我想使用自定义身份验证过滤器:
>捕获加密的标头令牌
>验证后,提取用户的详细信息,并以无状态方式将其添加到当前请求的安全上下文中
我希望能够使用此安全上下文持有者来获取有关当前请求用户正确处理其请求的详细信息.
@RequestMapping(value = "/simple",method = RequestMethod.POST)
@ResponseBody
@Transactional
@Preauthorize(...)
public String simple(){
//collect the user's current details from the getPrinciple() and complete the transaction...
Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
return "Simple";
}
我以前用XML做过这样的事情:
ecurity="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
ecurity:global-method-security
secured-annotations="enabled" />
ecurity:http pattern="/**"
auto-config="true" disable-url-rewriting="true" use-expressions="true">
ecurity:custom-filter ref="authenticationTokenProcessingFilter"
position="FORM_LOGIN_FILTER" />
ecurity:intercept-url pattern="/authenticate"
access="permitAll" />
ecurity:intercept-url pattern="/secure/**"
access="isAuthenticated()" />
ecurity:http>
但是,我希望这可以在非xml WebSecurityConfigurerAdapter中使用较新的Spring Boot应用程序,例如Spring Boot文件中的示例:
@Bean
public ApplicationSecurity applicationSecurity() {
return new ApplicationSecurity();
}
@Order(Ordered.LOWEST_PRECEDENCE - 8)
protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
// this is obvIoUsly for a simple "login page" not a custom filter!
http.authorizeRequests().anyRequest().fullyAuthenticated().and().formLogin()
.loginPage("/login").failureUrl("/login?error").permitAll();
}
}
有什么建议或类似的例子吗?
最佳答案
我现在正在做类似的事情.有人可能会在将来发现这有用.
对xml进行java配置转换会使它看起来如下所示:
对xml进行java配置转换会使它看起来如下所示:
import javax.servlet.Filter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@EnableGlobalMethodSecurity(securedEnabled=true) //ecurity:global-method-security secured-annotations="enabled" />
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Autowired
@Qualifier("authenticationTokenProcessingFilter")
private Filter authenticationTokenProcessingFilter;
@Autowired
private AuthenticationEntryPoint entryPoint;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.exceptionHandling().authenticationEntryPoint(entryPoint);
http //auto-config="true"
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin()
.and()
.httpBasic();
http
.authorizeRequests() // use-expressions="true"
.antMatchers("/authenticate").permitAll() //ecurity:intercept-url pattern="/authenticate" access="permitAll" />
.antMatchers("/secure/**").authenticated() //ecurity:intercept-url pattern="/secure/**" access="isAuthenticated()" />
.and()
.addFilterBefore(authenticationTokenProcessingFilter,UsernamePasswordAuthenticationFilter.class) // ecurity:custom-filter ref="authenticationTokenProcessingFilter" position="FORM_LOGIN_FILTER" /> http://docs.spring.io/spring-security/site/docs/3.0.x/reference/ns-config.html
;
}
}
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 [email protected] 举报,一经查实,本站将立刻删除。
