Spring Security JAAS Authentication Authorization Issue
在 Spring Security 中,我使用 DefaultJaasAuthenticationProvider 配置使用 linux 用户名/密码进行登录身份验证。JpamLoginModule 用于身份验证。我通过身份验证成功,但我在授权(ROLE_USER,ROLE_ADMIN)中遇到问题,我收到 HTTP 状态 403 - 访问被拒绝错误。
我在 spring-security.xml 中使用的以下配置
12345678910111213141516171819202122232425262728293031323334
RoleGranter.java 代码
1234567891011public class RoleGranter implements AuthorityGranter {public RoleGranter() { System.out.print("=== Creating My Authority Granter ==="); }
@Overridepublic Set grant(Principal principal) {
return Collections.singleton("ROLE_ADMIN");}
}
建议会很有帮助
基于:http://jpam.sourceforge.net/xref/net/sf/jpam/jaas/JpamLoginModule.html 和 https://github.com/spring-projects/spring-security/blob/master/核心/src/main/java/org/springframework/security/authentication/jaas/AbstractJaasAuthenticationProvider.java
看起来你需要扩展 JpamLoginModule 来改变提交的行为。需要在扩展的 JpamLoginModule 中为主题分配主体。然后 AbstractJaasAuthenticationProvider (DefaultJaasAuthenticationProvider) 将遍历这些主体并将它们发送给您的 authorityGranters (RoleGranter)。
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778
package blah;
import javax.security.auth.Subject;import javax.security.auth.login.LoginException;
import net.sf.jpam.jaas.JpamLoginModule;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
public class RoleGrantingJpamLoginModule extends JpamLoginModule { private Subject subject;
@Override public void initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler callbackHandler, java.util.Map sharedState, java.util.Map options) { super.initialize(subject, callbackHandler, sharedState, options); this.subject = subject; }
@Override public boolean commit() throws LoginException { UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(null, null); subject.getPrincipals().add(token); return super.commit(); }}
package blah;
import static java.util.Arrays.asList;
import org.springframework.security.core.authority.SimpleGrantedAuthority;import org.springframework.security.core.userdetails.User;import org.springframework.security.core.userdetails.UserDetails;import org.springframework.security.core.userdetails.UserDetailsService;import org.springframework.security.core.userdetails.UsernameNotFoundException;
public class UserDetailsServiceImpl implements UserDetailsService {
@Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException { return new User(username,"password", asList(new SimpleGrantedAuthority("ROLE_ADMIN"))); }
}
尝试返回"ADMIN"而不是"ROLE_ADMIN"。 Spring 自动添加"ROLE"。
相关讨论
- 我也试过这个"return Collections.singleton("ADMIN")",但 HTTP 状态 403 - 访问被拒绝。我正在使用 spring-security-core-3.1.0.RC3 jar。还有其他调试方法吗?