
客戶希望實現以下情形：使用 Spring Security 進行預認證（pre-authentication），並以 URL 參數作為依據。

客戶會把一個指向 Web 應用程式的連結（網址）交給使用者，該連結帶有 2 個參數。根據這些參數的值，使用者會在 webapp 中扮演特定的角色。我不需要任何授權（authorization），只需要身份驗證檢查：它會讀取這些 URL 參數、檢查它們是否有效，並把使用者對應到適當的角色。

我要怎樣才能實現這一點？有沒有現成的解決方案？

謝謝!

對於馬蒂亞斯


我已經解決了這個問題。給有興趣的人參考……

web.xml

<!-- ===== SPRING CONFIG ===== --> 
<!-- Bootstraps the root application context from the files listed in contextConfigLocation below. --> 
<listener> 
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
</listener> 

<!-- Makes the current HTTP request available to Spring's request-scoped beans. --> 
<listener> 
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class> 
</listener> 

<!-- DelegatingFilterProxy forwards to the Spring bean that carries this filter's name
     ("springSecurityFilterChain"), i.e. the chain assembled by the <http> element in
     applicationContext-security.xml. --> 
<filter> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
</filter> 

<!-- Every URL goes through the security chain; nothing is reachable without passing
     the pre-authentication filter and the intercept-url rules. --> 
<filter-mapping> 
    <filter-name>springSecurityFilterChain</filter-name> 
    <url-pattern>/*</url-pattern> 
</filter-mapping> 

<!-- Both context files are loaded into the same root context, so the security
     beans can reference beans declared in applicationContext.xml and vice versa. --> 
<context-param> 
    <param-name>contextConfigLocation</param-name> 
    <param-value> 
     /WEB-INF/applicationContext.xml 
     /WEB-INF/applicationContext-security.xml 
    </param-value> 
</context-param> 

applicationContext.xml

<!-- Picks up annotated components below at.beko.rainstar2. The security-related
     classes shown below (entry point, filter, user details service) are instead
     declared explicitly as beans in applicationContext-security.xml. --> 
<context:component-scan base-package="at.beko.rainstar2" /> 

<!-- Enables @Transactional handling through the "transactionManager" bean
     (that bean is defined elsewhere; it is not part of this excerpt). --> 
<tx:annotation-driven transaction-manager="transactionManager" /> 

applicationContext-security.xml

<!-- Configuring security not finished!! --> 
<!-- Stateless, link-based access: no session is created by Spring Security
     (create-session="never"), so the pre-authentication filter runs on every request.
     session-fixation-protection="none" is consistent with that choice; if sessions are
     ever enabled, this setting should be revisited. use-expressions="true" is required
     for the permitAll / hasRole(...) expressions below. --> 
<http create-session="never" use-expressions="true" auto-config="false" 
    entry-point-ref="preAuthenticatedProcessingFilterEntryPoint"> 
    <!-- Must stay open: LinkForbiddenEntryPoint redirects failed requests here,
         otherwise a failure would loop straight back into the entry point. --> 
    <intercept-url pattern="/authError.xhtml" access="permitAll" /> 
    <!-- Everything else requires a successfully mapped user (all three role
         mappings in UserDetailsServiceImpl include ROLE_USER). --> 
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" /> 
    <!-- Runs in the PRE_AUTH_FILTER slot of the chain. --> 
    <custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter" /> 
    <session-management session-fixation-protection="none" /> 
</http> 

<!-- Turns the token produced by preAuthFilter into a UserDetails with the role's
     authorities. The object types the filter places into the token (principal and
     credentials) must match what this service reads back out. --> 
<beans:bean id="userDetailsServiceImpl" 
    class="at.beko.rainstar2.service.impl.UserDetailsServiceImpl" /> 

<!-- Invoked when the request carries no acceptable pre-authentication data. --> 
<beans:bean id="preAuthenticatedProcessingFilterEntryPoint" 
    class="at.beko.rainstar2.model.LinkForbiddenEntryPoint" /> 

<beans:bean id="preAuthenticationProvider" 
    class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider"> 
    <beans:property name="preAuthenticatedUserDetailsService" 
     ref="userDetailsServiceImpl" /> 
</beans:bean> 

<!-- Extracts the two URL parameters; it does not validate their values itself. --> 
<beans:bean id="preAuthFilter" 
    class="at.beko.rainstar2.service.filter.UrlParametersAuthenticationFilter"> 
    <beans:property name="authenticationManager" ref="appControlAuthenticationManager" /> 
</beans:bean> 

<authentication-manager alias="appControlAuthenticationManager"> 
    <authentication-provider ref="preAuthenticationProvider" /> 
</authentication-manager> 

LinkForbiddenEntryPoint.java

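public class LinkForbiddenEntryPoint implements AuthenticationEntryPoint {

    /**
     * Handles a request that reached a protected URL without an acceptable
     * pre-authenticated principal: instead of challenging the client, the
     * browser is redirected to the application's error page.
     *
     * <p>The target is the fixed absolute path
     * {@code /rainstar2-webapp/authError.xhtml}; it embeds the context path,
     * so it has to be adjusted if the application is deployed under another
     * name. The security configuration must keep that page open
     * ({@code permitAll}), otherwise every failure loops back into this
     * entry point.
     *
     * @param request the request that triggered the entry point (not used)
     * @param response the response on which the redirect is sent
     * @param authException the failure that caused the call; it is not shown
     *     to the client
     * @throws IOException if the redirect cannot be written
     * @throws ServletException never thrown here; declared by the interface
     */
    @Override
    public void commence(HttpServletRequest request,
            HttpServletResponse response, AuthenticationException authException)
            throws IOException, ServletException {
        // response is already typed as HttpServletResponse; the former cast was a no-op.
        response.sendRedirect("/rainstar2-webapp/authError.xhtml");
    }

}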

UrlParametersAuthenticationFilter.java

public class UrlParametersAuthenticationFilter extends
        AbstractPreAuthenticatedProcessingFilter {

    /** Names of the two request parameters carried by the customer's link. */
    private static final String FIRST_PARAMETER = "param1";
    private static final String SECOND_PARAMETER = "param2";

    /** Number of parameters a valid link is expected to carry. */
    private static final int EXPECTED_PARAMETER_COUNT = 2;

    /**
     * Returns a {@code Boolean} flag as the pre-authenticated principal:
     * {@code true} when the request carries exactly two parameters,
     * {@code false} otherwise.
     *
     * <p>Only the parameter count is checked here; the parameter values are
     * not validated in this filter. A non-null value is always returned, so
     * (per the superclass contract, where a null principal means "no
     * pre-authentication data") an authentication attempt is made for every
     * request and the outcome is decided downstream by the user details service.
     *
     * @param request the current request
     * @return {@code Boolean.TRUE} or {@code Boolean.FALSE}
     */
    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        int parameterCount = request.getParameterMap().size();
        return Boolean.valueOf(parameterCount == EXPECTED_PARAMETER_COUNT);
    }

    /**
     * Returns the two link parameters as a {@code String[]} of length 2
     * ({@code param1} at index 0, {@code param2} at index 1). An element is
     * {@code null} when the corresponding parameter is absent.
     *
     * @param request the current request
     * @return the raw parameter values, unvalidated
     */
    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return new String[] {
            request.getParameter(FIRST_PARAMETER),
            request.getParameter(SECOND_PARAMETER)
        };
    }

}

UserDetailsServiceImpl.java

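@SuppressWarnings("deprecation")
public class UserDetailsServiceImpl implements
        AuthenticationUserDetailsService<Authentication> {

    /** Password placeholder: link-based access never checks a password. */
    private static final String UNUSED_PASSWORD = "notused";

    /**
     * Maps the pre-authenticated token built by {@code UrlParametersAuthenticationFilter}
     * to a {@link UserDetails} whose authorities encode the requested role.
     *
     * <p>Token layout as the filter produces it: the <em>principal</em> is a
     * {@code Boolean} that is {@code true} when the request carried exactly two
     * parameters, and the <em>credentials</em> are a {@code String[]} holding
     * {@code param1} and {@code param2}. The previous version read the two slots
     * the other way round; casting the {@code Boolean} principal to
     * {@code String[]} cannot succeed, so every request failed before the
     * role mapping was reached.
     *
     * <p>Only the first array element is consulted: it is compared
     * case-insensitively with "admin", "händler" and "user". Nothing in this
     * class verifies that the caller is entitled to the role it names, so any
     * validation of the second parameter (or of a signed token) has to happen
     * before the result of this mapping is trusted.
     *
     * @param token the pre-authenticated token; principal and credentials as above
     * @return the user carrying the role's granted authorities
     * @throws UsernameNotFoundException if the token is not flagged as valid, has
     *     no usable credentials, or names an unknown role
     */
    @Override
    public UserDetails loadUserDetails(Authentication token)
            throws UsernameNotFoundException {
        // The array lives in the credentials slot; the principal slot holds the flag.
        Object rawCredentials = token.getCredentials();
        String[] credentials = rawCredentials instanceof String[]
                ? (String[]) rawCredentials : null;
        // null-safe: a missing principal counts as "not accepted".
        boolean linkAccepted = Boolean.TRUE.equals(token.getPrincipal());

        UserDetails userDetails = null;
        if (linkAccepted && credentials != null && credentials.length > 0) {
            String name = credentials[0];
            if ("admin".equalsIgnoreCase(name)) {
                userDetails = getAdminUser(name);
            } else if ("händler".equalsIgnoreCase(name)) {
                userDetails = getRetailerUser(name);
            } else if ("user".equalsIgnoreCase(name)) {
                userDetails = getUserUser(name);
            }
        }

        if (userDetails == null) {
            throw new UsernameNotFoundException("Could not load user : "
                    + token.getName());
        }

        return userDetails;
    }

    /** Administrator: holds every role used by the application. */
    private UserDetails getAdminUser(String username) {
        return buildUser(username, "ROLE_USER", "ROLE_RETAILER", "ROLE_ADMIN");
    }

    /** Retailer ("Händler"): plain user plus the retailer role. */
    private UserDetails getRetailerUser(String username) {
        return buildUser(username, "ROLE_USER", "ROLE_RETAILER");
    }

    /** Plain user: the role every authenticated link holder gets. */
    private UserDetails getUserUser(String username) {
        return buildUser(username, "ROLE_USER");
    }

    /**
     * Builds an enabled, non-expired, non-locked {@link User} with the given
     * roles and the placeholder password; shared by the three role builders,
     * which previously repeated this code.
     *
     * @param username the name reported by the resulting user
     * @param roles authority names, in the order they are granted
     * @return the assembled user
     */
    private static UserDetails buildUser(String username, String... roles) {
        Collection<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
        for (String role : roles) {
            grantedAuthorities.add(new GrantedAuthorityImpl(role));
        }
        // enabled, accountNonExpired, credentialsNonExpired, accountNonLocked: all true,
        // exactly as before.
        return new User(username, UNUSED_PASSWORD, true, true, true, true,
                grantedAuthorities);
    }

}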


我想要實現你的解決方案，但是我在 UserDetailsServiceImpl 類的 `String[] credentials = (String[]) token.getPrincipal();` 這一行遇到了問題。實際上那裡應該取得的是憑據（credentials）才對。 – focode 2016-01-31 14:02:11


這篇相關的文章幫助我實現這個https://stackoverflow.com/questions/12478589/springsecurity-custom-automatic-authentication – encastellano 2017-07-26 10:06:26


我在類似的情況下解決這個問題的方法，是使用 Servlet 過濾器來獲取參數。我建議擴展 org.springframework.web.filter.GenericFilterBean。

從這些參數中,創建某種類型的auth對象(如令牌),該對象可以傳遞到您可以自動裝入(或以其他方法獲取)的AuthenticationManager中。

然後您需要有一個AuthenticationProvider,它可以處理您的auth對象,並使用您需要的GrantedAuthority集合生成一個UserDetails對象,以滿足您希望用戶擁有的特定角色。