春天的安全性：授权无需验证 [英] spring-security: authorization without authentication

问题描述

我想通过Spring Security在我的web应用程序集成。看来pretty容易，只要你集成身份验证和授权的整个过程做。

I'm trying to integrate Spring Security in my web application. It seems pretty easy to do as long as you integrate the whole process of authentication and authorization.

不过，身份验证和授权显得如此加上它的是非常耗时的，我明白我怎么能拆分这些流程，并独立地得到授权认证。

However, both authentication and authorization seem so coupled that it's being very time-consuming for me to understand how I could split these processes, and get authentication independently of authorization.

认证过程是外部对我们的系统（基于单点登录），这不能被修改。然而，一旦用户成功这个过程中，它的加载在会话，包括作用。

The authentication process is external to our system (based on single sign-on) and this cannot be modified. Nevertheless, once the user succeeds this process, it's loaded in the session, including roles.

我们正在努力实现的目标是要利用这些信息进行春季安全的授权过程，这是说，迫使它从用户会话获取的角色，而不是采摘它通过认证供应商。

What we are trying to achieve is to make use of this information for the authorization process of Spring Security, that's to say, to force it to get the roles from the user session instead of picking it up through the authentication-provider.

有什么办法来实现这一目标？

Is there any way to achieve this?

推荐答案

如果您的身份验证使用SSO服务已经完成，那么你应该使用Spring Security的有一个<一个href=\"http://static.springsource.org/spring-security/site/docs/3.0.x/reference/$p$pauth.html\">$p$p-authentication过滤器。然后，你可以指定一个UserDetails服务（可能为自定义），将使用pre认证的用户原则来填充的GrantedAuthority的

If your authentication is already done using an SSO service, then you should use one of spring security's pre-authentication filters. Then you can specify a UserDetails service (possibly custom) that will use the pre-authenticated user principle to populate the GrantedAuthority's

SpringSecurity包括几个pre-认证过滤器包括J2EE preAuthenticatedProcessingFilter和RequestHeader preAuthenticatedProcessingFilter。如果你不能找到一个适合你，它也有可能，而且并不难写自己的，只要你知道在请求您的SSO实现充塞的数据。 （这取决于课程的实施。）

SpringSecurity includes several pre-authentication filters including J2eePreAuthenticatedProcessingFilter and RequestHeaderPreAuthenticatedProcessingFilter. If you can't find one that works for you, its also possible, and not that hard to write your own, provided you know where in the request your SSO implementation stuffs the data. (That depends on the implementation of course.)

只需实现过滤器接口做这样的事情在doFilter方法​​：

Just implement the Filter interface and do something like this in the doFilter method:

public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {

    // principal is set in here as a header or parameter. you need to find out 
    // what it's named to extract it
    HttpServletRequest req = (HttpServletRequest) request; 

    if (SecurityContextHolder.getContext().getAuthentication() == null) {
        // in here, get your principal, and populate the auth object with 
        // the right authorities
        Authentication auth = doAuthentication(req); 
        SecurityContextHolder.getContext().setAuthentication(auth);
    }

    chain.doFilter(request, response);
}

这篇关于春天的安全性：授权无需验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！