
Different authentication ways on same URLs with spring-boot

I'm working on a Spring Boot web app project configured by annotations. I successfully configured spring-security to add basic authentication on some URLs and SSO on some others. But actually I have to modify that behavior to achieve this:

All my URLs are secured by both authentication methods. To identify which one to use I have to read the request's headers: if there is a ppauth token, I am going to try SSO authentication, and if I have an Authorization: Basic header I am going to try Basic auth. In any other case the authentication fails.

In the Spring Boot documentation the example is really simple: it shows the usage of WebSecurityConfigurerAdapter. Actually we can determine the authentication method by different URL patterns but not by another predicate like headers.

Does somebody have an idea?

There's always more than one way to do something. In this case the easiest is probably to write your sso filter in such a way that it continues with the chain if there is no custom header, and put it before the basic auth filter. Then if your custom filter skips the request it will be handled by the basic auth.

Finally I got a solution to this problem, so I will briefly share it:

So we have multiple authentication methods, described in several classes extending AbstractPreAuthenticatedProcessingFilter (none of those will be added to the filter chain).

On top of that we have a MultiAuthModeSecurityFilter; this class will be added to the filter chain of the application:

Inside the configure method of the WebSecurityConfigurerAdapter:

    // Each delegate filter must be instantiated with "new" before being passed in.
    http.addFilterBefore(new MultiAuthModeSecurityFilter(
            new FirstSecurityFilter(),
            new SecondSecurityFilter(),
            new ThirdSecurityFilter()), RequestCacheAwareFilter.class);

So MultiAuthModeSecurityFilter knows all our security strategies and will dispatch the request to the correct filter by doing:

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        /*some actions to define the right authMethod to use*/
        switch (authMethod) {
            case FIRST:
                firstFilter.doFilter(servletRequest, servletResponse, filterChain);
                break;
            case SECOND:
                secondFilter.doFilter(servletRequest, servletResponse, filterChain);
                break;
            case THIRD:
                thirdFilter.doFilter(servletRequest, servletResponse, filterChain);
                break;
            default:
                /* throws exception */ break;
        }
    }

Hope this will help you!
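
The header-based selection asked for in the question, written as a dispatching filter in the style of the answer above; this is an added example, not code from the original posts. The class name, the 400 response for requests carrying both credentials, and the realm value are assumptions, as are the `javax.servlet` imports (Spring Boot 2.x) and delegate filters that are already fully configured.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.GenericFilterBean;

// Hypothetical class: chooses exactly one delegate per request from its headers.
public class HeaderDispatchingAuthFilter extends GenericFilterBean {
    private static final String SSO_HEADER = "ppauth"; // header name from the question
    private static final String BASIC_PREFIX = "Basic ";
    private final Filter ssoFilter;   // e.g. an AbstractPreAuthenticatedProcessingFilter
    private final Filter basicFilter; // e.g. a BasicAuthenticationFilter

    public HeaderDispatchingAuthFilter(Filter ssoFilter, Filter basicFilter) {
        this.ssoFilter = ssoFilter;
        this.basicFilter = basicFilter;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String ssoToken = request.getHeader(SSO_HEADER);
        String authorization = request.getHeader("Authorization");
        boolean hasSso = ssoToken != null && !ssoToken.trim().isEmpty();
        // The auth scheme name is case-insensitive, so "basic " must match too.
        boolean hasBasic = authorization != null
                && authorization.regionMatches(true, 0, BASIC_PREFIX, 0, BASIC_PREFIX.length());

        if (hasSso && hasBasic) {
            // Assumed policy: refuse instead of guessing which identity should win.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Ambiguous credentials");
        } else if (hasSso) {
            ssoFilter.doFilter(req, res, chain);   // delegate continues the chain itself
        } else if (hasBasic) {
            basicFilter.doFilter(req, res, chain);
        } else {
            // Fail closed: chain.doFilter() is never called without credentials.
            response.setHeader("WWW-Authenticate", "Basic realm=\"app\""); // constructed realm
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        }
    }
}
```

Register it once with `http.addFilterBefore(...)` as in the answer; the delegates themselves stay out of the filter chain so no request is authenticated twice.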
