Handling both form and HTTP basic authentication with different sources

Problem description

I am already at DelegatingAuthenticationEntryPoint.

What I'm trying to do is have users coming thru the login form to be authenticated against criteria "A", and have users coming thru the Basic auth requests to be authenticated against criteria "B".

Some of the application's resources are exposed thru a RESTful service (accessible via Basic auth). Instead of having users enter their own credentials to make a REST service call, they can enter generated key/value pairs for use exclusively with the REST service that can later be revoked by the user or by the app administrator.

I would prefer to share as much of my security-specific beans as possible between the two methods of authentication. I know I will need separate UserDetailsServices as the form login queries my users table, and Basic auth will query my service_credentials table.

What is the correct way to achieve this kind of configuration in Spring Security?

Recommended answer

Depending on your app and whether you're using Spring Security 3.1, you might be best to split the configuration into multiple filter chains, each with a separate authentication manager defined:

<http pattern="/rest_api/**" create-session="stateless"
    authentication-manager-ref="serviceCredsAuthMgr">
    <http-basic />
</http>

<http authentication-manager-ref="mainAuthMgr">
    <form-login />
</http>

<authentication-manager id="serviceCredsAuthMgr">
    <authentication-provider user-service-ref="serviceCredsUserDetailsSvc" />
</authentication-manager>

<authentication-manager id="mainAuthMgr">
    <!-- whatever -->
</authentication-manager>

Instead of the pattern attribute you can also use the request-matcher-ref attribute to specify a RequestMatcher instance which will be used to map incoming requests to a particular filter chain. This has a very simple interface, but can allow you to match based on something other than the URL path, such as the Accept header.
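
The Accept-header matching mentioned in the answer, as an added example that is not part of the original answer: a `RequestMatcher` that routes requests asking for JSON to the Basic-auth chain. The class name `RestApiRequestMatcher`, the package `example` and the bean id `restApiMatcher` are hypothetical, and the import assumes Spring Security 3.1.

```java
package example; // hypothetical package name

import java.util.Enumeration;
import java.util.Locale;
import javax.servlet.http.HttpServletRequest;
// Spring Security 3.1 package; from 3.2 on the interface is
// org.springframework.security.web.util.matcher.RequestMatcher.
import org.springframework.security.web.util.RequestMatcher;

/**
 * Selects the stateless Basic-auth chain for clients that ask for JSON.
 * Assumed wiring (bean id "restApiMatcher" is hypothetical):
 *   <beans:bean id="restApiMatcher" class="example.RestApiRequestMatcher"/>
 *   <http request-matcher-ref="restApiMatcher" create-session="stateless"
 *         authentication-manager-ref="serviceCredsAuthMgr"> ... </http>
 */
public class RestApiRequestMatcher implements RequestMatcher {

    private static final String JSON = "application/json";

    public boolean matches(HttpServletRequest request) {
        // A client may send several Accept headers, each a comma-separated list.
        Enumeration<?> headers = request.getHeaders("Accept");
        if (headers == null) {
            return false; // container hides headers: fall through to the next chain
        }
        while (headers.hasMoreElements()) {
            for (String range : String.valueOf(headers.nextElement()).split(",")) {
                if (JSON.equals(mediaType(range))) {
                    return true;
                }
            }
        }
        return false; // no Accept header, or only other types such as text/html
    }

    /** Strips parameters such as ";q=0.9" and normalises case and whitespace. */
    private static String mediaType(String range) {
        int semicolon = range.indexOf(';');
        String type = semicolon >= 0 ? range.substring(0, semicolon) : range;
        return type.trim().toLowerCase(Locale.ROOT);
    }
}
```

The `<http>` elements are tried in the order they are declared and the first matching chain handles the request, so this element goes before the catch-all form-login chain. Because `Accept` is chosen by the client, the matcher only routes the request; each chain still needs its own authentication and access rules.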
