我正在更新旧程序以使用 Spring Security。以前,它使用 Acegi 安全性,并在初始检查 SSO 标头后将凭据缓存到会话 cookie 中;使用 Spring Security 3.1.4,我能够让程序检查 SSO 用户名标头(SM_USER - 不,我们不再使用 Siteminder,但是当我们切换到 OAM 时,为了避免痛苦的软件更新,我们将 OAM 配置为将 SM_USER 标头插入请求中),并在 tomcat(6.0)中使用阀门设置在本地工作;但是,当使用实时 SSO 部署到开发环境时,它仅在 POSTS 上失败,然后,仅在使用相同 URL 但不同 HTTP RequestMethod 的页面上失败。看网络流量,似乎新旧代码的区别在于,新代码在做一个OAM SSO auth request,然后 post auth redirect 丢弃 POST 数据并将 RequestMethod 更改为 GET;所以我想也许将凭证缓存添加回应用程序可以解决问题;但是我很难找到可以添加以启用缓存的配置,这就是我向您求助的地方。
这是按请求进行身份验证的安全配置,在本地工作:
<security:http use-expressions="true" auto-config="true" entry-point-ref="http403EntryPoint">
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:intercept-url pattern="/fastjump/auth/admin/*" access="hasRole('ROLE_ADMINISTRATOR')" />
<security:intercept-url pattern="/fastjump/auth/*" access="permitAll" />
<security:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
</security:http>
<bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<property name="principalRequestHeader" value="SM_USER"/>
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="userDetailsService"/>
</bean>
</property>
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="preauthAuthProvider" />
</security:authentication-manager>
<!-- This is the class that handles actually looking up the user from the persistent store and associating their
GrantedAuthority objects. This custom implementation uses a PersonService object to do the lookup. -->
<bean id="userDetailsService" class="corporate.fastjump.security.DefaultUserDetailsService">
<property name="personService" ref="personService"/>
<property name="fastJumpService" ref="fastJumpService"/>
</bean>
<bean id="http403EntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>
我尝试将以下内容添加到安全配置中:
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<security:filter-chain-map>
<security:filter-chain filters="httpSessionContextIntegrationFilter, securityContextHolderAwareRequest, siteminderFilter" pattern="/fastjump/auth/**"/>
</security:filter-chain-map>
</bean>
<bean id="httpSessionContextIntegrationFilter" class="org.springframework.security.web.context.SecurityContextPersistenceFilter">
<property name="securityContextRepository">
<bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
<property name="allowSessionCreation" value="false"/>
</bean>
</property>
</bean>
<bean id="securityContextHolderAwareRequest" class="org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter">
</bean>
这对 web.xml:
<!-- This filter is used to implement request level authorization. -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<!-- Note that we only send requests which require authentication and authorization services through the
Spring Security filters -->
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/auth/*</url-pattern>
</filter-mapping>
但这现在为 /auth 上下文请求增加了一个基本的身份验证挑战。我错过了将缓存与预授权联系在一起的部分。有没有人有什么建议?