stackoom
  简体   繁体   中英

Spring security with multiple providers

 原文  2021-03-03 01:38:26       java/ spring-security/ cas

Question

I am setting up an app with 2 differents users:

  • one from my ldap that can connect with cas authentication
  • one external, hard coded with a simple formlogin

I created 2 Security configurations:

External User Configuration:

@EnableWebSecurity
@Configuration
@RequiredArgsConstructor
@Order(1)
public class SecurityVanuatuConfiguration extends WebSecurityConfigurerAdapter {

@Bean
@Override
public UserDetailsService userDetailsService() {
    UserDetails user =
        User.withUsername("user")
            .password("{noop}user")
            .roles("USER")
            .build();

    return new InMemoryUserDetailsManager(user);
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().disable().antMatcher("/user/**")
        .authorizeRequests()
        .requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()
        .anyRequest().authenticated()
        .and()
        .formLogin()
        .loginPage(LOGIN_URL).permitAll()
        .loginProcessingUrl(LOGIN_PROCESSING_URL)
        .failureUrl(LOGIN_FAILURE_URL)
        .successHandler(successHandler)
        .failureHandler(successHandler)
        .and().logout().logoutSuccessUrl(LOGOUT_SUCCESS_URL);
}

Cas Configuration: 

@EnableWebSecurity
@Configuration
@RequiredArgsConstructor
@Order(2)
public class SecurityCasConfiguration extends WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable().antMatcher("/admin/**")
        .authorizeRequests()
        .requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()
        .anyRequest().authenticated()
        .and()
        .httpBasic()
        .authenticationEntryPoint(authenticationEntryPoint())
        .and()
        .addFilter(casAuthenticationFilter())
        .addFilterBefore(casLogoutFilter(), CasAuthenticationFilter.class);
}

@Bean
public SingleSignOutFilter casLogoutFilter() {
    SingleSignOutFilter singleSignOutFilter = new SingleSignOutFilter();
    return singleSignOutFilter;
}

// if I remove this bean, external configuration works
@Bean
public CasAuthenticationProvider casAuthenticationProvider() {
    CasAuthenticationProvider provider = new CasAuthenticationProvider();
    provider.setServiceProperties(serviceProperties());
    provider.setTicketValidator(new Cas30ServiceTicketValidator("https://sso.unc.nc/cas"));
    provider.setKey("cas");
    provider.setAuthenticationUserDetailsService(successHandler);
    return provider;
}

Each configuration work when it's alone, but when there is both, the external doesn't work.

It seems that the CasAuthenticationProvider bean prevent the formLogin to work and I endup in the FailureHandler.

Here is the error:

org.springframework.security.authentication.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken

How can I make these 2 configuration work together?

1 answers

solution1
 1  2021-03-04 01:13:13

when you mark something as @Bean you are putting it in the pool of beans that spring can use to inject into classes if they need it.

you have registered

@Bean
public CasAuthenticationProvider casAuthenticationProvider() {
    ...
}

as a @Bean which is an AuthenticationProvider . When you register this using @Bean it will get picked up by everyone that needs it, meaning that both your WebSecurityConfigurerAdapter will use it.

Spring has no way of knowing that you only want this is in one of your security configurations and not the other.

you have to explicitly define that you want it in one and not the other by removing @Bean and setting it manually.

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(casAuthenticationProvider());
}

public CasAuthenticationProvider casAuthenticationProvider() {
    ...
}

You have to always decied if you want to set something manually, or use @Bean and let spring inject it for you.

So for instance, you are registering a filter (casLogoutFilter) setting it manually but also defining it as @Bean telling spring to inject it into the filter chain, which sort of doesn't make sense.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Spring security with multiple authentication providers - UsernameNotFoundException Spring Security - multiple authentication-providers Spring Security many providers Spring security - remember-me authentication with multiple authentication providers Spring security - How to configure multiple authentication providers using java config Multiple authentication providers: /j_spring_security_check and social login Understanding authentication providers in Spring security Spring Boot/Spring Security Choose Between Multiple Authentication Providers Based On Path Multiple resource providers in same transaction Spring Multiple SSO providers in Spring Boot Auth server
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM