1. Overview
1.概述
This tutorial shows how to set up, configure and customize Digest Authentication with Spring. Similar to the previous article covering Basic Authentication, we’re going to built on top of the Spring MVC tutorial, and secure the application with the Digest Auth mechanism provided by Spring Security.
本教程展示了如何使用 Spring 设置、配置和自定义摘要验证。与之前的涵盖基本认证的文章类似,我们将在Spring MVC教程的基础上,使用Spring Security提供的Digest Auth机制来保护应用程序。
2. The Security XML Configuration
2.安全XML配置
First thing to understand about the configuration is that, while Spring Security does have full out of the box support for the Digest authentication mechanism, this support is not as well integrated into the namespace as Basic Authentication was.
关于配置,首先要了解的是,虽然Spring Security确实对Digest认证机制有完全的开箱即用的支持,但这种支持并不像Basic Authentication那样被很好地整合到命名空间。
In this case, we need to manually define the raw beans that are going to make up the security configuration – the DigestAuthenticationFilter and the DigestAuthenticationEntryPoint:
在这种情况下,我们需要手动定义构成安全配置的原始bean—DigestAuthenticationFilter和DigestAuthenticationEntryPoint。
<beans:bean id="digestFilter"
class="org.springframework.security.web.authentication.www.DigestAuthenticationFilter">
<beans:property name="userDetailsService" ref="userService" />
<beans:property name="authenticationEntryPoint" ref="digestEntryPoint" />
</beans:bean>
<beans:bean id="digestEntryPoint"
class="org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint">
<beans:property name="realmName" value="Contacts Realm via Digest Authentication" />
<beans:property name="key" value="acegi" />
</beans:bean>
<!-- the security namespace configuration -->
<http use-expressions="true" entry-point-ref="digestEntryPoint">
<intercept-url pattern="/**" access="isAuthenticated()" />
<custom-filter ref="digestFilter" after="BASIC_AUTH_FILTER" />
</http>
<authentication-manager>
<authentication-provider>
<user-service id="userService">
<user name="user1" password="user1Pass" authorities="ROLE_USER" />
</user-service>
</authentication-provider>
</authentication-manager>Next, we need to integrate these beans into the overall security configuration – and in this case, the namespace is still flexible enough to allow us to do that.
接下来,我们需要将这些Bean整合到整个安全配置中–在这种情况下,命名空间仍然足够灵活,允许我们这样做。
The first part of this is pointing to the custom entry point bean, via the entry-point-ref attribute of the main <http> element.
第一部分是通过主<http>元素的entry-point-ref属性,指向自定义入口点bean。
The second part is adding the newly defined digest filter into the security filter chain. Since this filter is functionally equivalent to the BasicAuthenticationFilter, we are using the same relative position in the chain – this is specified by the BASIC_AUTH_FILTER alias in the overall Spring Security Standard Filters.
第二部分是将新定义的摘要过滤器添加到安全过滤器链中。由于该过滤器在功能上等同于BasicAuthenticationFilter,因此我们在链中使用相同的相对位置 – 这是由BASIC_AUTH_FILTER别名在整个Spring Security Standard Filters中指定。
Finally, notice that the Digest Filter is configured to point to the user service bean – and here, the namespace is again very useful as it allows us to specify a bean name for the default user service created by the <user-service> element:
最后,注意到Digest Filter被配置为指向用户服务Bean–在这里,命名空间再次非常有用,因为它允许我们为<user-service>元素创建的默认用户服务指定一个Bean名称。
<user-service id="userService">3. Consuming the Secured Application
3.消耗安全的应用程序
We’re going to be using the curl command to consume the secured application and understand how a client can interact with it.
