Spring Security With X.509 Certificate


Problem description

I am slowly going insane trying to configure Spring Security 3.0.0 to secure an application.

I have configured the server (jetty) to require client authentication (using a smart card). However, I cannot seem to get the applicationContext-security.xml and UserDetailsService implementation right.

First, from the application context file:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:context="http://www.springframework.org/schema/context"
   xmlns:security="http://www.springframework.org/schema/security"
   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- Enables @Secured on service-layer methods -->
    <security:global-method-security secured-annotations="enabled" />

    <!-- auto-config="true" also registers the form-login, HTTP Basic and logout filters -->
    <security:http auto-config="true">
        <!-- Every URL is open to anonymous users, but only over HTTPS -->
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
        <!-- Take the CN out of the client certificate's subject and look it up through accountService -->
        <security:x509 subject-principal-regex="CN=(.*?)," user-service-ref="accountService" />
    </security:http>

    <bean id="accountService" class="com.app.service.AccountServiceImpl"/>

</beans>

The UserDetailsService looks like this:

package com.app.service;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.DataAccessException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class AccountServiceImpl implements AccountService, UserDetailsService {

    private static final Log log = LogFactory.getLog(AccountServiceImpl.class);

    private AccountDao accountDao;

    @Autowired
    public void setAccountDao(AccountDao accountDao) {
        this.accountDao = accountDao;
    }

    /**
     * Called by the x509 filter with the value captured by subject-principal-regex.
     * Account has to implement UserDetails for the return below to compile.
     */
    public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException, DataAccessException {
        log.debug("called loadUserByUsername() with " + s);

        Account result = accountDao.getByEdpi(s);
        if (result == null) {
            // Returning null here leads to a NullPointerException inside Spring Security;
            // the UserDetailsService contract is to throw UsernameNotFoundException instead.
            throw new UsernameNotFoundException("No account for certificate subject " + s);
        }
        return result;
    }
}

The application has a "front page" with a Login button, so access to that should not require any sort of authentication.

Any help is appreciated.
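The subject-principal-regex from the question, exercised against a few constructed subject DNs. This is an added example, not code from the original post: the extractor below copies what Spring Security's SubjectDnX509PrincipalExtractor does (a case-insensitive regex over the subject DN string, which Spring 3.0 reads via getSubjectDN().getName(); capture group 1 becomes the username), and the DN strings are made up for the demo.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Stand-alone model of how the x509 filter turns a certificate subject into a username.
 * No real certificate is parsed; the DN strings are constructed sample input.
 */
public class SubjectDnExtractorDemo {

    // Regex exactly as written in the question's <security:x509 subject-principal-regex="..."/>
    static final String QUESTION_REGEX = "CN=(.*?),";

    // Spring Security's default for subject-principal-regex: CN may also be the last RDN
    static final String DEFAULT_REGEX = "CN=(.*?)(?:,|$)";

    /**
     * Returns the principal, or null when the regex does not match.
     * Spring's extractor throws BadCredentialsException in the null case, so the
     * certificate is rejected even though the TLS handshake succeeded.
     */
    static String extractPrincipal(String subjectDn, String regex) {
        Matcher m = Pattern.compile(regex, Pattern.CASE_INSENSITIVE).matcher(subjectDn);
        return m.find() ? m.group(1) : null;
    }

    public static void main(String[] args) {
        // Constructed subject DNs (the separator style ", " vs "," depends on the JDK's
        // toString of the subject, which is one more reason not to rely on a trailing comma).
        String[] subjects = {
            "CN=alice, OU=Users, O=Example",     // CN first: both regexes give "alice"
            "O=Example, OU=Users, CN=bob",       // CN last: question regex gives null, default gives "bob"
            "CN=Smith\\, John, O=Example",       // escaped comma in CN: both regexes stop at the backslash
        };

        for (String dn : subjects) {
            System.out.printf("%-32s question regex -> %-8s default regex -> %s%n",
                    dn,
                    extractPrincipal(dn, QUESTION_REGEX),
                    extractPrincipal(dn, DEFAULT_REGEX));
        }
    }
}
```

Two things to take away: with `CN=(.*?),` a smart card whose CN is the last RDN never matches, so the x509 filter rejects a certificate the container already accepted, while the default `CN=(.*?)(?:,|$)` handles both orderings; and neither regex copes with an escaped comma inside the CN, so if the PKI issues such names the username has to be taken from another attribute (or a custom X509PrincipalExtractor) rather than from a lazy comma-delimited match.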

Recommended answer


The application has a "front page" with a Login button, so access to that should not require any sort of authentication.

Something is wrong here. If you set up your servlet container to require client authentication, you cannot have such an open-for-all page; in that case the auth handshake won't succeed for users without a smartcard and they won't even see the container error page. It will be a browser error instead.

It can be done by making the container allow client auth, making the login page open to anonymous users and securing the other pages with SpringSec. But I won't recommend this for a smartcard-PKI app. Smartcard auth implies security importance, and it's more reliable to have non-smartcard users thrown out early at the container handshake. In that case you can still have a user-friendly Login page on another port with a "Login" button linked to your app.

If you need help with SpringSecurity setup, please add more info about problems to your post.
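The two container modes the answer contrasts, as an added example rather than code from the original post or from Jetty: an embedded Jetty 9.4 setup (assumed; the question does not say which Jetty version is in use) with a TLS connector that either requires or merely allows a client certificate, plus a plain-HTTP port for the landing page the answer suggests. Keystore paths, passwords, app.war and the landing directory are placeholders.

```java
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.ContextHandler;
import org.eclipse.jetty.server.handler.ContextHandlerCollection;
import org.eclipse.jetty.server.handler.ResourceHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.webapp.WebAppContext;

public class SmartcardJetty {

    /**
     * TLS connector. With requireClientCert=true the handshake itself fails when no client
     * certificate is presented; with false the certificate is requested but optional, and
     * Spring Security has to gate every protected URL itself.
     */
    static ServerConnector tls(Server server, String name, int port, boolean requireClientCert) {
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath("etc/server.jks");          // placeholder: server key pair
        ssl.setKeyStorePassword("changeit");            // placeholder
        ssl.setTrustStorePath("etc/smartcard-ca.jks");  // placeholder: only the CA(s) that issue the smart-card certs
        ssl.setTrustStorePassword("changeit");          // placeholder
        if (requireClientCert) {
            ssl.setNeedClientAuth(true);   // "require": no cert -> TLS alert, browser error, request never reaches the app
        } else {
            ssl.setWantClientAuth(true);   // "allow": anonymous front page works, x509 filter sees a cert only when present
        }

        HttpConfiguration https = new HttpConfiguration();
        // Exposes the verified client cert as the javax.servlet.request.X509Certificate attribute Spring reads
        https.addCustomizer(new SecureRequestCustomizer());

        ServerConnector c = new ServerConnector(server,
                new SslConnectionFactory(ssl, "http/1.1"),
                new HttpConnectionFactory(https));
        c.setName(name);
        c.setPort(port);
        return c;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();

        // 8443: the application. Smart card mandatory at the handshake, as the answer recommends.
        server.addConnector(tls(server, "app", 8443, true));

        // 8080: plain-HTTP landing page whose "Login" button simply links to https://host:8443/
        ServerConnector landingConnector = new ServerConnector(server);
        landingConnector.setName("landing");
        landingConnector.setPort(8080);
        server.addConnector(landingConnector);

        // Bind each context to exactly one connector with Jetty's "@connectorName" virtual-host syntax.
        WebAppContext app = new WebAppContext("app.war", "/");   // placeholder: the Spring-secured webapp
        app.setVirtualHosts(new String[] { "@app" });

        ResourceHandler staticFiles = new ResourceHandler();
        staticFiles.setResourceBase("landing");                   // placeholder: directory holding index.html
        ContextHandler landing = new ContextHandler("/");
        landing.setHandler(staticFiles);
        landing.setVirtualHosts(new String[] { "@landing" });

        ContextHandlerCollection contexts = new ContextHandlerCollection();
        contexts.setHandlers(new Handler[] { app, landing });
        server.setHandler(contexts);

        server.start();
        server.join();
    }
}
```

If you do choose the "allow" variant instead (tls(..., false) on a single port), the question's Spring config has to change with it: the front page gets an intercept-url of its own with IS_AUTHENTICATED_ANONYMOUSLY and the catch-all /** pattern must require a real role, otherwise the x509 filter is never what decides access. In the "require" variant the container has already refused everyone without a card, and Spring Security's job reduces to mapping the subject to an account.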
