我的应用从Oracle Access Manager SSO获取带有用户名的AUTH_USER请求标头。 Spring Security"其他主题" 2.2.1有一个例子" PreAuth"这似乎是我需要的,但不是一个完整的例子。
下面的代码段来自docs / examples,而不是基于注释的配置。
Siteminder示例配置 - 使用带有 RequestHeaderAuthenticationFilter 的XML和 PreAuthenticatedAuthenticationProvider 以及UserDetailsService来查找用户。
这如何映射到基于Java的配置?
<security:http>
<!-- Additional http configuration omitted -->
<security:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
</security:http>
<bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<property name="principalRequestHeader" value="AUTH_USER"/>
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth. PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper"
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="userDetailsService"/>
</bean>
</property>
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="preauthAuthProvider" />
</security:authentication-manager>
Spring Security preauth示例具有完全不同的设置(XML配置更加令人生畏)。没有提到预认证过滤器或如何设置标题名称。
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/login","/resources/**").permitAll()
.anyRequest().authenticated()
.and()
.jee()
.mappableRoles("USER","ADMIN");
}
}
spring-boot-sample-web-secure扩展了WebMvcConfigurerAdapter而不是WebSecurityConfigurerAdapter,只进行基本的基于表单的登录,没有关于如何从pre-auth AUTH_USER标头获取用户标识的信息。
public class SampleWebSecureApplication extends WebMvcConfigurerAdapter {
... omitted...
@Bean
public ApplicationSecurity applicationSecurity() {
return new ApplicationSecurity();
}
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Autowired
private SecurityProperties security;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().fullyAuthenticated().and().formLogin()
.loginPage("/login").failureUrl("/login?error").permitAll();
}
}
}
我已经阅读了很多参考文章或文章,但它们似乎与当前代码和Spring-boot无关,所以试图了解如何配置应用程序pre-auth安全性。
答案 0 :(得分:1)
这是我根据注入的userService配置pre-auth安全性的方法:
@Configuration
@EnableWebSecurity
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(jsr250Enabled = true, securedEnabled = true, prePostEnabled = true, proxyTargetClass = true)
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {
private static final Logger LOG = Logger.getLogger(ApplicationSecurity.class.getName());
@Autowired
private UserService userService; // implements AuthenticationUserDetailsService...
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
LOG.info("configure autentication provider with custom userService");
PreAuthenticatedAuthenticationProvider paaProvider = new PreAuthenticatedAuthenticationProvider();
paaProvider.setPreAuthenticatedUserDetailsService(userService);
auth.authenticationProvider(paaProvider);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
LOG.info("configure autentication filter");
// ...
}
}