
我有一个使用摘要身份验证的应用程序。除了 Digest 方法之外,我还想通过检查自定义 HTTP 标头来自定义身份验证过程。如果请求中存在标头,则应像以前一样进行身份验证,否则应拒绝用户。我试图通过定义一个自定义的预身份验证过滤器来做到这一点,但不知何故它不能与 Digest 过滤器一起使用。

<!-- HTTP security chain: unauthenticated requests are challenged through digestEntryPoint and
     anonymous authentication is disabled. Two custom filters are inserted: the request-header
     pre-auth filter at PRE_AUTH_FILTER and the Digest filter ahead of BASIC_AUTH_FILTER.
     NOTE(review): no intercept-url rules are visible in this snippet; confirm where access rules
     are declared.
     NOTE(review): a pre-auth filter that succeeds normally populates the security context by
     itself, so as wired the header would act as an alternative credential rather than an extra
     condition on top of Digest; confirm against the stated goal (header AND Digest).
     NOTE(review): a header is only a trustworthy signal if it is set by a trusted upstream
     component and stripped from client-supplied requests before it reaches this chain. -->
<security:http entry-point-ref="digestEntryPoint">
    <security:custom-filter ref="customPreauthFilter" position="PRE_AUTH_FILTER"/>
    <security:custom-filter ref="digestFilter" before="BASIC_AUTH_FILTER"/>
    <security:anonymous enabled="false"/>
</security:http>


<!-- Application-specific request-header filter (class source not shown on this page); it hands
     its authentication request to appControlAuthenticationManager.
     NOTE(review): presumably a RequestHeaderAuthenticationFilter subclass; confirm which header it
     reads and whether a missing header raises an exception or lets the request continue. -->
<bean id="customPreauthFilter" class="com.myapp.messaging.security.SoundianRequestHeaderAuthenticationFilter">
    <property name="authenticationManager" ref="appControlAuthenticationManager" />
</bean>

<!-- Provider for pre-authenticated tokens: it accepts the principal name already established by
     the pre-auth filter and only loads the matching user through customUserDetailsService
     (wrapped by UserDetailsByNameServiceWrapper). It performs no password check of its own, so the
     strength of this path is exactly the trustworthiness of whatever set the header. -->
<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService">
        <!-- Inner bean: adapts the name-based UserDetailsService to the token-based lookup the provider expects. -->
        <bean id="userDetailsServiceWrapper"  class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
            <property name="userDetailsService" ref="customUserDetailsService"/>
        </bean>
    </property>
</bean>

<!-- Authentication manager exposed under the alias appControlAuthenticationManager. Providers are
     consulted in the order declared; each one handles only the token types it supports, so the
     pre-auth provider serves the header filter and the DAO provider serves username/password
     tokens. -->
<security:authentication-manager alias="appControlAuthenticationManager">
    <security:authentication-provider ref="preauthAuthProvider" />
    <security:authentication-provider ref="daoAuthenticationProvider"/>
</security:authentication-manager>

<!-- Username/password provider backed by customUserDetailsService.
     NOTE(review): no passwordEncoder is set here, so password comparison falls back to the
     default of the Spring Security version in use; confirm how stored passwords are encoded. -->
<bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="customUserDetailsService"/>
</bean>

<!-- Digest authentication -->
<!-- NOTE(review): DigestAuthenticationFilter does not authenticate through an
     AuthenticationManager or its providers. It validates the Digest response itself and expects a
     userDetailsService property and an authenticationEntryPoint property (the same entry point
     that issues the nonces); neither is set on this bean.
     NOTE(review): security:authentication-provider is normally a child of
     security:authentication-manager, so nesting it inside a plain bean is unlikely to have the
     intended effect; confirm against the schema of the Spring Security version in use.
     Digest also needs the UserDetailsService to return the password in clear text, or a
     precomputed HA1 hash when passwordAlreadyEncoded is enabled, which limits how safely
     credentials can be stored. -->
<bean id="digestFilter" class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter">
    <security:authentication-provider ref="preauthAuthProvider" />
    <!-- <security:authentication-provider ref="daoAuthenticationProvider"/>-->
</bean>

<!-- Entry point that sends the Digest challenge (401 with a fresh nonce) for the realm below.
     NOTE(review): "key" is the server-side secret mixed into the nonce signature; "acegi" is the
     value used in published sample configurations, so replace it with a unique, non-public value
     kept out of version control.
     NOTE(review): nonceValiditySeconds is 10, so a nonce expires ten seconds after it is issued;
     a client replying with an expired nonce should be challenged again, which shows up as
     another 401. Confirm this window is intended. -->
<bean id="digestEntryPoint" class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
    <property name="realmName" value="myvalue"/>
    <property name="key" value="acegi"/>
    <property name="nonceValiditySeconds" value="10"/>
</bean>

Preauthentication 过滤器成功,但我仍然得到 401 结果。

如果我取消注释

<!-- <security:authentication-provider ref="daoAuthenticationProvider"/>-->

那么预认证过滤器被忽略。

