使用j_security_check进行身份验证,但不进行授权(在Websphere中) [英] Using j_security_check for authentication, but not authorization (in Websphere)
问题描述
是否有一种方法可以强制我的Java EE应用程序使用j_security_check进行身份验证,而不是授权?我想通过独立LDAP存储库进行身份验证,但是我想在我的应用程序中进行编程授权.
Is there a way to force my Java EE application to use j_security_check for authentication, but not authorization? I want to do authentication through a Standalone LDAP Repository, but I want to do programmatic authorization in my application.
特别是,我不想在Websphere Application Server管理控制台中进行任何有关授权(用户角色映射到组)的配置.
Specifically, I do not want to do any configuration around Authorization (user role mapping to groups) within the Websphere Application Server admin console.
例如:
- 用户使用正确的'user1'和密码'password1'登录
- Websphere在LDAP中找到此人,知道他们就是他们所说的(身份验证)
- 我从文件系统上的文件中检查该用户是否被授权(授权)
推荐答案
我建议为此使用Spring Security.我们已经在WebSphere中实现了这种确切的模式.诀窍是使用Spring Security提供的预身份验证机制,然后在配置中仅定义授权规则.
I suggest using Spring Security for this. We have implemented this exact pattern in WebSphere. The trick is to use the pre-authentication mechanism that Spring Security provides and then define only the authorization rules in the configuration.
<http>
<session-management session-fixation-protection="none"/>
<custom-filter position="PRE_AUTH_FILTER" ref="preAuthenticationFilter"/>
<intercept-url pattern="/j_security_check" filters="none"/>
<intercept-url pattern="/ibm_security_logout" filters="none"/>
<!-- put authorization intercept-url elements here... -->
</http>
您还必须定义其他一些bean,例如预先认证的过滤器和自定义入口点,但这在此处进行了记录:
You have to define some other beans as well, such as the pre-authenticated filter and a custom entry point, but that's documented here: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/preauth.html
这篇关于使用j_security_check进行身份验证,但不进行授权(在Websphere中)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
