Как реализовать предварительную аутентификацию Spring на основе заголовков в iframe?

Я новичок в Spring Security. У меня есть два разных приложения: app1 и app2. Приложение 1 отправляет запрос с заголовком (SM_USER) в приложение 2, и это нормально работает с процессом предварительной аутентификации через SSO. Но когда я из App1 загружаю URL-адрес App2 в iframe, внутри iframe мы получаем страницу входа. Наш код выглядит следующим образом:

Код приложения — HTML

    <iframe width=100% height=600 frameborder="0" scrolling="yes" src=""
   id="output_iframe_id"> </iframe>
   </div>

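<script language="javascript" type="text/javascript">
 // Asks App1's /linkget endpoint for the App2 URL and loads it into the iframe.
 // Note: the browser's own request for the iframe's src carries no SM_USER header —
 // that header is only added by App1's server-side call inside /linkget — so App2's
 // header-based pre-authentication never sees it for the iframe load itself.
 $(document).ready(function() {
  // Hyphens are not allowed in JavaScript identifiers ("pre-authtest" would not parse),
  // so the function is named preAuthTest.
  function preAuthTest() {
   $.ajax({
    url : "linkget",
    type : "GET",
    success : function(response) {
     $("#output_iframe_id").attr('src', response);
    }
   });
  }
  preAuthTest();
 });
</script>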

Код приложения — контроллер

 @RequestMapping(value = "/linkget", method = RequestMethod.GET)
 @ResponseStatus(value = HttpStatus.OK)
 public URL sendPost(HttpSession session, ModelMap model) throws Exception {
  JSONObject jsonurl = new JSONObject();
  JSONArray jsonArrayurl = new JSONArray();

  Users user = (Users) session.getAttribute("user");
  String username = user.getUsername();
   List<Users> authkeyval1 = loginService.getauthkey(username);
   System.out.println("sample authkey"+authkeyval1.get(0).getAuthkey());
  String akey=authkeyval1.get(0).getAuthkey();
  System.out.println("authkeyyyy"+akey);
  URL url = new URL("http://localhost:7080/");
  HttpURLConnection httpCon = (HttpURLConnection) url.openConnection();
  httpCon.setDoOutput(true);
  httpCon.setRequestMethod("POST");
  httpCon.setRequestProperty("SM_USER", akey);
  httpCon.setRequestProperty("PASS", "123");
  OutputStreamWriter out = new OutputStreamWriter(
  httpCon.getOutputStream());
  jsonurl.put("url", httpCon);
  jsonArrayurl.add(jsonurl);
  InputStream is = httpCon.getInputStream();
  return httpCon.getURL();    
 }

А вот моя функция SSO, как показано в коде App2:

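/**
 * Pre-authentication filter that trusts an SSO-populated request header (by default
 * {@code SM_USER}) as the authenticated principal.
 *
 * <p>Trust model: the header value is accepted as-is, so this filter must only be reachable
 * through the SSO gateway that sets the header; a client that can reach the application
 * directly can impersonate any user by supplying the header itself. Two fallbacks exist for
 * the header-less case, both test conveniences that widen this trust: a {@code session_user}
 * session attribute written by this filter (or by an unsecured page) and a configured
 * {@code testUserId}. The test user is disabled unless explicitly configured.
 */
public class SSORequestHeaderAuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter {

    @Autowired
    private bidservice Bidservice;

    private static final Logger log = LoggerFactory.getLogger(SSORequestHeaderAuthenticationFilter.class);

    /** Session attribute under which the resolved principal is cached between requests. */
    private static final String SESSION_USER_ATTRIBUTE = "session_user";

    private String principalRequestHeader = "SM_USER";
    /**
     * Principal used when the SSO header is absent. Intended for local tests only and meant to be
     * configured in applicationContext-security; {@code null} (the default) disables the fallback
     * so a header-less request is not silently authenticated as a fixed account.
     */
    private String testUserId;
    /**
     * Whether a missing SSO header is reported as an exception instead of falling through to the
     * session / test-user fallbacks.
     */
    private boolean exceptionIfHeaderMissing = false;

    /**
     * Reads the principal from the header named by {@code principalRequestHeader}.
     *
     * <p>When the header is absent and {@code exceptionIfHeaderMissing} is {@code false}, the
     * {@code session_user} session attribute is tried first, then {@code testUserId}. Whatever
     * principal is resolved is stored back into the session so JSP/Faces pages can read it.
     *
     * @param request the current request
     * @return the principal, or {@code null} when none could be determined
     * @throws PreAuthenticatedCredentialsNotFoundException if the header is missing and
     *         {@code exceptionIfHeaderMissing} is {@code true}
     */
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String principal = request.getHeader(principalRequestHeader);
        log.debug("获得认证信息==={}", principal);

        if (principal == null) {
            if (exceptionIfHeaderMissing) {
                throw new PreAuthenticatedCredentialsNotFoundException(principalRequestHeader
                        + " header not found in request.");
            }
            Object sessionUser = request.getSession().getAttribute(SESSION_USER_ATTRIBUTE);
            if (sessionUser != null) {
                // Test convenience: reuse a principal previously stored in the session. Anything
                // that can set this attribute (an unsecured page, an earlier header-authenticated
                // request) effectively authenticates later header-less requests; remove for production.
                log.debug("session user{}", sessionUser);
                principal = (String) sessionUser;
            } else if (StringUtils.isNotBlank(testUserId)) {
                log.debug("spring configuration has a test user id {}", testUserId);
                principal = testUserId;
            }
        }
        // Also cache it in the session; sometimes that is easier for JSP/Faces to get at.
        // (Storing null removes the attribute, which is a no-op when it was never set.)
        request.getSession().setAttribute(SESSION_USER_ATTRIBUTE, principal);
        log.debug("session user1{}", request.getSession().getAttribute(SESSION_USER_ATTRIBUTE));
        return principal;
    }

    /**
     * Credentials are not applicable for OAM WebGate SSO; the header itself is the proof of
     * identity, so a fixed placeholder is returned.
     *
     * @param request the current request (unused)
     * @return a constant placeholder credential
     */
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "password_not_applicable";
    }

    /**
     * Sets the name of the request header that carries the principal.
     *
     * @param principalRequestHeader the header name; must not be empty or {@code null}
     * @throws IllegalArgumentException if the name is empty or {@code null}
     */
    public void setPrincipalRequestHeader(String principalRequestHeader) {
        Assert.hasText(principalRequestHeader, "principalRequestHeader must not be empty or null");
        this.principalRequestHeader = principalRequestHeader;
    }

    /**
     * Enables the test-user fallback. Blank values are ignored, so the fallback stays disabled
     * unless a real value is configured.
     *
     * @param testId the principal to use when the SSO header is missing
     */
    public void setTestUserId(String testId) {
        if (StringUtils.isNotBlank(testId)) {
            this.testUserId = testId;
        }
    }

    /**
     * Whether a missing principal header is an exception. Default {@code false}.
     *
     * @param exceptionIfHeaderMissing {@code true} to reject header-less requests outright
     */
    public void setExceptionIfHeaderMissing(boolean exceptionIfHeaderMissing) {
        this.exceptionIfHeaderMissing = exceptionIfHeaderMissing;
    }

}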

Код App2 — контроллер

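/**
 * Post-login landing handler for App2: resolves the authenticated principal, records the
 * user's display name in the session and redirects to the traffic-source page.
 *
 * <p>{@code @CrossOrigin()} with no origin list permits cross-origin requests to this
 * authenticated endpoint from any origin; whether browser credentials are accepted with them
 * depends on the Spring version's {@code allowCredentials} default, so restrict {@code origins}
 * to the App1 host if this endpoint is meant to be called from a browser.
 *
 * @param session the HTTP session; receives {@code NameofUser} on success or
 *                {@code userInvalid} on failure
 * @param model   unused; kept for the handler signature
 * @return a redirect view name
 */
@CrossOrigin()
@RequestMapping(value = "/", method = RequestMethod.POST)
public String getHomePagepost(HttpSession session, ModelMap model) {
    // removeAttribute is a no-op when the attribute is absent, so no pre-check is needed.
    session.removeAttribute("messages");

    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth == null) {
        // No security context means nothing authenticated this request; treat as a failed login.
        session.setAttribute("userInvalid", "Invalid username or password. Please try again!");
        return "redirect:/login";
    }
    String uname = auth.getName();

    List<Users> users = loginService.checkStatus(uname);
    if (users == null || users.isEmpty()) {
        session.setAttribute("userInvalid", "Invalid username or password. Please try again!");
        return "redirect:/login";
    }

    Users userz = users.get(0);
    session.setAttribute("NameofUser", userz.getDisplayname());

    // Admins and other users currently share the same landing page; the lookup is kept so an
    // authority resolution failure still surfaces here. Literal-first equals avoids an NPE on null.
    String authority = authoritiesService.getUserAuthority(uname);
    if ("ROLE_ADMIN".equals(authority)) {
        return "redirect:/trafficsource";
    }
    return "redirect:/trafficsource";
}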

Пожалуйста, помогите....

