Two realms in same application with Spring Security?
Question
We're building a web application that is available to both authenticated and anonymous users. If you decide not to register/login you only have a limited set of features. User authentication is done over OpenID with Spring Security. That works fine.
However, the application also comes with an admin UI that is deployed at <host>/<context-root>/admin. Can we have two separate realms with Spring Security (e.g. basic auth for /admin/**)? How does that have to be configured?
Recommended answer
Spring Security has added support for this scenario in version 3.1, which is currently available as a Release Candidate. It was implemented by SEC-1171 and details of the syntax are in the manual included with 3.1.
However it's pretty simple to use. Basically you just define multiple http elements in your Spring Security configuration, one for each realm. We're using it like this:
<!-- Configure realm for system administration users -->
<security:http pattern="/admin/**" create-session="stateless">
    <security:intercept-url pattern='/**' access='ROLE_ADMIN' requires-channel="https" />
    <security:http-basic/>
</security:http>

<!-- Configure realm for standard users -->
<security:http auto-config="true" access-denied-page="/error/noaccess" use-expressions="true" create-session="ifRequired">
    <security:form-login login-page="/login"
    ...
    ...
</security:http>
The key thing to note is the pattern="/admin/**" on the first http element. This tells Spring that all URLs under /admin are subject to that realm instead of the default realm — and thus URLs under /admin use basic authentication instead.
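A complete two-realm configuration in the 3.1 namespace, added here as an illustration and not the answerer's own config. It assumes the admin realm is wired to its own authentication manager through the 3.1 authentication-manager-ref attribute, and it uses in-memory users with a BCryptPasswordEncoder bean as a stand-in for the question's OpenID provider; the password values are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.1.xsd">
  <!-- Realm 1: admin UI. Declared first: http elements are tried in declaration
       order and the first pattern that matches the request wins. -->
  <security:http pattern="/admin/**" create-session="stateless"
                 authentication-manager-ref="adminAuthManager">
    <!-- Basic auth resends the password on every request, so force TLS. -->
    <security:intercept-url pattern="/**" access="ROLE_ADMIN" requires-channel="https"/>
    <security:http-basic/>
  </security:http>
  <!-- Realm 2: everyone else. No pattern means catch-all, so it must come last;
       declared first it would swallow /admin/** and the basic-auth realm would never run. -->
  <security:http auto-config="true" use-expressions="true"
                 access-denied-page="/error/noaccess" create-session="ifRequired">
    <security:intercept-url pattern="/login" access="permitAll"/>
    <security:intercept-url pattern="/account/**" access="isAuthenticated()"/>
    <security:intercept-url pattern="/**" access="permitAll"/>
    <security:form-login login-page="/login" authentication-failure-url="/login?error"/>
    <security:logout logout-success-url="/"/>
  </security:http>
  <!-- Admin credentials sit in their own store, so an account from the public
       realm can never carry ROLE_ADMIN. Password values are placeholders. -->
  <security:authentication-manager id="adminAuthManager">
    <security:authentication-provider>
      <security:password-encoder ref="bcryptEncoder"/>
      <security:user-service>
        <security:user name="admin" password="BCRYPT_HASH_PLACEHOLDER" authorities="ROLE_ADMIN"/>
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>
  <!-- Default manager, picked up by the second http element (in-memory stand-in
       for the question's OpenID provider). -->
  <security:authentication-manager>
    <security:authentication-provider>
      <security:password-encoder ref="bcryptEncoder"/>
      <security:user-service>
        <security:user name="alice" password="BCRYPT_HASH_PLACEHOLDER" authorities="ROLE_USER"/>
      </security:user-service>
    </security:authentication-provider>
  </security:authentication-manager>
  <bean id="bcryptEncoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
</beans>
```

Ordering is the part that bites: the catch-all http element matches every request, so if it were declared before the /admin/** one the admin realm would never be consulted.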