堆栈内存溢出
  简体   繁体   English

使用跨上下文属性检查请求参数来保护GWT应用

[英]Securing a GWT app with a request param to be checked in a crosscontext attribute

 原文  2013-03-26 10:50:56       gwt/ spring-security/ cross-context

问题描述

My application is supposed to received a request parameter called sessionId which is supposed to be used to lookup for a crosscontext attribute. 我的应用程序应该收到一个名为sessionId的请求参数,该参数应该用于查找跨上下文属性。

I was looking at Spring Security to implement this and I think already have a good implementation of my AuthenticationProvider : 我正在查看Spring Security来实现这一点,我认为我已经很好地实现了AuthenticationProvider: 

public Authentication authenticate(Authentication authentication) throws AuthenticationException {
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();
ServletContext servletContext = request.getSession().getServletContext();
String sessionId = request.getParameter("sessionId");
if (sessionId != null) {
    ServletContext sc = request.getSession().getServletContext();
    Object obj = sc.getContext("/crosscontext").getAttribute(sessionId);

    if (obj != null) {
        // return new Authentication
    }
} else {
    logger.error("No session id provided in the request");
    return null;
}
if (!GWT.isProdMode()) {
        // return new Authentication
} else {
    logger.error("No session id provided in the request");
    return null;
}
}

Now, what I would like to do is to configure Spring Security to not prompt for a user name and password, to let it reach this authentication provider call the authenticate method. 现在,我想做的是将Spring Security配置为不提示输入用户名和密码,以使其到达此身份​​验证提供程序,请调用authenticate方法。

How can I achieve this ? 我该如何实现?

1 个解决方案

解决方案1
 0 已采纳  2013-04-02 11:45:56

I fixed my issue by reviewing the design of my security and going for something closer to the preauthenticated mechanisms that are already provided by Spring Security. 我通过审查安全性设计并寻求与Spring Security已提供的预认证机制更接近的方式来解决问题。

I extended 2 components of Spring Security. 我扩展了Spring Security的2个组件。 First one is an AbstractPreAuthenticatedProcessingFilter, usually his role is to provide the principal provided in the headers. 第一个是AbstractPreAuthenticatedProcessingFilter,通常他的作用是提供标头中提供的主体。 In my case, I retrieve the header value and search in the context shared between 2 application for an attribute that corresponds to that header and returns it as principal : 就我而言,我检索标头值,并在2个应用程序之间共享的上下文中搜索与该标头相对应的属性,并将其作为principal返回: 

public class MyApplicationPreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter {

private static final Logger logger = Logger.getLogger(MyApplicationPreAuthenticatedProcessingFilter.class);

@Override
protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {

    if (MyApplicationServerUtil.isProdMode()) {
        String principal = request.getHeader("MY_HEADER");
        String attribute = (String) request.getSession().getServletContext().getContext("/crosscontext").getAttribute(principal);
        logger.info("In PROD mode - Found value in crosscontext: " + attribute);
        return attribute;
    } else {
        logger.debug("In DEV mode - passing through ...");
        return "";
    }
}

@Override
protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
    return null;
}

}

The other component is the AuthenticationProvider which will just check if the authentication contains a principal when it runs in prod mode (GWT prod) : 另一个组件是AuthenticationProvider,它将仅在身份验证以产品模式(GWT prod)运行时检查身份验证是否包含主体: 

public class MyApplicationAuthenticationProvider implements AuthenticationProvider {

private static final Logger logger = Logger.getLogger(MyApplicationAuthenticationProvider.class);

public static final String SESSION_ID = "sessionId";

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {

    if (MyApplicationServerUtil.isProdMode()) {
        if (StringUtils.isNotEmpty((String) authentication.getPrincipal())) {
            logger.warn("Found credentials: " + (String) authentication.getPrincipal());
            Authentication customAuth = new CustomAuthentication("ROLE_USER");
            customAuth.setAuthenticated(true);
            return customAuth;
        } else {
            throw new PreAuthenticatedCredentialsNotFoundException("Nothing returned from crosscontext for sessionId attribute ["
                    + (String) authentication.getPrincipal() + "]");
        }
    } else {
        Authentication customAuth = new CustomAuthentication("ROLE_USER");
        customAuth.setAuthenticated(true);
        return customAuth;
    }
}

@Override
public boolean supports(Class<?> authentication) {
    return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
}

}

I understand that it might not be the most secure application. 我了解它可能不是最安全的应用程序。 However, it will already be running in a secure environment. 但是,它将已经在安全的环境中运行。 But if you have suggestions for improvement, they're welcome ! 但是,如果您有改进的建议,欢迎您!

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 保护AppEngine上的GWT应用程序安全 - Securing GWT application on AppEngine 使用Spring Security保护GWT Servlet - Securing GWT servlets with Spring Security 保护已部署的Roo / GWT应用程序 - Securing a deployed Roo/GWT application GWT应用程序上的Selenium测试 - 请求未发送到服务器 - Selenium test on a GWT app - request not sent to server 如何检查 GWT 中是否选中了复选框? - How to check if a checkbox is checked in GWT? GWT RPC属性为空 - GWT RPC attribute empty 具有占位符属性的GWT SuggestBox - GWT SuggestBox with placeholder attribute 智能gwt样式属性 - smart gwt style attribute GWT按属性获取元素 - GWT get Elements by attribute GWT中的POST请求 - POST request in GWT
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM