports(Class<?> class1) {
return true;
}
public void setUserDetailsService(UserService userDetailsService) {
this.userDetailsService = userDetailsService;
}
}
我认为authenticate中的CustomAnonymousAuthProvider方法永远不会被执行。我还能做什么?
答案 0 :(得分:2)
从AuthenticationManager的角度来看,当时过滤器创建的AnonymousAuthenticationToken已经过身份验证(isAuthenticated属性为true),所以它不会尝试对其进行身份验证。因此,不会调用您的提供商。
最简单的选择是自定义AnonymousAuthenticationFilter以直接使用数据库中的权限。