将Spring Security与SiteMinder集成

如何将Spring Security与SiteMinder集成以接收用户和角色?

我有一个使用 Spring Security “in-memory” 认证的项目,我想把它改造为接受携带用户(User)和角色(Roles)的 SiteMinder 请求头。SiteMinder 会发送用户角色(ROLE_READ、ROLE_WRITE),并由服务层授予访问权限。如何把内存认证改为使用 SiteMinder?

内存中用户角色

内存中的用户和角色列表

        

服务层保护

这里的服务方法受特定角色的保护

       

此资料(用于 SiteMinder 的 Spring Security Java Config)看起来很有前景,但它始终分配角色 RoleEmployee。

SiteMinder 的 Spring Security 集成仅用于接收用户。但是,要接收角色,您需要创建扩展的身份验证过程。这将使用角色对用户进行身份验证。

root-security.xml

                  

SiteMinderUserDetailsService

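 public class SiteMinderUserDetailsService extends PreAuthenticatedGrantedAuthoritiesUserDetailsService
        implements UserDetailsService {

    /**
     * Wraps the pre-authenticated user name in a {@link SiteMinderUserDetails}.
     *
     * <p>Only the user name is set here; no authorities are attached. The roles are
     * taken from the SiteMinder roles header by the filter, not from this service.
     *
     * @param username the user name supplied by the SiteMinder principal header
     * @return user details carrying {@code username} and nothing else
     * @throws UsernameNotFoundException if {@code username} is null or blank, which
     *         would otherwise produce a principal with an empty name
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        if (username == null || username.trim().isEmpty()) {
            throw new UsernameNotFoundException("SiteMinder supplied an empty user name");
        }
        SiteMinderUserDetails userDetails = new SiteMinderUserDetails();
        userDetails.setUsername(username);
        return userDetails;
    }

    /**
     * Extension point kept for customising how the parent builds user details from a
     * pre-authenticated token; currently delegates unchanged. Typed with the parent's
     * generic signature instead of a raw {@code Collection}.
     */
    @Override
    protected UserDetails createuserDetails(Authentication token,
            Collection<? extends GrantedAuthority> authorities) {
        return super.createuserDetails(token, authorities);
    }
}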

SiteMinderUserDetails

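 public class SiteMinderUserDetails implements UserDetails {
    // implement all methods
    //
    // In the original listing the closing brace sat inside this line comment, so the
    // class did not compile; the brace is now outside the comment.
    //
    // Besides the UserDetails contract, the other classes on this page call
    // setUsername(String) and setAuthorities(Collection) on this type and construct it
    // with a no-arg constructor, so those members are required as well.
}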

SiteMinderFilter

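 public class SiteMinderFilter extends RequestHeaderAuthenticationFilter {

    /** Name of the request header that carries the delimited role list. */
    private String rolesRequestHeader;

    /**
     * Separator between roles in the header value. It is passed to
     * {@link String#split(String)} and is therefore a regular expression: a delimiter such
     * as {@code "|"} must be configured escaped ({@code "\\|"}).
     */
    private String rolesDelimiter;

    public SiteMinderFilter() {
        super();
    }

    /**
     * Builds an authenticated token from the SiteMinder principal and roles headers, stores
     * it in the {@link SecurityContextHolder}, then delegates to the parent filter.
     *
     * <p>The header values are trusted as-is: nothing here verifies that they were set by
     * the SiteMinder agent rather than by the client. This filter is only sound when every
     * request reaching the application has passed through the agent and the agent strips
     * any client-supplied copies of these headers.
     *
     * <p>NOTE(review): because the security context is already populated when
     * {@code super.doFilter} runs, the parent's AuthenticationManager path is presumably
     * skipped for this request — confirm against the configured
     * {@code RequestHeaderAuthenticationFilter} behaviour.
     *
     * @throws IOException propagated from the filter chain
     * @throws ServletException propagated from the filter chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;

        Collection<GrantedAuthority> authorities =
                parseRoles(httpRequest.getHeader(getRolesRequestHeader()));

        SiteMinderUserDetails userDetails = new SiteMinderUserDetails();
        userDetails.setUsername((String) super.getPreAuthenticatedPrincipal(httpRequest));
        userDetails.setAuthorities(authorities);

        AuthenticationImpl authentication = new AuthenticationImpl();
        authentication.setAuthenticated(true);
        authentication.setAuthorities(authorities);
        authentication.setPrincipal(userDetails);
        authentication.setCredentials(super.getPreAuthenticatedCredentials(httpRequest));
        SecurityContextHolder.getContext().setAuthentication(authentication);

        super.doFilter(request, response, chain);
    }

    /**
     * Converts the raw roles header into granted authorities.
     *
     * <p>A missing or blank header yields an empty collection instead of the
     * NullPointerException the previous {@code roles.split(...)} call raised. Each entry is
     * trimmed and blank entries (from leading, trailing or doubled delimiters) are dropped,
     * so that {@code " ROLE_READ"} and {@code "ROLE_READ"} map to the same authority.
     *
     * @param header the raw header value, possibly null
     * @return the authorities named in the header, never null
     * @throws IllegalStateException if no delimiter has been configured
     */
    private Collection<GrantedAuthority> parseRoles(String header) {
        if (rolesDelimiter == null) {
            throw new IllegalStateException("rolesDelimiter must be configured on SiteMinderFilter");
        }
        Collection<GrantedAuthority> authorities = new ArrayList<>();
        if (header == null || header.trim().isEmpty()) {
            return authorities;
        }
        for (String role : header.split(rolesDelimiter)) {
            String trimmed = role.trim();
            if (!trimmed.isEmpty()) {
                authorities.add(new SimpleGrantedAuthority(trimmed));
            }
        }
        return authorities;
    }

    public void setRolesRequestHeader(String rolesRequestHeader) {
        this.rolesRequestHeader = rolesRequestHeader;
    }

    public String getRolesRequestHeader() {
        return rolesRequestHeader;
    }

    public void setRolesDelimiter(String rolesDelimiter) {
        this.rolesDelimiter = rolesDelimiter;
    }

    public String getRolesDelimiter() {
        return rolesDelimiter;
    }
}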

AuthenticationImpl

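 public class AuthenticationImpl implements Authentication {
    // implement all methods
    //
    // In the original listing the closing brace sat inside this line comment, so the
    // class did not compile; the brace is now outside the comment.
    //
    // Besides the Authentication contract, the filter on this page constructs this type
    // with a no-arg constructor and calls setAuthenticated(boolean),
    // setAuthorities(Collection), setPrincipal(Object) and setCredentials(Object),
    // so those mutators are required as well.
}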