
我在 AuthenticationManager 中引用了一个 &lt;password-encoder&gt; 和 CustomDetailService。在所有其他安全过滤器（并发控制、customLogoutFilter 等）之后，我在 spring-security 配置中添加了以下 bean 和 &lt;http auto-config="false" ..&gt;：

    <?xml version="1.0" encoding="UTF-8"?>
    <!-- NOTE(review): the xmlns:xsi value below is broken across two lines. An attribute value must be the
         single string http://www.w3.org/2001/XMLSchema-instance; with the embedded line break the xsi
         prefix is bound to a different (meaningless) URI and the xsi:schemaLocation hint is not recognised. -->
    <beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org
      /2001/XMLSchema-instance"
xsi:schemaLocation="
    http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
    http://www.springframework.org/schema/security
    http://www.springframework.org/schema/security/spring-security-3.0.xsd">

<!-- Disable annotation-based method security (only URL-based rules in <http> below apply) -->
<global-method-security secured-annotations="disabled" />

<!-- Shared registry of live sessions; used by both the concurrency strategy and the concurrency filter -->
<beans:bean id="sessionRegistry"
    class="org.springframework.security.core.session.SessionRegistryImpl" />

<!-- Service that provides user credentials for use by the authentication provider -->
<beans:bean id="customDetailService" class="xxx.security.CustomDetailService" />

<!-- Password encoder used by the authentication provider below. The hashing it applies lives in
     xxx.security.XyzPasswordEncoder (not shown here). -->
<beans:bean class="xxx.security.XyzPasswordEncoder" id="passwordEncoder" />

<!-- Get an alias to the default authentication manager -->
<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="customDetailService">
        <password-encoder ref="passwordEncoder" />
    </authentication-provider>
</authentication-manager>

<!-- Register an exception filter that takes an entry point.
     NOTE(review): only authenticationEntryPoint is referenced by <http entry-point-ref> below; this
     ExceptionTranslationFilter bean is not wired in as a custom-filter in the visible part of <http>,
     so it may be unused unless the omitted part references it. -->
<beans:bean id="exceptionTranslationFilter"
    class="org.springframework.security.web.access.ExceptionTranslationFilter">
    <beans:property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
    <beans:property name="accessDeniedHandler" ref="accessDeniedHandler" />
</beans:bean>
<!-- Unauthenticated requests to a protected URL are redirected to this login page -->
<beans:bean id="authenticationEntryPoint"
    class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:property name="loginFormUrl" value="/public/auth/login.htmlx" />
</beans:bean>
<!-- Authenticated requests that fail an access rule are forwarded to this page -->
<beans:bean id="accessDeniedHandler"
    class="org.springframework.security.web.access.AccessDeniedHandlerImpl">
    <beans:property name="errorPage" value="/error/access-denied.jsp" />
</beans:bean>

<!-- Register a custom authentication filter and register success/failure 
    handlers. No filterProcessesUrl is set, so the class default login URL applies. -->
<beans:bean id="customAuthenticationFilter"
    class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <beans:property name="authenticationManager" ref="authenticationManager" />
    <!-- Session handling at login is delegated to the concurrency strategy, not to <session-management> -->
    <beans:property name="sessionAuthenticationStrategy"
        ref="concurrentSessionControlStrategy" />
    <beans:property name="authenticationSuccessHandler"
        ref="loginSuccessHandler" />
    <beans:property name="authenticationFailureHandler"
        ref="loginFailureHandler" />
</beans:bean>

<!-- Per-user session limit applied at login time.
     NOTE(review): maximumSessions is left at the class default; confirm it matches the limit the
     concurrencyFilter comment below describes. -->
<beans:bean id="concurrentSessionControlStrategy"
    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <beans:constructor-arg name="sessionRegistry"
        ref="sessionRegistry" />
</beans:bean>
<beans:bean id="loginSuccessHandler"
    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl" value="/LoginSuccess" />
</beans:bean>
<beans:bean id="loginFailureHandler"
    class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <beans:property name="defaultFailureUrl" value="/LoginFailed" />
</beans:bean>

<!-- Register a custom logout filter (xxx.security.LogoutFilterWrapper, not shown); it selects one of
     three post-logout pages, presumably by role and by whether the session timed out -->
<beans:bean id="customLogoutFilter" class="xxx.security.LogoutFilterWrapper">
    <beans:property name="logoutSuccessfulUrl" value="/public/auth/login.htmlx" />
    <beans:property name="logoutSuccessfulUrlAdmin" value="/public/auth/admlogin.htmlx" />
    <beans:property name="logoutSuccessfulUrlInactivity"
        value="/public/auth/timedout.htmlx" />
</beans:bean>

<!-- Register a concurrent session filter. This will limit the number of 
    sessions a user can have.
    NOTE(review): this filter rejects requests whose session the registry has marked as expired and
    sends them to expiredUrl; the limit itself is enforced by concurrentSessionControlStrategy at login. -->
<beans:bean id="concurrencyFilter"
    class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <beans:property name="sessionRegistry" ref="sessionRegistry" />
    <beans:property name="expiredUrl"
        value="/public/error/multi-login-not-supported.htmlx" />
</beans:bean>

