Programmatic use of Spring Security


Question


I am using Wicket with the Wicket Auth Project for my presentation layer and I have therefore integrated it with Spring Security. This is the method which is called by Wicket for authentication for me:

@Override
public boolean authenticate(String username, String password) {
    try {
        Authentication request = new UsernamePasswordAuthenticationToken(
                username, password);
        Authentication result = authenticationManager.authenticate(request);
        SecurityContextHolder.getContext().setAuthentication(result);
    } catch (AuthenticationException e) {
        return false;
    }
    return true;
}


The contents (inside ) of my Spring Security XML configuration are:

<http path-type="regex">
    <form-login login-page="/signin"/>
    <logout logout-url="/logout" />
</http>
<global-method-security secured-annotations="enabled" />
<authentication-manager alias="authenticationManager"/>
<authentication-provider user-service-ref="userService">
    <password-encoder ref="bcryptpasswordencoder" />
</authentication-provider>

Section 2.3.6, Session Fixation Attack Protection, of the reference documentation says:

Session fixation attacks are a potential risk where it is possible for a malicious attacker to create a session by accessing a site, then persuade another user to log in with the same session (by sending them a link containing the session identifier as a parameter, for example). Spring Security protects against this automatically by creating a new session when a user logs in. If you don't require this protection, or it conflicts with some other requirement, you can control the behaviour using the session-fixation-protection attribute on , which has three options:

  • migrateSession - creates a new session and copies the existing session attributes to the new session. This is the default.

  • none - Don't do anything. The original session will be retained.

  • newSession - Create a new "clean" session, without copying the existing session data.

Authentication works, but as I am still new to Spring Security I have some questions which I need answered:

  • Normally for login, I would POST the authentication information to j_spring_security_check and let Spring Security perform the actual authentication code. I would like to have protection against session fixation attacks, will I get it when I perform a programmatic login as I do? And if not, what would I have to do to get it?
  • How do I perform programmatic logout?
  • As I will use programmatic login and logout, how do I disable Spring from intercepting those URL's?

Update: For session fixation attack protection it seems that I need to call the method in the SessionUtils class with the signature startNewSessionIfRequired(HttpServletRequest request, boolean migrateAttributes, SessionRegistry sessionRegistry).

How do I get the SessionRegistry instance which I need to pass in? I can't find any way to create an alias ID for it, or how to get its ID or name.

Recommended answer

Maybe it's not a full answer to your questions, but maybe it might help you.

The code being called when you do NOT use programmatic login, but a standard one is to be found here:

org.springframework.security.ui.webapp.AuthenticationProcessingFilter

I guess you were inspired by this in your code. It looks quite similar.

Similarly the code executed when you access the /j_spring_security_logout in the standard approach, is to be found here:

org.springframework.security.ui.logout.LogoutFilter

The LogoutFilter calls multiple handlers. The handler we are using is called: org.springframework.security.ui.logout.SecurityContextLogoutHandler, so you might call the same code in your approach.
