使用 Spring Security 进行外部身份验证
我们有自己的中央会话管理。一般来说,用户可以使用用户名和密码对其进行身份验证,结果他会得到一个 session_id。所有其他操作都是使用该 session_id 完成的。假设会话管理是通过 XML RPC 访问的。
我有两种情况要实现:
- 用 Spring 制作的中央 Web 应用程序,它有登录表单
- 也是用 Spring 制作的外部 Web 应用程序,它依赖于 仅传递session_id。
关于系统的更多通知:
- session_id 存储在 cookie 中(成功登录后,我必须将 cookie 添加到响应中)
- 每个页面请求都必须检查会话管理系统中的session_id有效性
我对Spring很陌生,所以我很难理解在哪里以及如何实现我的自定义逻辑。
我的问题是:
我必须实现系统的哪些部分才能拥有自己的登录名 逻辑(也必须有权访问响应对象 - 设置 cookie)? 我尝试了扩展 UsernamePasswordAuthenticationFilter 并实现我自己的方法 AuthenticationManager,但我不确定我是否走对了 方式。
有没有什么地方/如何实现我的“每个请求会话 以 Spring Security 的方式检查”?
We got our own central session management. Generally user can authenticate over it with an username and password, and as a result he gets an session_id. All other operations are done with that session_id. Let's say that the session management is accessed by a XML RPC.
I have two cases to implement:
- Central web application made in Spring, which has login form
- External web applications also made in Spring, which are relying on
passed session_id only.
Few more notices regarding system:
- session_id is stored in a cookie (after successful login, I have to add cookie to a response)
- every page request has to check session_id validity in session management system
I'm quite new to Spring, so I'm struggling to understand where and how to implement my custom logic.
My questions are:
What parts of a system I have to implement to have my own login
logic (got to have access to a response object too - to set cookie)?
I tryed something with extending UsernamePasswordAuthenticationFilter and implementing my own
AuthenticationManager, but I'm not sure that I'm going the right
way.Is there point where/how can I implement my "every request session
check" in Spring Security manner?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
在配置到
创建一个新的过滤器,在其中检查 session_id cookie。如果 cookie 不存在或者无效,则重定向到中央 Web 应用程序以供用户登录。如果 cookie 存在且有效并且用户尚未经过身份验证,则创建一个新的
身份验证并将其添加到SecurityContextHolder。查看 RememberMeAuthenticationFilter.doFilter() 以获取您想要在过滤器中执行的操作的示例。
使用
Do this in a AuthenticationSuccessHandler that is configured into your
<form-login>element:Create a new filter where you check for the session_id cookie. If the cookie is not present or if it is invalid redirect to the central web application for the user to log in. If the cookie is present and valid and the user isn't already authenticated then create a new
Authenticationand add it to theSecurityContextHolder.Take a look at RememberMeAuthenticationFilter.doFilter() for an example of what you want to do in your filter.
Add this filter to the filter chain using the
<custom-filter>element.