intercept subdomain url for different login?

I have an application with spring security installed and working well -- it is currently running out of www.exampledomain.com .

I now want to expand the application running out of a subdomain. For example newapp.exampledomain.com .

The only problem is that for this new app a user needs to log in. In Spring it is very easy to intercept URLs via <intercept-url pattern="/Admin/*" access="ROLE_GENERAL"/>

but what do you do when you want to intercept a subdomain for login? For example, the following doesn't work for me:

<intercept-url pattern="http://newapp.exampledomain.com/*" access="ROLE_GENERAL"/>

Any thoughts on how to get around this?


One option would be to write your own AccessDecisionVoter which extends RoleVoter and adds an additional check based on the hostname. Something like this:

import java.util.Collection;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;

public class MyVoter extends RoleVoter {
  @Override
  public int vote(Authentication authentication, Object object,
                  Collection<ConfigAttribute> attributes) {
    FilterInvocation filterInvocation = (FilterInvocation) object;
    HttpServletRequest request = filterInvocation.getHttpRequest();
    // get subdomain from request
    String subdomain = getSubdomain(request);
    if ("free".equals(subdomain)) {
      return ACCESS_GRANTED;
    }
    // otherwise fall back to the normal ROLE_ check
    return super.vote(authentication, object, attributes);
  }

  // leftmost label of the server name, e.g. "free" for free.acme.com
  private String getSubdomain(HttpServletRequest request) {
    String host = request.getServerName();
    int dot = host.indexOf('.');
    return dot > 0 ? host.substring(0, dot) : "";
  }
}

Then wire up your voter:

<security:http auto-config="true" 
               use-expressions="true" 
               access-decision-manager-ref="accessDecisionManager">
...
</security:http>

<bean id="accessDecisionManager"
      class="org.springframework.security.access.vote.UnanimousBased">
    <property name="decisionVoters">
        <list>
            <bean class="com.acme.MyVoter" />
        </list>
    </property>
</bean>

If you wanted to take it a step further you could also write your own configuration attributes, which would allow you to remove the hardcoded hostname checks in the voter and do something like:

<intercept-url pattern="/Admin/*" access="ROLE_GENERAL" domain="free.acme.com" />
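The "own configuration attribute" idea above, worked through as an added example (not code from the answer or from Spring Security): a hypothetical DomainVoter that understands attributes written as DOMAIN_&lt;host&gt; inside the ordinary access string, so the host check lives in the configuration rather than in the voter. It assumes Spring Security 3.1+ (generic AccessDecisionVoter) and that use-expressions is off, since with expressions enabled the access string is handled by WebExpressionVoter instead of RoleVoter.

```java
import java.util.Collection;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;

/**
 * Hypothetical voter for attributes of the form DOMAIN_<host>: grants when the
 * request's server name equals <host>, denies otherwise, abstains when no
 * DOMAIN_ attribute is present (so RoleVoter alone decides plain ROLE_ entries).
 */
public class DomainVoter implements AccessDecisionVoter<FilterInvocation> {
  private static final String PREFIX = "DOMAIN_";  // convention chosen here

  @Override
  public boolean supports(ConfigAttribute attribute) {
    String value = attribute.getAttribute();
    return value != null && value.startsWith(PREFIX);
  }

  @Override
  public boolean supports(Class<?> clazz) {
    return FilterInvocation.class.isAssignableFrom(clazz);
  }

  @Override
  public int vote(Authentication authentication, FilterInvocation fi,
                  Collection<ConfigAttribute> attributes) {
    HttpServletRequest request = fi.getHttpRequest();
    // getServerName() comes from the Host header; only trust it when the
    // container or reverse proxy restricts the virtual hosts it will serve.
    String host = request.getServerName();
    int result = ACCESS_ABSTAIN;
    for (ConfigAttribute attribute : attributes) {
      if (!supports(attribute)) {
        continue;
      }
      String expected = attribute.getAttribute().substring(PREFIX.length());
      if (expected.equalsIgnoreCase(host)) {
        return ACCESS_GRANTED;
      }
      result = ACCESS_DENIED;
    }
    return result;
  }
}
```

Wire it into the UnanimousBased manager next to a plain RoleVoter and write the rule as access="ROLE_GENERAL,DOMAIN_newapp.exampledomain.com"; UnanimousBased polls the voters one attribute at a time, so the role and the host must both pass.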

In your session cookie, domain should be explicitly set to exampledomain.com.

The application server is responsible for session cookie creation (JSESSIONID), not Spring Security.

All you have to do is inform your app server that you always want the same domain in the cookie.

Add to your web.xml:

<session-config>
    <cookie-config>
        <domain>exampledomain.com</domain>
    </cookie-config>
</session-config>