我可以使用Spring安全性的多个安全上下文吗? [英] Can I have multiple security contexts with spring security?
问题描述
我有一个安全上下文定义,它使用PreAuthenticatedProcessingFilterEntryPoint作为我的应用程序的flex部分。如何在我的应用程序的另一部分中使用标准表单登录和html表单的另一个定义?以下是我目前所拥有的:
I have one security context definition that uses PreAuthenticatedProcessingFilterEntryPoint for the flex part of my application. How can I have another definition that will use standard form login with html forms for another part of my application? Here's what I currently have:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-2.0.1.xsd">
<http auto-config="true" access-denied-page="/admin/access-denied">
<intercept-url pattern="/admin/login*" filters="none"/>
<intercept-url pattern="/admin/access-denied" filters="none"/>
<intercept-url pattern="/admin/**/*" access="ROLE_ADMIN" />
<form-login login-page="/admin/login" authentication-failure-url="/admin/login?login_error=1"
default-target-url="/admin/index" login-processing-url="/admin/login-process"/>
<logout logout-success-url="/admin/login"/>
</http>
<global-method-security jsr250-annotations="enabled" />
<beans:bean id="preAuthenticatedEntryPoint" class="org.springframework.security.ui.preauth.PreAuthenticatedProcessingFilterEntryPoint" >
</beans:bean>
<beans:bean id="userAccountManager" class="com.mycomp.service.managers.jpa.UserAccountJpaManager" />
<beans:bean id="userService" class="com.mycomp.auth.DefaultUserDetailsService" />
<beans:bean id="defaultPasswordEncoder" class="com.mycomp.auth.DefaultPasswordEncoder" />
<authentication-provider user-service-ref="userService">
<password-encoder ref="defaultPasswordEncoder"/>
</authentication-provider>
</beans:beans>
我想做的是为管理站点中的网址使用另一个身份验证提供程序,我目前拥有的是flex应用程序。所以我希望管理网址的安全性使用另一个userDetailsService bean。
What I'd like to do is use another authentication provider for the urls that are in the admin site, the one I currently have is for the flex application. So I want the security for the admin urls to use another userDetailsService bean.
推荐答案
直到最近这一直很棘手,但是现在很容易!
It has been tricky to do until recently, but now it is easy!
Spring Security增加了对3.1版场景的支持。它目前作为候选版本提供,由 SEC-1171 实施。语法的详细信息在3.1附带的手册中。
Spring Security has added support for the scenario in version 3.1. It is currently available as a Release Candidate, implemented by SEC-1171. Details of the syntax are in the manual included with 3.1.
使用起来非常简单。基本上,您只需在Spring Security配置中定义多个 http 元素,每个上下文一个元素。我们这样使用它:
It's pretty simple to use. Basically you just define multiple http elements in your Spring Security configuration, one for each context. We're using it like this:
<!-- Configure realm for system administration users -->
<security:http pattern="/admin/**" create-session="stateless">
<security:intercept-url pattern='/**' access='ROLE_ADMIN' requires-channel="https" />
<security:custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter" />
</security:http>
<!-- Configure realm for standard users -->
<security:http auto-config="true" access-denied-page="/error/noaccess" use-expressions="true" create-session="ifRequired">
<security:form-login
...
...
</security:http>
需要注意的关键是 pattern =/ admin / **第一个。这告诉Spring, http 元素上的 / admin 下的所有URL都受该上下文而不是默认上下文的影响 - 因此 / admin 改为使用预授权过滤器。
The key thing to note is the pattern="/admin/**" on the first http element. This tells Spring that all URLs under /admin are subject to that context instead of the default context — and thus URLs under /admin use your preauthorisation filter instead.
这篇关于我可以使用Spring安全性的多个安全上下文吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
