问题
I'm trying to get spring security roles to work with websphere liberty. I know I've got my liberty setup properly because I wrote a very simple servlet 3 app with role based restrictions and it worked on the same server with the same role restrictions.
Here is the relevant section of my SecurityConfig:
@Override
protected void configure(final HttpSecurity http) throws Exception {
LOGGER.info("adding testing constraint");
http.authorizeRequests()
.anyRequest().authenticated()
.and().httpBasic();
if (appProperties.isContainerManaged()) {
LOGGER.info("using container managed");
http.jee().mappableRoles("TESTING", "ADMIN");
}
http.csrf().disable()
.logout()
.permitAll();
}
The above is printing out "using container managed" in the server logs so I know that's working :)
In my controller I am passing in the principal:
public String index(final Model model, final Principal principal, final HttpSession session,
final HttpServletRequest request) {
But when I call:
Authentication authentication = (Authentication) principal;
authentication.getAuthorities()
I get nothing back.
Here is the relevant section of server.xml:
<application type="war" id="security-sample" name="security-test"
location="${server.config.dir}apps/security-sample.war">
<application-bnd>
<security-role name="TESTING">
<user name="myuser" />
</security-role>
</application-bnd>
</application>
I've dug a bit deeper. I converted the app to use the WebSpherePreAuthenticatedProcessingFilter. (I was shocked how little docs there are on this). I got the filter to load but it fails on Liberty with:
javax.naming.NameNotFoundException: UserRegistry
This looks to be a known problem:
https://www.ibm.com/developerworks/community/forums/html/topic?id=62b6761f-1ae4-42c3-847b-485acbd95730
From what I can tell, Liberty is just barely supported in Spring Security if you are using container managed security. You can get the user information, but not the group / role / authority info.
UPDATE:
I got a bit farther, I can now get a user's groups to show up in liberty but NOT the roles that are mapped via security-role.
Here's the trick. I created a LibertyPreAuthenticatedWebAuthenticatedDetailsSource that get's the user's groups. I used the calls here: http://www.ibm.com/support/knowledgecenter/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/rwlp_sec_apis.html to figure out how to get the groups for a user.
Now I just need to figure out how to use the mapped security roles....
来源:https://stackoverflow.com/questions/41271467/roles-authorities-not-working-in-websphere-liberty