问题
In Spring Security am using DefaultJaasAuthenticationProvider Configuration for login authentication with linux username/password. JpamLoginModule is used for authentication. I am successfull with authentication but i had problem in authoriztion(ROLE_USER,ROLE_ADMIN), am getting HTTP Status 403 - Access is denied Error.
Following Configuration i used in spring-security.xml
<security:authentication-manager>
<security:authentication-provider ref="jaasAuthProvider" />
</security:authentication-manager>
<bean id="jaasAuthProvider" class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider">
<property name="configuration">
<bean class="org.springframework.security.authentication.jaas.memory.InMemoryConfiguration">
<constructor-arg>
<map>
<entry key="SPRINGSECURITY">
<array>
<bean class="javax.security.auth.login.AppConfigurationEntry">
<constructor-arg value="net.sf.jpam.jaas.JpamLoginModule" />
<constructor-arg>
<util:constant static-field="javax.security.auth.login.AppConfigurationEntry$LoginModuleControlFlag.REQUIRED" />
</constructor-arg>
<constructor-arg>
<map></map>
</constructor-arg>
</bean>
</array>
</entry>
</map>
</constructor-arg>
</bean>
</property>
<property name="authorityGranters">
<list>
<bean class="it.webapps.pam.RoleGranter" />
</list>
</property>
</bean>
<bean id="userDetailsService" class="it.webapps.pam.UserDetailsServiceImpl">
</bean>
RoleGranter.java code
public class RoleGranter implements AuthorityGranter {
public RoleGranter() {
System.out.print("=== Creating My Authority Granter ===");
}
@Override
public Set<String> grant(Principal principal) {
return Collections.singleton("ROLE_ADMIN");
}
}
suggestion would be very helpful
回答1:
Based on: http://jpam.sourceforge.net/xref/net/sf/jpam/jaas/JpamLoginModule.html and https://github.com/spring-projects/spring-security/blob/master/core/src/main/java/org/springframework/security/authentication/jaas/AbstractJaasAuthenticationProvider.java
Looks like you need to extend JpamLoginModule to change commit's behaviour. There needs to be principals assigned into the subject in your extended JpamLoginModule. Then AbstractJaasAuthenticationProvider (DefaultJaasAuthenticationProvider) will loop through these principals and send them to your authorityGranters (RoleGranter).
<authentication-manager>
<authentication-provider ref="jaasAuthProvider" />
</authentication-manager>
<beans:bean id="userService" class="blah.UserDetailsServiceImpl" />
<beans:bean id="jaasAuthProvider" class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider">
<beans:property name="configuration">
<beans:bean class="org.springframework.security.authentication.jaas.memory.InMemoryConfiguration">
<beans:constructor-arg>
<beans:map>
<beans:entry key="SPRINGSECURITY">
<beans:array>
<beans:bean class="javax.security.auth.login.AppConfigurationEntry">
<beans:constructor-arg value="blah.RoleGrantingJpamLoginModule" />
<beans:constructor-arg>
<util:constant static-field="javax.security.auth.login.AppConfigurationEntry$LoginModuleControlFlag.REQUIRED" />
</beans:constructor-arg>
<beans:constructor-arg>
<beans:map></beans:map>
</beans:constructor-arg>
</beans:bean>
</beans:array>
</beans:entry>
</beans:map>
</beans:constructor-arg>
</beans:bean>
</beans:property>
<beans:property name="authorityGranters">
<beans:list>
<beans:bean class="blah.RoleGranter" />
</beans:list>
</beans:property>
</beans:bean>
package blah;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import net.sf.jpam.jaas.JpamLoginModule;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
public class RoleGrantingJpamLoginModule extends JpamLoginModule {
private Subject subject;
@Override
public void initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler callbackHandler, java.util.Map sharedState, java.util.Map options) {
super.initialize(subject, callbackHandler, sharedState, options);
this.subject = subject;
}
@Override
public boolean commit() throws LoginException {
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(null, null);
subject.getPrincipals().add(token);
return super.commit();
}
}
package blah;
import static java.util.Arrays.asList;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
public class UserDetailsServiceImpl implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
return new User(username, "password", asList(new SimpleGrantedAuthority("ROLE_ADMIN")));
}
}
回答2:
Try to return "ADMIN" instead of "ROLE_ADMIN". Spring add "ROLE" automatically.
来源:https://stackoverflow.com/questions/22778188/spring-security-jaas-authentication-authorization-issue