Spring中的自定义身份验证 [英] Custom authentication in Spring

问题描述

我有一个问题。在Struts中，我有一个处理用户身份验证的Action，即我获取了用户的凭据并使用DAO来验证用户凭据。我想在Spring中保持相同的设置。我正在使用Spring 3.0.3 RELEASE。

I have a question. In Struts, I have an Action that deals with user authentication, i.e., I took the user's credentials and used a DAO to validate user credentials. I want to maintain the same setup in Spring. I'm using Spring 3.0.3 RELEASE.

我的问题是，我读过Spring Security，并在那里指定JDBC后端验证提供程序。我想知道，如果用户点击登录它会将凭据提交给我的控制器以检查有效身份验证，该怎么办？

My question is, I've read Spring Security and in there it specifies JDBC backend "Validation" provider. I want to know, how would, if the user clicked "login" that it submits the credentials to my controller to check for valid authentication?

我想做的原因这就是我有一个处理用户身份验证和授权的服务。

The reason I want to do this that way is that I have a Service that handles user authentication and authorization.

提前致谢。

PS 如何在Spring中使某些控制器安全？

PPS 我是Spring的新手

PS How do I make some controller secure in Spring?
PPS I'm new to Spring

推荐答案

你可以创建一个自定义身份验证提供程序，它实现 org.springframework.security.authentication.AuthenticationProvider 这样的

You can create a custom authentication provider that implements org.springframework.security.authentication.AuthenticationProvider like this

package com.bzone.example;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;


public class CustomAuthenticationProvider implements AuthenticationProvider{

    @Override
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        // TODO call custom service or do whatever you want 
        return null;
    }

    @Override
    public boolean supports(Class<? extends Object> authentication) {
        // copied it from AbstractUserDetailsAuthenticationProvider
        return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));
    }

}

再一步是配置弹簧使用此自定义身份验证提供程序的安全性

one more step is to configure spring security to use this custom authentication provider

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- HTTP security configurations -->
    <http auto-config="true" use-expressions="true">
        <form-login login-processing-url="/static/j_spring_security_check" login-page="/login" authentication-failure-url="/login?login_error=t"/>
        <logout logout-url="/static/j_spring_security_logout"/>

        <!-- Configure these elements to secure URIs in your application -->
        <intercept-url pattern="/member/**" access="isAuthenticated()" />
        <intercept-url pattern="/resources/**" access="permitAll" />
        <intercept-url pattern="/static/**" access="permitAll" />
        <intercept-url pattern="/**" access="permitAll" />
    </http>

    <!-- Configure Authentication mechanism -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="com.bzone.example.CustomAuthenticationProvider" />
    </authentication-manager>

</beans:beans>

这篇关于Spring中的自定义身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！