Spring Security JAAS身份验证授权问题 [英] Spring Security JAAS Authentication Authorization Issue
问题描述
在Spring Security中使用DefaultJaasAuthenticationProvider配置进行Linux用户名/密码的登录验证。
JpamLoginModule用于身份验证。我成功通过身份验证,但我在授权方面遇到问题(ROLE_USER,ROLE_ADMIN),
正在获取HTTP状态403 - 访问被拒绝错误。
In Spring Security am using DefaultJaasAuthenticationProvider Configuration for login authentication with linux username/password. JpamLoginModule is used for authentication. I am successfull with authentication but i had problem in authoriztion(ROLE_USER,ROLE_ADMIN), am getting HTTP Status 403 - Access is denied Error.
以下配置i在spring-security.xml中使用
Following Configuration i used in spring-security.xml
<security:authentication-manager>
<security:authentication-provider ref="jaasAuthProvider" />
</security:authentication-manager>
<bean id="jaasAuthProvider" class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider">
<property name="configuration">
<bean class="org.springframework.security.authentication.jaas.memory.InMemoryConfiguration">
<constructor-arg>
<map>
<entry key="SPRINGSECURITY">
<array>
<bean class="javax.security.auth.login.AppConfigurationEntry">
<constructor-arg value="net.sf.jpam.jaas.JpamLoginModule" />
<constructor-arg>
<util:constant static-field="javax.security.auth.login.AppConfigurationEntry$LoginModuleControlFlag.REQUIRED" />
</constructor-arg>
<constructor-arg>
<map></map>
</constructor-arg>
</bean>
</array>
</entry>
</map>
</constructor-arg>
</bean>
</property>
<property name="authorityGranters">
<list>
<bean class="it.webapps.pam.RoleGranter" />
</list>
</property>
</bean>
<bean id="userDetailsService" class="it.webapps.pam.UserDetailsServiceImpl">
</bean>
RoleGranter.java代码
RoleGranter.java code
public class RoleGranter implements AuthorityGranter {
public RoleGranter() {
System.out.print("=== Creating My Authority Granter ===");
}
@Override
public Set<String> grant(Principal principal) {
return Collections.singleton("ROLE_ADMIN");
}
}
建议会非常有用
推荐答案
基于: http://jpam.sourceforge.net/xref/net/sf/jpam/jaas/JpamLoginModule.html 和 https ://github.com/spring-projects/spring-security/blob/master/core/src/main/java/org/springframework/security/authentication/jaas/AbstractJaasAuthenticationProvider.java
看起来你需要扩展JpamLoginModule来改变commit的行为。需要在扩展的JpamLoginModule中为主题分配主体。然后,AbstractJaasAuthenticationProvider(DefaultJaasAuthenticationProvider)将遍历这些主体并将它们发送到您的authorityGranters(RoleGranter)。
Looks like you need to extend JpamLoginModule to change commit's behaviour. There needs to be principals assigned into the subject in your extended JpamLoginModule. Then AbstractJaasAuthenticationProvider (DefaultJaasAuthenticationProvider) will loop through these principals and send them to your authorityGranters (RoleGranter).
<authentication-manager>
<authentication-provider ref="jaasAuthProvider" />
</authentication-manager>
<beans:bean id="userService" class="blah.UserDetailsServiceImpl" />
<beans:bean id="jaasAuthProvider" class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider">
<beans:property name="configuration">
<beans:bean class="org.springframework.security.authentication.jaas.memory.InMemoryConfiguration">
<beans:constructor-arg>
<beans:map>
<beans:entry key="SPRINGSECURITY">
<beans:array>
<beans:bean class="javax.security.auth.login.AppConfigurationEntry">
<beans:constructor-arg value="blah.RoleGrantingJpamLoginModule" />
<beans:constructor-arg>
<util:constant static-field="javax.security.auth.login.AppConfigurationEntry$LoginModuleControlFlag.REQUIRED" />
</beans:constructor-arg>
<beans:constructor-arg>
<beans:map></beans:map>
</beans:constructor-arg>
</beans:bean>
</beans:array>
</beans:entry>
</beans:map>
</beans:constructor-arg>
</beans:bean>
</beans:property>
<beans:property name="authorityGranters">
<beans:list>
<beans:bean class="blah.RoleGranter" />
</beans:list>
</beans:property>
</beans:bean>
package blah;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import net.sf.jpam.jaas.JpamLoginModule;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
public class RoleGrantingJpamLoginModule extends JpamLoginModule {
private Subject subject;
@Override
public void initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler callbackHandler, java.util.Map sharedState, java.util.Map options) {
super.initialize(subject, callbackHandler, sharedState, options);
this.subject = subject;
}
@Override
public boolean commit() throws LoginException {
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(null, null);
subject.getPrincipals().add(token);
return super.commit();
}
}
package blah;
import static java.util.Arrays.asList;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
public class UserDetailsServiceImpl implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
return new User(username, "password", asList(new SimpleGrantedAuthority("ROLE_ADMIN")));
}
}
这篇关于Spring Security JAAS身份验证授权问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
