【问题标题】:Spring Security + Cas Auth + Static User List allowed（Spring Security + CAS 认证 + 允许的静态用户列表）
【发布时间】:2019-03-10 10:16:01
【问题描述】:

我的应用带有 Spring Security 配置，用于连接 CAS 服务器（目前可正常工作）：

/**
 * Spring Security configuration that delegates authentication to a CAS server.
 *
 * <p>Wiring: {@link #casAuthenticationProvider()} validates CAS tickets and maps every
 * validated principal to a {@code ROLE_ADMIN} user;
 * {@link #authenticationEntryPoint(ServiceProperties)} sends unauthenticated requests to
 * the CAS login page; the single-sign-out and logout filters are inserted into the
 * security filter chain in {@link #configure(HttpSecurity)}.
 */
@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** URL of this application as registered with CAS (the {@code service} parameter). */
    @Value("${cas.service-url}")
    private String serviceUrl;

    /** Base URL of the CAS server; {@code /login} and {@code /logout} are appended to it below. */
    @Value("${cas.cas-url}")
    private String casUrl;

    // The single provider consulted by authenticationManager(); presumably resolves to
    // casAuthenticationProvider() below — confirm if more than one provider bean exists.
    @Autowired
    private AuthenticationProvider authenticationProvider;

    @Autowired
    private AuthenticationEntryPoint authenticationEntryPoint;

    @Autowired
    private SingleSignOutFilter singleSignOutFilter;

    @Autowired
    private LogoutFilter logoutFilter;

    /**
     * Builds the HTTP security filter chain.
     *
     * <p>Only {@code /secured.*} demands an authenticated user and only {@code /} is
     * explicitly open; no {@code anyRequest()} rule closes the list, so every other path
     * has no access rule at all. NOTE(review): by default Spring Security lets a request
     * with no matching rule through — confirm that is intended. CSRF protection is
     * disabled for the whole application, so cookie-backed CAS sessions get none.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        // authorizeRequests() hands back the same registry each time it is called on
        // this builder, so both matchers can be declared in one chain.
        http.authorizeRequests()
                .regexMatchers("/secured.*").authenticated()
                .regexMatchers("/").permitAll();
        // Unauthenticated requests are redirected by the CAS entry point rather than
        // answered with a Basic-auth challenge.
        http.httpBasic().authenticationEntryPoint(authenticationEntryPoint);
        http.addFilterBefore(singleSignOutFilter, CasAuthenticationFilter.class);
        http.addFilterBefore(logoutFilter, LogoutFilter.class);
    }

    /**
     * Authentication manager backed solely by the injected {@link AuthenticationProvider}.
     * A fresh {@link ProviderManager} is created on every call.
     */
    @Override
    protected AuthenticationManager authenticationManager() throws Exception {
        return new ProviderManager(Arrays.asList(authenticationProvider));
    }

    /**
     * CAS ticket-processing filter.
     * NOTE(review): this bean is not added to the chain in configure(); presumably it is
     * registered elsewhere (e.g. as a plain servlet filter bean) — verify where it runs.
     *
     * @param sP the service description handed to CAS
     */
    @Bean
    public CasAuthenticationFilter casAuthenticationFilter(ServiceProperties sP) throws Exception {
        CasAuthenticationFilter ticketFilter = new CasAuthenticationFilter();
        ticketFilter.setServiceProperties(sP);
        ticketFilter.setAuthenticationManager(authenticationManager());
        return ticketFilter;
    }

    /** Describes this service to CAS; {@code sendRenew=false} allows an existing SSO session to be reused. */
    @Bean
    public ServiceProperties serviceProperties() {
        ServiceProperties props = new ServiceProperties();
        props.setService(serviceUrl);
        props.setSendRenew(false);
        return props;
    }

    /**
     * Entry point redirecting unauthenticated users to {@code <casUrl>/login}.
     *
     * @param sP the service description appended to the login redirect
     */
    @Bean
    @Primary
    public AuthenticationEntryPoint authenticationEntryPoint(ServiceProperties sP) {
        CasAuthenticationEntryPoint casEntryPoint = new CasAuthenticationEntryPoint();
        casEntryPoint.setLoginUrl(casUrl + "/login");
        casEntryPoint.setServiceProperties(sP);
        return casEntryPoint;
    }

    /** Validates service tickets with the CAS 3.0 protocol against {@code casUrl}. */
    @Bean
    public TicketValidator ticketValidator() {
        return new Cas30ServiceTicketValidator(casUrl);
    }

    /**
     * Provider that validates CAS tickets and builds the local user.
     *
     * <p>Every principal CAS accepts is granted {@code ROLE_ADMIN}; there is no local
     * allow-list, so access is governed entirely by who can log in at the CAS server.
     */
    @Bean
    public CasAuthenticationProvider casAuthenticationProvider() {
        CasAuthenticationProvider provider = new CasAuthenticationProvider();
        provider.setServiceProperties(serviceProperties());
        provider.setTicketValidator(ticketValidator());
        provider.setUserDetailsService(this::adminUserFor);
        // Hard-coded provider key; presumably only tags tokens from this provider, but it
        // could be externalized like the URLs above.
        provider.setKey("CAS_PROVIDER_IMPORT_PARCOURSUP_KEY");
        return provider;
    }

    /**
     * Maps a CAS-validated username to a local user holding {@code ROLE_ADMIN}.
     * The password is a placeholder: CAS, not this application, authenticated the user.
     *
     * @param username the principal name returned by CAS
     * @return an enabled, non-locked, non-expired user
     */
    private User adminUserFor(String username) {
        return new User(username, "fakepassword", true, true, true, true,
                AuthorityUtils.createAuthorityList("ROLE_ADMIN"));
    }

    @Bean
    public SecurityContextLogoutHandler securityContextLogoutHandler() {
        return new SecurityContextLogoutHandler();
    }

    /** Local logout at {@code /logout/cas}, followed by a redirect to the CAS logout page. */
    @Bean
    public LogoutFilter logoutFilter() {
        LogoutFilter casLogout = new LogoutFilter(casUrl + "/logout", securityContextLogoutHandler());
        casLogout.setFilterProcessesUrl("/logout/cas");
        return casLogout;
    }

    /** Handles CAS single-sign-out callbacks for sessions opened through {@code casUrl}. */
    @Bean
    public SingleSignOutFilter singleSignOutFilter() {
        SingleSignOutFilter ssoFilter = new SingleSignOutFilter();
        ssoFilter.setCasServerUrlPrefix(casUrl);
        ssoFilter.setIgnoreInitConfiguration(true);
        return ssoFilter;
    }

    // NOTE(review): @EventListener publishes a non-null return value as a new event
    // rather than registering it as a servlet listener, and nothing visible here
    // publishes an HttpSessionEvent — presumably this listener is never installed;
    // confirm that single-sign-out really invalidates local sessions.
    @EventListener
    public SingleSignOutHttpSessionListener singleSignOutHttpSessionListener(HttpSessionEvent event) {
        return new SingleSignOutHttpSessionListener();
    }

}

现在我想添加一个允许登录的用户列表，只有名单中的用户才可以访问应用程序（即：要访问应用，用户必须既通过 CAS 认证，又出现在静态列表中）。

String allowedLogin = List.of ("robert.bob", "john.jon");

我找到了这个链接：Spring security - specific users，但我不知道如何实现“StaticUserProvider”，也不知道应该在我的配置中的哪个位置配置它。

【问题讨论】:

    标签: java spring-security cas


    【解决方案1】:

如果用户不在列表中，我认为最简单的方法是在您的 UserDetailsService 中抛出 UsernameNotFoundException。像这样：

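        provider.setUserDetailsService((s) -> {
            // setUserDetailsService(UserDetailsService) hands the lambda the CAS-validated
            // username as a plain String (which is why new User(s, ...) compiles), so the
            // allow-list is checked against s directly; the assertion object is only
            // available through setAuthenticationUserDetailsService. allowedLogin must be
            // reachable here, e.g. a final field or an effectively-final local.
            if (!allowedLogin.contains(s)) {
                // Propagates as an AuthenticationException: the CAS ticket was valid, but
                // the user is not on this application's list.
                throw new UsernameNotFoundException("user not authorized to use app");
            }
            return new User(s, "fakepassword", true, true, true, true, AuthorityUtils.createAuthorityList("ROLE_ADMIN"));
        });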
    

    【讨论】:

      【解决方案2】:

您可以使用 Spring Security 的角色（Roles）来完成此操作。

      为您的应用创建自定义角色:

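      /** Authority (role) names used by this application. Not instantiable. */
      public final class AuthoritiesConstants {

          /** Role a user must hold to access the application at all. */
          public static final String APP = "ROLE_APP";

          private AuthoritiesConstants() {
              // constant holder — no instances
          }

      }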
      

      然后添加您希望授予该角色访问权限的所有用户。

最后，使用 Ant Matchers 限制对您应用的访问：

      .antMatchers("/**").hasAuthority(AuthoritiesConstants.APP)
      

      【讨论】:

      • 您将如何/在哪里执行该步骤:“然后添加您希望授予此角色访问权限的所有用户”。