使用Spring Security进行预身份验证 - >基于URL参数

时间:2012-03-28 07:14:58

标签: url authentication spring-security

客户希望拥有以下方案:

客户将带有2个参数的链接(webapp地址)分发给webapp用户。基于这些变量,用户将在webapp中承担特定角色。 我不想要任何授权。应该只进行身份验证检查,查看这些url参数并检查它们是否有效,并将用户连接到相应的角色。

我怎么能意识到这一点?!是否已有解决方案?

谢谢!

问马蒂亚斯

2 个答案:

答案 0 :(得分:22)

我已经解决了这个问题。 对于那些有兴趣的人....

的web.xml

<!-- ===== SPRING CONFIG ===== -->
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<listener>
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/applicationContext.xml
        /WEB-INF/applicationContext-security.xml
    </param-value>
</context-param>

的applicationContext.xml

<context:component-scan base-package="at.beko.rainstar2" />

<tx:annotation-driven transaction-manager="transactionManager" />

的applicationContext-security.xml文件

<!-- Configuring security not finished!! -->
<http create-session="never" use-expressions="true" auto-config="false"
    entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
    <intercept-url pattern="/authError.xhtml" access="permitAll" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter" />
    <session-management session-fixation-protection="none" />
</http>

<beans:bean id="userDetailsServiceImpl"
    class="at.beko.rainstar2.service.impl.UserDetailsServiceImpl" />

<beans:bean id="preAuthenticatedProcessingFilterEntryPoint"
    class="at.beko.rainstar2.model.LinkForbiddenEntryPoint" />

<beans:bean id="preAuthenticationProvider"
    class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <beans:property name="preAuthenticatedUserDetailsService"
        ref="userDetailsServiceImpl" />
</beans:bean>

<beans:bean id="preAuthFilter"
    class="at.beko.rainstar2.service.filter.UrlParametersAuthenticationFilter">
    <beans:property name="authenticationManager" ref="appControlAuthenticationManager" />
</beans:bean>

<authentication-manager alias="appControlAuthenticationManager">
    <authentication-provider ref="preAuthenticationProvider" />
</authentication-manager>

LinkForbiddenEntryPoint.java

public class LinkForbiddenEntryPoint implements AuthenticationEntryPoint {

@Override
public void commence(HttpServletRequest request,
        HttpServletResponse response, AuthenticationException authException)
        throws IOException, ServletException {
    HttpServletResponse httpResponse = (HttpServletResponse) response;
    httpResponse.sendRedirect("/rainstar2-webapp/authError.xhtml");
}

}

UrlParametersAuthenticationFilter.java

public class UrlParametersAuthenticationFilter extends
    AbstractPreAuthenticatedProcessingFilter {

@Override
protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
    if (request.getParameterMap().size() == 2) {
        return true;
    }
    return false;
}

@Override
protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
    String[] credentials = new String[2];
    credentials[0] = request.getParameter("param1");
    credentials[1] = request.getParameter("param2");
    return credentials;
}

}

UserDetailsS​​erviceImpl.java

@SuppressWarnings("deprecation")
public class UserDetailsServiceImpl implements
    AuthenticationUserDetailsService<Authentication> {

@Override
public UserDetails loadUserDetails(Authentication token)
        throws UsernameNotFoundException {
    UserDetails userDetails = null;

            String[] credentials = (String[]) token.getPrincipal();
    boolean principal = Boolean.valueOf(token.getCredentials().toString());

    if (credentials != null && principal == true) {
        String name = credentials[0];
        if ("admin".equalsIgnoreCase(name)) {
            userDetails = getAdminUser(name);
        } else if ("händler".equalsIgnoreCase(name)) {
            userDetails = getRetailerUser(name);
        } else if ("user".equalsIgnoreCase(name)) {
            userDetails = getUserUser(name);
        }
    }

    if (userDetails == null) {
        throw new UsernameNotFoundException("Could not load user : "
                + token.getName());
    }

    return userDetails;
}

private UserDetails getAdminUser(String username) {
    Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
    grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_USER"));
    grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_RETAILER"));
    grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_ADMIN"));
    return new User(username, "notused", true, true, true, true,
            grantedAuthorities);
}

private UserDetails getRetailerUser(String username) {
    Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
    grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_USER"));
    grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_RETAILER"));
    return new User(username, "notused", true, true, true, true,
            grantedAuthorities);
}

private UserDetails getUserUser(String username) {
    Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
    grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_USER"));
    return new User(username, "notused", true, true, true, true,
            grantedAuthorities);
}

}

答案 1 :(得分:2)

我在类似情况下解决这个问题的方法是使用servlet过滤器来获取参数。我建议扩展org.springframework.web.filter.GenericFilterBean。

从这些参数中,创建某种类型的auth对象(例如令牌),可以将其传递到您可以自动加入的AuthenticationManager中(或获取其他方法)。

然后,您将需要一个可以处理auth对象的AuthenticationProvider,并使用GrantedAuthority集合生成U​​serDetails对象,以满足您希望用户拥有的特定角色。