Anshu的答案是通过ip对用户进行身份验证的好主意,但它可能不适用于cas身份验证。我有另一个解决方案,使用过滤器更适合这种情况。
public class IPAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
private AuthenticationUserDetailsService<CasAssertionAuthenticationToken> authenticationUserDetailsService;
private static Set<String> ipWhitelist;
@Autowired
private AppProperty appProperty;
@PostConstruct
public void init() {
ipWhitelist = new HashSet<>(Arrays.asList(appProperty.getIpWhitelist()));
setAuthenticationSuccessHandler(new AuthenticationSuccessHandler() {
@Override
public void onAuthenticationSuccess(
HttpServletRequest httpServletRequest,
HttpServletResponse httpServletResponse,
Authentication authentication) throws IOException, ServletException {
// do nothing
}
});
}
public IPAuthenticationFilter() {
super("/");
}
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
throws AuthenticationException, IOException {
String userName = request.getHeader(appProperty.getHeaderCurUser());
Assertion assertion = new AssertionImpl(userName);
CasAssertionAuthenticationToken token = new CasAssertionAuthenticationToken(assertion, "");
UserDetails userDetails = authenticationUserDetailsService.loadUserDetails(token);
CasAuthenticationToken result = new CasAuthenticationToken(
"an-id-for-ip-auth",
userDetails,
request.getRemoteAddr(),
userDetails.getAuthorities(),
userDetails,
assertion
);
return result;
}
protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) {
String userName = request.getHeader(appProperty.getHeaderCurUser());
return ipWhitelist.contains(request.getRemoteAddr()) && !StringUtils.isEmpty(userName);
}
protected void successfulAuthentication(
HttpServletRequest request,
HttpServletResponse response,
FilterChain chain,
Authentication authResult) throws IOException, ServletException {
super.successfulAuthentication(request, response, chain, authResult);
chain.doFilter(request, response);
}
public AuthenticationUserDetailsService<CasAssertionAuthenticationToken> getAuthenticationUserDetailsService() {
return authenticationUserDetailsService;
}
public void setAuthenticationUserDetailsService(
AuthenticationUserDetailsService<CasAssertionAuthenticationToken> authenticationUserDetailsService) {
this.authenticationUserDetailsService = authenticationUserDetailsService;
}
}
您可以在 cas 之前添加此过滤器,如下所示:
http.addFilterBefore(ipAuthenticationFilter(), CasAuthenticationFilter.class)