Container Managed Security, Spring Security and Authentication

Updated: 2024-10-24 20:22:04

Problem description

I have been looking everywhere on how I can implement Spring Security based on a Container Managed Security Model. In my test case, I am using Tomcat and its corresponding tomcat-users.xml file. The issue is, I cannot get Spring Security to play well (meaning pass authentication over to Tomcat) to let the app server perform the authentication and have Spring manage the role-based security once someone is authenticated. I am using the latest Spring versions, so it's all Java config as I am just not familiar enough with XML-based config. I have read many examples that talk about using a PreAuthenticatedAuthenticationProvider, but the examples are poor, not to mention the Spring documentation is quite confusing IMHO. I even downloaded the sample preauth code from the Spring Security GitHub but I still cannot see how the example code is tied to the authentication that Tomcat is performing. When I run the Spring sample code for preauth, it doesn't authenticate with any of the users in my tomcat-users XML file as I deployed my code to Tomcat 8. Wondering if anyone has any ideas on where I can look in order to understand how Spring Security and the authentication performed by Tomcat (container managed) happens?

UPDATE: It appears I had to start from scratch and simply get the authentication to work with a very simple app created in my IDE. Basically I had a folder that was called secure, one folder that was called unsecure and I mapped the paths according to the Servlet 3 spec to secure and unsecure what I needed. I had to use a web.xml in order to contain the security constraints. Once I tested in both Tomcat 7 and 8, where I tried to hit a secure URL, I was challenged to enter an ID and password. Please note you have to define the path to a login page; mine was a simple JSP. I also had to submit to the j_security_check and also make sure to use the j_username and j_password field names. Once I knew I could hit a secure page, I then started introducing the Spring components. This involved Spring Security, Spring Boot etc. The key was in the WebSecurityConfigurerAdapter. Where I normally would have basic auth or form-based security enabled, I removed those and instead used the jee() setting based on the same fluent builder API used to configure your security settings. I left all antmatcher settings in the web.xml, so my WebSecurityConfigurerAdapter was very basic. When you are debugging controllers, you can inject the HttpServletRequest directly in the method and that request contains a userPrincipal request value containing things such as the user ID and roles. Good luck, hope this helps others because it was painfully long for me to figure out such a simple solution.

Recommended answer

See the update for a detailed explanation on my solution.
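
The setup described in the update, sketched as an added example that is not the poster's own code: Tomcat performs the FORM login declared in web.xml, and `jee()` maps the container principal and roles into Spring Security. It assumes Spring Security 5.x on the `javax.servlet` API; the role names `USER` and `ADMIN`, the `/secure/whoami` path and the `authorizeRequests()` rules are assumptions for illustration (the poster kept all path rules in web.xml).

```java
import java.security.Principal;
import javax.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Assumed role names: they must match the rolename entries in tomcat-users.xml
// and the <security-role> declarations in web.xml.
@Configuration
@EnableWebSecurity
public class ContainerAuthSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // No formLogin()/httpBasic(): Tomcat's j_security_check does the login.
            // jee() adds a pre-authentication filter that reads request.getUserPrincipal()
            // and calls request.isUserInRole() for each role listed here.
            .jee().mappableRoles("USER", "ADMIN") // exposed to Spring as ROLE_USER / ROLE_ADMIN
            .and()
            .authorizeRequests()
                // Optional second layer on top of the web.xml security constraints.
                .antMatchers("/secure/admin/**").hasRole("ADMIN")
                .antMatchers("/secure/**").authenticated()
                .anyRequest().permitAll();
    }
}

// Hypothetical debugging endpoint: shows what the container and Spring each see.
@RestController
class WhoAmIController {

    @GetMapping("/secure/whoami")
    String whoAmI(HttpServletRequest request) {
        Principal containerUser = request.getUserPrincipal(); // set by Tomcat after login
        Authentication springAuth = SecurityContextHolder.getContext().getAuthentication();
        return "container principal=" + (containerUser == null ? "none" : containerUser.getName())
                + ", spring authorities=" + springAuth.getAuthorities();
    }
}
```

A Tomcat role that is not listed in `mappableRoles(...)` is never queried, so a user holding only that role is authenticated by the container but receives no Spring authorities.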

Published: 2023-05-25 10:39:46
Article link: https://www.elefans.com/category/jswz/34/226426.html