0

我正在我的网络应用程序过滤器中运行,该过滤器从有关用户的外部源信息中接收,无论他是否登录。这是我的过滤器:

@Override
public void doFilter( ServletRequest request, ServletResponse response,
                      FilterChain chain ) throws IOException, ServletException
{
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    HttpServletResponse httpResponse = (HttpServletResponse) response;

    String loginBean = httpRequest.getHeader( CommonVariables.LOGIN_BEAN );
    if ( loginBean == null )
    {
        System.out.println( "FILTER-----------" );
        try
        {
            String login;
            String domain;
            //Here i'm getting login and domain string
            loginBean = domain + "\\" + login;
            httpResponse.addHeader( "LoginBean", loginBean );
            System.out.println( login + " " + domain );
        } catch ( Exception e )
        {
            e.printStackTrace();
            //redirect to login page
            httpResponse.sendRedirect( "..." );
            return;
        }
    }
    chain.doFilter( request, response );
}

不是我认为这些标题将被传递到下一个过滤器中。因此我实现了 Spring Security PRE_AUTH_FILTER:

Spring 安全上下文

<http use-expressions="true" auto-config="false" entry-point-ref="http403EntryPoint">
    <!-- Additional http configuration omitted -->
    <custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
</http>

<beans:bean id="siteminderFilter" class=
        "org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
    <beans:property name="principalRequestHeader" value="LoginBean"/>
    <beans:property name="authenticationManager" ref="authenticationManager" />
</beans:bean>

<beans:bean id="preauthAuthProvider"
      class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <beans:property name="preAuthenticatedUserDetailsService">
        <beans:bean id="userDetailsServiceWrapper"
              class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <beans:property name="userDetailsService" ref="userDetailsService"/>
        </beans:bean>
    </beans:property>
</beans:bean>

<beans:bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
<beans:bean id="userDetailsService" class="com.execon.security.CustomUserDetailsService"/>

<authentication-manager alias="authenticationManager">
    <authentication-provider ref="preauthAuthProvider" />
</authentication-manager>

然后我尝试在我的 CustoUserDetailsS​​ervice 中解析 loginBean 字符串并接收实际的用户对象。但它没有被解雇,应用程序因此失败:

org.springframework.security.web.authentication.preauth.PreAuthenticatedCredentialsNotFoundException: LoginBean header not found in request.

所以这意味着标题设置错误?还是根本没有设置?可能有什么问题?

过滤器设置 LoginBean 是第一个被触发的,然后是 Spring SEcurity。标准输出可以正常工作,因为我有:

17:12:15,669 INFO  [stdout] (http--127.0.0.1-8080-2) FILTER-----------
17:12:15,669 INFO  [stdout] (http--127.0.0.1-8080-2) LOGIN DOMAIN
4

1 回答 1

2

response正在request.

您可以修改传入的唯一方法HttpServletRequest是装饰它。您应该首先定义一个类,如下所示:

public class AuthHttpServletRequest extends HttpServletRequestWrapper
{
    private String loginBean;

    public AuthHttpServletRequest(HttpServletRequest aRequest, String loginBean)
    {
        super(aRequest);
        this.loginBean = loginBean;
    }

    @Override
    public String getHeader(String headerName)
    {
        if(CommonVariables.LOGIN_BEAN.equals(headerName)) {
            return this.loginBean;
        }
        return super.getHeader(headerName);
    }
}

然后,替换过滤器中的以下行:

httpResponse.addHeader( "LoginBean", loginBean );

有了这个:

request = new AuthHttpServletequest(httpRequest, loginBean);

然后,您chain.doFilter将获得可以按照您的预期将 loginBean 返回到 Spring 的身份验证过滤器类的请求,该请求位于过滤器链中。

于 2012-09-23T15:24:28.300 回答