使用Spring Security的pre-验证未经授权 [英] Pre-Authentication without Authorization using Spring Security

问题描述

我的要求是：

在我的应用程序，该认证由定制的第三方API首次当用户通过登录屏幕登录进行（不使用Spring安全性）。现在，我们得到了在使用REST服务调用一些增强。按要求，从我们的应用程序进行任何其他调用之前，我们需要重新验证对数据库用户。由于用户已经验证，当他在使用登录屏幕和记录这些细节的要求都可以，我打算使用Spring Security重新认证用户（pre-认证方案）。我们不对我们的应用程序的用户定义的任何角色。因此，没有必要担心的角色。我已阅读参考手册，但我没有得到如何进一步进行很多信息。有一件事我知道是我们需要以某种方式告诉Spring上下文有关用户，他是通过定制的第三方API认证之后。连我都用Google搜索了一下四周，但不能找到适合我的要求一个很好的例子。
这将是巨大的，如果任何人都可以指导我如何用一个例子开始。

In my application, the authentication is performed by customized third party API for the first time when the user logs in via login screen(not by using Spring Security). Now, we got few enhancements in which the rest service calls are used. Per the requirement, before making any rest call from our application, we need to reauthenticate the user against the database. Since the user is already validated when he logged in using login screen and those details are available in the request, I am planning to use spring security for reauthenticating the user(Pre-Authentication scenario).We don't have any roles defined for the users in our application. So no need to worry about the roles. I have read the reference manual, but I didn't get much info on how to proceed further. One thing I understood is we need to tell the spring context somehow about the user after he is authenticated by customized third party API. Even I have googled a bit around, but could not get a good example that suits my requirement. It would be great if anybody can guide me on how to start with an example.

我只需要告诉Spring上下文像嘿..！这个用户已经通过身份验证，因此他可以被允许调用用户的凭证后，其余的服务受到了定制的第三方验证API。的

I just need to tell the spring context something like "hey..! this user is already authenticated so he can be permitted to call the rest services after the user's credentials are verified by the customized third party API.

我不应该改变现有的初始认证过程。我应该只使用经过验证的用户信息，并进一步使用Spring Security的重新认证用户。

I am not supposed to change the existing initial authentication process. I should only use the authenticated user info and use the spring security further to reauthenticate the user.

我的问题是什么的一些类似的春天参考手册的 http://docs.spring.io/spring-security/site/docs/3.0.x/reference/$p$pauth.html

My issue is some what similar to the issue mentioned in the spring reference manual http://docs.spring.io/spring-security/site/docs/3.0.x/reference/preauth.html

请不要用单线回答（除非它有一个适当的
  外部链接）。它会是巨大的，如果你能告诉我一个例子或伪code。

Please don't answer with single line (except if it has a proper external link).It would be great if you can show me an example or pseudo code.

在此先感谢。

推荐答案

我建议做一个桥梁，从春天到安全的第三方登录页面。如果你使用Spring的工作，我觉得这是最好的工作方式。

I'd suggest to make a "bridge" from Spring Security to the 3rd party login page. If you work with Spring, I think this is the best way to work.

含义，你有一个登录处理程序，将用户重定向到第三方登录页面。测井后，用户会被重定向到Web的应用程序。

Meaning, you have a login handler that will redirect the user to the 3rd party login page. After logging-in, the user will be redirected back to the web-app.

这是什么意思？听起来是不是好？是否有意义？

Is this what you mean? Does it sound good? Does it make sense?

如果是这样，你可以使用的我的文章得到一些帮助：

If so, you may use my article to get some help:

<security:http entry-point-ref="legacyEntryPoint">

通常情况下，这意味着每当有相关的HTTP调用试图访问你的应用程序，这是入口点处理该请求。在你的情况，legacyEntryPoint是，你将实现将检查用户进行身份验证的类;如果没有，将用户重定向到第三方登录系统，否则它使用著名的令牌，使用您的应用程序。

Generally, it means that whenever a relevant http call tries to access your app, this is the entry-point that handles the request. In your case, legacyEntryPoint is a class that you will implement that will check if the user is authenticated; if not, it redirects the user to the 3rd party login system, otherwise it uses the known "token" to use your app.

希望帮助！

这篇关于使用Spring Security的pre-验证未经授权的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！