spring-boot - 如何使用 Atlassian Crowd Integration 与 Spring boot + Spring security 使用 Java Beans

Question

我们使用许多构建在 spring security 之上的 spring boot 项目来提供用于多种目的的小型 web 应用程序。我们强烈考虑转向使用 Crowd 作为中央身份验证提供程序，但是我在将 spring boot 配置为使用 java 样式的 bean 而不是提供的 XML 配置时遇到了很多麻烦，因为这不再是推荐的配置(参见 http://docs.spring.io/spring-boot/docs/current-SNAPSHOT/reference/htmlsingle/#using-boot-configuration-classes 验证 java-bean 样式配置是首选方式)。

我的基本安全测试应用程序的安全配置设置如下:

WebSecurityConfig.java

package hello;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}

我真的很困惑如何修改它以适应 Crowd 内置的 springsecurity 集成。 (特别是 com.atlassian.crowd:crowd-integration-springsecurity:2.8.3)。我试图通过标准配置注释类尝试和引导功能的 XML 如下:

applicationContext-security.xml

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:util="http://www.springframework.org/schema/util"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd
                        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">

<!--
    <debug />
    <beans:alias name="springSecurityFilterChain" alias="org.springframework.security.filterChainProxy"/>   
-->

    <!-- Added for Integrating Crowd with Spring Security -->

    <!-- 3.1 Configuring Centralised User Management -->

    <!-- 3.1.1 -->
    <beans:bean id="crowdUserDetailsService" class="com.atlassian.crowd.integration.springsecurity.user.CrowdUserDetailsServiceImpl">
        <beans:property name="groupMembershipManager" ref="crowdGroupMembershipManager"/>
        <beans:property name="userManager" ref="crowdUserManager"/>
        <beans:property name="authorityPrefix" value="ROLE_"/>

<!--
        <beans:property name="groupToAuthorityMappings">
            <beans:bean factory-bean="groupToAuthorityMappings" factory-method="entrySet" />
        </beans:property>
-->
    </beans:bean>

<!--
    <util:map id="groupToAuthorityMappings">
        <beans:entry key="crowd-administrators" value="ROLE_crowd-administrators" />
        <beans:entry key="some-other-group" value="specific-authority-for-other-group" />
    </util:map>
-->

    <!-- 3.1.2 -->
    <beans:bean id="crowdAuthenticationProvider" class="com.atlassian.crowd.integration.springsecurity.RemoteCrowdAuthenticationProvider">
        <beans:constructor-arg ref="crowdAuthenticationManager"/>
        <beans:constructor-arg ref="httpAuthenticator"/>
        <beans:constructor-arg ref="crowdUserDetailsService"/>
    </beans:bean>

    <!-- 3.2 -->

    <http pattern="/console/static/session-context"
          entry-point-ref="crowdAuthenticationProcessingFilterEntryPoint">
    </http>

    <http pattern='/console/static/**' security='none'/>

    <http auto-config="false"
          entry-point-ref="crowdAuthenticationProcessingFilterEntryPoint"
          access-denied-page="/denied.html">
        <custom-filter position="FORM_LOGIN_FILTER" ref='authenticationProcessingFilter'/>
        <custom-filter position="LOGOUT_FILTER" ref='logoutFilter'/>

        <intercept-url pattern="/console/secure/**" access="ROLE_crowd-administrators"/>
        <intercept-url pattern="/console/user/**" access="IS_AUTHENTICATED_FULLY"/>

        <intercept-url pattern="/console/resource-with-own-check/**" access='IS_AUTHENTICATED_ANONYMOUSLY'/>
    </http>


    <authentication-manager alias='authenticationManager'>
        <authentication-provider ref='crowdAuthenticationProvider'/>
    </authentication-manager>

    <beans:bean id="crowdAuthenticationProcessingFilterEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/login.html"/>
    </beans:bean>

    <beans:bean id="authenticationProcessingFilter" class="com.atlassian.crowd.integration.springsecurity.CrowdSSOAuthenticationProcessingFilter">
        <beans:property name="httpAuthenticator" ref="httpAuthenticator"/>
        <beans:property name="authenticationManager" ref="authenticationManager"/>
        <beans:property name="filterProcessesUrl" value="/j_security_check"/>
        <beans:property name="authenticationFailureHandler">
            <beans:bean class="com.atlassian.crowd.integration.springsecurity.UsernameStoringAuthenticationFailureHandler">
                <beans:property name="defaultFailureUrl" value="/console/login.action?error=true"/>
            </beans:bean>
        </beans:property>

        <beans:property name="authenticationSuccessHandler">
            <beans:bean class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
                <beans:property name="defaultTargetUrl" value="/console/defaultstartpage.action"/>
            </beans:bean>
        </beans:property>
    </beans:bean>

     <beans:bean id="crowdLogoutHandler" class="com.atlassian.crowd.integration.springsecurity.CrowdLogoutHandler">
        <beans:property name="httpAuthenticator" ref="httpAuthenticator"/>
    </beans:bean>

     <beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
        <beans:constructor-arg value="/login.html"/>
        <beans:constructor-arg>
            <beans:list>
                <beans:ref bean="crowdLogoutHandler"/>
                <beans:bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
            </beans:list>
        </beans:constructor-arg>
        <beans:property name="filterProcessesUrl" value="/console/logoff.action"/>
    </beans:bean>

以上是我在任何地方都能找到的最新的 XML 安全文件的综合示例，它与 spring security 4.0 不兼容(如果你增加版本，你会到处都是 xml 违规)。我不知道 httpAuthenticator 在哪里/如何解决，因为我没有看到任何具有该 ID 的 bean，这使它非常麻烦。

