Can I have multiple security contexts with spring security?

执念已碎 2020-12-30 09:45

I have one security context definition that uses PreAuthenticatedProcessingFilterEntryPoint for the flex part of my application. How can I have another definition that will

3 Answers
  • 2020-12-30 10:19

    It has been tricky to do until recently, but now it is easy!

    Spring Security has added support for the scenario in version 3.1. It is currently available as a Release Candidate, implemented by SEC-1171. Details of the syntax are in the manual included with 3.1.

    It's pretty simple to use. Basically you just define multiple http elements in your Spring Security configuration, one for each context. We're using it like this:

    <!-- Configure realm for system administration users -->
    <security:http pattern="/admin/**" create-session="stateless">
        <security:intercept-url pattern='/**' access='ROLE_ADMIN' requires-channel="https" />
        <security:custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter" />
    </security:http>
    
    
    <!-- Configure realm for standard users -->
    <security:http auto-config="true" access-denied-page="/error/noaccess" use-expressions="true" create-session="ifRequired">
        <security:form-login 
                ...
                ...
    </security:http>
    

    The key thing to note is the pattern="/admin/**" on the first http element. This tells Spring that all URLs under /admin are subject to that context instead of the default context — and thus URLs under /admin use your preauthorisation filter instead.

  • 2020-12-30 10:32

    It's all about what parts of your application are intercepted by the Spring Security filter chain. Somewhere in your XML configuration (depending on whether you did the simple tag config or not) there is an intercept regex like this:

    <intercept-url pattern="/**" ...>
    

    You can have different intercept patterns that use different configurations (aka different parts of the security filter chain). I could give you a more concrete answer if you post your current configuration xml.

    EDIT: Currently you are using the http tag to define your Spring Security configuration. This tag is used as a shortcut/helper and it auto-defines a lot of pieces of the Security Filter chain that can also be set up manually. I think your use case does not fit the auto setup paradigm, so you will need to manually set up the filter chain for different URL patterns (as seen in the post below mine). You can create your own PreAuthenticationFilter (which will take a custom UserDetailsService) and add that where appropriate to your filter chain intercept mapping.

  • 2020-12-30 10:43

    Map each filter chain to a different URL pattern:

    <bean id="myfilterChainProxy"
       class="org.springframework.security.util.FilterChainProxy">
      <security:filter-chain-map pathType="ant">
      <security:filter-chain pattern="/flex" filters="filterF"/>
      <security:filter-chain pattern="/**" filters="filter1,filter2,filter3"/>
      </security:filter-chain-map>
    </bean>
    
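A fuller version of the multiple-http-element approach from the first answer, written as an added example against the Spring Security 3.1 namespace; it is not taken from any of the answers. It gives each chain its own entry point and authentication manager. The bean ids, the `/flex/**` path, the `X-Example-User` header and the two properties files are assumptions chosen for illustration.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
         http://www.springframework.org/schema/security
         http://www.springframework.org/schema/security/spring-security-3.1.xsd">
  <!-- Chains are tried in declaration order and the first matching pattern wins,
       so the specific /flex/** chain must be declared before the catch-all. -->
  <security:http pattern="/flex/**" create-session="stateless"
                 entry-point-ref="forbiddenEntryPoint"
                 authentication-manager-ref="preAuthManager">
    <security:intercept-url pattern="/**" access="ROLE_USER" />
    <security:custom-filter position="PRE_AUTH_FILTER" ref="preAuthFilter" />
  </security:http>
  <!-- No pattern attribute: handles every request not claimed above. -->
  <security:http authentication-manager-ref="formManager">
    <security:intercept-url pattern="/login" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/**" access="ROLE_USER" />
    <security:form-login login-page="/login" />
  </security:http>
  <!-- Pre-auth chain answers 403 instead of redirecting to the login form. -->
  <bean id="forbiddenEntryPoint"
        class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />
  <!-- Assumption: identity arrives in a header that a trusted front end always
       sets or strips; only safe if the app is unreachable by any other route. -->
  <bean id="preAuthFilter"
        class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">
    <property name="principalRequestHeader" value="X-Example-User" />
    <property name="authenticationManager" ref="preAuthManager" />
  </bean>
  <security:authentication-manager id="preAuthManager">
    <security:authentication-provider ref="preAuthProvider" />
  </security:authentication-manager>
  <bean id="preAuthProvider"
        class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService">
      <bean class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
        <property name="userDetailsService" ref="flexUsers" />
      </bean>
    </property>
  </bean>
  <security:authentication-manager id="formManager">
    <security:authentication-provider user-service-ref="siteUsers" />
  </security:authentication-manager>
  <!-- Hypothetical user stores; replace with your own UserDetailsService beans. -->
  <security:user-service id="flexUsers" properties="classpath:flex-users.properties" />
  <security:user-service id="siteUsers" properties="classpath:site-users.properties" />
</beans>
```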