我们将使用curl命令来消费安全的应用程序,并理解客户端如何与之交互。
Let’s start by requesting the homepage – without providing security credentials in the request:
让我们从请求主页开始–在请求中不提供安全凭证。
curl -i http://localhost/spring-security-mvc-digest-auth/homepage.htmlAs expected, we get back a response with a 401 Unauthorized status code:
正如预期的那样,我们得到了一个带有401 Unauthorized状态代码的响应。
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=CF0233C...; Path=/spring-security-mvc-digest-auth/; HttpOnly
WWW-Authenticate: Digest realm="Contacts Realm via Digest Authentication", qop="auth",
nonce="MTM3MzYzODE2NTg3OTo3MmYxN2JkOWYxZTc4MzdmMzBiN2Q0YmY0ZTU0N2RkZg=="
Content-Type: text/html;charset=utf-8
Content-Length: 1061
Date: Fri, 12 Jul 2013 14:04:25 GMTIf this request were sent by the browser, the authentication challenge would prompt the user for credentials using a simple user/password dialog.
如果这个请求是由浏览器发送的,认证挑战将使用一个简单的用户/密码对话框来提示用户的证书。
Let’s now provide the correct credentials and send the request again:
现在让我们提供正确的凭证并再次发送请求。
curl -i --digest --user
user1:user1Pass http://localhost/spring-security-mvc-digest-auth/homepage.htmlNotice that we are enabling Digest Authentication for the curl command via the –digest flag.
注意我们正在通过-digest标志为curl命令启用摘要验证。
The first response from the server will be the same – the 401 Unauthorized – but the challenge will now be interpreted and acted upon by a second request – which will succeed with a 200 OK:
服务器的第一个响应将是相同的–401 Unauthorized–但现在挑战将被解释并由第二个请求采取行动–这将以200 OK成功。
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=A961E0D...; Path=/spring-security-mvc-digest-auth/; HttpOnly
WWW-Authenticate: Digest realm="Contacts Realm via Digest Authentication", qop="auth",
nonce="MTM3MzYzODgyOTczMTo3YjM4OWQzMGU0YTgwZDg0YmYwZjRlZWJjMDQzZWZkOA=="
Content-Type: text/html;charset=utf-8
Content-Length: 1061
Date: Fri, 12 Jul 2013 14:15:29 GMT
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=55F996B...; Path=/spring-security-mvc-digest-auth/; HttpOnly
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-US
Content-Length: 90
Date: Fri, 12 Jul 2013 14:15:29 GMT
<html>
<head></head>
<body>
<h1>This is the homepage</h1>
</body>
</html>A final note on this interaction is that a client can preemptively send the correct Authorization header with the first request, and thus entirely avoid the server security challenge and the second request.
关于这种交互的最后说明是,客户可以预先发送正确的Authorization头与第一个请求,从而完全避免服务器安全挑战和第二个请求。
4. The Maven Dependencies
4.Maven的依赖性
The security dependencies are discussed in depth in the Spring Security Maven tutorial. In short, we will need to define spring-security-web and spring-security-config as dependencies in our pom.xml.
Spring Security Maven教程中深入讨论了安全方面的依赖。简而言之,我们需要将spring-security-web和spring-security-config定义为我们pom.xml中的依赖项。
5. Conclusion
5.结论
In this tutorial we introduce security into a simple Spring MVC project by leveraging the Digest Authentication support in the framework.
在本教程中,我们通过利用框架中的Digest认证支持,将安全性引入一个简单的Spring MVC项目。
The implementation of these examples can be found in the Github project – this is an Eclipse-based project, so it should be easy to import and run as it is.
这些示例的实现可以在Github 项目中找到 – 这是一个基于 Eclipse 的项目,因此应该很容易导入并按原样运行。
When the project runs locally, the homepage html can be accessed at (or, with minimal Tomcat configuration, on port 80):
当项目在本地运行时,主页html可以在(或者,在Tomcat的最小配置下,在80端口)被访问。
http://localhost:8080/spring-security-mvc-digest-auth/homepage.html
http://localhost:8080/spring-security-mvc-digest-auth/homepage.html
Finally, there is no reason an application needs to choose between Basic and Digest authentication – both can be set up simultaneously on the same URI structure, in such a way that the client can pick between the two mechanisms when consuming the web application.
最后,应用程序没有理由需要在基本和摘要验证之间做出选择 – 两者可以同时设置在同一个URI结构上,这样客户端就可以在消费Web应用程序时选择这两种机制。