
Spring Security SSO


I would like to include SSO in my J2EE projects. I'm trying to find a solution which does not need another server than my application server.

Here's the environment:

  • Glassfish v3.1.2
  • 2 identical projects using Spring MVC / Security (let's say project1 and project2)

What the projects implement:

  • a simple ajax login form
  • a controller with login and test methods:

     @Controller
     public class ProjectController {

         public static final String REMEMBER_ME_ACTIVE = "on";

         @Autowired
         SecurityContextRepository repository;

         @Autowired
         RememberMeServices rememberMeServices;

         @RequestMapping(value = "/login", method = RequestMethod.GET)
         public Object login(HttpServletRequest request, HttpServletResponse response) {
             System.out.println("[GET] login");
             System.out.println(SecurityContextHolder.getContext().getAuthentication());
             System.out.println(request.getSession().getId());
             return new ModelAndView("login");
         }

         @RequestMapping(value = "/login", method = RequestMethod.POST)
         @ResponseBody
         public Object login(@RequestParam("j_username") String username,
                             @RequestParam("j_password") String password,
                             @RequestParam("_spring_security_remember_me") String rememberMe,
                             HttpServletRequest request, HttpServletResponse response) {
             System.out.println("[POST] login");
             System.out.println(SecurityContextHolder.getContext().getAuthentication());
             System.out.println(request.getSession().getId());
             try {
                 UsernamePasswordAuthenticationToken token =
                         new UsernamePasswordAuthenticationToken(username, password);
                 SecurityContext context = SecurityContextHolder.getContext();
                 context.setAuthentication(token);
                 repository.saveContext(context, request, response);
                 if (REMEMBER_ME_ACTIVE.equals(rememberMe)) {
                     rememberMeServices.loginSuccess(request, response, token);
                 }
                 return "OK";
             } catch (BadCredentialsException e) {
                 return "BadCredentialsException";
             } catch (Exception e) {
                 e.printStackTrace();
                 return "Exception : " + e.getMessage();
             }
         }

         @RequestMapping(value = "/test", method = RequestMethod.GET)
         public Object test(HttpServletRequest request, HttpServletResponse response) {
             System.out.println("[GET] test");
             System.out.println(SecurityContextHolder.getContext().getAuthentication());
             System.out.println(request.getSession().getId());
             return new ModelAndView("test");
         }
     }
  • spring-security.xml:

     <?xml version="1.0" encoding="UTF-8"?>
     <beans:beans xmlns="http://www.springframework.org/schema/security"
                  xmlns:beans="http://www.springframework.org/schema/beans"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:schemaLocation="http://www.springframework.org/schema/beans
                      http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                      http://www.springframework.org/schema/security
                      http://www.springframework.org/schema/security/spring-security-3.1.xsd">

         <!-- security config -->
         <http auto-config="false" use-expressions="true" >
             <http-basic/>
             <intercept-url pattern="/login" access="hasRole('ROLE_ANONYMOUS')"/>
             <intercept-url pattern="/**" access="hasAnyRole('ROLE_USER')" />
             <form-login login-page="/login"
                         login-processing-url="/spring/login"
                         authentication-failure-url="/login"
                         default-target-url="/"
                         always-use-default-target="true" />
             <remember-me services-ref="tokenBasedRememberMeServices"
                          key="XXXXXX_1234567890"
                          use-secure-cookie="true" />
             <logout logout-url="/spring/logout"
                     invalidate-session="false"
                     logout-success-url="/login" />
             <session-management invalid-session-url="/login"
                                 session-fixation-protection="newSession">
                 <concurrency-control max-sessions="3"
                                      error-if-maximum-exceeded="false"
                                      expired-url="/login"
                                      session-registry-ref="sessionRegistry" />
             </session-management>
         </http>

         <beans:bean id="sessionRegistry"
                     class="org.springframework.security.core.session.SessionRegistryImpl" />

         <!-- authentication config -->
         <authentication-manager>
             <authentication-provider ref="userAuthenticationProvider"/>
         </authentication-manager>

         <beans:bean id="userAuthenticationProvider"
                     class="be.xxx.spring.security.UserAuthenticationProvider" />

         <beans:bean id="tokenBasedRememberMeServices"
                     class="be.xxx.spring.security.TokenBasedRememberMeServices">
             <beans:constructor-arg name="key" value="XXXXXX_1234567890"/>
             <beans:constructor-arg name="userDetailsService" ref="userDetailsService"/>
         </beans:bean>

         <beans:bean id="userDetailsService"
                     class="be.xxx.spring.security.UserDetailsService" />
     </beans:beans>

Till now, I found that Glassfish was supporting SSO as written here, but it does not seem to work alongside Spring Security. When logged in to project1, I can't see JSESSIONIDSSO. So when I start project2, it sends me the login form... I also tried to specify the same realm-name in web.xml, but no changes.

After some googling, I found some things about PreAuthenticationFilter, but I really don't know how to implement an SSO solution with this.

Could you help me find a solution?

Thanks,

Smoky
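
The pre-authentication approach mentioned in the question, as an added example that is not part of the original post: a `spring-security.xml` in which Spring Security takes over the principal already established by the container login instead of running its own form login. It assumes both applications use container-managed authentication against the same Glassfish realm with the container's SSO enabled, and that the question's `userDetailsService` bean implements Spring's `UserDetailsService`; the bean ids `forbiddenEntryPoint`, `containerPreAuthFilter` and `preAuthProvider` are hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- No form-login here: the container is assumed to have authenticated the caller. -->
    <http auto-config="false" use-expressions="true" entry-point-ref="forbiddenEntryPoint">
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
        <custom-filter position="PRE_AUTH_FILTER" ref="containerPreAuthFilter"/>
    </http>

    <!-- Answers 403 when a request arrives without a container principal. -->
    <beans:bean id="forbiddenEntryPoint"
        class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

    <!-- Reads request.getUserPrincipal(), which the container login sets. -->
    <beans:bean id="containerPreAuthFilter"
        class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
        <beans:property name="authenticationManager" ref="authenticationManager"/>
    </beans:bean>

    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="preAuthProvider"/>
    </authentication-manager>

    <!-- Trusts the principal name; authorities are loaded through userDetailsService. -->
    <beans:bean id="preAuthProvider"
        class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <beans:property name="preAuthenticatedUserDetailsService">
            <beans:bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                <beans:property name="userDetailsService" ref="userDetailsService"/>
            </beans:bean>
        </beans:property>
    </beans:bean>

    <!-- Same bean as in the question's configuration. -->
    <beans:bean id="userDetailsService" class="be.xxx.spring.security.UserDetailsService"/>
</beans:beans>
```

Because this provider never checks a password, the configuration is only safe when every request reaches the application through the container's own authentication.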

If the projects are identical, you can always use sticky sessions and share the session between the projects.
