开发者

circumventing spring security

问答 作者:

In our app spring security uses ldap as a provider.

i am working on a change that will let you flip a flag in dev that will allow you to log in if your user/pass matches a value from database. the ldap server might be down and you can still log in.

What ive realized though is that some urls are secured wit开发者_如何学Goh

@Secured( {"ROLE_USER","ROLE_MERCHANT"})

so i need to still have some dealings with spring security in order for my logins to work. How do i go about doing this?

You can configure 2 providers: one LDAP provider and another DAO provider.

<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider ref="yourLdapAuthenticationProvider" />
    <sec:authentication-provider ref="yourDaoAuthenticationProvider" />
</sec:authentication-manager>

If the LDAP fails, it will fall back to DAO authentication provider.

You will need to configure your own authentication filter to inject that flag into yourDaoAuthenticationProvider so that when the authentication falls back to yourDaoAuthenticationProvider, it can check whether to proceed with further authentication (say, in development) or ignore it (say, in production). So, in your authenticationFilter, override setDetails() to store the flag:-

myAuthenticationFilter bean

@Override
protected void setDetails(HttpServletRequest request, UsernamePasswordAuthenticationToken authRequest) {
    YourObject yourObject = new YourObject(request.getParameter("devAuthAgainstDAO"));
    authRequest.setDetails(yourObject);
}

With this, have your yourDaoAuthenticationProvider to check against this flag before proceeding with further authentication.

In the end, your configuration will look something like this:-

<sec:http auto-config="false" entry-point-ref="loginUrlAuthenticationEntryPoint">
    <sec:logout logout-success-url="/login.jsp"/>
    <sec:intercept-url ... />

    <sec:custom-filter position="FORM_LOGIN_FILTER" ref="myAuthenticationFilter"/>
</sec:http>

<bean id="myAuthenticationFilter" class="[YOUR_CUSTOM_AUTHENTICATION_FILTER]">
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="authenticationFailureHandler" ref="failureHandler"/>
    <property name="authenticationSuccessHandler" ref="successHandler"/>
</bean>

<bean id="loginUrlAuthenticationEntryPoint"
      class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <property name="loginFormUrl" value="/login.jsp"/>
</bean>

<bean id="successHandler"
      class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <property name="defaultTargetUrl" value="/welcome.jsp"/>
    <property name="alwaysUseDefaultTargetUrl" value="true"/>
</bean>

<bean id="failureHandler"
      class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
    <property name="defaultFailureUrl" value="/login.jsp?login_error=1"/>
</bean>


<bean id="yourLdapAuthenticationProvider" ... />

<bean id="yourDaoAuthenticationProvider" ... />

<sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider ref="yourLdapAuthenticationProvider"/>
    <sec:authentication-provider ref="yourDaoAuthenticationProvider"/>
</sec:authentication-manager>

继续阅读:spring-security

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9