IP filter using Spring Security

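I would like to know how to filter users' access to my web application using Spring Security. Should I extend AbstractAuthenticationProcessingFilter or something similar and override its methods in my own way? If so, could you give an example of such an extension and of the filter description in web.xml? Thanks in advance.

P.S. In my application I also have Spring Security support (using the default org.springframework.web.filter.DelegatingFilterProxy), but I want it to check not only the users' credentials but also their IPs.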

One way is to use Spring Security's Web Security Expressions. For example:

   ...  

Check this custom AuthenticationProvider implementation, which authenticates by IP address:

    // Authentication Provider To Authenticate By IP Address With Allowed IPs
    // Stored in a db table
    package acme.com.controller.security;

    //import acme.com.controller.security.CustomUserInfoHolder;
    import org.springframework.security.authentication.AuthenticationProvider;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.web.authentication.WebAuthenticationDetails;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
    import org.springframework.security.core.authority.mapping.NullAuthoritiesMapper;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.apache.log4j.Logger;

    public class CustomIPAddressAuthenticationProvider implements AuthenticationProvider {

        private static final Logger logger = Logger.getLogger(CustomIPAddressAuthenticationProvider.class);
        private GrantedAuthoritiesMapper authoritiesMapper = new NullAuthoritiesMapper();

        @Override
        public Authentication authenticate(Authentication authentication)
                throws AuthenticationException {

            WebAuthenticationDetails wad = null;
            String userIPAddress = null;
            boolean isAuthenticatedByIP = false;

            // Get the IP address of the user trying to use the site
            wad = (WebAuthenticationDetails) authentication.getDetails();
            userIPAddress = wad.getRemoteAddress();

            logger.debug("userIPAddress == " + userIPAddress);

            // Compare the user's IP Address with the IP address in the database
            // stored in the USERS_AUTHENTICATED_BY_IP table & joined to the
            // USERS table to make sure the IP Address has a current user
            //isAuthenticatedByIP = someDataObject.hasIPAddress(userIPAddress);
            // Placeholder: accepts every address until the lookup above is enabled
            isAuthenticatedByIP = true;

            // Authenticated, the user's IP address matches one in the database
            if (isAuthenticatedByIP) {
                logger.debug("isAuthenticatedByIP is true, IP Addresses match");
                UserDetails user = null;
                UsernamePasswordAuthenticationToken result = null;

                result = new UsernamePasswordAuthenticationToken("John Principal", "PlaceholderPWE");
                result.setDetails(authentication.getDetails());

                return result;
            }

            // Authentication didn't happen, return null to signal that the
            // AuthenticationManager should move on to the next Authentication provider
            return null;
        }

        @Override
        public boolean supports(Class<?> authentication) {
            // copied it from AbstractUserDetailsAuthenticationProvider
            return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));
        }
    }

In security-web.xml:

                   

This approach is taken from the existing question "Authenticating by IP address in Spring 3.1: smartest way to do that?", which may help to get started.

Anshu's answer is a good idea for authenticating a user by IP, but it may not work with CAS authentication. I have another solution; using a filter is better suited to this case.

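    // Imports assume the javax.servlet API and CAS client 3.x (org.jasig packages).
    // AppProperty is the answer author's own configuration class; StringUtils is
    // assumed to be Spring's.
    import java.io.IOException;
    import java.util.Arrays;
    import java.util.HashSet;
    import java.util.Set;
    import javax.annotation.PostConstruct;
    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.jasig.cas.client.validation.Assertion;
    import org.jasig.cas.client.validation.AssertionImpl;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.cas.authentication.CasAssertionAuthenticationToken;
    import org.springframework.security.cas.authentication.CasAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
    import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
    import org.springframework.util.StringUtils;

    public class IPAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

        private AuthenticationUserDetailsService<CasAssertionAuthenticationToken> authenticationUserDetailsService;
        private static Set<String> ipWhitelist;

        @Autowired
        private AppProperty appProperty;

        @PostConstruct
        public void init() {
            ipWhitelist = new HashSet<>(Arrays.asList(appProperty.getIpWhitelist()));
            setAuthenticationSuccessHandler(new AuthenticationSuccessHandler() {
                @Override
                public void onAuthenticationSuccess(
                        HttpServletRequest httpServletRequest,
                        HttpServletResponse httpServletResponse,
                        Authentication authentication) throws IOException, ServletException {
                    // do nothing
                }
            });
        }

        public IPAuthenticationFilter() {
            super("/");
        }

        public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
                throws AuthenticationException, IOException {
            // The user name is read from a request header
            String userName = request.getHeader(appProperty.getHeaderCurUser());
            Assertion assertion = new AssertionImpl(userName);
            CasAssertionAuthenticationToken token = new CasAssertionAuthenticationToken(assertion, "");
            UserDetails userDetails = authenticationUserDetailsService.loadUserDetails(token);

            CasAuthenticationToken result = new CasAuthenticationToken(
                    "an-id-for-ip-auth",
                    userDetails,
                    request.getRemoteAddr(),
                    userDetails.getAuthorities(),
                    userDetails,
                    assertion
            );
            return result;
        }

        protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
            // Only handle requests from a whitelisted address that carry the user header
            String userName = request.getHeader(appProperty.getHeaderCurUser());
            return ipWhitelist.contains(request.getRemoteAddr()) && !StringUtils.isEmpty(userName);
        }

        protected void successfulAuthentication(
                HttpServletRequest request,
                HttpServletResponse response,
                FilterChain chain,
                Authentication authResult) throws IOException, ServletException {
            super.successfulAuthentication(request, response, chain, authResult);
            chain.doFilter(request, response);
        }

        public AuthenticationUserDetailsService<CasAssertionAuthenticationToken> getAuthenticationUserDetailsService() {
            return authenticationUserDetailsService;
        }

        public void setAuthenticationUserDetailsService(
                AuthenticationUserDetailsService<CasAssertionAuthenticationToken> authenticationUserDetailsService) {
            this.authenticationUserDetailsService = authenticationUserDetailsService;
        }
    }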

You can add this filter before CAS as follows:

 http.addFilterBefore(ipAuthenticationFilter(), CasAuthenticationFilter.class)
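
Added example, not part of either answer above: a provider for the question's stated goal of checking both the credentials and the client IP, matching single addresses and CIDR ranges with Spring Security's `IpAddressMatcher` rather than exact strings as in `ipWhitelist.contains(...)`. The class name `IpRestrictedAuthenticationProvider` and its constructor arguments are hypothetical, and the `IpAddressMatcher` package assumes Spring Security 3.2 or later.

```java
import java.util.List;
import java.util.stream.Collectors;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.util.matcher.IpAddressMatcher;

// Added example (hypothetical class): the delegate verifies the credentials,
// and the client address must also fall inside one of the allowed ranges.
public class IpRestrictedAuthenticationProvider implements AuthenticationProvider {

    private final AuthenticationProvider delegate;  // e.g. a DaoAuthenticationProvider
    private final List<IpAddressMatcher> allowed;   // single addresses or CIDR ranges

    public IpRestrictedAuthenticationProvider(AuthenticationProvider delegate,
                                              List<String> allowedRanges) {
        this.delegate = delegate;
        this.allowed = allowedRanges.stream()
                .map(IpAddressMatcher::new)
                .collect(Collectors.toList());
    }

    @Override
    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        Object details = authentication.getDetails();
        if (!(details instanceof WebAuthenticationDetails)) {
            // No request details, so the source address is unknown: fail closed.
            throw new BadCredentialsException("Client address unavailable");
        }
        String remote = ((WebAuthenticationDetails) details).getRemoteAddress();
        if (remote == null || allowed.stream().noneMatch(m -> m.matches(remote))) {
            throw new BadCredentialsException("Client address not allowed");
        }
        // Address is acceptable; the delegate still has to verify the credentials.
        return delegate.authenticate(authentication);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return delegate.supports(authentication);
    }
}
```

Register it in place of the wrapped provider rather than alongside it, because `ProviderManager` moves on to the next provider after an `AuthenticationException`. `getRemoteAddress()` reflects `request.getRemoteAddr()`, so behind a reverse proxy it is the proxy's address.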