Question
I'm adding Spring security to an internal website. I've been asked to have the authentication be tied to tomcat-users.xml, so that we can cut down on the number of passwords to change/remember.
From what I've been able to Google up, this isn't very straightforward, if at all possible.
Things are working fine, for now, with a user + role hardcoded in springSecurity.xml.
Answer 1:
You can treat container security as a pre-authenticated scenario.
There's a sample app in the codebase which uses this approach. It uses explicit bean configuration, but there is also a <jee> namespace element available.
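Configuration for the pre-authenticated approach described in the first answer, using the `<jee>` namespace element. This is an added example, not taken from either answer or from the Spring Security sample app. It assumes Spring Security 3.x XML namespace syntax and a Tomcat realm that reads tomcat-users.xml; the user name, role name and realm name are constructed, and the password is a placeholder.

```xml
<!-- conf/tomcat-users.xml: the single place where users and roles live.
     The role name already carries the ROLE_ prefix (an assumption of this
     example) so the same string can be used in all three files. -->
<tomcat-users>
  <role rolename="ROLE_USER"/>
  <user username="alice" password="REPLACE_WITH_REAL_PASSWORD" roles="ROLE_USER"/>
</tomcat-users>

<!-- WEB-INF/web.xml (fragment): Tomcat performs the login.
     Without a security-constraint the container never authenticates the
     request, and Spring Security has no principal to pick up. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>internal-site</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>ROLE_USER</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC sends credentials with every request, so require TLS -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Internal site</realm-name>
</login-config>
<security-role>
  <role-name>ROLE_USER</role-name>
</security-role>

<!-- springSecurity.xml (fragment, inside the <beans:beans> root): Spring
     Security trusts the container's principal. mappable-roles lists the
     container roles to look for on the request; a role missing from this
     list is not turned into a granted authority. -->
<http>
  <intercept-url pattern="/**" access="ROLE_USER"/>
  <jee mappable-roles="ROLE_USER"/>
</http>
```

With this layout, passwords are checked only by Tomcat; Spring Security receives the authenticated user name and the listed roles, so authorization rules in springSecurity.xml keep working without a second password store.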
Answer 2:
This could be done as a pre-authenticated scenario as Luke indicates, but I do not suggest that option. When you are using the Tomcat XML file you are using MemoryRealm, but you could switch to JDBCRealm and have both users (Spring and Tomcat) stored in the database. I suggest this for maintenance, consistency and security. If you change your servlet container you will have to migrate your security users and roles.
https://tomcat.apache.org/tomcat-8.0-doc/realm-howto.html#MemoryRealm
Source: https://stackoverflow.com/questions/15139481/spring-security-tied-to-apache-tomcat-tomcat-users-xml-userdatabaserealm