问题
I'm using Spring Security (v3.1.3) for X.509 authentication in my web-application. Users and roles are stored in the Database, but I don't actually need to do it, as CNs of client certificates conform to "[ROLE] - [USERNAME]" schema, which means I already have username and role from the certificate itself. So how to eliminate the database without too much effort? Should I write my own implementation of user-service, which will populate UserDetails, or is there more graceful method?
回答1:
Yes, the simplest option is probably to write a custom AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken>
. The implementations would be something like this:
UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) {
X509Certificate certificate = (X509Certificate[)token.getCredentials();
// Extract what you want from the certificate
...
// Create the user information
UserDetails user = ...
return user;
}
You should be able to use a reference to this bean directly in the user-service-ref
namespace attribute <x509 user-service-ref='yourUserServiceBean' />
.
来源:https://stackoverflow.com/questions/14563397/spring-security-x-509-authentication-without-user-service