Spring Security:如何使用zoneinfo

时间:2017-01-04 01:28:43

标签: spring-security jwt

有人可以建议如何使用Spring Security框架保护Web套接字端点吗?

我有一个使用Spring Security保护的应用程序。 其中一个端点是Web套接字。 在Web套接字处理程序内部,我需要对连接到Web套接字的用户进行身份验证。 具体来说,我需要获取userid和zone / tenant id。

如果我在spring-security.xml中使用标签 sec:http 表示websocket端点(请参阅下面的文件),这会触发登录,然后在网络套接字的 @onOpen中(会话会话)处理程序 当我调用 session.getUserPrincipal()时,返回的主体内部有一个正确的用户名。

但是我还需要区域/租户ID信息。

我正在尝试使用 SecurityContextHolder.getContext()。getAuthentication(),它应包含它,但调用返回null。 显然, sec:http 不会导致为Web套接字请求创建身份验证对象。

我被提到了

http://docs.spring.io/autorepo/docs/spring-security/4.1.x/reference/html/websocket.html

http://docs.spring.io/autorepo/docs/spring-security/4.1.x/reference/html/appendix-namespace.html#nsa-websocket-security

似乎建议要为websocket端点获取带有区域信息的身份验证器,我需要将以下部分添加到spring-security.xml:

<sec:websocket-message-broker>
    <sec:intercept-message pattern="/WebSocket.svc" access="isAuthenticated()" />
</sec:websocket-message-broker>

然而,当我添加它并尝试启动应用程序时,它会失败,并带有以下回溯/消息:

org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: Security namespace does not support decoration of element [websocket-message-broker]
Offending resource: ServletContext resource [/WEB-INF/spring-security.xml]
    at org.springframework.beans.factory.parsing.FailFastProblemReporter.fatal(FailFastProblemReporter.java:60) ~[spring-beans-4.3.1.RELEASE.jar:4.3.1.RELEASE]
    at org.springframework.beans.factory.parsing.ReaderContext.fatal(ReaderContext.java:68) ~[spring-beans-4.3.1.RELEASE.jar:4.3.1.RELEASE]
    at org.springframework.beans.factory.parsing.ReaderContext.fatal(ReaderContext.java:55) ~[spring-beans-4.3.1.RELEASE.jar:4.3.1.RELEASE]
    at org.springframework.security.config.SecurityNamespaceHandler.reportUnsupportedNodeType(SecurityNamespaceHandler.java:144) ~[spring-security-config-4.1.2.RELEASE.jar:4.1.2.RELEASE]

我正在使用Spring Security 4.1.2和4.3.1作为主Spring。

从Spring文档中还不清楚 sec:websocket-message-broker sec:http 是否应该与Web套接字端点一起使用或者是互斥的

感谢您的建议。

塞吉

P.S。我的spring-security.xml看起来像这样:

<?xml version="1.0" encoding="UTF-8" ?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:oauth="http://www.springframework.org/schema/security/oauth2"
    xmlns:sec="http://www.springframework.org/schema/security"
    xmlns:websocket="http://www.springframework.org/schema/websocket"
    xsi:schemaLocation="http://www.springframework.org/schema/security/oauth2
        http://www.springframework.org/schema/security/spring-security-oauth2-1.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-4.1.xsd
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-4.1.xsd">

    <sec:http pattern="/Consumer.svc/**" create-session="never"
        entry-point-ref="oauthAuthenticationEntryPoint"
        access-decision-manager-ref="accessDecisionManager"
        authentication-manager-ref="authenticationManager"
        use-expressions="true">
        <sec:anonymous enabled="false" />
        <sec:intercept-url pattern="/Consumer.svc/**" access="isAuthenticated()" />
        <sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
        <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
    </sec:http>

    <sec:http pattern="/WebSocket.svc" create-session="never"
        entry-point-ref="oauthAuthenticationEntryPoint"
        access-decision-manager-ref="accessDecisionManager"
        authentication-manager-ref="authenticationManager"
        use-expressions="true">
        <sec:anonymous enabled="false" />
        <sec:intercept-url pattern="/WebSocket.svc" access="isAuthenticated()"  />
        <sec:custom-filter ref="resourceServerFilter" before="PRE_AUTH_FILTER" />
        <sec:access-denied-handler ref="oauthAccessDeniedHandler" />
    </sec:http>

    <sec:websocket-message-broker>
        <sec:intercept-message pattern="/WebSocket.svc" access="isAuthenticated()" />
    </sec:websocket-message-broker>

    <bean id="oauthAuthenticationEntryPoint"
        class="org.springframework.security.oauth2.provider.error.OAuth2AuthenticationEntryPoint">
    </bean>

    <bean id="oauthWebExpressionHandler"
        class="org.springframework.security.oauth2.provider.expression.OAuth2WebSecurityExpressionHandler">
    </bean>

    <bean id="accessDecisionManager"
        class="org.springframework.security.access.vote.UnanimousBased">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                    <property name="expressionHandler" ref="oauthWebExpressionHandler" />
                </bean>
                <bean class="org.springframework.security.access.vote.AuthenticatedVoter"  />
            </list>
        </constructor-arg>
    </bean>

    <sec:authentication-manager alias="authenticationManager"/>

    <oauth:resource-server id="resourceServerFilter"
        resource-id="springsec" token-services-ref="offlineTokenServices" />

    <bean id="oauthAccessDeniedHandler"
        class="org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler" />

    <!-- ... also some other elements here ... -->

</beans>

1 个答案:

答案 0 :(得分:0)

有必要将以下内容添加到pom.xml:

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-messaging</artifactId>
        <version>4.1.2.RELEASE</version>
    </dependency>

     <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-messaging</artifactId>
        <version>${spring.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-websocket</artifactId>
        <version>${spring.version}</version>
    </dependency>

这是spring-security.xml:

<bean id="springSecurityMessagePathMatcher"    
class="org.springframework.util.AntPathMatcher"/>

现在Spring在启动时不会抛出异常并解析spring-security.xml,但它也不起作用。 SecurityContextHolder.getContext()。getAuthentication()仍然返回null。