How to switch security model in runtime with Spring Security?

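How can I switch the security model at runtime so that

  1. an existing Spring Security component can produce an Authentication, and
  2. an existing Spring Security component can validate the Authentication

I think I have solved (2), but cannot quite figure out (1).


Spring Security configuration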

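import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // addFilterBefore requires a reference filter class; the position chosen here
        // (before UsernamePasswordAuthenticationFilter) is an assumption.
        http.authorizeRequests().antMatchers("/**").authenticated().and()
            .addFilterBefore(switchingFilter(), UsernamePasswordAuthenticationFilter.class);
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Call the @Bean method; there is no field named switchingAuthenticationProvider
        auth.authenticationProvider(switchingAuthenticationProvider());
    }

    @Bean
    public SwitchingAuthenticationProvider switchingAuthenticationProvider() {
        return new SwitchingAuthenticationProvider();
    }

    @Bean
    public SwitchingFilter switchingFilter() {
        return new SwitchingFilter();
    }
}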

SwitchingAuthenticationProvider is simple: it just delegates to some other AuthenticationProvider (i.e. LDAP / OAUTH2 or something else)

(Inspired by "Switching authentication methods at runtime with Spring Security".)

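import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

public class SwitchingAuthenticationProvider implements AuthenticationProvider {

    private AuthenticationProvider[] authProviders = // ...

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        return authProviders[i].authenticate(authentication); // i: currently selected provider
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return authProviders[i].supports(authentication); // required by the interface
    }
}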

But what creates the Authentication? As far as I understand, one option is to let a GenericFilterBean create the Authentication, as shown below.

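import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.GenericFilterBean;

public class SwitchingFilter extends GenericFilterBean {

    private AuthProviderService authProviders = // ...

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        Authentication authentication = authProviders.getAuthentication(request);
        SecurityContextHolder.getContext().setAuthentication(authentication);
        try {
            chain.doFilter(request, response); // the parameter is named chain
        } finally {
            SecurityContextHolder.getContext().setAuthentication(null); // clear even if the chain throws
        }
    }
}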

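... where AuthProviderService would delegate to create the authentication. But how do I plug this in with something equivalent to HttpSecurity#httpBasic() or HttpSecurity#openIdLogin()?


Bonus question: what is the difference between HttpSecurity#authenticationProvider(..) and AuthenticationManagerBuilder.authenticationProvider(..)?

It appears that Filters are responsible for creating the Authentication (not sure if anything else is as well).

Take AnonymousAuthenticationFilter as an example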

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {

    // Only populate the context when no earlier filter has authenticated the request
    if (SecurityContextHolder.getContext().getAuthentication() == null) {
        SecurityContextHolder.getContext().setAuthentication(
                createAuthentication((HttpServletRequest) req));
    }

    chain.doFilter(req, res);
}

Similarly, I think SwitchingFilter should look like SwitchingAuthenticationProvider

public class SwitchingFilter extends GenericFilterBean {

    private Filter[] filters = // ...

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        filters[i].doFilter(request, response, chain);
        // do filterChain.doFilter(request, response); ??
    }
}

... with some mechanism for choosing the appropriate index i.
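
An added example, not part of the original question and not Spring Security's own code: one way to build the "mechanism for choosing the appropriate index i" is to key the delegate filters by mode name and hold the active mode in an atomic reference, rejecting unknown modes so that a bad switch fails closed. The class name RuntimeSwitchingFilter, the switchTo method and the mode names are hypothetical, and the javax.servlet API matching the WebSecurityConfigurerAdapter configuration above is assumed.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicReference;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.springframework.web.filter.GenericFilterBean;

// Hypothetical class for illustration; mode names such as "basic" or "openid" are assumptions.
public class RuntimeSwitchingFilter extends GenericFilterBean {

    private final Map<String, Filter> delegates;      // mode name -> authentication filter
    private final AtomicReference<String> activeMode; // safe to change while requests are in flight

    public RuntimeSwitchingFilter(Map<String, Filter> delegates, String initialMode) {
        this.delegates = Collections.unmodifiableMap(new HashMap<>(delegates));
        this.activeMode = new AtomicReference<>(requireKnown(initialMode));
    }

    // Call only from code that has already authorized the caller to change the security model.
    public void switchTo(String mode) {
        activeMode.set(requireKnown(mode));
    }

    // Reject unknown modes up front so a bad switch can never leave requests without a filter.
    private String requireKnown(String mode) {
        if (mode == null || !delegates.containsKey(mode)) {
            throw new IllegalArgumentException("Unknown authentication mode: " + mode);
        }
        return mode;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Read the mode once so a concurrent switch cannot mix mechanisms within one request.
        Filter delegate = delegates.get(activeMode.get());
        // The delegate either continues the chain or ends the request (e.g. with a 401),
        // so chain.doFilter must not be called a second time here.
        delegate.doFilter(request, response, chain);
    }
}
```

Because each delegate filter produces its own Authentication type, the matching AuthenticationProvider can be selected through supports(), which ProviderManager already consults for every registered provider.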
