0

複数のエンドポイントを持つ SpringBoot ベースのアプリがあります。エンドポイントにアクセスするクライアントが異なるため、それらを保護するさまざまな認証プロバイダーが必要です。一部のエンドポイントは、Kerberos (KerberosServiceAuthenticationProvider -- http://docs.spring.io/autorepo/docs/spring-security-kerberos/1.0.0.RC1/reference/htmlsingle/ ) によって保護されます。一部のエンドポイントは、AD/LDAP (ActiveDirectoryLdapAuthenticationProvider) によって保護されます。

現在、Kerberos または LDAP で動作していますが、両方ではありません。

@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
protected class ApplicationSecurity extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {

//For Kerberos
        auth.authenticationProvider(kerberosAuthenticationProvider())
            .authenticationProvider(kerberosServiceAuthenticationProvider());
//For LDAP  
        //auth.authenticationProvider(customAuthenticationProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers(HttpMethod.GET, APPLICATION_ADMIN_ENDPOINTS)
                    .permitAll()
                    .and()
                .authorizeRequests()
                    .antMatchers(HttpMethod.PUT, APPLICATION_ADMIN_ENDPOINTS)
                    .hasAnyAuthority(AUTHENTICATED_APPLICATION_ADMIN_AUTHORITIES)
                    .and()
                .authorizeRequests()
                    .antMatchers(HttpMethod.DELETE, APPLICATION_ADMIN_ENDPOINTS)
                    .hasAnyAuthority(AUTHENTICATED_APPLICATION_ADMIN_AUTHORITIES)
                    .and()
                .authorizeRequests()
                    .antMatchers(CLIENT_ENDPOINTS)
                    .permitAll()
                    .and()
                .authorizeRequests()
                    .antMatchers(SWAGGER_ENDPOINTS)
                    .permitAll()
                    .and()
                .authorizeRequests()
                    .antMatchers(MANAGER_ENDPOINTS)
                    .hasAnyAuthority(AUTHENTICATED_MANAGER_AUTHORITIES)
                    .and()
                .authorizeRequests()
                    .antMatchers(TRUSTED_AGENT_ENDPOINTS)
                    .hasAnyAuthority(AUTHENTICATED_TRUSTED_AGENT_AUTHORITIES)
                    .and()
                .authorizeRequests()
                    .antMatchers("/kerb/**")
                    .hasAnyAuthority(AUTHENTICATED_APPLICATION_ADMIN_AUTHORITIES)
                    .and()
                .addFilterBefore(spnegoAuthenticationProcessingFilter(authenticationManagerBean()), BasicAuthenticationFilter.class)
                .httpBasic()
                    .and()
                .csrf()
                    .disable();
    }
}

@Bean
public AuthenticationProvider customAuthenticationProvider() {
    ActiveDirectoryLdapAuthenticationProvider provider = new ActiveDirectoryLdapAuthenticationProvider(
            ldapDomain, ldapUrl);
    SimpleCaseAndWhitespaceMitigatingAuthoritiesMapper authoritiesMapper = new SimpleCaseAndWhitespaceMitigatingAuthoritiesMapper();
    provider.setAuthoritiesMapper(authoritiesMapper);
    provider.setConvertSubErrorCodesToExceptions(true);
    return provider;
}

@Bean
public KerberosAuthenticationProvider kerberosAuthenticationProvider() {
    KerberosAuthenticationProvider provider = new KerberosAuthenticationProvider();
    SunJaasKerberosClient client = new SunJaasKerberosClient();
    client.setDebug(true);
    provider.setKerberosClient(client);
    provider.setUserDetailsService(kerberosUserService());
    return provider;
}

@Bean
public KerberosServiceAuthenticationProvider kerberosServiceAuthenticationProvider() {
    KerberosServiceAuthenticationProvider provider = new KerberosServiceAuthenticationProvider();
    provider.setTicketValidator(sunJaasKerberosTicketValidator());
    provider.setUserDetailsService(kerberosUserService());
    return provider;
}

@Bean
public SunJaasKerberosTicketValidator sunJaasKerberosTicketValidator() {
    SunJaasKerberosTicketValidator ticketValidator = new SunJaasKerberosTicketValidator();
    ticketValidator.setServicePrincipal(kerberosPrincipal);
    File f = new File(keytabFile);
    try {
        LOG.info(String.format("Absolute: %s, Canonical: %s", f.getAbsolutePath(), f.getCanonicalPath()));
        if(f.exists()){
            LOG.info("File exists.");
        }
        else{
            LOG.info("File DOES NOT exist.");
        }
    } catch (IOException e) {
        e.printStackTrace();
    }
    ticketValidator.setKeyTabLocation(new FileSystemResource(f));
    ticketValidator.setDebug(true);
    return ticketValidator;
}

@Bean
public SpnegoAuthenticationProcessingFilter spnegoAuthenticationProcessingFilter(AuthenticationManager authenticationManager) {
    SpnegoAuthenticationProcessingFilter filter = new SpnegoAuthenticationProcessingFilter();
    filter.setAuthenticationManager(authenticationManager);
    return filter;
}

@Bean
public KerberosUserDetailsService kerberosUserService() {
    return new KerberosUserDetailsService();
}

とにかくこれを両方で機能させるには?リクエストを処理するカスタム認証プロバイダーを作成することを考えていましたが、それが機能するかどうかはわかりませんでした。

4

3 に答える 3