<!-- Register a filter to log in as a different user.
     NOTE(review): SwitchUserFilter does not itself decide who is allowed to impersonate; that must be
     done with an <intercept-url> for switchUserUrl (/j_spring_security_switch_user) restricted to an
     administrative role. No such rule is visible in the <http> block below (part of it is omitted), so
     without one any caller who reaches the URL with a valid target username can switch user.
     The target user is read from a request parameter (default name j_username), which is why a JSF
     form whose input is submitted under a prefixed client id does not reach this filter. -->    
<beans:bean id="switchUserProcessingFilter" class="org.springframework.security.web.authentication.switchuser.SwitchUserFilter">
    <beans:property name="userDetailsService" ref="customDetailService" />
    <beans:property name="switchUserUrl" value="/j_spring_security_switch_user" />
    <beans:property name="exitUserUrl" value="/j_spring_security_exit_user" />
    <beans:property name="targetUrl" value="/" />
</beans:bean>


<http auto-config="false" entry-point-ref="authenticationEntryPoint">

    <!-- Replace the namespace-provided filters at these positions with the beans defined above -->
    <custom-filter position="FORM_LOGIN_FILTER" ref="customAuthenticationFilter" />
    <custom-filter position="LOGOUT_FILTER" ref="customLogoutFilter" />
    <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
        <custom-filter position="SWITCH_USER_FILTER" ref="switchUserProcessingFilter" />

            <!-- NOTE(review): "none" turns off the namespace's own session-fixation protection (no new
                 session id on login). Whether the session id still changes at login then depends only on
                 concurrentSessionControlStrategy wired into customAuthenticationFilter; confirm that is
                 intended rather than leaving the pre-login session id in use after authentication. -->
            <session-management session-fixation-protection="none" />

    <!-- Configure the filter security interceptor. URL patterns default to 
        Apache Ant path syntax; the first matching pattern wins, so order matters -->
    <intercept-url pattern="/**/xyz_product*" access="ROLE_XYZ_PRODUCT" />
    <intercept-url pattern="/root/user/index.htmlx" access="ROLE_XYZ_PRODUCT" />

    <!-- Allow unrestricted access to assets.
         NOTE(review): filters="none" removes the entire security filter chain for matching requests,
         not just the access check; no SecurityContext, session-concurrency or logout handling runs there. -->
    <intercept-url pattern="/assets/**" filters="none" />

    <!-- Allow unrestricted access to public areas (same filters="none" caveat as above) -->
    <intercept-url pattern="/public/**" filters="none" />

    <!-- Allow unrestricted access to generated resources.
         NOTE(review): if the FacesServlet is also reachable under a /faces/ prefix mapping, application
         views requested through that prefix bypass every rule below; verify what /faces/** resolves to. -->
    <intercept-url pattern="/faces/**" filters="none" />

    <!-- Enforce role-based access for login success servlet -->
    <intercept-url pattern="/LoginSuccess"
        access="ROLE_RESTRICTED,ROLE_ADMIN,ROLE_ADMIN_APP,ROLE_PHYSICIAN,ROLE_NURSE" />

    <!-- Enforce role-based access for user area -->
    <intercept-url pattern="/root/user/**" access="ROLE_PHYSICIAN,ROLE_NURSE" />

    <!-- Enforce role-based access for admin area.
         NOTE(review): a single * matches one path segment only, so /root/admin/a/b is not covered by this
         rule; only /root/admin/user/** is covered by the next one. Deeper admin paths fall through to
         whatever catch-all rule exists in the omitted part. -->
    <intercept-url pattern="/root/admin/*" access="ROLE_ADMIN,ROLE_ADMIN_APP" />

    <intercept-url pattern="/root/admin/user/**" access="ROLE_ADMIN,ROLE_ADMIN_APP" />


    // ommitted ...

     </http>

    </beans:beans>

这是我的 facelets 页面:

<!-- NOTE(review): SwitchUserFilter looks for the target user in a request parameter named j_username.
     Inside <h:form> this input is submitted under its JSF client id (the form id is prefixed), so the
     parameter name that reaches the filter is likely not the plain "j_username"; check the rendered name. -->
<h:form>
    <h:inputText id="j_username" value="" styleClass="textInput" size="50"/>    
    <!-- NOTE(review): action="/j_spring_security_switch_user" is handled as a JSF action outcome by the
         FacesServlet rather than submitting this form directly to the switch-user URL; the accepted
         answer below reports that going through a controller instead does deliver the parameter. -->
    <p>Click <h:commandLink value="here" action="/j_spring_security_switch_user"/> to switch to 
        user </p>
</h:form>

日志中的错误:

org.springframework.security.web.access.intercept.FilterSecurityInterceptor - RunAsManager 没有改变 Authentication 对象




我已经解决了这个问题。问题在于，当我把 JSF 操作绑定到“/j_spring_security_switch_user”时，我的 JSF 页面并没有把 j_username 参数发送给 SwitchUserFilter。但是，通过控制器绑定的直通方式是有效的。

我在这里写了我的经验:

http://www.reverttoconsole.com/blog/spring/switch-user-su-like-behavior-in-spring/

于 2012-10-29T05:40:07.477 回答