Spring Security JAAS authentication/authorization problem

In Spring Security, I am using a DefaultJaasAuthenticationProvider configuration to validate logins against Linux user names/passwords. JpamLoginModule is used for authentication. I get through authentication successfully, but I have a problem with authorization (ROLE_USER, ROLE_ADMIN): I get an HTTP Status 403 – Access Denied error.

The following is the configuration I use in spring-security.xml:

                                 

RoleGranter.java code:

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;

import org.springframework.security.authentication.jaas.AuthorityGranter;

public class RoleGranter implements AuthorityGranter {

    public RoleGranter() {
        System.out.print("=== Creating My Authority Granter ===");
    }

    // Called once per Principal found on the JAAS Subject after login.
    @Override
    public Set<String> grant(Principal principal) {
        return Collections.singleton("ROLE_ADMIN");
    }
}
```

Any suggestions would be very helpful.

Based on: http://jpam.sourceforge.net/xref/net/sf/jpam/jaas/JpamLoginModule.html and https://github.com/spring-projects/spring-security/blob/master/core/src/main/java/org/springframework/security/authentication/jaas/AbstractJaasAuthenticationProvider.java

It looks like you need to extend JpamLoginModule to change the behaviour of commit. The extended JpamLoginModule needs to add a Principal to the Subject. AbstractJaasAuthenticationProvider (DefaultJaasAuthenticationProvider) will then iterate over those Principals and hand them to your authorityGranters (RoleGranter).

```java
package blah;

import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;

import net.sf.jpam.jaas.JpamLoginModule;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;

public class RoleGrantingJpamLoginModule extends JpamLoginModule {

    private Subject subject;

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        super.initialize(subject, callbackHandler, sharedState, options);
        this.subject = subject;
    }

    @Override
    public boolean commit() throws LoginException {
        // Put a Principal on the Subject so that AbstractJaasAuthenticationProvider
        // has something to pass to the AuthorityGranters (an Authentication is a Principal).
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(null, null);
        subject.getPrincipals().add(token);
        return super.commit();
    }
}
```

```java
package blah;

import static java.util.Arrays.asList;

import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class UserDetailsServiceImpl implements UserDetailsService {

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Placeholder password; the real credential check is done by PAM via JAAS.
        return new User(username, "password", asList(new SimpleGrantedAuthority("ROLE_ADMIN")));
    }
}
```
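The following is an added example (not code from the question, the answer above, jpam, or Spring Security) of the same mechanism carried one step further: the login module records which user PAM actually accepted as a named Principal on the Subject, and the AuthorityGranter maps that Principal to roles instead of granting ROLE_ADMIN to everything it sees. The class names UsernamePrincipal, NamedPrincipalJpamLoginModule and PamUserRoleGranter, and the hard-coded admin user list, are assumptions for illustration. It also assumes the jpam native library is installed and that the provider's default JaasNameCallbackHandler is in place so that a NameCallback is answered with the login user name.

```java
// --- UsernamePrincipal.java (hypothetical helper) ---
package blah;

import java.io.Serializable;
import java.security.Principal;

/** Carries only the PAM-authenticated user name; Spring hands it to every AuthorityGranter. */
public final class UsernamePrincipal implements Principal, Serializable {
    private final String name;

    public UsernamePrincipal(String name) {
        if (name == null) throw new IllegalArgumentException("name must not be null");
        this.name = name;
    }

    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) {
        return o instanceof UsernamePrincipal && name.equals(((UsernamePrincipal) o).name);
    }
    @Override public int hashCode() { return name.hashCode(); }
}

// --- NamedPrincipalJpamLoginModule.java (hypothetical) ---
package blah;

import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import net.sf.jpam.jaas.JpamLoginModule;

/** JpamLoginModule that records who PAM accepted as a Principal on the Subject. */
public class NamedPrincipalJpamLoginModule extends JpamLoginModule {
    private Subject subject;
    private CallbackHandler callbackHandler;
    private UsernamePrincipal pending;   // set by login(), added to the Subject by commit()

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        super.initialize(subject, callbackHandler, sharedState, options);
        this.subject = subject;
        this.callbackHandler = callbackHandler;
    }

    @Override
    public boolean login() throws LoginException {
        if (!super.login()) {                     // PAM rejected the credentials
            return false;
        }
        // Ask the same handler that answered jpam's prompts for the user name again.
        NameCallback nameCallback = new NameCallback("username: ");
        try {
            callbackHandler.handle(new Callback[] { nameCallback });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot read user name from callback handler: " + e.getMessage());
        }
        pending = new UsernamePrincipal(nameCallback.getName());
        return true;
    }

    @Override
    public boolean commit() throws LoginException {
        boolean committed = super.commit();
        if (committed && pending != null) {
            subject.getPrincipals().add(pending); // AbstractJaasAuthenticationProvider iterates these
        }
        return committed;
    }

    @Override
    public boolean abort() throws LoginException { pending = null; return super.abort(); }

    @Override
    public boolean logout() throws LoginException {
        if (pending != null) { subject.getPrincipals().remove(pending); pending = null; }
        return super.logout();
    }
}

// --- PamUserRoleGranter.java (hypothetical) ---
package blah;

import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import org.springframework.security.authentication.jaas.AuthorityGranter;

/** Maps a UsernamePrincipal to roles; any other Principal on the Subject gets nothing. */
public class PamUserRoleGranter implements AuthorityGranter {
    // Constructed sample data; a real deployment would read this from a group file, LDAP, etc.
    private static final Set<String> ADMIN_USERS = new HashSet<>(Arrays.asList("root", "ops"));

    @Override
    public Set<String> grant(Principal principal) {
        if (!(principal instanceof UsernamePrincipal)) {
            return Collections.emptySet();       // ignore principals other modules may have added
        }
        Set<String> roles = new HashSet<>();
        roles.add("ROLE_USER");                  // every user PAM accepted
        if (ADMIN_USERS.contains(principal.getName())) {
            roles.add("ROLE_ADMIN");
        }
        return roles;
    }
}
```

Register blah.NamedPrincipalJpamLoginModule as the login module of the JAAS login context that DefaultJaasAuthenticationProvider uses, and PamUserRoleGranter in its authorityGranters list. The strings a granter returns are stored unchanged as the authority of each JaasGrantedAuthority, so whatever your access rules compare against (for example "ROLE_ADMIN") must be returned in exactly that form. Filtering on the Principal type matters because the provider calls every granter for every Principal on the Subject, so a granter that returns a role unconditionally grants it to all of them.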

Try returning "ADMIN" instead of "ROLE_ADMIN". Spring adds "ROLE" automatically.