How to set up basic auth in spring security without the HTTP tag?

I'm setting up REST services that require simple Basic Auth on top of an existing application. The thing is that the security context already has an http tag from the actual application, so as simple as it is to set up Basic Auth using the tag, I can't use it because there is already one there with a totally different config (see why: https://jira.springsource.org/browse/SEC-1171; I'm using 3.0.4, waiting until 3.1 is released is a possibility but undesired).

How could I exclude my REST services from the pre-existing config and give them Basic Auth?

This is the aplicationContext-security.xml I've been playing around on top of the tutorial sample application. As it is, it has never prompted me to enter my credentials and I don't know what to add.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<global-method-security pre-post-annotations="enabled">
</global-method-security>



<beans:bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
    <filter-chain-map path-type="ant">
        <filter-chain pattern="/**" filters="basicAuthenticationFilter" />
    </filter-chain-map>
</beans:bean>

<beans:bean id="basicAuthenticationFilter"
    class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authManager" />
    <beans:property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
</beans:bean>
<beans:bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
    <beans:property name="realmName" value="ems" />
</beans:bean>
<beans:bean id="filterSecurityInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  <beans:property name="authenticationManager" ref="authManager"/>
  <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
  <beans:property name="securityMetadataSource">
    <filter-security-metadata-source>
      <intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"/>
      <intercept-url pattern="/secure/**" access="ROLE_USER" />
      <intercept-url pattern="/**" access="" />
    </filter-security-metadata-source>
  </beans:property>
</beans:bean>
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <beans:bean class="org.springframework.security.access.vote.RoleVoter" />
        </beans:list>
    </beans:property>
</beans:bean>
<beans:bean id="exceptionTranslationFilter"
 class="org.springframework.security.web.access.ExceptionTranslationFilter">
  <beans:property name="authenticationEntryPoint" ref="authenticationEntryPoint"/>
  <beans:property name="accessDeniedHandler" ref="accessDeniedHandler"/>
</beans:bean>
<beans:bean id="accessDeniedHandler" class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
</beans:bean>
<beans:bean id="securityContextPersistenceFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter"/>
<!--
Usernames/Passwords are
    rod/koala
    dianne/emu
    scott/wombat
    peter/opal
-->
<authentication-manager alias="authManager">
    <authentication-provider>
        <password-encoder hash="md5"/>
        <user-service>
            <user name="rod" password="a564de63c2d0da68cf47586ee05984d7" authorities="ROLE_SUPERVISOR, ROLE_USER, ROLE_TELLER" />
            <user name="dianne" password="65d15fe9156f9c4bbffd98085992a44e" authorities="ROLE_USER,ROLE_TELLER" />
            <user name="scott" password="2b58af6dddbd072ed27ffc86725d7d3a" authorities="ROLE_USER" />
            <user name="peter" password="22b5c9accc6e1ba628cedc63a72d57f8" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>

</beans:beans>

I managed to do it by creating a second dispatcherServlet and filterChainProxy on the web.xml, and then creating a second security-context.xml specified on the of the servlets, where I could use the tag again as it was a new context. The gotcha was to set the servletContext attribute of the filters on the web.xml so that they belonged to the appropriate spring context. This is an example of one of the filters and its corresponding servlet.

<filter>
    <filter-name>filterChainProxy</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>contextAttribute</param-name>
        <param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.servletName</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>filterChainProxy</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<servlet>
    <servlet-name>servletName</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            pathTo/servletName-servlet.xml,
            pathTo/spring-security.xml
        </param-value>
    </init-param>
</servlet>
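
A sketch of what the second, servlet-scoped security context described above could contain under Spring Security 3.0. This is an added example, not the poster's configuration: the realm name "ems" is reused from the question, and the bean name restUserDetailsService is hypothetical.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- pathTo/spring-security.xml: loaded only by the REST DispatcherServlet's
     context, so it does not collide with the security config of the main application -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- create-session="never": REST clients resend credentials on each
         request, so no HTTP session is created to hold the security context -->
    <http realm="ems" create-session="never">
        <!-- Basic credentials are only Base64-encoded, so require HTTPS -->
        <intercept-url pattern="/**" access="ROLE_USER" requires-channel="https" />
        <!-- Replies 401 with WWW-Authenticate: Basic to unauthenticated requests -->
        <http-basic />
    </http>

    <authentication-manager>
        <!-- Hypothetical bean: any UserDetailsService visible to this context -->
        <authentication-provider user-service-ref="restUserDetailsService" />
    </authentication-manager>

</beans:beans>
```

With two filter chains registered in web.xml, each `<filter-mapping>` should cover only its own URL space; a chain mapped to `/*` also runs for requests meant for the other context.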
