简体繁体 English

满足此要求的Spring Security最佳实践

[英]Best practice on Spring Security for this requirement

原文 2014-01-13 15:18:03 3 1 java/ spring/ authentication/ spring-security

Current Spring app requires to add additional authentication checking from a POJO library. 当前的Spring应用程序需要从POJO库中添加其他身份验证检查。 The POJO library includes several customized authentication module to choose. POJO库包括几个定制的身份验证模块供您选择。 Some can be quite simple, like check the username and encrypted password within a URL from database, or from a file, others can be LDAP authentication or Web Service authenticate. 有些可以非常简单，例如从数据库或文件中检查URL中的用户名和加密密码，其他则可以通过LDAP认证或Web Service认证。

The tricky part is current application has its own authentication method within security.xml, and we don't want to compromise either one. 棘手的部分是，当前应用程序在security.xml中具有自己的身份验证方法，我们不想破坏任何一个。

My goal is make this work based on minimal change. 我的目标是基于最小的更改来进行这项工作。

I think there might be several solutions for this but trying to get a good practice: 我认为可能有几种解决方案，但是要设法获得良好的实践：

Customize a Spring authentication provider to handle the pojo authentication for the authentication manager 定制一个Spring authentication provider来处理认证管理器的Pojo认证
Customize a Spring pre-authentication (or something alike) bean for pojo and let app security do the next. 为pojo定制一个Spring pre-authentication （或类似的东西）bean，然后让应用程序安全执行下一步。
Extends a filter class and register in web.xml , so this can make minimal change to the existing spring security context, but I am not sure how to make this handle the LDAP and WS authentication. 扩展了一个filter class并在web.xml注册，因此这可以对现有的spring安全上下文进行最小的更改，但是我不确定如何使它处理LDAP和WS身份验证。

and many other options if anyone can give a better hint. 和许多其他选项（如果有人可以提供更好的提示）。 Thanks in advance. 提前致谢。

1 个解决方案

Create a custom Spring Authentication manager that extends the one that already exists. 创建一个自定义的Spring Authentication Manager，以扩展已经存在的管理器。 Call super.authenticate() and if that goes through then add the extra authentication logic. 调用super.authenticate（），如果成功，则添加额外的身份验证逻辑。