Connect multiple authentication mechanisms Spring Boot Security
Problem description
I have a security configuration for my application that authenticates the user via LDAP. This works out pretty fine, but now I'd like to add another AuthenticationProvider that does some more checks on the user that tries to authenticate. So I tried to add a DbAuthenticationProvider that (for testing purposes) always denies the access. So when I am trying to log in with my domain account (that works for the activeDirectoryLdapAuthenticationProvider) I am not able to access the page because the second provider fails the authentication.
To accomplish this goal, I used the following code:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Value("${ad.domain}")
    private String AD_DOMAIN;

    @Value("${ad.url}")
    private String AD_URL;

    @Autowired
    UserRoleComponent userRoleComponent;

    @Autowired
    DbAuthenticationProvider dbAuthenticationProvider;

    private final Logger logger = LoggerFactory.getLogger(WebSecurityConfig.class);

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        this.logger.info("Verify logging level");
        http.authorizeRequests().anyRequest().fullyAuthenticated().and().formLogin()
                .successHandler(new CustomAuthenticationSuccessHandler()).and().httpBasic().and().logout()
                .logoutUrl("/logout").invalidateHttpSession(true).deleteCookies("JSESSIONID");
        http.formLogin().defaultSuccessUrl("/", true);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(activeDirectoryLdapAuthenticationProvider());
        auth.authenticationProvider(dbAuthenticationProvider);
    }

    @Bean
    public AuthenticationManager authenticationManager() {
        return new ProviderManager(Arrays.asList(activeDirectoryLdapAuthenticationProvider(), dbAuthenticationProvider));
    }

    @Bean
    public AuthenticationProvider activeDirectoryLdapAuthenticationProvider() {
        ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider(AD_DOMAIN,
                AD_URL);
        provider.setConvertSubErrorCodesToExceptions(true);
        provider.setUseAuthenticationRequestCredentials(true);
        return provider;
    }
}
This is my DbAuthenticationProvider:
@Component
public class DbAuthenticationProvider implements AuthenticationProvider {

    Logger logger = LoggerFactory.getLogger(DbAuthenticationProvider.class);

    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        auth.setAuthenticated(false);
        this.logger.info("Got initialized");
        return auth;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return true;
    }
}
Sadly I am able to log in (the access is not denied as I expected it to be). Did I miss something?
Recommended answer
Spring won't use more than one AuthenticationProvider to authenticate the request, so the first (in the ArrayList) AuthenticationProvider that supports the Authentication object and successfully authenticates the request will be the only one used. In your case it's activeDirectoryLdapAuthenticationProvider.
Instead of using ActiveDirectoryLdapAuthenticationProvider, you can use a custom AuthenticationProvider that delegates to LDAP and does additional checks:
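import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

public class CustomerAuthenticationProvider implements AuthenticationProvider {
    // add additional methods to initialize delegate during your configuration
    private ActiveDirectoryLdapAuthenticationProvider delegate;

    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        // LDAP performs the credential check and throws when it fails
        Authentication authentication = delegate.authenticate(auth);
        additionalChecks(authentication);
        // return the authenticated token produced by the delegate, not the incoming request
        return authentication;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    public void additionalChecks(Authentication authentication) {
        // throw AuthenticationException when it's not allowed
    }
}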
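The provider-ordering behaviour described in the answer, as an added example that is not part of the original question or answer: a `ProviderManager` stops at the first provider that returns a token, so a later provider can only veto a login when it is chained inside a composite. It assumes `spring-security-core` on the classpath; `ProviderOrderDemo`, `AlwaysAccept`, `AlwaysReject` and `Both` are constructed names, with `AlwaysAccept` standing in for the LDAP provider.

```java
import java.util.Arrays;
import org.springframework.security.authentication.*;
import org.springframework.security.core.*;
import org.springframework.security.core.authority.AuthorityUtils;

public class ProviderOrderDemo {
    // Constructed stand-in for the LDAP provider: accepts every login.
    static class AlwaysAccept implements AuthenticationProvider {
        public Authentication authenticate(Authentication a) {
            return new UsernamePasswordAuthenticationToken(a.getPrincipal(),
                    a.getCredentials(), AuthorityUtils.createAuthorityList("ROLE_USER"));
        }
        public boolean supports(Class<?> type) { return true; }
    }

    // Constructed stand-in for the extra check: it vetoes by throwing, not by returning a token.
    static class AlwaysReject implements AuthenticationProvider {
        public Authentication authenticate(Authentication a) {
            throw new BadCredentialsException("extra check failed");
        }
        public boolean supports(Class<?> type) { return true; }
    }

    // Hypothetical composite: the login succeeds only if both steps pass.
    static class Both implements AuthenticationProvider {
        private final AuthenticationProvider primary, extra;
        Both(AuthenticationProvider p, AuthenticationProvider e) { primary = p; extra = e; }
        public Authentication authenticate(Authentication a) {
            Authentication result = primary.authenticate(a);
            extra.authenticate(result);   // an AuthenticationException here aborts the login
            return result;
        }
        public boolean supports(Class<?> type) { return primary.supports(type) && extra.supports(type); }
    }

    static boolean canLogIn(AuthenticationProvider... providers) {
        AuthenticationManager manager = new ProviderManager(Arrays.asList(providers));
        try {
            return manager.authenticate(
                    new UsernamePasswordAuthenticationToken("alice", "pw")).isAuthenticated();
        } catch (AuthenticationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        AuthenticationProvider ldap = new AlwaysAccept(), db = new AlwaysReject();
        // Registered side by side, the first success wins and the rejecting provider is never called.
        System.out.println("separate providers: " + canLogIn(ldap, db));
        // Wrapped in the composite, the rejecting step runs on every login.
        System.out.println("composite provider: " + canLogIn(new Both(ldap, db)));
    }
}
```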