任何帮助将不胜感激，我已经投入了好几天了，但收效甚微。

额外信息:

运行spring boot version 1.3.1-Release，spring security version 4.0

Answer 1

所以，我想我实际上已经弄明白了，它至少给了我一个进一步定制 spring boot 集成的起点。主要的魔法是 WebSecurityConfig 类，现在看起来如下所示:

WebSecurityConfig.java:

package hello;
import com.atlassian.crowd.integration.http.HttpAuthenticator;
import com.atlassian.crowd.integration.http.HttpAuthenticatorImpl;
import com.atlassian.crowd.integration.springsecurity.RemoteCrowdAuthenticationProvider;
import com.atlassian.crowd.integration.springsecurity.user.CrowdUserDetailsService;
import com.atlassian.crowd.integration.springsecurity.user.CrowdUserDetailsServiceImpl;
import com.atlassian.crowd.service.AuthenticationManager;
import com.atlassian.crowd.service.GroupManager;
import com.atlassian.crowd.service.UserManager;
import com.atlassian.crowd.service.cache.BasicCache;
import com.atlassian.crowd.service.cache.CacheImpl;
import com.atlassian.crowd.service.cache.CachingGroupManager;
import com.atlassian.crowd.service.cache.CachingGroupMembershipManager;
import com.atlassian.crowd.service.cache.CachingUserManager;
import com.atlassian.crowd.service.cache.SimpleAuthenticationManager;
import com.atlassian.crowd.service.soap.client.SecurityServerClient;
import com.atlassian.crowd.service.soap.client.SecurityServerClientImpl;
import com.atlassian.crowd.service.soap.client.SoapClientPropertiesImpl;
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
        .csrf().disable()
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }
    public static Properties getProps() throws IOException{
     Properties prop = new Properties();
    try(InputStream in = Thread.currentThread().getContextClassLoader().getResourceAsStream("crowd.properties")){
        prop.load(in);
    }
    return prop;
    }
    @Bean
    public SecurityServerClient securityServerClient() throws IOException{
    return new SecurityServerClientImpl(SoapClientPropertiesImpl.newInstanceFromProperties(getProps()));
    }
   private final BasicCache cache = new CacheImpl(Thread.currentThread().getContextClassLoader().getResource("crowd-ehcache.xml"));

    @Bean
    public AuthenticationManager crowdAuthenticationManager() throws IOException{

        return new SimpleAuthenticationManager(securityServerClient());
    }
    @Bean
    public HttpAuthenticator httpAuthenticator() throws IOException{
    return new HttpAuthenticatorImpl(crowdAuthenticationManager());
    }
    @Bean
    public UserManager userManager() throws IOException{
    return new CachingUserManager(securityServerClient(), cache);
    }
    @Bean
    public GroupManager groupManager() throws IOException{
    return new CachingGroupManager(securityServerClient(), cache);
    }
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(crowdAuthenticationProvider());
    }
    @Bean
    public CrowdUserDetailsService crowdUserDetailsService() throws IOException{
    CrowdUserDetailsServiceImpl cusd = new CrowdUserDetailsServiceImpl();
    cusd.setUserManager(userManager());
    cusd.setGroupMembershipManager(new CachingGroupMembershipManager(securityServerClient(), userManager(),groupManager(),cache));
    cusd.setAuthorityPrefix("ROLE_");
    return cusd;
    }
    @Bean
    RemoteCrowdAuthenticationProvider crowdAuthenticationProvider() throws IOException{
    return new RemoteCrowdAuthenticationProvider(crowdAuthenticationManager(), httpAuthenticator(), crowdUserDetailsService());
    }
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("ROLE_USER");
    }
}

最困难的部分是弄清楚如何设置 bean，这根本没有文档记录，因为之前都是 XML 魔术。现在，假设您有正确的 crowd.properties 文件和正确的 EhCache 文件设置(也可以用 java bean 删除，但这不太严重)，您可以以纯 java 方式使用人群集成。

完成这项工作的 build.gradle，如下所示:

build.gradle:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath("org.springframework.boot:spring-boot-gradle-plugin:1.3.1.RELEASE")
    }
}
if (!hasProperty('mainClass')) {
    ext.mainClass = 'hello.Application'
}
apply plugin: 'java'
apply plugin: 'eclipse'
apply plugin: 'idea'
apply plugin: 'spring-boot'
jar {
    baseName = 'gs-securing-web'
    version =  '0.1.0'
}
repositories {
    maven {
    url = 'https://m2proxy.atlassian.com/repository/public'
    }
    mavenCentral()
}
sourceCompatibility = 1.8
targetCompatibility = 1.8
dependencies {
    compile "commons-codec:commons-codec:1.10"
    compile "org.springframework.boot:spring-boot-starter-web"
    compile "org.springframework.boot:spring-boot-starter"
    compile "org.springframework:spring-tx"
    compile 'org.springframework.boot:spring-boot-starter-security'
    compile 'org.springframework.boot:spring-boot-starter-thymeleaf'
    compile (group: "com.atlassian.crowd", name: "crowd-integration-springsecurity", version: "2.8.+"){
    exclude (group: 'org.apache.ws.commons');
    }
    compile 'org.slf4j:slf4j-api'
    compile "org.codehaus.groovy:groovy"
    compile "org.codehaus.groovy:groovy-json:2.3.8"
}
task wrapper(type: Wrapper) {
    gradleVersion = '2.10'
}

就是这样!然后正确引导身份验证以使用 crowds springsecurity 接口(interface)。现在，值得一提的是，我还没有玩过它如何让我返回各种角色等。但这应该让我继续前进。此外，这不包括 SSO 代码，我还没有完全弄清楚。所以一旦我明白了，我会在某个地方发布更详尽的操作方法。