
Spring Security + Tomcat SSO

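A question for the experts here,

I have several webapps deployed on one Tomcat. Each webapp uses Spring Security to handle user authentication and authorization.

The backend database used for authentication and authorization is shared.

I would like to implement SSO (Single Sign On) across these webapps: after logging in to one webapp, the user can access the other webapps according to their permissions.

I can currently implement authentication and authorization control with Spring Security for a single webapp, but I don't know how to implement SSO in this situation (every webapp deployed on the same Tomcat).

I couldn't find an answer on StackOverflow either, so I would appreciate any pointers.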


翻翻过去那场雪
Views: 452, Answers: 2
2 answers

萧十郎

Each app uses Tomcat JDBCRealm for authentication, but uses Spring Security for authorization. Both are based on the same user information database.

Enable SSO in Tomcat -- this is important; otherwise the cookie is not sent when accessing other webapps in the same domain, and authentication fails.

In each webapp, configure web.xml to use Tomcat for authentication -- if Spring performs the authentication, Tomcat's SSO does not work.

In each webapp, configure Spring to use J2eePreAuthenticatedProcessingFilter for access control (authorization).

The configuration in spring.xml:

    <bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
        <constructor-arg name="strength" value="11" />
    </bean>

    <!-- Unauthenticated requests get a 403; the login itself is handled by Tomcat -->
    <bean id="forbiddenEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

    <security:http auto-config="false" use-expressions="true" entry-point-ref="forbiddenEntryPoint">
        <security:custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter"/>
        <security:intercept-url pattern="/index/**" access="hasAnyRole('ROLE_SUPER')" />
        <!-- Spring's session-fixation handling and CSRF protection are switched off in this configuration -->
        <security:session-management session-fixation-protection="none"/>
        <security:csrf disabled="true"/>
    </security:http>

    <!-- Accepts the principal already authenticated by the container and loads its user details;
         nosUserDetailsService is referenced here but not defined in this snippet -->
    <bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="throwExceptionWhenTokenRejected" value="true"/>
        <property name="preAuthenticatedUserDetailsService">
            <bean id="userDetailsServiceWrapper" class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                <property name="userDetailsService" ref="nosUserDetailsService" />
            </bean>
        </property>
    </bean>

    <bean id="preAuthenticatedProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint"/>

    <!-- Reads the role names declared in the webapp's web.xml -->
    <bean id="webXmlMappableAttributesRetriever" class="org.springframework.security.web.authentication.preauth.j2ee.WebXmlMappableAttributesRetriever"/>

    <!-- Maps container roles to granted authorities without adding a prefix -->
    <bean id="simpleAttributes2GrantedAuthoritiesMapper" class="org.springframework.security.core.authority.mapping.SimpleAttributes2GrantedAuthoritiesMapper">
        <property name="attributePrefix" value=""/>
    </bean>

    <bean id="j2eeBasedPreAuthenticatedWebAuthenticationDetailsSource" class="org.springframework.security.web.authentication.preauth.j2ee.J2eeBasedPreAuthenticatedWebAuthenticationDetailsSource">
        <property name="mappableRolesRetriever" ref="webXmlMappableAttributesRetriever"/>
        <property name="userRoles2GrantedAuthoritiesMapper" ref="simpleAttributes2GrantedAuthoritiesMapper"/>
    </bean>

    <!-- Picks up the user principal that the container put on the request -->
    <bean id="preAuthFilter" class="org.springframework.security.web.authentication.preauth.j2ee.J2eePreAuthenticatedProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="authenticationDetailsSource" ref="j2eeBasedPreAuthenticatedWebAuthenticationDetailsSource"/>
    </bean>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="preauthAuthProvider"/>
    </security:authentication-manager>
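
The answer above describes enabling Tomcat SSO and container authentication in web.xml without showing those settings. The fragments below are an added example, not part of the original answer: the host name, JDBC driver, connection values, table and column names, login page paths, the HTTPS requirement, and the assumption that the realm's role table stores the role as ROLE_SUPER are all placeholders or assumptions.

```xml
<!-- conf/server.xml (fragment): SSO valve and shared realm inside the <Host> -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
  <!-- One container login is then honoured by every webapp on this Host -->
  <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
  <!-- The realm must sit at Host or Engine level, not inside a Context,
       so that all webapps authenticate against the same realm.
       Driver, URL, credentials and table/column names are placeholders. -->
  <Realm className="org.apache.catalina.realm.JDBCRealm"
         driverName="com.mysql.cj.jdbc.Driver"
         connectionURL="jdbc:mysql://db.example.internal/users"
         connectionName="REPLACE_ME" connectionPassword="REPLACE_ME"
         userTable="users" userNameCol="username" userCredCol="password"
         userRoleTable="user_roles" roleNameCol="role_name" />
</Host>

<!-- WEB-INF/web.xml of each webapp (fragment): container-managed login -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>protected</web-resource-name>
    <!-- Servlet pattern covering the same paths as Spring's /index/** rule -->
    <url-pattern>/index/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Assumed to match the role name stored in the realm's role table -->
    <role-name>ROLE_SUPER</role-name>
  </auth-constraint>
  <!-- Added assumption: require HTTPS so session and SSO cookies are not sent in clear text -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <!-- Placeholder page paths -->
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
<!-- Roles declared here are the ones WebXmlMappableAttributesRetriever reads -->
<security-role>
  <role-name>ROLE_SUPER</role-name>
</security-role>
```

A webapp that defines its own Realm inside its Context does not share the Host-level login, so Tomcat's SSO valve will not carry the session across to it.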