具有X.509证书的Spring Security
[英]Spring Security With X.509 Certificate
问题描述
I am slowly going insane trying to configure Spring Security 3.0.0 to secure an application. 
我正在慢慢地疯狂尝试配置Spring Security 3.0.0以保护应用程序。
I have configured the server (jetty) to require client authentication (using a smart card). 我已将服务器(码头)配置为要求客户端身份验证(使用智能卡)。 However, I cannot seem to get the applicationContext-security.xml and UserDetailsService implementation right. 但是,我似乎无法正确获得applicationContext-security.xml和UserDetailsService实现。
First, from the application context file: 首先,从应用程序上下文文件:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:security="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">
<security:global-method-security secured-annotations="enabled" />
<security:http auto-config="true">
<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
<security:x509 subject-principal-regex="CN=(.*?)," user-service-ref="accountService" />
</security:http>
<bean id="accountService" class="com.app.service.AccountServiceImpl"/>
The UserDetailsService looks like this: UserDetailsService看起来像这样:
public class AccountServiceImpl implements AccountService, UserDetailsService {
private static final Log log = LogFactory.getLog(AccountServiceImpl.class);
private AccountDao accountDao;
@Autowired
public void setAccountDao(AccountDao accountDao) {
this.accountDao = accountDao;
}
public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException, DataAccessException {
log.debug("called loadUserByUsername()");
System.out.println("called loadByUsername()");
Account result = accountDao.getByEdpi(s);
return result;
}
} }
The application has a "front page" with a Login button, so access to that should not require any sort of authentication. 该应用程序有一个带有“登录”按钮的“首页”,因此访问该页面无需进行任何身份验证。
Any help is appreciated. 任何帮助表示赞赏。
2 个解决方案
解决方案1
5 已采纳 2012-03-14 20:56:16
The application has a "front page" with a Login button, so access to that should not require any sort of authentication.
Something wrong is here. 这里出问题了。 If you setup your servlet container to require client authentication, you cannot have such open-for-all page, in that case auth handshake won't success for users without smartcard and they won't even see container error page - It will be browser error instead. 如果您将Servlet容器设置为需要客户端身份验证,则无法拥有这样的“所有人开放”页面,在这种情况下,没有智能卡的用户无法成功进行身份验证握手,甚至不会看到容器错误页面-这将是浏览器错误。
It can be done making container to allow client auth and making login page open to anonymous users and secure other pages by SpringSec. 可以通过设置容器来允许客户端身份验证,并使登录页面向匿名用户打开并通过SpringSec保护其他页面来完成。 But I won't recommend this for smartcard-PKI app. 但是我不建议将其用于智能卡-PKI应用程序。 Smartcard auth implies security importance and it's more reliable to have non-smartcard users to thrown out early on container handshake. 智能卡身份验证意味着安全性的重要性,让非智能卡用户尽早放弃容器握手更为可靠。 In that case you still can have user-friendly Login page on another port with a "Login" button linked to your app. 在这种情况下,您仍然可以在另一个端口上拥有用户友好的“登录”页面,并带有链接到您的应用程序的“登录”按钮。
If you need help with SpringSecurity setup, please add more info about problems to your post. 如果您需要有关SpringSecurity设置的帮助,请在帖子中添加有关问题的更多信息。
解决方案2
1 2010-02-12 22:03:09
From a configuration perspective, that looks fine. 从配置的角度来看,这看起来不错。 What is the error you're seeing? 您看到的错误是什么? Are you seeing your UserDetailsService get invoked with the CN from X.509 cert? 您是否看到从X.509证书的CN调用了UserDetailsService?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.