无需表单登录的 Spring Security [英] Spring security without form login
问题描述
我在我的应用程序 Spring 控制器中实现了 Spring Security Expression:
I have implemented Spring Security Expression in my application Spring controller:
@Controller
@RequestMapping("init")
public class InitController {
@PreAuthorize("hasRole('ROLE_ADMIN')")
@RequestMapping(value = "/", method = RequestMethod.GET)
public @ResponseBody String home(){
return "This is the init page";
}
}
使用此安全配置:
<http auto-config="true" create-session="stateless" use-expressions="true">
<intercept-url pattern="/_ah*" access="permitAll" />
<intercept-url pattern="/init/*" access="hasRole('ROLE_ADMIN')"/>
<intercept-url pattern="/init*" access="hasRole('ROLE_ADMIN')"/>
</http>
当访问此资源时,会显示默认的 Spring 登录表单 (http://localhost:8888/spring_security_login) 但是我不希望这种情况发生,我只想拥有要插入请求标头中的凭据,如x-authorization-key"或任何适合场景的凭据.
When this resource is accessed the the default Spring login form is displayed (http://localhost:8888/spring_security_login) however I don't want this to happen and that I just want to have the credentials to be inserted in the request header like "x-authorization-key" or whatever that fits the scenario.
对此有什么可能的解决方案?
What is the possible solution for this?
- 在请求中只包含 x-authorization-key 好吗
- 如果是这样,它如何适应 Spring 安全机制,即它如何适应hasRole"表达式
- 重要的是,我的 Web 服务是无状态的,并且每个请求都经过身份验证
- 最后,如何在不处理Spring登录表单的情况下处理Spring安全问题
标题
推荐答案
您可能应该阅读 什么auto-config 做了,然后删除它以禁用form-login.如果你专门配置你想使用的东西,你的配置会更清晰.
You should probably read the description on what auto-config does, then remove it to disable form-login. Your configuration will be clearer if you specifically configure what you want to use.
从您的问题中不清楚您希望在 x-authorization-key 标头中包含什么.如果您只是使用客户端 ID 和共享密钥进行身份验证,那么您不妨使用基本身份验证,因为它已经支持开箱即用,您只需添加 <http-basic/>你的配置.如果您有更多自定义的想法,那么您可能需要实现自定义过滤器和 将其添加到 Spring Security 过滤器链以提取凭据并对其进行处理.
It's not clear from your question what you want to be included in the x-authorization-key header. If you are just authenticating with a client Id and shared secret then you might as well use basic authentication since it is already supported out of the box and you can just add <http-basic /> to your configuration. If you have something more customized in mind, then you will probably have to implement a custom filter and add it to the Spring Security filter chain to extract the credentials and process them.
您的身份验证机制如何适应还取决于它的实际组成.通常,您的用户会分配到角色,这些角色会在他们进行身份验证时加载,通常来自某种数据库.hasRole 表达式只是检查当前用户是否具有指定的角色.通常,您只需要创建一个 UserDetailsService,它以标准格式加载您的用户信息,该格式很容易插入到框架中.这在别处有详细介绍.如果你真的需要更多定制的东西这篇博客文章 GAE 集成包括有关如何与更复杂的系统集成的详细信息.
How your authentication mechanism fits is also dependent on what it actually consists of. Normally your users will have assigned roles which are loaded when they authenticate, usually from a database of some kind. The hasRole expression simply checks whether the current user has the specified role. Often you will only need to create a UserDetailsService which loads your user information in a standard format which is easily plugged into the framework. This is covered at length elsewhere. If you really need something more customized this blog article on GAE integration includes details of how you might go about integrating with a more complicated system.
Spring Security 将 如果您使用 create-session='stateless',则不要创建或使用会话.
Spring Security will not create or use a session if you use create-session='stateless'.
附言您实际上并不需要在 URL 级别和处理相同 URL 的控制器上包含相同的安全属性.
P.S. You don't really need to include the same security attributes both at the URL level and on your controller which handles the same URL.
这篇关于无需表单登录的 Spring Security的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
