如何使用J2eePreAuthenticatedProcessingFilter和自定义身份验证提供程序? [英] How to use J2eePreAuthenticatedProcessingFilter and a custom authentication provider?
问题描述
我希望我的Spring应用程序尝试两种预身份验证方法( Siteminder 和 Java EE容器身份验证).
I want my Spring application to try two pre-authentication methods (Siteminder and Java EE container authentication).
- 如果这些过滤器中的任何一个都找到了用户名-我想对照我的用户数据库检查该用户名,并根据我在数据库中看到的内容分配角色. (我有一个AuthenticationUserDetailsService的实现,该实现为我完成.)
- 如果不是-向用户显示登录页面.根据我的用户数据库检查他们在表单中输入的凭据.
Siteminder集成正在运行.登录表单也可以使用. 我的问题是Java EE的预身份验证.它永远不会踢进来.
The Siteminder integration is working. The login form is working too. My problem is with the Java EE pre-authentication. It never kicks in.
我的applicationContext-security.xml:
My applicationContext-security.xml:
<!-- HTTP security configurations -->
<sec:http auto-config="true" use-expressions="true">
<sec:form-login login-processing-url="/resources/j_spring_security_check" always-use-default-target="true" default-target-url="/" login-page="/login"
authentication-failure-url="/login?login_error=t" />
<sec:logout logout-url="/resources/j_spring_security_logout" />
<sec:access-denied-handler error-page="/accessDenied" />
<sec:remember-me user-service-ref="customUserDetailsService" token-validity-seconds="86400" key="OptiVLM-VaultBalance" />
<sec:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter"/>
<sec:custom-filter after="PRE_AUTH_FILTER" ref="jeePreAuthenticatedFilter"/>
<!-- various intercept-url elements here, skipped for brevity -->
</sec:http>
<!-- Authentication Manager -->
<sec:authentication-manager alias="authenticationManager">
<!-- J2EE container pre-authentication or Siteminder -->
<sec:authentication-provider ref="customPreAuthenticatedAuthenticationProvider" />
<!-- Default provider -->
<sec:authentication-provider user-service-ref="customUserDetailsService" />
</sec:authentication-manager>
<!-- Siteminder pre-authentication -->
<bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<property name="principalRequestHeader" value="SM_USER" />
<property name="authenticationManager" ref="authenticationManager" />
<property name="exceptionIfHeaderMissing" value="false" />
</bean>
<!-- J2EE pre-authentication -->
<bean id="jeePreAuthenticatedFilter" class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<!-- Custom pre-authentication provider -->
<bean id="customPreAuthenticatedAuthenticationProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService" ref="customAuthenticationUserDetailsService" />
</bean>
我在Websphere中启用了Java 2安全性,并且以"admin5"身份登录. (我的用户数据库中有一个使用该用户名的用户.)但是,当我访问该应用程序时,永远不会调用"customAuthenticationUserDetailsService" bean来验证用户名.我知道这一点,因为'customAuthenticationUserDetailsService'做了大量的日志记录,清楚地表明了它在做什么.当我使用Siteminder预身份验证时-'customAuthenticationUserDetailsService'工作正常,我在日志中得到了一些跟踪输出.但不适用于J2EE身份验证...
I have Java 2 security enabled in Websphere, and I am logged in as 'admin5'. (I have a user with this username in my user database.) But when I access the application, there is never a call to the 'customAuthenticationUserDetailsService' bean to verify the username. I know this, because 'customAuthenticationUserDetailsService' does extensive logging which clearly shows what it is doing. When I am using the Siteminder pre-authentication - the 'customAuthenticationUserDetailsService' works just fine, I get some trace output in the log. But not for the J2EE authentication...
我的猜测是这些事情之一正在发生:
My guess is that one of these things is happening:
a)Java EE预身份验证过滤器未找到用户名,因此它从不调用身份验证管理器
a) Java EE pre-authentication filter is not locating the username, so it never calls the authentication manager
b)Java EE预身份验证过滤器工作正常,但是出于某种原因,身份验证管理器从未调用过我的自定义身份验证提供程序
b) Java EE pre-authentication filter works fine, but my custom authentication provider is never called by the authentication manager for some reason
顺便说一句,使用'customUserDetailsService'的默认身份验证提供程序也不起作用.再说一遍,因为日志中'customUserDetailsService'没有输出.
您能建议这里有什么问题吗?如果不是解决方案,那么对如何解决此问题的建议将不胜感激.
推荐答案
好的,我知道了.问题是,即使我在Websphere中进行了J2EE安全设置并进行了身份验证,我的web.xml也包含没有安全约束.因此,Websphere并未提供我的要求的委托人.这显然是故意的.如果您不访问受保护的URL,则不需要预身份验证信息.
OK, I figured this out. The problem is that even though I had J2EE security setup in Websphere and was authenticated, my web.xml contained no security constraints. Because of this, Websphere was not supplying the principal for my requests. This is apparently an intentional feature. If you are not accessing a protected URL, you should not need the pre-authentication information.
为解决此问题,我在我的web.xml中添加了安全约束,该约束允许所有用户访问资源.实际上,资源没有得到保障,但仍然-现在存在限制.
To overcome this, I added a security constraint to my web.xml, which allowed ALL users to access the resources. Effectively, the resources were not secured, but still - there was a constraint now.
就这样:
<security-constraint>
<web-resource-collection>
<web-resource-name>All areas</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
这会欺骗Websphere在请求中填写用户主体信息.
This tricks the Websphere into filling in the user principal information in the request.
感谢@Ralph对这个问题的评论: request.getUserPrincipal()为空
Thank you @Ralph for his comments on this this question: request.getUserPrincipal() got null
这篇关于如何使用J2eePreAuthenticatedProcessingFilter和自定义身份验证提供程序?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
