[英]Spring security - How to configure multiple authentication providers using java config
I m trying to configure an application which has multiple authentication mechanisms(DB and LDAP) and which uses spring security as its underlying framework. 我正在尝试配置一个具有多种身份验证机制(DB和LDAP)并且使用spring安全性作为其基础框架的应用程序。 I m using java configuration to set up the web and http security.
我正在使用Java配置来设置Web和http安全性。 I understand that we would need multiple WebSecurityConfigurerAdapter instances for multiple http elements(as used in xml based config);
我知道我们将需要多个WebSecurityConfigurerAdapter实例用于多个http元素(用于基于xml的配置中); but when I do that, the application only picks up the first authentication configured(database auth) and never authenticates with the 2nd authentication(ldap auth).
但是,当我这样做时,应用程序仅获取配置的第一个身份验证(数据库身份验证),而从不使用第二个身份验证(ldap身份验证)进行身份验证。 Any reason why ?
有什么原因吗? Here is the code snippet
这是代码片段
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfiguration{
@Configuration
@Order(1)
public static class DBSecurityConfig extends WebSecurityConfigurerAdapter {
@Inject
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService);
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers("/scripts/**/*.{js,html}")
.antMatchers("/console*");
}
protected void configure(HttpSecurity http) throws Exception {
http.csrf()
.addFilterAfter(new CsrfCookieGeneratorFilter(), CsrfFilter.class)
.exceptionHandling()
.authenticationEntryPoint(authenticationEntryPoint)
.and()
.formLogin()
.loginProcessingUrl("/api/authentication")
.successHandler(ajaxAuthenticationSuccessHandler)
.failureHandler(ajaxAuthenticationFailureHandler)
.usernameParameter("j_username")
.passwordParameter("j_password")
.permitAll()
.and()
.logout()
.logoutUrl("/api/logout")
.logoutSuccessHandler(ajaxLogoutSuccessHandler)
.deleteCookies("JSESSIONID")
.permitAll()
.and()
.headers()
.frameOptions()
.disable()
.and()
.authorizeRequests()
.antMatchers("/api/**").permitAll()
.antMatchers("/api*//**").authenticated();
}
}
@Configuration
public static class LDAPSecurityConfig extends WebSecurityConfigurerAdapter {
@Inject
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.ldapAuthentication()
.userDnPatterns("uid={0},ou=people")
.groupSearchBase("ou=groups")
.contextSource()
.ldif("classpath:users.ldif");
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers("/console*");
}
protected void configure(HttpSecurity http) throws Exception {
http.csrf()
.addFilterAfter(new CsrfCookieGeneratorFilter(), CsrfFilter.class)
.exceptionHandling()
.authenticationEntryPoint(ldapAuthenticationEntryPoint)
.and()
.formLogin()
.loginProcessingUrl("/api/ldapAuthentication")
.successHandler(ldapAjaxAuthenticationSuccessHandler)
.failureHandler(ldapAjaxAuthenticationFailureHandler)
.usernameParameter("j_username")
.passwordParameter("j_password")
.permitAll()
.and()
.logout()
.logoutUrl("/api/logout")
.logoutSuccessHandler(ajaxLogoutSuccessHandler)
.deleteCookies("JSESSIONID")
.permitAll()
.and()
.headers()
.frameOptions()
.disable()
.and()
.authorizeRequests()
.antMatchers("/api/**").permitAll()
.antMatchers("/api*//**").authenticated();
}
}
I edited some of the code for brevity. 为了简洁起见,我编辑了一些代码。 Any insight as to why it is not picking up the ldap authentication is appreciated.
感谢您对为何不采用ldap身份验证的任何见解。
Thanks 谢谢
Old posting, but I just discovered the answer myself. 旧的帖子,但是我自己发现了答案。 The builder that is implemented in the
auth
object builds an AuthenticationManager
with what you provider. auth
对象中实现的构建器将使用您提供的内容构建AuthenticationManager
。 Each instance of the configurer you have will attempt to do the same thing, but only one of the resulting AuthenticationManager objects will actually be used by your app. 您拥有的每个配置程序实例都将尝试执行相同的操作,但是您的应用程序实际上只会使用生成的AuthenticationManager对象之一。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.