堆棧內存溢出
  簡體   English   中英

Spring Security + Cas Auth +靜態用戶列表

[英]Spring Security + Cas Auth + Static User List allowed

 原文  2018-10-04 23:58:12       java/ spring-security/ cas

問題描述

我的應用程序具有spring安全配置,可連接到cas服務器(正在運行): 

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${cas.service-url}")
    private String serviceUrl;

    @Value("${cas.cas-url}")
    private String casUrl;

    @Autowired
    private AuthenticationProvider authenticationProvider;

    @Autowired
    private AuthenticationEntryPoint authenticationEntryPoint;

    @Autowired
    private SingleSignOutFilter singleSignOutFilter;

    @Autowired
    private LogoutFilter logoutFilter;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf()
                .disable()
                .authorizeRequests()
                .regexMatchers("/secured.*")
                .authenticated()
                .and()
                .authorizeRequests()
                .regexMatchers("/")
                .permitAll()
                .and()
                .httpBasic()
                .authenticationEntryPoint(authenticationEntryPoint)
                .and()
                .addFilterBefore(singleSignOutFilter, CasAuthenticationFilter.class)
                .addFilterBefore(logoutFilter, LogoutFilter.class);
    }

    @Override
    protected AuthenticationManager authenticationManager() throws Exception {
        return new ProviderManager(Arrays.asList(authenticationProvider));
    }

    @Bean
    public CasAuthenticationFilter casAuthenticationFilter(ServiceProperties sP) throws Exception {
        CasAuthenticationFilter filter = new CasAuthenticationFilter();
        filter.setServiceProperties(sP);
        filter.setAuthenticationManager(authenticationManager());
        return filter;
    }

    @Bean
    public ServiceProperties serviceProperties() {
        ServiceProperties serviceProperties = new ServiceProperties();
        serviceProperties.setService(serviceUrl);
        serviceProperties.setSendRenew(false);
        return serviceProperties;
    }

    @Bean
    @Primary
    public AuthenticationEntryPoint authenticationEntryPoint(ServiceProperties sP) {
        CasAuthenticationEntryPoint entryPoint = new CasAuthenticationEntryPoint();
        entryPoint.setLoginUrl(casUrl + "/login");
        entryPoint.setServiceProperties(sP);
        return entryPoint;
    }

    @Bean
    public TicketValidator ticketValidator() {
        return new Cas30ServiceTicketValidator(casUrl);
    }

    @Bean
    public CasAuthenticationProvider casAuthenticationProvider() {
        CasAuthenticationProvider provider = new CasAuthenticationProvider();
        provider.setServiceProperties(serviceProperties());
        provider.setTicketValidator(ticketValidator());
        provider.setUserDetailsService((s) -> {
            return new User(s, "fakepassword", true, true, true, true, AuthorityUtils.createAuthorityList("ROLE_ADMIN"));
        });
        provider.setKey("CAS_PROVIDER_IMPORT_PARCOURSUP_KEY");
        return provider;
    }

    @Bean
    public SecurityContextLogoutHandler securityContextLogoutHandler() {
        return new SecurityContextLogoutHandler();
    }

    @Bean
    public LogoutFilter logoutFilter() {
        LogoutFilter logoutFilter = new LogoutFilter(casUrl + "/logout", securityContextLogoutHandler());
        logoutFilter.setFilterProcessesUrl("/logout/cas");
        return logoutFilter;
    }

    @Bean
    public SingleSignOutFilter singleSignOutFilter() {
        SingleSignOutFilter singleSignOutFilter = new SingleSignOutFilter();
        singleSignOutFilter.setCasServerUrlPrefix(casUrl);
        singleSignOutFilter.setIgnoreInitConfiguration(true);
        return singleSignOutFilter;
    }

    @EventListener
    public SingleSignOutHttpSessionListener singleSignOutHttpSessionListener(HttpSessionEvent event) {
        return new SingleSignOutHttpSessionListener();
    }

}

現在,我想添加一個自動登錄的列表,他們是唯一可以訪問該應用程序的用戶(即:要訪問它們,必須在cas AND靜態列表中)。 

String allowedLogin = List.of ("robert.bob", "john.jon");

我找到此鏈接: Spring安全性-特定用戶,但我不知道如何實現“ StaticUserProvider”以及在我的配置中的配置位置。

2 個解決方案

解決方案1
 1 已采納  2018-10-11 15:36:02

我認為最簡單的方法是,如果用戶不在列表中,則在UserDetailsS​​ervice中拋出UsernameNotFoundException。 像那樣: 

    provider.setUserDetailsService((s) -> {
        if(!allowedLogin.contains(s.getAssertion().getPrincipal().getName())) {
            throw new UsernameNotFoundException("user not authorized to use app");
        }
        return new User(s, "fakepassword", true, true, true, true, AuthorityUtils.createAuthorityList("ROLE_ADMIN"));
    });

解決方案2
 0  2018-10-10 03:43:40

您可以使用Spring Security Roles完成此任務。

為您的應用創建自定義角色: 

public final class AuthoritiesConstants {

    public static final String APP = "ROLE_APP";

}

然后添加您希望授予該角色訪問權限的所有用戶。

最后使用Ant Matchers限制對您的應用程序的訪問: 

.antMatchers("/**").hasAuthority(AuthoritiesConstants.APP)

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

相關問題 使用Spring Security 3實施CAS CAS + Spring安全性 Spring Security和CAS集成 cas + spring安全 CAS Spring Security Java-未授權用戶詳細信息服務未加載角色 CAS,Spring Security和不受保護的頁面 Spring Security + CAS SSO AuthenticationManager CAS + Spring Security Detect本地主機 wicket-auth-roles和spring-security-cas-client之間的身份驗證集成問題 Spring 工作會話注冊表不使用 CAS 身份驗證
相關標簽
 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM