How do I authenticate a preauthenticated LDAP user using Spring Security, using Ping Access and a username passed in the header?

I was previously using basic auth but I need to switch to federated auth using Ping Access. The user is already authenticated and the username along with the token are sent in the request header. How do I link the username to an LDAP user principal using Spring Security?
So, there are a number of things to consider as you are considering your implementation. Here is a very basic rundown of the pieces in play.
The filter chain is typically for differentiating between servlets and the rest of the app. If you have extended `OncePerRequestFilter` then you are likely already on the right path.
If you intend to follow the typical Spring Security model, this filter would prepare an `Authentication` object that can then be authenticated in an `AuthenticationManager`. You might try and use an existing `Authentication` implementation like `PreAuthenticatedAuthenticationToken`, or you might create your own and call it `JwtAuthenticationToken`.
`AuthenticationManager` is essentially a collection of providers that can authenticate a token, like your JWT token. Their contract is separate from servlets and is therefore a bit more flexible.
You would probably create a `JwtAuthenticationProvider` that would validate the token and then invoke a `UserDetailsService` to get the underlying user.
Spring Security doesn't have dedicated support for JWTs, but they do have some libraries that use Nimbus. You could check out the code in spring-security-oauth2-resource-server to see how they are verifying JWTs using a JWK Set URI. You wouldn't want to depend on that library since it is focused on OAuth, but it might give you some ideas.
A `UserDetailsService` implementation is responsible for querying a backend and retrieving a user from it. For example, there is `LdapUserDetailsService` that you could possibly use.
So, with all of that said, here is a summary of what I would probably do:

1. Create a `JwtAuthenticationToken` object that can house the JWT token and possibly represent a successful authentication when Spring Security completes the verification process.
2. Create a `JwtAuthenticationFilter` that reads the token from the request and populates a `JwtAuthenticationToken`, sending it to an `AuthenticationManager`.
3. Create a `JwtAuthenticationProvider` that reads a `JwtAuthenticationToken` and sends it to Nimbus (or Auth0 or some other JWT library) for validation. You will need to decide how you trust that token: Nimbus is capable of checking remotely via a JWK Set URI or locally via a pre-configured set of public or symmetric keys. (Lots to think about here, too!)
4. Use the `LdapUserDetailsService`, passing it the name of the parsed subject. The `UserDetails` that comes back can be supplied as the principal for the `Authentication` object that your provider returns.
So, let's say that you don't want/need to follow the Spring Security development model, but just want to get something working ASAP. The two things that you ultimately need to accomplish are `LdapUserDetailsService`. From the `UserDetails` this gives you, you can build an `Authentication` object that you can set on the `SecurityContextHolder`. Such would be not as flexible over time, but it might get you started a bit faster.
You didn't ask about this, but I wonder what you are planning on doing if the token is somehow invalid. For those cases, you may want to look at `AuthenticationEntryPoint`s and `AccessDeniedHandler`s.
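As an added example that is not part of the original answer and not Spring Security's own code, here is the four-piece skeleton the answer sketches, written out in Java. Assumptions not stated on the page: the token arrives as `Authorization: Bearer <jwt>`, it is RS256-signed and the issuer's public key is handed in as an `RSAPublicKey` (for instance loaded from the JWK Set URI the answer mentions), and `ldapUsers` is a configured `LdapUserDetailsService`. The class names `JwtAuthenticationToken`, `JwtAuthenticationFilter` and `JwtAuthenticationProvider` are the ones the answer proposes; the field names, header name and error messages are mine.

```java
import java.io.IOException;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.web.filter.OncePerRequestFilter;

// Step 1: an Authentication that holds the raw JWT before verification and the LDAP user after it.
class JwtAuthenticationToken extends AbstractAuthenticationToken {
    private final String token;     // compact JWT, exposed as the credentials
    private final Object principal; // null until verified, then the LDAP UserDetails

    JwtAuthenticationToken(String token) {                   // unauthenticated request token
        super(null);
        this.token = token;
        this.principal = null;
        setAuthenticated(false);
    }
    JwtAuthenticationToken(UserDetails user, String token) { // successful result token
        super(user.getAuthorities());
        this.token = token;
        this.principal = user;
        setAuthenticated(true);
    }
    @Override public Object getCredentials() { return token; }
    @Override public Object getPrincipal() { return principal; }
}

// Step 2: read the token from the request and hand it to the AuthenticationManager.
class JwtAuthenticationFilter extends OncePerRequestFilter {
    private final AuthenticationManager authenticationManager;
    JwtAuthenticationFilter(AuthenticationManager am) { this.authenticationManager = am; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String header = req.getHeader("Authorization"); // assumed header shape: "Authorization: Bearer <jwt>"
        if (header != null && header.startsWith("Bearer ")) {
            try {
                Authentication result = authenticationManager.authenticate(
                        new JwtAuthenticationToken(header.substring("Bearer ".length())));
                SecurityContextHolder.getContext().setAuthentication(result);
            } catch (AuthenticationException e) {
                // Leave the context empty so the configured AuthenticationEntryPoint rejects the request.
                SecurityContextHolder.clearContext();
            }
        }
        chain.doFilter(req, res);
    }
}

// Steps 3 and 4: verify signature and expiry with Nimbus, then resolve the subject through LDAP.
class JwtAuthenticationProvider implements AuthenticationProvider {
    private final RSAPublicKey verificationKey; // assumed: issuer's RS256 public key, e.g. from its JWK Set
    private final UserDetailsService ldapUsers; // assumed: a configured LdapUserDetailsService

    JwtAuthenticationProvider(RSAPublicKey verificationKey, UserDetailsService ldapUsers) {
        this.verificationKey = verificationKey;
        this.ldapUsers = ldapUsers;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String token = (String) authentication.getCredentials();
        try {
            SignedJWT jwt = SignedJWT.parse(token);
            if (!jwt.verify(new RSASSAVerifier(verificationKey))) {
                throw new BadCredentialsException("JWT signature does not verify");
            }
            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            Date exp = claims.getExpirationTime();
            if (exp == null || exp.before(new Date())) {
                throw new BadCredentialsException("JWT is expired or carries no exp claim");
            }
            String subject = claims.getSubject();
            if (subject == null) {
                throw new BadCredentialsException("JWT carries no sub claim");
            }
            // Identify the user by the subject of the verified token, never by a bare username header.
            UserDetails user = ldapUsers.loadUserByUsername(subject);
            return new JwtAuthenticationToken(user, token);
        } catch (ParseException | JOSEException e) {
            throw new BadCredentialsException("JWT could not be parsed or verified", e);
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return JwtAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

To wire this in, register the provider on your `AuthenticationManagerBuilder` with `authenticationProvider(...)` and add the filter with `http.addFilterBefore(new JwtAuthenticationFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class)`. Note that the plain username header from the question is deliberately not read anywhere: the only identity the LDAP lookup trusts is the `sub` claim of a token whose signature and expiry have been checked, so a caller cannot become another user simply by rewriting a header. Failed verification leaves the `SecurityContext` empty, which is where the `AuthenticationEntryPoint` the answer mentions takes over.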