使用身份验证回退配置 Crowd Spring Security
Posted
技术标签:
【中文标题】使用身份验证回退配置 Crowd Spring Security【英文标题】:Configure Crowd Spring Security with an authentication fallback 【发布时间】:2014-11-25 05:37:04 【问题描述】:我有一个现有的 Java/Spring/Hibernate webapp,具有经典的数据库身份验证。 我刚刚成功地将它迁移到了 Crowd SSO 平台。 一切都按预期工作,但现在我想将 Spring Security 配置为在 Crowd 服务器关闭时回退到我以前的身份验证系统。
我从未配置过这样的级联身份验证,到目前为止我用谷歌阅读的内容对我没有帮助。你知道我是怎么做到的吗?
这是我的 Spring 安全配置:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/util
http://www.springframework.org/schema/util/spring-util-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd"
xmlns:util="http://www.springframework.org/schema/util"
default-autowire="byName">
<http entry-point-ref="crowdAuthenticationProcessingFilterEntryPoint">
<intercept-url pattern="/**/login" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/**/logout" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/**/login.html" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/admin/**" access="ROLE_ADMINISTRATOR"/>
<intercept-url pattern="/**" access="ROLE_ADMINISTRATOR"/>
<custom-filter position="FORM_LOGIN_FILTER" ref="authenticationProcessingFilter"/>
<custom-filter position="LOGOUT_FILTER" ref="logoutFilter"/>
</http>
<!-- My previous authentication filter -->
<beans:bean id="authenticationFilter"
class="my.package.security.CustomAuthenticationProcessingFilter">
<beans:property name="authenticationManager" ref="formAuthenticationManager"/>
<beans:property name="filterProcessesUrl" value="/login"/>
<beans:property name="continueChainBeforeSuccessfulAuthentication" value="false"/>
<beans:property name="postOnly" value="true"/>
<beans:property name="authenticationSuccessHandler" ref="authenticationHandler"/>
<beans:property name="authenticationFailureHandler" ref="authenticationHandler"/>
</beans:bean>
<beans:bean id="authenticationHandler" class="my.package.security.CustomAuthenticationHandler">
<beans:property name="alwaysUseDefaultTargetUrl" value="false"/>
</beans:bean>
<beans:bean id="customAuthenticationProvider"
class="my.package.security.MyDaoAuthenticationProvider">
<beans:property name="SaltSource">
<beans:bean class="org.springframework.security.authentication.dao.ReflectionSaltSource">
<beans:property name="userPropertyToUse" value="salt"/>
</beans:bean>
</beans:property>
</beans:bean>
<!-- Crowd config -->
<beans:bean id="crowdUserDetailsService" class="my.package.security.CustomCrowdUserDetailsServiceImpl">
<beans:property name="authenticationManager" ref="crowdAuthenticationManager"/>
<beans:property name="groupMembershipManager" ref="crowdGroupMembershipManager"/>
<beans:property name="userManager" ref="crowdUserManager"/>
<beans:property name="authorityPrefix" value=""/>
<beans:property name="userController" ref="userController"/>
</beans:bean>
<beans:bean id="crowdAuthenticationProvider" class="com.atlassian.crowd.integration.springsecurity.RemoteCrowdAuthenticationProvider">
<beans:constructor-arg ref="crowdAuthenticationManager"/>
<beans:constructor-arg ref="httpAuthenticator"/>
<beans:constructor-arg ref="crowdUserDetailsService"/>
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider ref='crowdAuthenticationProvider' />
</authentication-manager>
<beans:bean id="crowdAuthenticationProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:constructor-arg value="/login.html"/>
</beans:bean>
<beans:bean id="authenticationProcessingFilter" class="com.atlassian.crowd.integration.springsecurity.CrowdSSOAuthenticationProcessingFilter">
<beans:property name="httpAuthenticator" ref="httpAuthenticator"/>
<beans:property name="authenticationManager" ref="authenticationManager"/>
<beans:property name="filterProcessesUrl" value="/login"/>
<beans:property name="authenticationFailureHandler">
<beans:bean class="com.atlassian.crowd.integration.springsecurity.UsernameStoringAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login.html?login_error=1"/>
</beans:bean>
</beans:property>
<beans:property name="authenticationSuccessHandler">
<beans:bean class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/flexibility.html"/>
</beans:bean>
</beans:property>
</beans:bean>
<beans:bean id="crowdLogoutHandler" class="com.atlassian.crowd.integration.springsecurity.CrowdLogoutHandler">
<beans:property name="httpAuthenticator" ref="httpAuthenticator"/>
</beans:bean>
<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<beans:constructor-arg value="/login.html"/>
<beans:constructor-arg>
<beans:list>
<beans:ref bean="crowdLogoutHandler"/>
<beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
</beans:list>
</beans:constructor-arg>
<beans:property name="filterProcessesUrl" value="/logout"/>
</beans:bean>
【问题讨论】:
【参考方案1】:您需要的是一个配置了多个身份验证提供程序的身份验证管理器。 This 举个例子
【讨论】:
如果我在 中添加 ,我可以看到我的 DAOProvider 使用得很好(与调试器一起使用),但似乎很奇怪 authentication.getDetails() 仍然是 CrowdSSOAuthenticationDetails 的一个实例。并且登录仍然不起作用。似乎没有存储安全上下文:响应将重定向发送到登录页面后,但新请求将我带回登录页面...... 好的,我必须扩展 Crowd bean 以支持两种身份验证模式并使它们一起工作。但我接受你的回答,因为这是解决我的问题的第一步以上是关于使用身份验证回退配置 Crowd Spring Security的主要内容,如果未能解决你的问题,请参考以下文章
如何在同一应用程序中使用 spring-sample 示例配置 Spring Security 基本身份验证和 SAML 身份验证
如何使用 spring security 和 spring boot 对 Google 用户进行身份验证,将 mongoDB 作为存储库?
如何支持 NTLM 身份验证并回退到 ASP.NET MVC 中的表单?