分享程序员开发的那些事...
更新时间:2021-12-01 23:49:37
您需要设置 Spring Security Kerberos扩展 - 这是您在Spring Security 3中执行操作的唯一方法。这支持SPNEGO协商,但需要在服务器上进行一些设置(以及SPNEGO和Kerberos如何工作的知识)。
You need to set up the Spring Security Kerberos extension - this is the only out of the box way to do what you're describing in Spring Security 3. This supports SPNEGO negotiation, but requires some amount of setup on the server (and knowledge of how SPNEGO and Kerberos works).
目前没有太多文档 - 但Mike提供的1.0M2示例应用程序非常棒,涵盖了大多数常见场景,包括自动SPNEGO身份验证。
There's not much documentation - but Mike's sample applications that he ships with 1.0M2 are great, and cover most of the common scenarios, including automated SPNEGO authentication.
SPNEGO的关键是设置自定义 AuthenticationEntryPoint - 你需要使用自定义的spring bean来做这件事如下:
The key thing for SPNEGO is to set up a custom AuthenticationEntryPoint - you'll need to do this with a custom spring bean as follows:
<bean id="kerbEntryPoint" class="org.springframework.security.extensions.kerberos.web.SpnegoEntryPoint" />
<bean id="kerbAuthenticationProcessingFilter" class="org.springframework.security.extensions.kerberos.web.SpnegoAuthenticationProcessingFilter">
<property name="authenticationManager" ref="authenticationManager" />
</bean>
...除此之外还需要更多的豆子(再次参考样本w / Kerberos扩展)。如果你进一步使用Spring Security或者如果你想要确切的细节(因为涉及到许多bean / config位,请回复一些知识,例如你是否使用< http> 命名空间样式与否。)
... there are more beans that'll be required besides these (again, refer to the samples w/the Kerberos extension). Post back if you get further along with Spring Security or if you want exact details (since there are a number of beans / config bits involved, some knowledge of your configuration would be helpful, such as whether you are using the <http> namespace style or not).
除此选项外,您还必须设置类似的SPNEGO身份验证(如你所建议的那样使用WAFFLE) - 其他SO问题很好地说明了这一点。
Other than this option, you would have to set up a similar type of SPNEGO auth (such as using WAFFLE, as you suggest) - other SO questions cover this pretty well.
最后,您可以将Tomcat与另一个支持SPNEGO或NTLM的Web服务器结合使用,例如Microsoft IIS或Apache Web Server mod_spnego 。
Finally, you could possibly front Tomcat with another web server which supports SPNEGO or NTLM better, such as Microsoft IIS or Apache Web Server with mod_spnego.
希望其中一个想法可行为你服务!
Hopefully one of these ideas would work for you!