对于n因子认证使用Java配置 [英] using java configuration for n-factor authentication
问题描述
在 Spring MVC的使用应用程序的春季安全后,我想用一个自定义的的AuthenticationProvider 来检查<强>正数超出了默认的附加字段用户名和 密码。我试图用Java配置。我应该如何设置?
In a spring mvc app using spring security, I want to use a custom AuthenticationProvider to check n-number of additional fields beyond the default username and password. I am trying to use Java configuration. How should I set it up?
推荐答案
用java配置为正的因素身份验证的最简单方法是启动与使用Java的配置单因素认证(用户名和密码)的工作示例。然后你只需要做一些非常小的改动:假设你使用Java配置有一个工作的单一因素身份验证的应用程序,该措施是:
The easiest way to use java config for n-factor authentication is to start with a working example of single-factor authentication (username and password) that uses java config. Then you only have to make a few very minor changes: Assuming that you have a working single factor authentication app using java configuration, the steps are simply:
首先,定义分层的角色,为每个因子一个角色。如果你只有两个因素身份验证,请在数据库现有的一个角色,但后来创建拥有完全访问权限,你只能分配在运行时第二个角色。因此,当用户登录时,他们登录到存储在数据库中的作用很小,而最小的角色只授予一种观点认为,这是允许他们输入PIN码code的形式,你的控制器访问只是通过短信或电子邮件或其他方法打发他们。这些分层的角色获得 SecurityConfig.java 定义如下:
First, define layered roles, with one role for each factor. If you only have two factor authentication, keep your existing one role in the database, but then create a second role with full-access that you only assign at runtime. Thus, when the user logs in, they are logged in to the minimal role stored in the database, and that minimal role is only given access to one view, which is a form allowing them to enter a pin code that your controller just sent them via text or email or some other method. These layered roles get defined in SecurityConfig.java, as follows:
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/getpin")
.usernameParameter("j_username")
.passwordParameter("j_password")
.loginProcessingUrl("/j_spring_security_check")
.failureUrl("/login")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/login")
.and()
.authorizeRequests()
.antMatchers("/getpin").hasAuthority("get_pin")
.antMatchers("/securemain/**").hasAuthority("full_access")
.antMatchers("/j_spring_security_check").permitAll()
.and()
.userDetailsService(userDetailsService);
}
}
二,添加code是升级用户的角色后,给控制器code处理该引脚code参赛表格<$ C正确的PIN码code的成功进入完全访问$ C> POST 。在code手动分配控制器中的完全访问权限是:
Second, add code that upgrades the user's role to full-access upon successful entry of the correct pin code to the controller code that handles the pin code entry form POST. The code to manually assign full access in the controller is:
Role rl2 = new Role();rl2.setRole("full-access");//Don't save this one because we will manually assign it on login.
Set<Role> rls = new HashSet<Role>();
rls.add(rl2);
CustomUserDetailsService user = new CustomUserDetailsService(appService);
Authentication authentication = new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities(rls));
SecurityContextHolder.getContext().setAuthentication(authentication);
return "redirect:/securemain";
只要你想在 / getpin 您可以添加多种层次。您还可以支持多个授权角色,让你想要它一样复杂。但这个答案给了得到它与Java运行配置最简单的方法。
You can add as many layers as you want to after /getpin. You can also support multiple authorization roles and make it as complicated as you want to. But this answer gives the simplest way to get it running with java config.
这篇关于对于n因子认证使用Java配置的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
