Spring 3.0 Security - Authorization with Authentication

Time: 2011-08-11 11:55:40

Tags: spring-security

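I am new to Spring, and my requirement is that I do not want to authenticate users with a username and password. The user is authenticated by some other application, and my application gets a request with the following details:

  1. Username
  2. Roles

I just want to use Spring Security to secure pages based on the roles in the request. I have thought about writing a UserDetailsService, but that only adds the request data; Spring still asks for authentication information. Then I thought about writing something like the following: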

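    import java.util.ArrayList;
    import java.util.Collection;
    import javax.annotation.Resource;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.GrantedAuthorityImpl;
    import org.springframework.security.core.context.SecurityContext;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.core.context.SecurityContextImpl;
    
    public class UserLogin {
    
        /*
        @Resource(name = "userDetailsService")
        private UserDetailsService userDetailsService;
        */
    
        @Resource(name = "authenticationManager")
        private AuthenticationManager authenticationManager;
    
        public boolean login(UserEntity user) {
    
            //UserDetails ud = userDetailsService.loadUserByUsername(username);
    
            // Build the authorities from the roles delivered with the request
            Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
            for (String role : user.getAuthorities()) {
                authorities.add(new GrantedAuthorityImpl(role));
            }
    
            UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user.getUsername(), user.getPassword(), authorities);
    
            try {
                Authentication auth = authenticationManager.authenticate(token);
    
                SecurityContext securityContext = new SecurityContextImpl();
    
                // Places in ThreadLocal for future retrieval
                SecurityContextHolder.setContext(securityContext);
                SecurityContextHolder.getContext().setAuthentication(auth);
    
            } catch (AuthenticationException e) {
                return false;
            }
    
            return true;
        }
    }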
    

Am I heading in the right direction? If so, how do I configure the whole thing in the Spring XML?

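1 answer:

Answer 0: (score: 8)

You are in what is called a pre-authentication scenario, where you configure Spring Security to only authorize access, not authenticate access. See http://static.springsource.org/spring-security/site/docs/3.0.x/reference/preauth.html. Below is a full configuration; you need to implement AbstractPreAuthenticatedProcessingFilter to validate the UserPrincipal of your authentication scheme, as well as the custom UserDetailsService you mentioned above.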

    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans
        xmlns:security="http://www.springframework.org/schema/security"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

        <security:global-method-security secured-annotations="enabled" />

        <beans:bean id="preAuthenticatedProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

        <security:http auto-config="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
            <security:custom-filter position="PRE_AUTH_FILTER" ref="myCustomPreAuthFilter" />
        </security:http>

        <beans:bean id="myCustomPreAuthFilter" class="com.mypackage.MyCustomPreAuthFilter">
            <beans:property name="authenticationManager" ref="authenticationManager" />
        </beans:bean>

        <security:authentication-manager alias="authenticationManager">
            <security:authentication-provider ref="preauthAuthProvider" />
        </security:authentication-manager>

        <beans:bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
            <beans:property name="preAuthenticatedUserDetailsService">
                <beans:bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                    <beans:property name="userDetailsService" ref="myCustomUserDetailsService"/>
                </beans:bean>
            </beans:property>
        </beans:bean>

    </beans:beans>
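
Added example (not part of the original answer or of Spring Security): one possible shape for the two classes the configuration above references, written against the Spring Security 3.0.x API. The header name `X-Auth-User`, the class name `MyCustomUserDetailsService` and the in-memory role table are assumptions for illustration; the header is only trustworthy if the application is reachable solely through the upstream system that sets it, and roles are resolved server-side by username because that is how `UserDetailsByNameServiceWrapper` is wired.

```java
package com.mypackage;

import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

// Added example for Spring Security 3.0.x; file MyCustomPreAuthFilter.java.
public class MyCustomPreAuthFilter extends AbstractPreAuthenticatedProcessingFilter {
    // Hypothetical header; assumed to be set only by the trusted upstream application.
    static final String USER_HEADER = "X-Auth-User";

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String user = request.getHeader(USER_HEADER);
        // Returning null leaves the request unauthenticated, so the
        // Http403ForbiddenEntryPoint answers 403 for secured resources.
        return (user == null || user.trim().length() == 0) ? null : user.trim();
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A"; // must be non-null: the provider rejects tokens with null credentials
    }
}

// Hypothetical class for the "myCustomUserDetailsService" bean (public, in its own file, in a real project).
class MyCustomUserDetailsService implements UserDetailsService {
    // Constructed sample data standing in for a real role store.
    private final Map<String, String[]> rolesByUser = new HashMap<String, String[]>();

    MyCustomUserDetailsService() {
        rolesByUser.put("alice", new String[] {"ROLE_USER", "ROLE_ADMIN"});
        rolesByUser.put("bob", new String[] {"ROLE_USER"});
    }

    public UserDetails loadUserByUsername(String username) {
        String[] roles = rolesByUser.get(username);
        if (roles == null) {
            throw new UsernameNotFoundException("Unknown pre-authenticated user: " + username);
        }
        return new User(username, "N/A", true, true, true, true, AuthorityUtils.createAuthorityList(roles));
    }
}
```

Registering the second class requires a bean with id `myCustomUserDetailsService` in the XML above, which the posted configuration references but does not define.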