Spring使用匿名身份验证提供程序来使用访客用户

时间:2014-04-28 11:54:15

标签: java spring spring-mvc spring-security

我在我的Web应用程序中使用带有安全性的Spring框架。我有一个Guest用户及其在我的数据库中的权限,但我无法实现AnonymousAuthenticationFilter和AnonymousAuthenticationProvider来使用该用户。这是我的appSecurity配置:

<?xml version="1.0" encoding="UTF-8"?>

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
    xmlns:p="http://www.springframework.org/schema/p"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <bean id="loginUrlAuthenticationEntryPoint" 
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint" 
        p:loginFormUrl="/login" p:useForward="false" p:forceHttps="false" />

    <bean id="successHandler"
        class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"
        p:defaultTargetUrl="/" />

    <bean id="failureHandler"
        class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler"
        p:defaultFailureUrl="/login?error=true" p:useForward="false" />

    <bean id="accessDeniedHandler"
        class="com.asosyalbebe.springtest.gui.user.security.CustomAccessDeniedHandler">
        <property name="accessDeniedUrl" value="/accessDenied" />
    </bean>

    <bean id="userDetailsService"
        class="com.asosyalbebe.springtest.gui.user.service.UserServiceImpl" />

    <bean id="tokenBasedRememberMeServices"
        class="com.asosyalbebe.springtest.gui.user.security.CustomRememberMeServices">
        <property name="alwaysRemember" value="true" />
        <property name="key" value="abcdef123456" />
        <property name="parameter" value="remember" />
        <property name="cookieName" value="_ab_memo" />
        <property name="userDetailsService" ref="userDetailsService" />
    </bean>

    <bean id="authenticationProcessingFilter"
        class="com.asosyalbebe.springtest.gui.user.security.AuthenticationProcessingFilter">
        <property name="filterProcessesUrl" value="/j_spring_security_check" />
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="postOnly" value="true" />
        <property name="authenticationSuccessHandler" ref="successHandler" />
        <property name="authenticationFailureHandler" ref="failureHandler" />
        <property name="rememberMeServices" ref="tokenBasedRememberMeServices" />
    </bean>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider
            ref="anonymousAuthProvider" />
        <security:authentication-provider
            ref="rememberMeAuthProvider" />
        <security:authentication-provider
            ref="customAuthenticationProvider" />
    </security:authentication-manager>

    <bean id="anonymousAuthProvider" class="com.asosyalbebe.springtest.gui.user.security.CustomAnonymousAuthProvider">
        <property name="userDetailsService" ref="userDetailsService" />
        <property name="key" value="foobar" />
    </bean>

    <bean name="rememberMeAuthProvider"
        class="org.springframework.security.authentication.RememberMeAuthenticationProvider">
        <property name="key" value="xy1245aazpo98qwe" />
    </bean>

    <bean id="customAuthenticationProvider"
        class="com.asosyalbebe.springtest.gui.user.security.UserAuthenticationProvider">
        <property name="userDetailsService" ref="userDetailsService" />
    </bean>

    <bean id="securityContextPersistenceFilter"
        class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
        <property name='securityContextRepository'>
            <bean
                class='org.springframework.security.web.context.HttpSessionSecurityContextRepository'>
                <property name='allowSessionCreation' value='false' />
            </bean>
        </property>
    </bean>

    <bean id="customLogoutSuccessHandler" class="com.asosyalbebe.springtest.gui.user.security.CustomLogoutSuccessHandler" />

    <bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <constructor-arg ref="customLogoutSuccessHandler" />
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler" />
                <ref bean="tokenBasedRememberMeServices"/> 
            </list>
        </constructor-arg>
    </bean>

    <bean name="rememberMeAuthenticationFilter" class="org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="rememberMeServices" ref="tokenBasedRememberMeServices" />
    </bean>

    <bean id="anonymousProcessingFilter" class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
        <property name="key" value="foobar" />
        <property name="userAttribute" value="anonymousUser,PRIV_ANONYMOUS" />
    </bean>

    <bean id="exceptionTranslationFilter" class="org.springframework.security.web.access.ExceptionTranslationFilter">
        <property name="authenticationEntryPoint" ref="loginUrlAuthenticationEntryPoint" />
        <property name="accessDeniedHandler" ref="accessDeniedHandler"/>
    </bean>

    <bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
        <property name="rolePrefix" value="PRIV_"/>
    </bean>

    <bean id="accessDecisionManager" class="com.asosyalbebe.springtest.gui.user.security.CustomAccessDecisionManager">
        <property name="allowIfAllAbstainDecisions" value="false" />
        <property name="decisionVoters">
            <list>
                <ref bean="roleVoter" />
            </list>
        </property>
    </bean>

    <bean id="securityMetadataSource" class="com.asosyalbebe.springtest.gui.user.security.CustomFilterInvocationDefinitionSource"/>

    <bean id="filterInvocationInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="accessDecisionManager" ref="accessDecisionManager" />
        <property name="securityMetadataSource" ref="securityMetadataSource" />
        <property name="rejectPublicInvocations" value="false"/>
    </bean>

    <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
        <security:filter-chain-map path-type="ant">
            <security:filter-chain pattern="/**"
                filters="securityContextPersistenceFilter,
                logoutFilter,
                authenticationProcessingFilter,
                rememberMeAuthenticationFilter,
                anonymousProcessingFilter,
                exceptionTranslationFilter,
                filterInvocationInterceptor" />
        </security:filter-chain-map>
    </bean>
</beans>

这是我的自定义匿名身份验证提供程序:

package com.asosyalbebe.springtest.gui.user.security;

import org.springframework.security.authentication.AnonymousAuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

import com.asosyalbebe.springtest.gui.user.model.GuiUser;
import com.asosyalbebe.springtest.gui.user.service.UserService;

@SuppressWarnings("deprecation")
public class CustomAnonymousAuthProvider extends AnonymousAuthenticationProvider {
    private UserService userDetailsService;

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        GuiUser user = userDetailsService.getGuestUser();

        UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(user, "pwd", user.getAuthorities());
        result.setDetails(user);

        return result;
    }

    @Override
    public boolean supports(Class<?> class1) {
        return true;
    }

    public void setUserDetailsService(UserService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }
}

我认为authenticate中的CustomAnonymousAuthProvider方法永远不会被执行。我还能做什么?

1 个答案:

答案 0 :(得分:2)

AuthenticationManager的角度来看,当时过滤器创建的AnonymousAuthenticationToken已经过身份验证(isAuthenticated属性为true),所以它不会尝试对其进行身份验证。因此,不会调用您的提供商。

最简单的选择是自定义AnonymousAuthenticationFilter以直接使用数据库中的权限。