Spring security without form login


Question

I have implemented a Spring Security expression in my application's Spring controller:

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
@RequestMapping("init")
public class InitController {
    // Method-level check; only evaluated when pre/post annotations are enabled
    // via <global-method-security pre-post-annotations="enabled"/>
    @PreAuthorize("hasRole('ROLE_ADMIN')")
    @RequestMapping(value = "/", method = RequestMethod.GET)
    public @ResponseBody String home(){
        return "This is the init page";
    }
}

With this security configuration:

<http auto-config="true" create-session="stateless" use-expressions="true">
    <intercept-url pattern="/_ah*" access="permitAll" />
    <intercept-url pattern="/init/*" access="hasRole('ROLE_ADMIN')"/>
    <intercept-url pattern="/init*" access="hasRole('ROLE_ADMIN')"/>
</http>

When this resource is accessed, the default Spring login form is displayed (http://localhost:8888/spring_security_login). However, I don't want this to happen; I just want the credentials to be inserted in a request header like "x-authorization-key" or whatever fits the scenario.

What is the possible solution for this?


  • Is it good to just have the x-authorization-key in the request header?

  • If so, how does it fit with the Spring Security mechanism, that is, how does it fit with the "hasRole" expression?

  • It is important that my web service is stateless and that each request gets authenticated.

  • Finally, how do I deal with Spring Security without having to deal with the Spring login form?

Answer

You should probably read the description of what auto-config does, then remove it to disable form-login. Your configuration will be clearer if you specifically configure what you want to use.

It's not clear from your question what you want to be included in the x-authorization-key header. If you are just authenticating with a client ID and shared secret, then you might as well use basic authentication, since it is already supported out of the box and you can just add <http-basic /> to your configuration. If you have something more customized in mind, then you will probably have to implement a custom filter and add it to the Spring Security filter chain to extract the credentials and process them.

How your authentication mechanism fits is also dependent on what it actually consists of. Normally your users will have assigned roles which are loaded when they authenticate, usually from a database of some kind. The hasRole expression simply checks whether the current user has the specified role. Often you will only need to create a UserDetailsService which loads your user information in a standard format that is easily plugged into the framework. This is covered at length elsewhere. If you really need something more customized, this blog article on GAE integration includes details of how you might go about integrating with a more complicated system.

Spring Security will not create or use a session if you use create-session='stateless'.

P.S. You don't really need to include the same security attributes both at the URL level and on the controller which handles the same URL.
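The answer above describes the pieces (drop auto-config so no form login is registered, keep the session stateless, add a custom filter that pulls the credential out of the header, and map it to a principal with roles that hasRole can check) but does not show them wired together. The following is an added example, not code from the original question or answer, using Spring Security's Java configuration (assumed: Spring Security 3.2 to 5.x, where WebSecurityConfigurerAdapter exists) as the equivalent of the asker's XML namespace setup. The header name x-authorization-key is the asker's; the key-to-user map, the ApiUser record and the demo key value are constructed for the example and stand in for a real UserDetailsService or database lookup.

```java
package example.security;

import java.io.IOException;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Added example (not from the original post): stateless, header-based
 * authentication for Spring Security. No form login, no HttpSession,
 * one credential lookup per request. Assumes Spring Security 3.2 to 5.x.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // makes @PreAuthorize on the controller work
public class ApiKeySecurityConfig extends WebSecurityConfigurerAdapter {

    /** Header name chosen by the asker; any name works as long as the filter reads it. */
    static final String HEADER = "x-authorization-key";

    /** Hypothetical record of what a key resolves to; a real app loads this from a UserDetailsService/DB. */
    static final class ApiUser {
        final String name;
        final List<GrantedAuthority> authorities;
        ApiUser(String name, String... roles) {
            this.name = name;
            this.authorities = AuthorityUtils.createAuthorityList(roles);
        }
    }

    /** Authenticates a single request from the header and never touches the HttpSession. */
    static final class ApiKeyFilter extends OncePerRequestFilter {
        private final Map<String, ApiUser> keys;
        ApiKeyFilter(Map<String, ApiUser> keys) { this.keys = keys; }

        @Override
        protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
                throws ServletException, IOException {
            String key = req.getHeader(HEADER);
            ApiUser user = (key == null) ? null : keys.get(key);
            if (user != null) {
                // Three-arg constructor marks the token authenticated; roles come from the lookup,
                // which is what hasRole('ROLE_ADMIN') later checks against.
                UsernamePasswordAuthenticationToken auth =
                        new UsernamePasswordAuthenticationToken(user.name, null, user.authorities);
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
            // Missing or unknown key: the context stays empty, so protected URLs hit the
            // entry point below (403) instead of a redirect to /spring_security_login.
            chain.doFilter(req, res);
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Constructed sample key store for the example; production stores key hashes, not raw keys.
        Map<String, ApiUser> keys = Collections.singletonMap(
                "demo-admin-key-change-me", new ApiUser("admin", "ROLE_ADMIN"));

        http
            .csrf().disable()                                   // no cookie session, so no CSRF surface
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint()).and()
            .addFilterBefore(new ApiKeyFilter(keys), UsernamePasswordAuthenticationFilter.class)
            .authorizeRequests()
                .antMatchers("/_ah/**").permitAll()
                .antMatchers("/init", "/init/**").hasRole("ADMIN") // hasRole() adds the ROLE_ prefix
                .anyRequest().authenticated();
        // Deliberately no .formLogin(): the Java-config counterpart of removing auto-config.
        // If the header only carries a client id and shared secret, drop the filter and use .httpBasic().
    }
}
```

Two caveats a practitioner would check: the filter does not stop the chain when the key is absent, so permitAll endpoints keep working and everything else fails closed through the entry point; and because the key is a bearer credential sent on every request, it must only travel over TLS and should be stored server-side as a hash rather than in clear.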
