在Spring Security中,我使用DefaultJaasAuthenticationProvider Configuration使用linux用户名/密码进行登录身份验证。JpamLoginModule 用于身份验证。我成功进行身份验证,但在授权(ROLE_USER,ROLE_ADMIN)方面遇到问题,正在获取 HTTP 状态 403 - 访问被拒绝错误。
以下配置我在弹簧安全中使用的.xml
<security:authentication-manager>
<security:authentication-provider ref="jaasAuthProvider" />
</security:authentication-manager>
<bean id="jaasAuthProvider" class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider">
<property name="configuration">
<bean class="org.springframework.security.authentication.jaas.memory.InMemoryConfiguration">
<constructor-arg>
<map>
<entry key="SPRINGSECURITY">
<array>
<bean class="javax.security.auth.login.AppConfigurationEntry">
<constructor-arg value="net.sf.jpam.jaas.JpamLoginModule" />
<constructor-arg>
<util:constant static-field="javax.security.auth.login.AppConfigurationEntry$LoginModuleControlFlag.REQUIRED" />
</constructor-arg>
<constructor-arg>
<map></map>
</constructor-arg>
</bean>
</array>
</entry>
</map>
</constructor-arg>
</bean>
</property>
<property name="authorityGranters">
<list>
<bean class="it.webapps.pam.RoleGranter" />
</list>
</property>
</bean>
<bean id="userDetailsService" class="it.webapps.pam.UserDetailsServiceImpl">
</bean>
角色授予者.java代码
public class RoleGranter implements AuthorityGranter {
public RoleGranter() {
System.out.print("=== Creating My Authority Granter ===");
}
@Override
public Set<String> grant(Principal principal) {
return Collections.singleton("ROLE_ADMIN");
}
}
建议会很有帮助
基于:http://jpam.sourceforge.net/xref/net/sf/jpam/jaas/JpamLoginModule.html 和 https://github.com/spring-projects/spring-security/blob/master/core/src/main/java/org/springframework/security/authentication/jaas/AbstractJaasAuthenticationProvider.java
看起来您需要扩展 JpamLoginModule 来更改提交的行为。需要在扩展的 JpamLoginModule 中为主题分配主体。然后 AbstractJaasAuthenticationProvider (DefaultJaasAuthenticationProvider) 将遍历这些委托人并将它们发送给您的 authorityGranters (RoleGranter)。
<authentication-manager>
<authentication-provider ref="jaasAuthProvider" />
</authentication-manager>
<beans:bean id="userService" class="blah.UserDetailsServiceImpl" />
<beans:bean id="jaasAuthProvider" class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider">
<beans:property name="configuration">
<beans:bean class="org.springframework.security.authentication.jaas.memory.InMemoryConfiguration">
<beans:constructor-arg>
<beans:map>
<beans:entry key="SPRINGSECURITY">
<beans:array>
<beans:bean class="javax.security.auth.login.AppConfigurationEntry">
<beans:constructor-arg value="blah.RoleGrantingJpamLoginModule" />
<beans:constructor-arg>
<util:constant static-field="javax.security.auth.login.AppConfigurationEntry$LoginModuleControlFlag.REQUIRED" />
</beans:constructor-arg>
<beans:constructor-arg>
<beans:map></beans:map>
</beans:constructor-arg>
</beans:bean>
</beans:array>
</beans:entry>
</beans:map>
</beans:constructor-arg>
</beans:bean>
</beans:property>
<beans:property name="authorityGranters">
<beans:list>
<beans:bean class="blah.RoleGranter" />
</beans:list>
</beans:property>
</beans:bean>
package blah;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import net.sf.jpam.jaas.JpamLoginModule;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
public class RoleGrantingJpamLoginModule extends JpamLoginModule {
private Subject subject;
@Override
public void initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler callbackHandler, java.util.Map sharedState, java.util.Map options) {
super.initialize(subject, callbackHandler, sharedState, options);
this.subject = subject;
}
@Override
public boolean commit() throws LoginException {
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(null, null);
subject.getPrincipals().add(token);
return super.commit();
}
}
package blah;
import static java.util.Arrays.asList;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
public class UserDetailsServiceImpl implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
return new User(username, "password", asList(new SimpleGrantedAuthority("ROLE_ADMIN")));
}
}
尝试返回"ADMIN"而不是"ROLE_ADMIN"。弹簧自动添加"角色"。