Java spring security - intercept subdomain url for different login?

Question

I have an application with spring security installed and working well -- it is currently running out of www.exampledomain.com.

I now want to expand the application running out of a subdomain. For example newapp.exampledomain.com.

The only problem is that for this new app a user needs to log in. In spring it is very easy to intercept urls via <intercept-url pattern="/Admin/*" access="ROLE_GENERAL"/>

But what do you do when you want to intercept a subdomain for login? For example, the following doesn't work for me:

<intercept-url pattern="http://newapp.exampledomain.com/*" access="ROLE_GENERAL"/>

Any thoughts on how to get around this?

Recommended answer

One option would be to write your own AccessDecisionVoter which extends RoleVoter and adds an additional check based on the hostname. Something like this:

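import java.util.Collection;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;

public class MyVoter extends RoleVoter {
  @Override
  public int vote(Authentication authentication,
                  Object object,
                  Collection<ConfigAttribute> attributes) {
    FilterInvocation filterInvocation = (FilterInvocation) object;
    HttpServletRequest request = filterInvocation.getHttpRequest();
    // get subdomain from request
    String subdomain = getSubdomain(request);
    if ("free".equals(subdomain)) {
      return ACCESS_GRANTED;
    }
    // otherwise fall back to the normal role check
    return super.vote(authentication, object, attributes);
  }

  // Helper body not in the original answer (assumed): first label of the host name.
  private String getSubdomain(HttpServletRequest request) {
    String host = request.getServerName();
    int dot = host.indexOf('.');
    return dot > 0 ? host.substring(0, dot) : "";
  }
}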

Then wire in your voter:

<security:http auto-config="true" 
               use-expressions="true" 
               access-decision-manager-ref="accessDecisionManager">
...
</security:http>

<bean id="accessDecisionManager"
      class="org.springframework.security.access.vote.UnanimousBased">
    <property name="decisionVoters">
        <list>
            <bean class="com.acme.MyVoter" />
        </list>
    </property>
</bean>

If you wanted to take it a step further you could also write your own configuration attributes which would allow you to remove the hardcoded hostname checks in the voter and do something like:

<intercept-url pattern="/Admin/*" access="ROLE_GENERAL" domain="free.acme.com" />
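
A simpler way to drop the hardcoded hostname than a custom configuration attribute is a voter whose host list is a bean property. This is an added example, not code from the answer or from Spring Security itself; the class name HostAwareRoleVoter and the openHosts property are hypothetical, and it assumes a Spring Security release that still uses javax.servlet and AccessDecisionVoter.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;

// Added example: hypothetical class, not part of the original answer.
public class HostAwareRoleVoter extends RoleVoter {
  // Full host names that skip the role check; injected from the bean definition.
  private Set<String> openHosts = new HashSet<String>();

  public void setOpenHosts(Set<String> hosts) {
    Set<String> normalized = new HashSet<String>();
    for (String h : hosts) {
      normalized.add(normalize(h));
    }
    this.openHosts = normalized;
  }

  // Lower-case and drop a trailing dot so "Free.Acme.com." equals "free.acme.com".
  static String normalize(String host) {
    if (host == null) return "";
    String h = host.trim().toLowerCase(Locale.ROOT);
    return h.endsWith(".") ? h.substring(0, h.length() - 1) : h;
  }

  @Override
  public boolean supports(Class<?> clazz) {
    // vote() casts to FilterInvocation, so only web invocations are supported.
    return FilterInvocation.class.isAssignableFrom(clazz);
  }

  @Override
  public int vote(Authentication authentication, Object object,
                  Collection<ConfigAttribute> attributes) {
    HttpServletRequest request = ((FilterInvocation) object).getHttpRequest();
    // getServerName() reflects the client-supplied Host header, so compare the
    // whole name against the configured set instead of trusting a single label.
    if (openHosts.contains(normalize(request.getServerName()))) {
      return ACCESS_GRANTED;
    }
    return super.vote(authentication, object, attributes);
  }
}
```

Register it in the decisionVoters list in place of com.acme.MyVoter and set openHosts to the full host names (for example free.acme.com) that should bypass the role check.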
