Java spring security - intercept subdomain url for different login?
Question
I have an application with spring security installed and working well -- it is currently running out of www.exampledomain.com.
I now want to expand the application running out of a subdomain. For example newapp.exampledomain.com.
The only problem is that for this new app a user needs to log in. In spring it is very easy to intercept urls via <intercept-url pattern="/Admin/*" access="ROLE_GENERAL"/>
but what do you do when you want to intercept a subdomain for login? For example the following doesn't work for me:
<intercept-url pattern="http://newapp.exampledomain.com/*" access="ROLE_GENERAL"/>
Any thoughts on how to get around this?
Recommended answer
One option would be to write your own AccessDecisionVoter which extends RoleVoter and adds an additional check based on the hostname. Something like this:
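import java.util.Collection;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;

public class MyVoter extends RoleVoter {
    private static final String BASE_DOMAIN = ".acme.com";
    @Override
    public int vote(Authentication authentication,
                    Object object,
                    Collection<ConfigAttribute> attributes) {
        FilterInvocation filterInvocation = (FilterInvocation) object;
        HttpServletRequest request = filterInvocation.getHttpRequest();
        // get subdomain from request
        String subdomain = getSubdomain(request);
        if ("free".equals(subdomain)) {
            return ACCESS_GRANTED;
        }
        else {
            return super.vote(authentication, object, attributes);
        }
    }
    // "free" for free.acme.com, "" for other hosts; getServerName() comes from the client's Host header
    private String getSubdomain(HttpServletRequest request) {
        String host = request.getServerName().toLowerCase(java.util.Locale.ROOT);
        return host.endsWith(BASE_DOMAIN)
                ? host.substring(0, host.length() - BASE_DOMAIN.length()) : "";
    }
}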
Then wire up your voter:
<security:http auto-config="true"
               use-expressions="true"
               access-decision-manager-ref="accessDecisionManager">
    ...
</security:http>
<bean id="accessDecisionManager"
      class="org.springframework.security.access.vote.UnanimousBased">
    <property name="decisionVoters">
        <list>
            <bean class="com.acme.MyVoter" />
        </list>
    </property>
</bean>
If you wanted to take it a step further you could also write your own configuration attributes which would allow you to remove the hardcoded hostname checks in the voter and do something like:
<intercept-url pattern="/Admin/*" access="ROLE_GENERAL" domain="free.acme.com" />
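A per-rule domain such as the one above has to be compared against the request's full host name, which comes from the client-supplied Host header. The following is an added example, not part of the original answer, of that comparison in plain Java; DomainRule and its methods are hypothetical names, and the sample hosts are constructed.

```java
import java.util.Locale;

// Added example (hypothetical class): decides whether a rule configured for one
// host, e.g. domain="free.acme.com", applies to the host of the current request.
public final class DomainRule {
    private final String domain; // normalized configured host

    public DomainRule(String configuredDomain) {
        this.domain = normalize(configuredDomain);
    }

    // Lower-case the host, strip an optional :port and a trailing root dot.
    static String normalize(String host) {
        if (host == null) {
            return "";
        }
        String h = host.trim().toLowerCase(Locale.ROOT);
        int colon = h.indexOf(':');
        if (colon >= 0 && !h.startsWith("[")) { // leave bracketed IPv6 literals alone
            h = h.substring(0, colon);
        }
        if (h.endsWith(".")) {
            h = h.substring(0, h.length() - 1);
        }
        return h;
    }

    // Exact comparison of the whole host. Checking only the first label, or using
    // startsWith/contains, would also accept hosts outside the intended domain.
    public boolean matches(String requestHost) {
        return !domain.isEmpty() && domain.equals(normalize(requestHost));
    }

    public static void main(String[] args) {
        DomainRule rule = new DomainRule("free.acme.com");
        // Constructed sample Host values, not taken from the page.
        String[] hosts = {
            "free.acme.com", "FREE.ACME.COM:8080", "free.acme.com.",
            "free.acme.com.example.net", "notfree.acme.com", "www.acme.com", null
        };
        for (String h : hosts) {
            System.out.printf("%-28s -> %s%n", h,
                    rule.matches(h) ? "rule applies" : "rule does not apply");
        }
    }
}
```

In a voter, the value passed to matches() would be request.getServerName(); only the first three sample hosts match the rule.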