spring-security - SpringSecurity - 「偽ログイン」の実行を無効にする最良の方法

Question

テストおよび開発環境でSpring Securityを有効/無効にするための最良/エレガント/便利な方法を見つけたいと思います。このプロパティが ON に設定されている場合、認証は必須です。それ以外の場合、ユーザーは認証する必要がなく、関連付けられたすべてのロールと偽のユーザー名/プロパティを含むアプリケーションのホームページに直接到達します。

ところで、私のアプリケーションには単純な認証戦略があります。ユーザーは、他の多くの Web アプリにアクセスするためのリンクを提供する別の Web アプリケーションを介して以前にログインしました。このリンクの 1 つは、ユーザー名とロールを含む単純な送信で Web アプリにリダイレクトされます。セキュリティ チェーンはこの情報をキャッチし、自動認証を実行します。

どんな提案でも大歓迎です;）

さよなら！ドルフィス

私のコードのいくつかのスニペット...

SpringSecurityContext.xml:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:security="http://www.springframework.org/schema/security"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
          http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <security:http use-expressions="true" auto-config="false" entry-point-ref="preAuthenticatedProcessingFilterEntryPoint">
        <security:intercept-url pattern="/fakeLogin*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/authError*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/VAADIN**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/**" access="isAuthenticated()" />
        <security:logout logout-url="/logout" logout-success-url="http://milan-ias-vs.usersad.everis.int/DMTest/" invalidate-session="true" />
        <security:custom-filter position="PRE_AUTH_FILTER" ref="preAuthenticatedProcessingFilter" />
    </security:http>

    <bean id="preAuthenticatedProcessingFilterEntryPoint" class="it.ram.authentication.LinkForbiddenEntryPoint" />

    <bean id="preAuthenticatedProcessingFilter" class="it.ram.authentication.PreAuthenticatedProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager" />
    </bean>

    <bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
        <property name="preAuthenticatedUserDetailsService">
            <bean class="it.ram.authentication.PreAuthenticatedUserDetailsService" />
        </property>
    </bean>

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="preauthAuthProvider" />
    </security:authentication-manager>

</beans>

PreAuthenticatedProcessingFilter.java:

public class PreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter {

    private final static Log log = LogFactory.getLog(PreAuthenticatedProcessingFilter.class);

    public PreAuthenticatedProcessingFilter() {
        super();
        log.debug("PreAuthenticatedProcessingFilter default constructor");
        setAuthenticationDetailsSource(new CustomAuthenticationDetailsSource());
    }

    public PreAuthenticatedProcessingFilter(AuthenticationManager authenticationManager) {
        log.debug("PreAuthenticatedProcessingFilter constructor with AuthMan arg");
        setAuthenticationDetailsSource(new CustomAuthenticationDetailsSource());
    }

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String userName = request.getParameter(Constants.REQUEST_USER_PARAM);
        log.debug("getPreAuthenticatedPrincipal - Returning " +userName);
        return userName;
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        log.debug("getPreAuthenticatedCredentials - Returning N/A");
        return "N/A";
    }

    public static class CustomAuthenticationDetailsSource implements AuthenticationDetailsSource<HttpServletRequest, SessionUserDetails> {

        @Override
        public SessionUserDetails buildDetails(HttpServletRequest request) {
            log.debug("buildDetails");
            // create container for pre-auth data
            String role = request.getParameter(Constants.REQUEST_ROLE_PARAM);
            return new SessionUserDetails(role);
        }
    }
}

PreAuthenticatedUserDetailsS​​ervice.xml:

public class PreAuthenticatedUserDetailsService implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {

    private final static Log log = LogFactory.getLog(PreAuthenticatedUserDetailsService.class);

    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken  token) throws UsernameNotFoundException {
        log.debug("loadUserDetails - token.getName(): " +token.getName());

        SessionUserDetails sessionUserDetails = (SessionUserDetails) token.getDetails();
        List<SimpleGrantedAuthority> authorities = sessionUserDetails.getAuthorities();            
        return new User(token.getName(), "N/A", true, true, true, true, authorities);
    }

}

Answer 1

を見てみましょう：

org.springframework.security.web.authentication.RememberMeServices#autoLogin(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)

実装については、ここを調べてください。

http://git.springsource.org/spring-security/spring-security/trees/c12c43da9eb59b664bc995a38859c6acac621390/web/src/main/java/org/springframework/security/web/authentication/rememberme

SecurityContextHolder は、既存の資格情報があるかどうかを確認し、それらを変更または置換する場所です。

SecurityContext securityContext = SecurityContextHolder.getContext();
Authentication authentication = securityContext.getAuthentication();
// authentication contains existing (if set and non-null) maybe it is anonymous
// so then you might have a better set of credentials to replace it with
WebappUserDetails webappUserDetails = userContextService.getPrincipal(WebappUserDetails.class);
// The above constructs my custom type that implement spring UserDetails interface
// this is the identity of the user
// You should check things are valid (account enable and valid, etc..)
// Then you make a fake Authentication and attach it to the session context
// There are many token kinds in spring representing different ways to auth
//  this token is the kind that might be used for a HTML form based login with
//  username and password. 
String principal = "myusername";  // username
String credentials = "mypassword";  // password
// Note you should probably not want to hardwire passwords into code and the correct
//  way is to setup a new Token type and configure main security XML to allow it
//  to the secure URLs (or secured subjects)
Authentication authRequest = new UsernamePasswordAuthenticationToken(principal, credentials);
Authentication authResult = authenticationManager.authenticate(authRequest);
// Check the authResult then attach it to the context
SecurityContextHolder.getContext().setAuthentication(authResult);