具有不同 UsernamePasswordAuthToken 的多个 AuthenticationProvider 来验证不同的登录表单而无需回退验证

Posted 2023-02-27

【中文标题】具有不同 UsernamePasswordAuthToken 的多个 AuthenticationProvider 来验证不同的登录表单而无需回退验证

【英文标题】：Multiple AuthenticationProvider with different UsernamePasswordAuthToken to authenticate different login forms without fallback authentication

【发布时间】：2020-01-12 20:35:28

【问题描述】：

在使用 spring security 时，我查看了 *** 中有趣的线程，需要针对 不同的身份验证提供程序 对 两组用户 进行身份验证，表示员工反对LDAP 和客户反对DATABASE。 Thread 提出了一个公认的解决方案，即使用带有单选按钮的单一登录表单来区分员工和客户，并具有 自定义身份验证过滤器，该过滤器根据 userType 区分登录请求并设置不同的 authenticationToken(customerAuthToken /employeeAuthToken）并请求进行身份验证。将有两个AuthenticationProvider 实现，身份验证由支持令牌完成并决定。 通过这种方式，线程能够提供有趣的解决方案来避免 Spring Security 默认提供的回退身份验证。

看看线程Configuring Spring Security 3.x to have multiple entry points

因为答案完全在 xml 配置中。我只是想让解决方案在 java 配置中可用。我将在答案中发布。

现在我的问题，随着春季版本的发展，除了我的答案之外，是否有可能通过任何新功能/最小配置来获得相同的功能？

【参考方案1】：

由于this thread给出了完整的信息，我只是发布Java配置参考的代码。

在这里我假设以下事情 1. 用户和管理员作为两组用户。 2. 为简单起见，两者都使用内存身份验证。 - 如果 userType 是用户，则只有用户凭据才可以工作。 - 如果 userType 是 Admin，则只有管理员凭据才能工作。 - 并且应该能够为不同的权限提供相同的应用程序接口。

还有代码You can download working code from my github repository

---

CustomAuthenticationFilter

@Component
public class MyAuthenticationFilter extends UsernamePasswordAuthenticationFilter

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException
    
        UsernamePasswordAuthenticationToken authToken = null;

        if ("user".equals(request.getParameter("userType"))) 
        
            authToken = new UserUsernamePasswordAuthenticationToken(request.getParameter("userName"), request.getParameter("password"));
        
        else 
        
            authToken = new AdminUsernamePasswordAuthenticationToken(request.getParameter("userName"), request.getParameter("password"));
        

        setDetails(request, authToken);

        return super.getAuthenticationManager().authenticate(authToken);
    

CustomAuthentictionTokens

public class AdminUsernamePasswordAuthenticationToken extends UsernamePasswordAuthenticationToken
   
    public AdminUsernamePasswordAuthenticationToken(Object principal, Object credentials)
    
        super(principal, credentials);
    

    public AdminUsernamePasswordAuthenticationToken(Object principal, Object credentials,
            Collection<? extends GrantedAuthority> authorities)
    
        super(principal, credentials, authorities);
    


public class UserUsernamePasswordAuthenticationToken extends UsernamePasswordAuthenticationToken

    public UserUsernamePasswordAuthenticationToken(Object principal, Object credentials)
    
        super(principal, credentials);
    

    public UserUsernamePasswordAuthenticationToken(Object principal, Object credentials,
            Collection<? extends GrantedAuthority> authorities)
    
        super(principal, credentials, authorities);
    

CustomAuthentictionProvider - For Admin

@Component
public class AdminCustomAuthenticationProvider implements AuthenticationProvider

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException
    
        String username = authentication.getName();
        String password = authentication.getCredentials().toString();

        if (username.equals("admin") && password.equals("admin@123#"))
        
            List<GrantedAuthority> authorityList = new ArrayList<>();
            GrantedAuthority authority = new SimpleGrantedAuthority("ROLE_ADMIN");
            authorityList.add(authority);

            return new UserUsernamePasswordAuthenticationToken(username, password, authorityList);
        
        return null;
    

    @Override
    public boolean supports(Class<?> authentication)
    
        return authentication.equals(AdminUsernamePasswordAuthenticationToken.class);
    

CustomAuthentictionProvider - For User

@Component
public class UserCustomAuthenticationProvider implements AuthenticationProvider

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException
    

        String username = authentication.getName();
        String password = authentication.getCredentials().toString();

        if (username.equals("user") && password.equals("user@123#"))
        
            List<GrantedAuthority> authorityList = new ArrayList<>();
            GrantedAuthority authority = new SimpleGrantedAuthority("ROLE_USER");
            authorityList.add(authority);

            return new UserUsernamePasswordAuthenticationToken(username, password, authorityList);
        
        return null;
    

    @Override
    public boolean supports(Class<?> authentication)
    
        return authentication.equals(UserUsernamePasswordAuthenticationToken.class);
    

CustomHandlers required for CustomFilter

@Component
public class CustomAuthenticationFailureHandler implements AuthenticationFailureHandler

    @Override
    public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException
    
        response.sendRedirect(request.getContextPath() + "/login?error=true");
       


@Component
public class CustomAuthenticationSuccessHandler implements AuthenticationSuccessHandler

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException
    
        HttpSession session = request.getSession();
        if (session != null)
        
            session.removeAttribute(WebAttributes.AUTHENTICATION_EXCEPTION);
        
        response.sendRedirect(request.getContextPath() + "/app/user/dashboard");
    

最后是SpringSecurityConfiguration

@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter 

    @Autowired
    DataSource dataSource;

    @Autowired
    private AdminCustomAuthenticationProvider adminCustomAuthenticationProvider;

    @Autowired
    private UserCustomAuthenticationProvider userCustomAuthenticationProvider;

    @Autowired
    private CustomAuthenticationSuccessHandler customAuthenticationSuccessHandler;

    @Autowired
    private CustomAuthenticationFailureHandler customAuthenticationFailureHandler;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception
    
        auth.authenticationProvider(adminCustomAuthenticationProvider);
        auth.authenticationProvider(userCustomAuthenticationProvider);
    

    @Bean
    public MyAuthenticationFilter myAuthenticationFilter() throws Exception
    
        MyAuthenticationFilter authenticationFilter = new MyAuthenticationFilter();

        authenticationFilter.setAuthenticationSuccessHandler(customAuthenticationSuccessHandler);
        authenticationFilter.setAuthenticationFailureHandler(customAuthenticationFailureHandler);
        authenticationFilter.setRequiresAuthenticationRequestMatcher(new AntPathRequestMatcher("/login", "POST"));
        authenticationFilter.setAuthenticationManager(authenticationManagerBean());

        return authenticationFilter;
    

    @Override
    protected void configure(final HttpSecurity http) throws Exception
    
        http
        .addFilterBefore(myAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class)
        .csrf().disable()
        .authorizeRequests()
            .antMatchers("/resources/**", "/", "/login")
                .permitAll()
            .antMatchers("/config/*", "/app/admin/*")
                .hasRole("ADMIN")
            .antMatchers("/app/user/*")
                .hasAnyRole("ADMIN", "USER")
            .antMatchers("/api/**")
                .hasRole("APIUSER")
        .and().exceptionHandling()
            .accessDeniedPage("/403")
        .and().logout()
            .logoutSuccessHandler(new CustomLogoutSuccessHandler())
            .invalidateHttpSession(true);

        http.sessionManagement().maximumSessions(1).expiredUrl("/login?expired=true");
    

希望这将有助于理解配置多重身份验证而不使用回退身份验证。