
Spring Security에서 DefaultJaasAuthenticationProvider를 사용해 Linux 사용자 이름/비밀번호로 로그인 인증을 구성하고 있습니다. 인증에는 JpamLoginModule을 사용합니다. 인증 자체는 성공하지만 권한(ROLE_USER, ROLE_ADMIN)에 문제가 있어 "HTTP 상태 403 - 액세스가 거부되었습니다" 오류가 발생합니다.

스프링 보안 JAAS 인증 권한 문제

spring-security.xml에는 다음과 같은 구성을 사용하고 있습니다.

<!-- The authentication manager delegates to the single provider bean "jaasAuthProvider" defined below. -->
<security:authentication-manager> 
    <security:authentication-provider ref="jaasAuthProvider" /> 
</security:authentication-manager> 

<!-- JAAS-backed provider: the login configuration is held in memory, not in an external JAAS config file. -->
<bean id="jaasAuthProvider" class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider"> 
    <property name="configuration"> 
     <bean class="org.springframework.security.authentication.jaas.memory.InMemoryConfiguration"> 
      <constructor-arg> 
       <map> 
        <!-- Login context name mapped to its login modules; presumably this must match the provider's loginContextName (confirm against the Spring Security version in use). -->
        <entry key="SPRINGSECURITY"> 
         <array> 
          <bean class="javax.security.auth.login.AppConfigurationEntry"> 
           <!-- Login module class: JPAM module that performs the PAM (Linux account) authentication. -->
           <constructor-arg value="net.sf.jpam.jaas.JpamLoginModule" /> 
           <constructor-arg> 
            <!-- REQUIRED: this module must succeed for the overall login to succeed. -->
            <util:constant static-field="javax.security.auth.login.AppConfigurationEntry$LoginModuleControlFlag.REQUIRED" /> 
           </constructor-arg> 
           <constructor-arg> 
            <!-- No module options are passed. -->
            <map></map> 
           </constructor-arg> 
          </bean> 
         </array> 
        </entry> 
       </map> 
      </constructor-arg> 
     </bean> 
    </property> 
    <!-- Granters turn JAAS principals into role names. NOTE(review): the RoleGranter shown on this page
         returns ROLE_ADMIN for any principal, so roles only appear if the login module adds at least one
         principal to the Subject, and then every authenticated account is an administrator. -->
    <property name="authorityGranters"> 
     <list> 
      <bean class="it.webapps.pam.RoleGranter" /> 
     </list> 
    </property> 
</bean> 
    <!-- NOTE(review): this bean is declared but nothing in this snippet references it. -->
    <bean id="userDetailsService" class="it.webapps.pam.UserDetailsServiceImpl"> 
</bean> 

RoleGranter.java 코드

/**
 * {@link AuthorityGranter} that answers every request with the same single role.
 *
 * <p>Security note: the grant does not look at the principal at all, so any principal handed to
 * this granter is mapped to {@code ROLE_ADMIN}. With PAM-backed login this presumably means every
 * Linux account that can authenticate becomes an administrator; a production granter should
 * derive roles from the principal (for example from group membership) instead.
 */
public class RoleGranter implements AuthorityGranter {

    /** Creates the granter and prints a marker line (without newline) to standard output. */
    public RoleGranter() {
        final String banner = "=== Creating My Authority Granter ===";
        System.out.print(banner);
    }

    /**
     * Returns the role set for the given principal.
     *
     * @param principal the JAAS principal being mapped; ignored by this implementation
     * @return an immutable one-element set containing {@code "ROLE_ADMIN"}
     */
    @Override
    public Set<String> grant(Principal principal) {
        // NOTE(review): unconditional admin grant, the principal is never inspected.
        final Set<String> roles = Collections.singleton("ROLE_ADMIN");
        return roles;
    }
}

어떤 제안이든 큰 도움이 될 것입니다.

답변


"ROLE_ADMIN" 대신 "ADMIN"을 반환해 보십시오. Spring은 "ROLE"을 자동으로 추가합니다.


Collections.singleton("ADMIN")을 반환해도 여전히 "HTTPS 상태 403 - 액세스가 거부되었습니다."가 발생합니다. spring-security-core-3.1.0.RC3 jar를 사용하고 있습니다. 디버깅할 수 있는 다른 방법이 있습니까? – shakkir3435


http://jpam.sourceforge.net/xref/net/sf/jpam/jaas/JpamLoginModule.html 과 https://github.com/spring-projects/spring-security/blob/master/core/src/main/java/org/springframework/security/authentication/jaas/AbstractJaasAuthenticationProvider.java 를 바탕으로 보면, commit 동작을 변경하도록 JpamLoginModule을 확장해야 할 것으로 보입니다.

확장한 JpamLoginModule에서 Principal을 Subject에 추가해야 합니다. 그러면 AbstractJaasAuthenticationProvider(DefaultJaasAuthenticationProvider)가 이 Principal들을 순회하면서 설정된 authorityGranters(RoleGranter)에 전달합니다.

<!-- The authentication manager delegates to the single provider bean "jaasAuthProvider" defined below. -->
<authentication-manager> 
    <authentication-provider ref="jaasAuthProvider" /> 
</authentication-manager> 

<!-- NOTE(review): declared but not referenced by anything in this snippet. The UserDetailsServiceImpl
     shown on this page returns a fixed password and ROLE_ADMIN for any username, so it should not be
     wired into a real authentication path as-is. -->
<beans:bean id="userService" class="blah.UserDetailsServiceImpl" /> 

<!-- JAAS-backed provider with an in-memory login configuration. -->
<beans:bean id="jaasAuthProvider" class="org.springframework.security.authentication.jaas.DefaultJaasAuthenticationProvider"> 
    <beans:property name="configuration"> 
     <beans:bean class="org.springframework.security.authentication.jaas.memory.InMemoryConfiguration"> 
      <beans:constructor-arg> 
       <beans:map> 
        <!-- Login context name mapped to its login modules; presumably this must match the provider's loginContextName (confirm against the Spring Security version in use). -->
        <beans:entry key="SPRINGSECURITY"> 
         <beans:array> 
          <beans:bean class="javax.security.auth.login.AppConfigurationEntry"> 
           <!-- Login module class: the JpamLoginModule subclass from this answer, which adds a principal to the Subject in commit(). -->
           <beans:constructor-arg value="blah.RoleGrantingJpamLoginModule" /> 
           <beans:constructor-arg> 
            <!-- REQUIRED: this module must succeed for the overall login to succeed. -->
            <util:constant static-field="javax.security.auth.login.AppConfigurationEntry$LoginModuleControlFlag.REQUIRED" /> 
           </beans:constructor-arg> 
           <beans:constructor-arg> 
            <!-- No module options are passed. -->
            <beans:map></beans:map> 
           </beans:constructor-arg> 
          </beans:bean> 
         </beans:array> 
        </beans:entry> 
       </beans:map> 
      </beans:constructor-arg> 
     </beans:bean> 
    </beans:property> 
    <!-- Granters turn the Subject's principals into role names; blah.RoleGranter itself is not shown in this answer. -->
    <beans:property name="authorityGranters"> 
     <beans:list> 
      <beans:bean class="blah.RoleGranter" /> 
     </beans:list> 
    </beans:property> 
</beans:bean> 

package blah; 

import javax.security.auth.Subject; 
import javax.security.auth.login.LoginException; 

import net.sf.jpam.jaas.JpamLoginModule; 

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; 

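/**
 * {@link JpamLoginModule} variant that adds a principal to the JAAS {@link Subject} on commit, so
 * that the authority granters configured on the Spring Security JAAS provider have a principal
 * to map to roles.
 *
 * <p>Review notes:
 * <ul>
 *   <li>The principal added is a {@code UsernamePasswordAuthenticationToken} built from
 *       {@code null} principal and credentials, so it carries no user identity. A granter
 *       receiving it cannot tell users apart; populate it with the authenticated username if
 *       roles must differ per user.</li>
 *   <li>This class does not override {@code logout()}, so it never removes the principal it
 *       added; whether the superclass cleans up the Subject is not visible here.</li>
 * </ul>
 */
public class RoleGrantingJpamLoginModule extends JpamLoginModule {
    /** Subject captured in {@link #initialize}; kept here so {@link #commit()} can reach it. */
    private Subject subject;

    /**
     * Delegates initialisation to the superclass and remembers the subject for {@link #commit()}.
     *
     * <p>The raw {@code Map} parameter types are kept exactly as in the original override.
     *
     * @param subject the subject being authenticated
     * @param callbackHandler handler used by the superclass to obtain credentials
     * @param sharedState state shared between login modules
     * @param options module options from the login configuration
     */
    @Override
    public void initialize(javax.security.auth.Subject subject, javax.security.auth.callback.CallbackHandler callbackHandler, java.util.Map sharedState, java.util.Map options) {
        super.initialize(subject, callbackHandler, sharedState, options);
        this.subject = subject;
    }

    /**
     * Commits the login and, only if the superclass reports success, adds the marker principal.
     *
     * <p>The superclass is consulted first so that a commit that returns {@code false} or throws
     * leaves the subject's principal set untouched; a principal must not be attached to a subject
     * whose login did not complete.
     *
     * @return the result of the superclass commit
     * @throws LoginException if the superclass commit fails
     */
    @Override
    public boolean commit() throws LoginException {
        boolean committed = super.commit();
        if (committed) {
            // NOTE(review): null principal/credentials, the token identifies no particular user.
            subject.getPrincipals().add(new UsernamePasswordAuthenticationToken(null, null));
        }
        return committed;
    }
}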


package blah; 

import static java.util.Arrays.asList; 

import org.springframework.security.core.authority.SimpleGrantedAuthority; 
import org.springframework.security.core.userdetails.User; 
import org.springframework.security.core.userdetails.UserDetails; 
import org.springframework.security.core.userdetails.UserDetailsService; 
import org.springframework.security.core.userdetails.UsernameNotFoundException; 

/**
 * Stub {@link UserDetailsService} that fabricates a user record for whatever name is requested.
 *
 * <p>Security note: every lookup succeeds and yields the same hard-coded password and the
 * {@code ROLE_ADMIN} authority. If this service were ever used to verify credentials, any
 * username would authenticate with that fixed password as an administrator. It is suitable only
 * as a placeholder; a real implementation should look the user up and throw
 * {@link UsernameNotFoundException} for unknown names.
 */
public class UserDetailsServiceImpl implements UserDetailsService {

    /**
     * Builds a {@link User} for the given name without consulting any user store.
     *
     * @param username the requested username, used verbatim in the returned record
     * @return a user with the fixed password {@code "password"} and the single authority
     *     {@code ROLE_ADMIN}
     * @throws UsernameNotFoundException declared by the interface; never thrown by this code
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // NOTE(review): hard-coded credential and unconditional admin authority.
        SimpleGrantedAuthority adminAuthority = new SimpleGrantedAuthority("ROLE_ADMIN");
        UserDetails stubUser = new User(username, "password", asList(adminAuthority));
        return stubUser;
    }

}