Spring Security JAAS身份验证授权问题

本文介绍了Spring Security JAAS身份验证授权问题的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

在Spring Security中使用DefaultJaasAuthenticationProvider配置进行Linux用户名/密码的登录验证。 JpamLoginModule用于身份验证。我成功通过身份验证，但我在授权方面遇到问题（ROLE_USER，ROLE_ADMIN），正在获取HTTP状态403 - 访问被拒绝错误。

In Spring Security am using DefaultJaasAuthenticationProvider Configuration for login authentication with linux username/password. JpamLoginModule is used for authentication. I am successfull with authentication but i had problem in authoriztion(ROLE_USER,ROLE_ADMIN), am getting HTTP Status 403 - Access is denied Error.

以下配置i在spring-security.xml中使用

Following Configuration i used in spring-security.xml

<security:authentication-manager> <security:authentication-provider ref="jaasAuthProvider" /> </security:authentication-manager> <bean id="jaasAuthProvider" class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider"> <property name="configuration"> <bean class="org.springframework.security.authentication.jaas.memory.InMemoryConfiguration"> <constructor-arg> <map> <entry key="SPRINGSECURITY"> <array> <bean class="javax.security.auth.login.AppConfigurationEntry"> <constructor-arg value="net.sf.jpam.jaas.JpamLoginModule" /> <constructor-arg> <util:constant static-field="javax.security.auth.login.AppConfigurationEntry$LoginModuleControlFlag.REQUIRED" /> </constructor-arg> <constructor-arg> <map></map> </constructor-arg> </bean> </array> </entry> </map> </constructor-arg> </bean> </property> <property name="authorityGranters"> <list> <bean class="it.webapps.pam.RoleGranter" /> </list> </property> </bean> <bean id="userDetailsService" class="it.webapps.pam.UserDetailsServiceImpl"> </bean>

RoleGranter.java代码

RoleGranter.java code

public class RoleGranter implements AuthorityGranter { public RoleGranter() { System.out.print("=== Creating My Authority Granter ==="); } @Override public Set<String> grant(Principal principal) { return Collections.singleton("ROLE_ADMIN"); }

}

建议会非常有用

推荐答案

基于： jpam.sourceforge/xref/net/sf/jpam/jaas/JpamLoginModule.html 和 https ：//github/spring-projects/spring-security/blob/master/core/src/main/java/org/springframework/security/authentication/jaas/AbstractJaasAuthenticationProvider.java

看起来你需要扩展JpamLoginModule来改变commit的行为。需要在扩展的JpamLoginModule中为主题分配主体。然后，AbstractJaasAuthenticationProvider（DefaultJaasAuthenticationProvider）将遍历这些主体并将它们发送到您的authorityGranters（RoleGranter）。

Looks like you need to extend JpamLoginModule to change commit's behaviour. There needs to be principals assigned into the subject in your extended JpamLoginModule. Then AbstractJaasAuthenticationProvider (DefaultJaasAuthenticationProvider) will loop through these principals and send them to your authorityGranters (RoleGranter).

<authentication-manager> <authentication-provider ref="jaasAuthProvider" /> </authentication-manager> <beans:bean id="userService" class="blah.UserDetailsServiceImpl" /> <beans:bean id="jaasAuthProvider" class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider"> <beans:property name="configuration"> <beans:bean class="org.springframework.security.authentication.jaas.memory.InMemoryConfiguration"> <beans:constructor-arg> <beans:map> <beans:entry key="SPRINGSECURITY"> <beans:array> <beans:bean class="javax.security.auth.login.AppConfigurationEntry"> <beans:constructor-arg value="blah.RoleGrantingJpamLoginModule" /> <beans:constructor-arg> <util:constant static-field="javax.security.auth.login.AppConfigurationEntry$LoginModuleControlFlag.REQUIRED" /> </beans:constructor-arg> <beans:constructor-arg> <beans:map></beans:map> </beans:constructor-arg> </beans:bean> </beans:array> </beans:entry> </beans:map> </beans:constructor-arg> </beans:bean> </beans:property> <beans:property name="authorityGranters"> <beans:list> <beans:bean class="blah.RoleGranter" /> </beans:list> </beans:property> </beans:bean> package blah; import javax.security.auth.Subject; import javax.security.auth.login.LoginException; import net.sf.jpam.jaas.JpamLoginModule; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; public class RoleGrantingJpamLoginModule extends JpamLoginModule { private Subject subject; @Override public void initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler callbackHandler, java.util.Map sharedState, java.util.Map options) { super.initialize(subject, callbackHandler, sharedState, options); this.subject = subject; } @Override public boolean commit() throws LoginException { UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(null, null); subject.getPrincipals().add(token); return supermit(); } } package blah; import static java.util.Arrays.asList; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; public class UserDetailsServiceImpl implements UserDetailsService { @Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { return new User(username, "password", asList(new SimpleGrantedAuthority("ROLE_ADMIN"))); } }