Spring security: Adding a new ROLE which supports authentication by IP
I'm a reasonably new user of Spring Security.
I previously configured Spring Security to perform form based authentication for my web app.
I've used Annotations to indicate which Controllers/Methods require ROLE_USER vs anonymous, and implemented my own daoAuthenticationProvider to perform the authentication.
I am now implementing REST services which need to authenticate on BasicAuthentication + do an IP verification to my DB.
So I have a new role ROLE_IP_AUTH which I've defined on the REST services controller.
I'm just a little overwhelmed at this point. Can someone give me a brief description of what next step I should take?
- Do I need to create a new <security:http> element for the new role?
- Should I be switching to this FilterChainProxy? If so what filters should I include?
- Should I just handle this in my existing daoAuthenticationProvider class?
Basically I just need to know what direction I'm going in. I think I know enough to get there, there's just 5 different ways to get anywhere in Spring it seems.
Additional Information
My current implementation has the element configured as follows:
<security:http auto-config="false"
               entry-point-ref="authenticationEntryPoint" >
    <security:logout logout-url="/logout" />
    <security:anonymous enabled="false"/>
    <security:custom-filter position="FORM_LOGIN_FILTER" ref="usernamePasswordAuthenticationFilter" />
    <security:custom-filter position="ANONYMOUS_FILTER" ref="anonymousAuthFilter" />
</security:http>
My remaining question is how I can implement my own IP validation. I can just add the BasicAuth filter using custom-filter and implement my own basic auth filter which checks the IP. But I'm fuzzy on how I make that filter only applicable for the ROLE_IP_AUTH being used by my REST services?
The answer by @Ritesh has been very helpful in re-framing this question in a different way. Another great post that addresses this question is here:
Spring security - how to mention both form based and basic authentication
Ultimately my understanding is: do it via voters as @Ritesh suggests in 3.0.x, or use multiple <http ... /> elements as is now available in 3.1.0.RC1 (version as of 17mar2011) as discussed in the link above.
You can just add http-basic to your element.
<sec:http-basic/>
Also add create-session="never" because you do not add a session for a REST service. Mapping your services to a special url pattern will also help.
<sec:intercept-url pattern="/service/**" access="ROLE_IP_AUTH" />
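The voter approach mentioned in the question, sketched as an added example that is not part of the original posts: a voter that only has an opinion when ROLE_IP_AUTH is required, so the form-login URLs are unaffected. IpAuthVoter and AllowedIpLookup are hypothetical names, and the code assumes the generic AccessDecisionVoter signature of Spring Security 3.1 and later.

```java
import java.util.Collection;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

/** Hypothetical voter: checks the caller's address whenever ROLE_IP_AUTH is required. */
public class IpAuthVoter implements AccessDecisionVoter<Object> {

    /** Hypothetical lookup; back it with the DB table of permitted client addresses. */
    public interface AllowedIpLookup {
        boolean isAllowed(String username, String remoteAddress);
    }

    private static final String IP_ROLE = "ROLE_IP_AUTH";
    private final AllowedIpLookup lookup;

    public IpAuthVoter(AllowedIpLookup lookup) {
        this.lookup = lookup;
    }

    @Override
    public boolean supports(ConfigAttribute attribute) {
        // getAttribute() may be null for expression-based attributes; equals() handles that
        return IP_ROLE.equals(attribute.getAttribute());
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return true; // works for both URL and method invocations
    }

    @Override
    public int vote(Authentication auth, Object object, Collection<ConfigAttribute> attributes) {
        boolean ipRoleRequired = false;
        for (ConfigAttribute attribute : attributes) {
            if (supports(attribute)) { ipRoleRequired = true; break; }
        }
        if (!ipRoleRequired) return ACCESS_ABSTAIN;          // not a ROLE_IP_AUTH resource
        if (auth == null || !auth.isAuthenticated()) return ACCESS_DENIED;
        Object details = auth.getDetails();
        if (!(details instanceof WebAuthenticationDetails)) {
            return ACCESS_DENIED;                            // no address available: fail closed
        }
        // Address recorded when the Basic credentials were authenticated
        String remote = ((WebAuthenticationDetails) details).getRemoteAddress();
        return lookup.isAllowed(auth.getName(), remote) ? ACCESS_GRANTED : ACCESS_DENIED;
    }
}
```

Register the voter in a UnanimousBased access decision manager (wired in through access-decision-manager-ref); under AffirmativeBased, a RoleVoter grant for ROLE_IP_AUTH would outweigh this voter's denial. getRemoteAddress() is the socket peer address, so behind a reverse proxy it is the proxy's address, not the client's.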