Spring Security Java Config para Siteminder
Eu tenho uma configuração inMemoryAuthentication que funciona:
@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(
AuthenticationManagerBuilder authenticationManagerBuilder)
throws Exception {
authenticationManagerBuilder //
.inMemoryAuthentication() //
.withUser("employee") //
.password("employee") //
.roles("RoleEmployee")
;
}
@Override
public void configure(WebSecurity webSecurity) throws Exception {
webSecurity.ignoring().antMatchers("/resources/**");
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
// @formatter:off
httpSecurity
.authorizeRequests()
.antMatchers("/login","/login.request","/logout").permitAll()
.anyRequest().hasRole("RoleEmployee")
.and()
.formLogin()
.loginPage("/login.request")
.loginProcessingUrl("/login")
.failureUrl("/login.request?error")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.permitAll()
.logoutSuccessUrl("/login.request")
;
// @formatter:on
}
}
Quero agora usar a autenticação do Siteminder e alterei isso para:
@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
private UserDetailsService userDetailsService;
private PreAuthenticatedAuthenticationProvider preAuthenticatedProvider;
public WebSecurityConfiguration() {
super();
userDetailsService = new CustomUserDetailsService();
UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper = new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(
userDetailsService);
preAuthenticatedProvider = new PreAuthenticatedAuthenticationProvider();
preAuthenticatedProvider.setPreAuthenticatedUserDetailsService(wrapper);
}
@Override
protected void configure(
AuthenticationManagerBuilder authenticationManagerBuilder)
throws Exception {
// @formatter:off
authenticationManagerBuilder //
.authenticationProvider(preAuthenticatedProvider);
// @formatter:on
}
@Override
public void configure(WebSecurity webSecurity) throws Exception {
webSecurity.ignoring().antMatchers("/resources/**");
}
@Override
protected void configure(HttpSecurity httpSecurity) throws Exception {
// @formatter:off
RequestHeaderAuthenticationFilter siteMinderFilter = new RequestHeaderAuthenticationFilter();
siteMinderFilter.setAuthenticationManager(authenticationManager());
httpSecurity
.addFilter(siteMinderFilter)
.authorizeRequests()
.antMatchers("/login","/login.request","/logout").permitAll()
.anyRequest().hasRole("RoleEmployee")
.and()
.formLogin()
.loginPage("/login.request")
.loginProcessingUrl("/login")
.failureUrl("/login.request?error")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.permitAll()
.logoutSuccessUrl("/login.request")
;
// @formatter:on
}
}
Por enquanto, CustomUserDetailsService sempre retorna um usuário com a função de funcionário:
public class CustomUserDetailsService implements
UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException {
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
SimpleGrantedAuthority authority = new SimpleGrantedAuthority("RoleEmployee");
authorities.add(authority);
UserDetails user = new User(username, "password", authorities);
return user;
}
}
Quando eu testo isso, o cabeçalho SM_USER é passado corretamente e vejo no depurador que CustomUserDetailsSerice é chamado corretamente, mas um status 403 Proibido é retornado para qualquer página que eu anteriormente conseguia acessar com êxito na configuração antiga.
Há algo de errado com essa configuração?