客戶希望有以下情形:預認證的使用Spring Security - >基於URL參數
客戶手上出來的鏈接(Web應用地址),2個參數的web應用程序的用戶。基於這些變量,用戶將在webapp中扮演特定的角色。 我不想要任何授權。應該只有身份驗證檢查,它會查看這些url參數並檢查它們是否有效,並將用戶連接到適當的角色。
我怎樣才能認識到這一點?!有沒有可用的解決方案?
謝謝!
對於馬蒂亞斯
客戶希望有以下情形:預認證的使用Spring Security - >基於URL參數
客戶手上出來的鏈接(Web應用地址),2個參數的web應用程序的用戶。基於這些變量,用戶將在webapp中扮演特定的角色。 我不想要任何授權。應該只有身份驗證檢查,它會查看這些url參數並檢查它們是否有效,並將用戶連接到適當的角色。
我怎樣才能認識到這一點?!有沒有可用的解決方案?
謝謝!
對於馬蒂亞斯
我已經解決了這個問題。 對於那些有興趣誰....
的web.xml
<!-- ===== SPRING CONFIG ===== -->
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
<listener>
<listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/applicationContext.xml
/WEB-INF/applicationContext-security.xml
</param-value>
</context-param>
的applicationContext.xml
<context:component-scan base-package="at.beko.rainstar2" />
<tx:annotation-driven transaction-manager="transactionManager" />
的applicationContext-security.xml文件
<!-- Configuring security not finished!! -->
<http create-session="never" use-expressions="true" auto-config="false"
entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
<intercept-url pattern="/authError.xhtml" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter" />
<session-management session-fixation-protection="none" />
</http>
<beans:bean id="userDetailsServiceImpl"
class="at.beko.rainstar2.service.impl.UserDetailsServiceImpl" />
<beans:bean id="preAuthenticatedProcessingFilterEntryPoint"
class="at.beko.rainstar2.model.LinkForbiddenEntryPoint" />
<beans:bean id="preAuthenticationProvider"
class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<beans:property name="preAuthenticatedUserDetailsService"
ref="userDetailsServiceImpl" />
</beans:bean>
<beans:bean id="preAuthFilter"
class="at.beko.rainstar2.service.filter.UrlParametersAuthenticationFilter">
<beans:property name="authenticationManager" ref="appControlAuthenticationManager" />
</beans:bean>
<authentication-manager alias="appControlAuthenticationManager">
<authentication-provider ref="preAuthenticationProvider" />
</authentication-manager>
LinkForbiddenEntryPoint.java
public class LinkForbiddenEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request,
HttpServletResponse response, AuthenticationException authException)
throws IOException, ServletException {
HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.sendRedirect("/rainstar2-webapp/authError.xhtml");
}
}
UrlParametersAuthenticationFilter.java
public class UrlParametersAuthenticationFilter extends
AbstractPreAuthenticatedProcessingFilter {
@Override
protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
if (request.getParameterMap().size() == 2) {
return true;
}
return false;
}
@Override
protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
String[] credentials = new String[2];
credentials[0] = request.getParameter("param1");
credentials[1] = request.getParameter("param2");
return credentials;
}
}
UserDetailsServiceImpl.java
@SuppressWarnings("deprecation")
public class UserDetailsServiceImpl implements
AuthenticationUserDetailsService<Authentication> {
@Override
public UserDetails loadUserDetails(Authentication token)
throws UsernameNotFoundException {
UserDetails userDetails = null;
String[] credentials = (String[]) token.getPrincipal();
boolean principal = Boolean.valueOf(token.getCredentials().toString());
if (credentials != null && principal == true) {
String name = credentials[0];
if ("admin".equalsIgnoreCase(name)) {
userDetails = getAdminUser(name);
} else if ("händler".equalsIgnoreCase(name)) {
userDetails = getRetailerUser(name);
} else if ("user".equalsIgnoreCase(name)) {
userDetails = getUserUser(name);
}
}
if (userDetails == null) {
throw new UsernameNotFoundException("Could not load user : "
+ token.getName());
}
return userDetails;
}
private UserDetails getAdminUser(String username) {
Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_USER"));
grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_RETAILER"));
grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_ADMIN"));
return new User(username, "notused", true, true, true, true,
grantedAuthorities);
}
private UserDetails getRetailerUser(String username) {
Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_USER"));
grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_RETAILER"));
return new User(username, "notused", true, true, true, true,
grantedAuthorities);
}
private UserDetails getUserUser(String username) {
Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_USER"));
return new User(username, "notused", true, true, true, true,
grantedAuthorities);
}
}
我有類似的情況下解決這個問題的方法是使用Servlet過濾器來獲取參數。我建議擴展org.springframework.web.filter.GenericFilterBean。
從這些參數中,創建某種類型的auth對象(如令牌),該對象可以傳遞到您可以自動裝入(或以其他方法獲取)的AuthenticationManager中。
然後您需要有一個AuthenticationProvider,它可以處理您的auth對象,並使用您需要的GrantedAuthority集合生成一個UserDetails對象,以滿足您希望用戶擁有的特定角色。
我想牛逼o實現你的解決方案,但是我在String [] credentials =(String [])token.getPrincipal();中實現了UserDetailsServiceImpl類。 Instate我應該得到的憑據。 – focode 2016-01-31 14:02:11
這篇相關的文章幫助我實現這個https://stackoverflow.com/questions/12478589/springsecurity-custom-automatic-authentication – encastellano 2017-07-26 10:06:26