Pass authentication info between web service and business layer (Spring, tomcat)
I have a Spring web service and a business layer deployed separately on two Tomcat servers (as explained in the question "Spring WS separately deploy web service and business layer"). The business layer is just a servlet container, and the web service communicates with it via Spring HttpInvoker.
I use Tomcat container-based authentication with Spring's PreAuthenticatedAuthenticationProvider and J2eePreAuthenticatedProcessingFilter. Here I do not provide the client application with any authentication token. (I mean I am not manually doing any session handling. It is managed only by Tomcat.)
Now I want to make sure requests to my business layer are from an authenticated client. One thing I found is to pass the Authentication object, which I get from the web service's security context as SecurityContextHolder.getContext().getAuthentication(), as a request parameter to the business layer. But there I do not have a way to verify that Authentication object. So, any idea on a way to achieve security in my business layer?
The HttpInvoker way of remoting uses an HTTP client; by default it will use a plain HttpURLConnection from the JDK. Which way of connecting is used is determined by the implementation of HttpInvokerRequestExecutor, which by default is the SimpleHttpInvokerRequestExecutor.
Now you could switch to one of the other implementations, which use Apache Commons HttpClient under the hood. You could then use BASIC authentication (or digest) to pass the username/password to the service layer (instead of the Authentication object).
Spring Security already supplies this custom implementation for you, so basically the only thing you need to do (client side) is to reconfigure your HttpInvokerProxyFactoryBean.
<bean id="yourServiceProxy" class="org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean">
<property name="httpInvokerRequestExecutor" ref="requestExecutor" />
</bean>
<bean id="requestExecutor" class="org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor"/>
See also the javadoc and the Spring Security Reference Guide. This class can be found in the spring-security-remoting dependency. Next to this dependency you need to configure your business layer to use basic authentication.
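The following is an added example, not code from the answer above or from the Spring project: the client-side proxy from the XML snippet written as Java config, next to the business-layer configuration the answer says you still need (Spring Security with HTTP Basic, plus the HttpInvokerServiceExporter that receives the calls). AccountService, the service URL, the role name and the user name/password are constructed placeholders. It assumes Spring Framework 5 and Spring Security 5 with a DispatcherServlet deployed on the business layer (HttpInvoker no longer exists in Spring 6); both halves are shown in one file for reading, but each belongs in its own WAR.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean;
import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.remoting.httpinvoker.AuthenticationSimpleHttpInvokerRequestExecutor;

/**
 * Example only: ClientRemotingConfig belongs in the web-service WAR,
 * BusinessLayerConfig in the business-layer WAR.
 */
public final class RemotingSecurityExample {

    /** Constructed service contract shared by both deployments (placeholder). */
    public interface AccountService {
        String ownerOf(String accountId);
    }

    /** Web-service side: the Java equivalent of the XML snippet in the answer. */
    @Configuration
    public static class ClientRemotingConfig {
        @Bean
        public HttpInvokerProxyFactoryBean accountService() {
            HttpInvokerProxyFactoryBean proxy = new HttpInvokerProxyFactoryBean();
            // Placeholder URL. Keep it HTTPS: Basic auth only base64-encodes the password.
            proxy.setServiceUrl("https://business-layer.example.internal/remoting/accountService");
            proxy.setServiceInterface(AccountService.class);
            // On each remote call this executor reads the Authentication from
            // SecurityContextHolder and adds "Authorization: Basic base64(name:credentials)".
            proxy.setHttpInvokerRequestExecutor(new AuthenticationSimpleHttpInvokerRequestExecutor());
            return proxy;
        }
    }

    /** Business-layer side: accept remoting calls only with valid Basic credentials. */
    @Configuration
    @EnableWebSecurity
    public static class BusinessLayerConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // No browser and no session: every remoting call carries its own credentials.
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeRequests()
                    .antMatchers("/remoting/**").hasRole("REMOTING_CLIENT")
                    .anyRequest().denyAll()
                .and()
                .httpBasic();
        }

        @Bean
        @Override
        public UserDetailsService userDetailsService() {
            // Constructed credentials for the example; a real deployment backs this with
            // the user store that matches what the web service actually forwards.
            return new InMemoryUserDetailsManager(
                User.withUsername("ws-client")
                    .password("{noop}change-me")
                    .roles("REMOTING_CLIENT")
                    .build());
        }

        /** The bean name doubles as the URL path via BeanNameUrlHandlerMapping. */
        @Bean(name = "/remoting/accountService")
        public HttpInvokerServiceExporter accountServiceExporter(AccountService accountService) {
            HttpInvokerServiceExporter exporter = new HttpInvokerServiceExporter();
            exporter.setService(accountService);
            exporter.setServiceInterface(AccountService.class);
            return exporter;
        }
    }
}
```

Two things to check before relying on this: the executor only adds the header when the current Authentication has both a name and non-null credentials, and it forwards those values as they are. With a pre-authenticated container login as in the question, the credentials in the Authentication are not the user's password but a placeholder set by the filter, and Spring Security's ProviderManager erases credentials after a normal login by default, so the business layer's user store must be keyed to whatever actually reaches it (or the web service must place a dedicated service-account Authentication in the context before the call). And because the business layer now authenticates the caller itself, denyAll on every path outside /remoting/** keeps the exporter from being the only thing standing between the network and the service.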