Spring Security Pre-authentication without authorization_问答_开发者

I am trying to implement pre-authentication scenario and I am running into few issues.. This is my security context file..

<sec:global-method-security secured-annotations="enabled" pre-post-annotations="disabled"/>
<sec:http pattern="/static/**" security="none" />
<bean id="preauthAuthProvider" class="org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider">
    <property name="preAuthenticatedUserDetailsService">
        <bean id="userDetailsServiceWrapper"
            class="org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper">
                <property name="userDetailsService" ref="userDetailsService"/>
        </bean>
    </property>
</bean>

<bean id="userDetailsService"
    class="com.myapp.UserDetailsServiceImpl"/>

<sec:authentication-manager alias="authenticationManager">
  <sec:authentication-provider ref="preauthAuthProvider" />
</sec:authentication-manager>

<sec:http auto-config="false" use-expressions="true">
    <sec:intercept-url pattern="/index.htm" access="permitAll"/>
    <sec:intercept-url pattern="/logoff.html" access="permitAll"/>
    <sec:intercept-url pattern="/profile/**" access="hasAnyRole('ROLE_PROFILEUSER', 'ROLE_ADMIN')"/>
    <sec:intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
    <sec:intercept-url pattern="/**" access="isAuthenticated()"/>
    <!-- <sec:form-login login-page="/login.html"  default-target-url="/home.html" authentication-failure-url="/login.html"/> -->
    <sec:logout logout-url="/logoff.html"/> 
    <sec:custom-filter position="PRE_AUTH_FILTER" ref="channelSecureFilter" />
</sec:http>

<bean id="channelSecureFilter"
    class="org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter">

    <property name="principalRequestHeader" value="SM_UNIVERSAL_ID"/>   
    <property name="authenticationManager" ref="authenticationManager"/>
    <property name="invalidateSessionOnPrincipalChange" value="true"/>
</bean>


<bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="decisionVoters">
        <list>
            <ref local="roleVoter"/>
            <ref local="authenticatedVoter"/>
        </list>
    </property>

</bean>

<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
    <property name="rolePrefix" value="ROLE_"/>
</bean>开发者_开发百科;

<bean id="authenticatedVoter" class="org.springframework.security.access.vote.AuthenticatedVoter"/>

and this is the custom UserDetailsServiceImpl

@Component
public class UserDetailsServiceImpl extends PreAuthenticatedGrantedAuthoritiesUserDetailsService implements UserDetailsService{
   @Autowired PersonService personService;


@Override
public UserDetails loadUserByUsername(String arg0) throws UsernameNotFoundException {
           //I dont think anything is needed here... right?
    return null;
}

@Override
protected UserDetails createuserDetails(Authentication token,
        Collection<? extends GrantedAuthority> role){

    Person lp = PersonService.findPersonByNetId(token.getName());

    PreAuthenticatedGrantedAuthoritiesUserDetailsService test = new PreAuthenticatedGrantedAuthoritiesUserDetailsService();


    if(lp==null){
        role.add(new SimpleGrantedAuthority("ROLE_USER"));
        return new LLUser(token.getName(),"N/A", true, true, true, true, role, null);
    }
    else{
        boolean enabled = (lp.getIsActive()==1)?true:false;
        boolean credentialsNonExpired = (lp.getIsActive()==1)?true:false;
        //test whehther deactivate date is null or deactivate data is greater than current date
        boolean accountNonExpired = ((lp.getDeactivateDate()==null)||(lp.getDeactivateDate().compareTo(new Date())>0))?true:false;
        boolean accountNonLocked = (lp.getIsActive()==1)?true:false;
        Integer personId = lp.getPerson().getId();

        if(lp.getLlRole()!=null){
            if(lp.getLlRole()==10)
            {   
                role.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
                role.add(new SimpleGrantedAuthority("ROLE_PROFILEUSER"));
            }
            if(lp.getLlRole()==25)
                role.add(new SimpleGrantedAuthority("ROLE_PROFILEUSER"));
            }

        role.add(new SimpleGrantedAuthority("ROLE_USER"));

        return new LLUser(token.getName(),"N/A", enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, role, personId);
    }

}

}

LLUser is a custom user object that extends Spring's user object. So, now the issues are,

1). I cannot seem to add SimpleGrantedauthoriy to the "role" collection. I am getting following error and I can't understand it because SimplegGrantedAuthority is an implementation of GrantedAuthority right?

the method add(capture#1-of ? extends GrantedAuthority) in the type collection<capture#1-of ? extends GrantedAuthority> is not applicable for the arguments (SimpleGrantedAuthority)

2). I am very sure my way of initializing the custom User object is incorrect because, there is no password coming from the request and User class will not know what to compare against?

Also, please look at my context config file and let me know if there are any redundant elements or if I am missing anything important. Thanks in advance.

It seems you aren't actually implementing the functions necessary for the PreAuthenticatedGrantedUserDetailsService class. You should be implementing the function loadUserDetails(authenication_token) because that is the function actually used to get the UserDetails object for Spring. Since you don't have this function implemented, Spring will never have a way of getting the UserDetails. Please see the documentation for more details.