Spring security removes RemoteUser from httpServletRequest
Problem description
Trying to implement SSO using Apache. Added auth in Apache, and it sets the username in the Spring Boot application's httpServletRequest.getRemoteUser() through AJP.
Once the Spring Security dependency is added to the Boot project, I am not able to get the remote user from httpRequest.
@GetMapping("/sso")
public String test(HttpServletRequest request, @RequestHeader Map<String, String> headers) {
    String u1 = request.getRemoteUser();
    return "--" + u1 + "--" + headers.toString();
}
u1 gives the username sent from Apache when the Spring Security dependency is not added.
Given permit all for all the requests in the Spring Security config:
@Override
protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests().anyRequest().permitAll();
}
In Apache, added a user from the command line and added the lines below for auth in the virtual host:
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
Recommended answer
Finally got a way to get the user from httpRequest.getRemoteUser() with Spring Security.
Added a filter to invoke before Spring Security initialization and saved the remote user in request scope for future use.
Registered the filter:
@Bean
public FilterRegistrationBean registerRequestLogFilter(SSOFilter filter) {
    FilterRegistrationBean reg = new FilterRegistrationBean(filter);
    reg.setOrder(3);
    return reg;
}
And added the property:
security.filter-order=5
From the filter, saved the user value in request scope and later did auth using it.
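The answer registers an SSOFilter but does not show it. The following is an added sketch of such a filter and a controller that reads the saved value; it is not the answerer's code. It assumes Spring Boot with the javax.servlet API (matching the configuration style in the question), and the attribute name sso.remoteUser and the class SsoController are hypothetical.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class SSOFilter extends OncePerRequestFilter {

    // Hypothetical attribute name, not from the page.
    public static final String SSO_USER_ATTR = "sso.remoteUser";

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain)
            throws ServletException, IOException {
        // Registered with order 3, ahead of Spring Security
        // (security.filter-order=5), so this is still the container's
        // request and getRemoteUser() returns the user that Apache
        // authenticated and forwarded over AJP.
        String user = request.getRemoteUser();
        if (user != null && !user.trim().isEmpty()) {
            request.setAttribute(SSO_USER_ATTR, user);
        }
        // Further down the chain Spring Security wraps the request; the
        // wrapper's getRemoteUser() reports Spring Security's own
        // authentication, which is null while the request is anonymous.
        chain.doFilter(request, response);
    }
}

@RestController
class SsoController {

    @GetMapping("/sso")
    public String test(HttpServletRequest request) {
        // Request attributes survive the wrapping, so the saved value is
        // still visible here. Trust it only if the AJP port accepts
        // connections from the Apache front end alone.
        Object user = request.getAttribute(SSOFilter.SSO_USER_ATTR);
        return "--" + user + "--";
    }
}
```

Spring Security also ships RequestAttributeAuthenticationFilter for building a pre-authenticated login from a request attribute like this one.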