Two realms in same application with Spring Security?

Question

We're building a web application that is available to both authenticated and anonymous users. If you decide not to register/login you only have a limited set of features. User authentication is done over OpenID with Spring Security. That works fine.
However, the application also comes with an admin UI that is deployed at <host>/<context-root>/admin. Can we have two separate realms with Spring Security (e.g. basic auth for /admin/**)? How does that have to be configured?
Recommended answer
Spring Security has added support for this scenario in version 3.1, which is currently available as a Release Candidate. It was implemented by SEC-1171 and details of the syntax are in the manual included with 3.1.

However, it's pretty simple to use. Basically you just define multiple http elements in your Spring Security configuration, one for each realm. We're using it like this:
<!-- Configure realm for system administration users -->
<security:http pattern="/admin/**" create-session="stateless">
    <security:intercept-url pattern="/**" access="ROLE_ADMIN" requires-channel="https" />
    <security:http-basic/>
</security:http>

<!-- Configure realm for standard users -->
<security:http auto-config="true" access-denied-page="/error/noaccess" use-expressions="true" create-session="ifRequired">
    <security:form-login login-page="/login"
    ...
    ...
</security:http>
The key thing to note is the pattern="/admin/**" on the first http element. This tells Spring that all URLs under /admin are subject to that realm instead of the default realm, and thus URLs under /admin use basic authentication instead.
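For readers who want to see the two-realm layout as a complete Spring Security 3.1 namespace configuration, the following is an added example and not the answer author's own file. The bean names, the login/logout URLs, the role names and the in-memory users are constructed placeholders; a real deployment would replace the user-service with the OpenID provider the question describes and keep the admin credentials out of the configuration file. The one property that matters for this to work is the order of the two http elements: Spring Security tries them in the order they are declared and uses the first whose pattern matches the request, so the admin realm with its narrower pattern must come first and the pattern-less default realm must come last (a pattern-less http element earlier in the file matches everything and shadows the ones after it).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- Realm 1: administration UI under /admin/**.
         Declared FIRST because http elements are matched in declaration order.
         Stateless: every request must carry Basic credentials, no session is created. -->
    <security:http pattern="/admin/**"
                   realm="Admin area"
                   create-session="stateless"
                   use-expressions="true">
        <!-- Everything in this realm needs ROLE_ADMIN and must arrive over HTTPS,
             otherwise the Basic credentials would travel in clear text. -->
        <security:intercept-url pattern="/**"
                                access="hasRole('ROLE_ADMIN')"
                                requires-channel="https" />
        <security:http-basic />
    </security:http>

    <!-- Realm 2: the public application. No pattern attribute, so it is the
         catch-all and MUST be the last http element in the file. -->
    <security:http use-expressions="true"
                   create-session="ifRequired"
                   access-denied-page="/error/noaccess">
        <!-- Login page and static resources stay reachable for anonymous users. -->
        <security:intercept-url pattern="/login" access="permitAll" />
        <security:intercept-url pattern="/resources/**" access="permitAll" />
        <!-- Placeholder: pages that need a logged-in user (constructed path). -->
        <security:intercept-url pattern="/account/**" access="isAuthenticated()" />
        <!-- Everything else is open; anonymous visitors get the limited feature set. -->
        <security:intercept-url pattern="/**" access="permitAll" />

        <security:form-login login-page="/login"
                             authentication-failure-url="/login?error=1" />
        <security:logout logout-url="/logout" logout-success-url="/" />
        <security:anonymous />
    </security:http>

    <!-- Shared authentication manager. Both realms authenticate against it;
         the realm decides HOW credentials are collected, the manager decides
         WHETHER they are valid. Users below are constructed sample data only. -->
    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="admin"
                               password="CHANGE-ME-placeholder"
                               authorities="ROLE_ADMIN" />
                <security:user name="alice"
                               password="CHANGE-ME-placeholder"
                               authorities="ROLE_USER" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>

</beans>
```

A quick way to confirm the realms are wired as intended is to request a URL under /admin/ without credentials and check that the response is a 401 with a WWW-Authenticate: Basic header rather than a redirect to /login; a redirect means the default realm captured the request, which almost always indicates the http elements are in the wrong order.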