spring-security:无需身份验证的授权 [英] spring-security: authorization without authentication

问题描述

我正在尝试将 Spring Security 集成到我的 Web 应用程序中.只要将认证和授权的整个过程整合起来，这似乎很容易做到.

I'm trying to integrate Spring Security in my web application. It seems pretty easy to do as long as you integrate the whole process of authentication and authorization.

但是，身份验证和授权似乎如此耦合，以至于我要了解如何拆分这些过程并独立于授权获得身份验证非常耗时.

However, both authentication and authorization seem so coupled that it's being very time-consuming for me to understand how I could split these processes, and get authentication independently of authorization.

身份验证过程在我们的系统之外(基于单点登录)，并且无法修改.然而，一旦用户成功完成此过程，它就会加载到会话中，包括角色.

The authentication process is external to our system (based on single sign-on) and this cannot be modified. Nevertheless, once the user succeeds this process, it's loaded in the session, including roles.

我们想要实现的是利用这些信息进行Spring Security的授权过程，也就是说，强制它从用户会话中获取角色，而不是通过身份验证提供者获取.

What we are trying to achieve is to make use of this information for the authorization process of Spring Security, that's to say, to force it to get the roles from the user session instead of picking it up through the authentication-provider.

有什么办法可以做到这一点吗?

Is there any way to achieve this?

推荐答案

如果您的身份验证已经使用 SSO 服务完成，那么您应该使用 Spring Security 的 预认证过滤器.然后您可以指定一个 UserDetails 服务(可能是自定义的)，该服务将使用预先验证的用户原则来填充 GrantedAuthority 的

If your authentication is already done using an SSO service, then you should use one of spring security's pre-authentication filters. Then you can specify a UserDetails service (possibly custom) that will use the pre-authenticated user principle to populate the GrantedAuthority's

SpringSecurity 包括几个预认证过滤器，包括 J2eePreAuthenticatedProcessingFilter 和 RequestHeaderPreAuthenticatedProcessingFilter.如果您找不到适合您的方法，那么也可以编写自己的方法，而且编写自己的方法并不难，前提是您知道 SSO 实现在请求中的何处填充数据.(这当然取决于实现.)

SpringSecurity includes several pre-authentication filters including J2eePreAuthenticatedProcessingFilter and RequestHeaderPreAuthenticatedProcessingFilter. If you can't find one that works for you, its also possible, and not that hard to write your own, provided you know where in the request your SSO implementation stuffs the data. (That depends on the implementation of course.)

只需实现 Filter 接口和在 doFilter 方法中做这样的事情:

Just implement the Filter interface and do something like this in the doFilter method:

public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {

    // principal is set in here as a header or parameter. you need to find out 
    // what it's named to extract it
    HttpServletRequest req = (HttpServletRequest) request; 

    if (SecurityContextHolder.getContext().getAuthentication() == null) {
        // in here, get your principal, and populate the auth object with 
        // the right authorities
        Authentication auth = doAuthentication(req); 
        SecurityContextHolder.getContext().setAuthentication(auth);
    }

    chain.doFilter(request, response);
}

这篇关于spring-security:无需身份验证的授权的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！