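I've burned a few days trying to get something working that should be simple. I have an application (a web application) that uses Spring Security 3.0.5, and I've been trying for a while to switch the authentication-manager to something that supports LDAP.
I'm using JSF, and it seems most tutorials are geared towards JSP.
I'm by no means a Spring expert, and I've mixed together pieces from several tutorials scattered around the web.
I'm not 100% sure what this file actually does: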
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/mvc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xsi:schemaLocation="
        http://www.springframework.org/schema/mvc http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd">
    <!-- DispatcherServlet Context: defines this servlet's request-processing infrastructure -->
    <!-- Handles HTTP GET requests for /resources/** by efficiently serving up static resources in the ${webappRoot}/resources directory -->
    <resources mapping="/resources/**" location="/resources/" />
    <!-- Resolves views selected for rendering by @Controllers to .jsp resources in the /WEB-INF/views directory -->
    <beans:bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <beans:property name="prefix" value="/WEB-INF/views/" />
        <beans:property name="suffix" value=".jsp" />
    </beans:bean>
</beans:beans>
This file appears to define the security configuration and which parts of the web application are locked down.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
    <http use-expressions="true">
        <intercept-url pattern="/ff/**" access="isAuthenticated()" />
        <intercept-url pattern="/**" access="permitAll()" />
        <!-- Custom login page -->
        <form-login login-page="/login.jsf" authentication-failure-url="/login-fail.jsf"/>
        <!-- Custom logout page -->
        <logout logout-success-url="/login.jsf" invalidate-session="true"/>
    </http>
    <!-- Use inline authentication provider. -->
    <authentication-manager>
        <authentication-provider>
            <password-encoder hash="md5"/>
            <user-service>
                <user name="admin" password="21232f297a57a5a743894a0e4a801fc3" authorities="ROLE_ADMIN,ROLE_USER" />
                <user name="raj" password="0b438dd454bc6a17de239ebf0a46b91b" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
It looks like this file tells the web app which additional Spring configuration to parse:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring/root-context.xml
            /WEB-INF/spring/security.xml
        </param-value>
    </context-param>
    <!-- Enable Spring Security -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <!-- Allow login pages with JSF which redirects to security check, therefore we have to add the forward entry here -->
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
    </listener>
    <servlet>
        <servlet-name>appServlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/spring/servlet-context.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>appServlet</servlet-name>
        <url-pattern>/spring/</url-pattern>
    </servlet-mapping>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.jsf</url-pattern>
        <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
</web-app>
Finally, I have a bean that handles the security stuff (I think):
import java.util.Collection;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.SessionScoped;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;

/**
 * Code from: http://www.baeldung.com/get-user-in-spring-security
 */
@ManagedBean
@SessionScoped
public class SecurityWrapper {

    /* Returns the name of the logged-in user, or a marker string for anonymous sessions. */
    public String getUser() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (!(authentication instanceof AnonymousAuthenticationToken)) {
            String currentUserName = authentication.getName();
            return currentUserName;
        }
        return "NO USER DETECTED";
    }

    /* Example of obtaining the role name, e.g. to generate a menu automatically. */
    public String getRole() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        String namePrincipalRol = null;
        if (auth instanceof AnonymousAuthenticationToken) {
            namePrincipalRol = "ROLE_ANONYMOUS";
        } else {
            // Only the first granted authority is reported.
            namePrincipalRol = auth.getAuthorities().iterator().next().getAuthority();
        }
        return namePrincipalRol;
    }

    private void getUserDetails() {
        UserDetails userDetails = (UserDetails) SecurityContextHolder.getContext().
                getAuthentication().getPrincipal();
        // The password is deliberately not printed: it would end up in the server log.
        System.out.println(userDetails.getUsername());
        System.out.println(userDetails.isEnabled());
    }

    private boolean hasRole(String role) {
        // The wildcard type avoids an unchecked cast and compiles on 3.0.x and later.
        Collection<? extends GrantedAuthority> authorities =
                SecurityContextHolder.getContext().getAuthentication().getAuthorities();
        boolean hasRole = false;
        for (GrantedAuthority authority : authorities) {
            hasRole = authority.getAuthority().equals(role);
            if (hasRole) {
                break;
            }
        }
        return hasRole;
    }

    public String logout() {
        getUserDetails();
        SecurityContextHolder.clearContext();
        return "loggedout";
    }
}
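So this is where I'm running into problems. 1) The sample code I put together (a lot of it from: http://www.baeldung.com/get-user-in-spring-security) is running Spring 3.0.5, which may be outdated, but I'd hope that shouldn't matter. I've tried various routes to integrate and/or switch to an LDAP authentication provider, but I keep running into problems: the tutorials I find are for different versions, and when I try to upgrade Spring, things go kaboom. I thought this should be a straightforward process, but I'd like to know how to move forward.
There are various answers on Stack Overflow about integrating Spring LDAP, but they (mostly) relate to .jsp rather than .xhtml, which may or may not matter, and I've had a lot of trouble integrating the rest.
Should this be a straightforward process, or is there actually more to it than I realize? Is it just a matter of swapping out my <authentication-manager>, or do I also need to add special Java code?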
Answer 0 (score: 0)
So... assuming you have Spring Security working and you want to switch to LDAP.
You need this for your authentication manager in the file Security.xml:
<sec:authentication-manager alias="webAuthenticationManager">
    <sec:authentication-provider ref="ldapActiveDirectoryAuthProvider" />
</sec:authentication-manager>
The actual bean that does this:
<bean id="ldapActiveDirectoryAuthProvider" class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
    <constructor-arg value="yourcompany.com" />
    <constructor-arg value="ldap://yourserver.yourcompany.com:389" />
    <property name="authoritiesMapper" ref="dataAutomationGrantedAuthoritiesMapper" />
    <property name="useAuthenticationRequestCredentials" value="true" />
</bean>
You also need to map groups to Spring Security roles:
<!-- Mapping of Groups (user is member of) to Application roles used by Spring security -->
<bean id="dataAutomationGrantedAuthoritiesMapper" class="com.deltarail.view.web.login.DataAutomationGrantedAuthoritiesMapper">
    <property name="groupToRoleMap">
        <util:map>
            <entry key="SystemAdministrators" value="ROLE_SYSADMIN" />
            <entry key="Maint" value="ROLE_MAINT" />
            <entry key="General" value="ROLE_USER" />
        </util:map>
    </property>
</bean>