spring-mvc – s. with kerberos / spnego authentication

CocoaChina 11-11

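I have Spring Security running successfully with Kerberos authentication. But it looks like the Spring framework is calling KerberosServiceAuthenticationProvider.userDetailsService to get the roles; I thought it would only get the roles once, until the session is invalidated. My configuration looks like: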

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.0.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <http entry-point-ref="spnegoEntryPoint" auto-config="false">
        <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/j_spring_security_check*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
        <custom-filter ref="spnegoAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
        <form-login login-page="/login.html" default-target-url="/" always-use-default-target="true"/>
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider ref="kerberosServiceAuthenticationProvider" />
        <authentication-provider ref="kerberosAuthenticationProvider"/>
    </authentication-manager>

    <beans:bean id="spnegoEntryPoint"
        class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />

    <beans:bean id="spnegoAuthenticationProcessingFilter"
        class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
        <beans:property name="failureHandler">
            <beans:bean class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
                <beans:property name="defaultFailureUrl" value="/login.html" />
                <beans:property name="allowSessionCreation" value="true"/>
            </beans:bean>
        </beans:property>
        <beans:property name="authenticationManager" ref="authenticationManager" />
    </beans:bean>

    <beans:bean id="kerberosServiceAuthenticationProvider"
        class="org.springframework.security.extensions.kerberos.KerberosServiceAuthenticationProvider">
        <beans:property name="ticketValidator">
            <beans:bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator">
                <beans:property name="servicePrincipal" value="HTTP/mywebserver.corpza.corp.co.za"/>
                <beans:property name="keyTabLocation" value="classpath:mywebserver.keytab" />
                <beans:property name="debug" value="true"/>
            </beans:bean>
        </beans:property>
        <beans:property name="userDetailsService" ref="dummyUserDetailsService" />
    </beans:bean>

    <beans:bean id="kerberosAuthenticationProvider"
        class="org.springframework.security.extensions.kerberos.KerberosAuthenticationProvider">
        <beans:property name="kerberosClient">
            <beans:bean class="org.springframework.security.extensions.kerberos.SunJaasKerberosClient">
                <beans:property name="debug" value="true" />
            </beans:bean>
        </beans:property>
        <beans:property name="userDetailsService" ref="dummyUserDetailsService" />
    </beans:bean>

    <beans:bean class="org.springframework.security.extensions.kerberos.GlobalSunJaasKerberosConfig">
        <beans:property name="debug" value="true" />
        <beans:property name="krbConfLocation" value="/etc/krb5.conf" />
    </beans:bean>

    <beans:bean id="dummyUserDetailsService" class="main.server.DummyUserDetailsService"/>

</beans:beans>

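So my DummyUserDetailsService.loadUserByUsername(String username) is called every time a secured page is requested. I load the user's roles from the database and don't want to run the query on every request. Is there any configuration I need to prevent this?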

Best answer

Thanks Michael, I got it working by extending the SpnegoAuthenticationProcessingFilter class and overriding doFilter:

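    // Override placed in a subclass of SpnegoAuthenticationProcessingFilter.
    // skipIfAlreadyAuthenticated is a boolean field of that subclass (its declaration is not shown in the post).
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (skipIfAlreadyAuthenticated) {
            Authentication existingAuth = SecurityContextHolder.getContext().getAuthentication();
            // A real (non-anonymous) authentication is already in the security context:
            // skip SPNEGO processing, so the UserDetailsService is not called again.
            if (existingAuth != null
                    && existingAuth.isAuthenticated()
                    && !(existingAuth instanceof AnonymousAuthenticationToken)) {
                chain.doFilter(request, response);
                return;
            }
        }

        // No usable authentication yet: let the SPNEGO filter validate the ticket.
        super.doFilter(req, res, chain);
    }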
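With the filter override above, roles loaded at login stay fixed until the session ends. A complementary option, shown here as an added example that is not part of the original answer or of Spring Security, is to wrap the database-backed UserDetailsService in a time-bounded cache so role changes still propagate. The class name TtlCachingUserDetailsService, the TTL parameter and the evict method are assumptions made for illustration.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.TimeUnit;

import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/** Hypothetical decorator: caches role lookups per username for a bounded time. */
public class TtlCachingUserDetailsService implements UserDetailsService {

    private static final class Entry {
        final UserDetails user;
        final long loadedAtNanos;
        Entry(UserDetails user, long loadedAtNanos) {
            this.user = user;
            this.loadedAtNanos = loadedAtNanos;
        }
    }

    private final UserDetailsService delegate;   // e.g. the page's dummyUserDetailsService
    private final long ttlNanos;
    // Unbounded map: acceptable for a known directory of users, add a size limit otherwise.
    private final ConcurrentMap<String, Entry> cache = new ConcurrentHashMap<String, Entry>();

    public TtlCachingUserDetailsService(UserDetailsService delegate, long ttlSeconds) {
        if (delegate == null || ttlSeconds <= 0) {
            throw new IllegalArgumentException("delegate and a positive TTL are required");
        }
        this.delegate = delegate;
        this.ttlNanos = TimeUnit.SECONDS.toNanos(ttlSeconds);
    }

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        long now = System.nanoTime();
        Entry hit = cache.get(username);
        if (hit != null && now - hit.loadedAtNanos < ttlNanos) {
            return hit.user;   // still fresh: no database query
        }
        // Miss or expired: reload. Lookup failures propagate and are never cached.
        UserDetails loaded = delegate.loadUserByUsername(username);
        cache.put(username, new Entry(loaded, now));
        return loaded;
    }

    /** Call when a user's roles change or the account is disabled, so revocation is immediate. */
    public void evict(String username) {
        cache.remove(username);
    }
}
```

To use it, declare the wrapper as a bean around dummyUserDetailsService and reference the wrapper from the userDetailsService property of both providers. The TTL is the upper bound on how long a revoked role can remain effective without an explicit evict.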
