如何在Spring Boot中设置基于预身份验证标头的身份验证?
2022-09-03 16:07:34
我的应用从 Oracle Access Manager SSO 获取带有用户名的 AUTH_USER 请求标头。Spring Security“附加主题”2.2.1有一个“PreAuth”的例子,这似乎是我需要的,但不是一个完整的工作例子。
下面的代码段来自文档/示例,不适用于基于注释的配置。
Siteminder 示例配置 - 将 XML 与 RequestHeaderAuthenticationFilter 和 PreAuthenticatedAuthenticationProvider 以及 UserDetailsService 一起使用来查找用户。
这如何映射到基于 Java 的配置?
<security:http>
<!-- Additional http configuration omitted -->
<security:custom-filter position="PRE_AUTH_FILTER" ref="siteminderFilter" />
</security:http>
<bean id="siteminderFilter" class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
<property name="principalRequestHeader" value="AUTH_USER"/>
<property name="authenticationManager" ref="authenticationManager" />
</bean>
<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth. PreAuthenticatedAuthenticationProvider">
<property name="preAuthenticatedUserDetailsService">
<bean id="userDetailsServiceWrapper"
class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
<property name="userDetailsService" ref="userDetailsService"/>
</bean>
</property>
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="preauthAuthProvider" />
</security:authentication-manager>
Spring Security预授权示例具有完全不同的设置(XML配置更加令人生畏)。未提及预身份验证筛选器或如何设置标头名称。
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/login","/resources/**").permitAll()
.anyRequest().authenticated()
.and()
.jee()
.mappableRoles("USER","ADMIN");
}
}
spring-boot-sample-web-secure扩展了WebMvcConfigurerAdapter而不是WebSecurityConfigurerAdapter,并且只执行基本的基于表单的登录,没有关于如何从预身份验证AUTH_USER标头获取userid的信息。
public class SampleWebSecureApplication extends WebMvcConfigurerAdapter {
... omitted...
@Bean
public ApplicationSecurity applicationSecurity() {
return new ApplicationSecurity();
}
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
protected static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Autowired
private SecurityProperties security;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().fullyAuthenticated().and().formLogin()
.loginPage("/login").failureUrl("/login?error").permitAll();
}
}
}
我已经阅读了许多参考/文章,但它们似乎与当前代码和Spring-boot无关,因此试图了解如何配置应用程序预身份验证安全性。