# Security configuration

# 1) The Config component

In most pac4j implementations, the security configuration is defined through the Config object.

It gathers the required clients, authorizers and matchers:

Example

```java
// Two indirect (redirect-based) clients for social login and one direct client
// that authenticates a JWT passed in the "token" request parameter.
FacebookClient facebookClient = new FacebookClient("145278422258960", "be21409ba8f39b5dae2a7de525484da8");
TwitterClient twitterClient = new TwitterClient("CoxUiYwQOSFDReZYdjigBA", "2kAzunH5Btc4gRSaMr7D7MkyoJ5u1VzbOOzE8rBofs");
// `salt` is the JWT signing secret, defined elsewhere in the application
ParameterClient parameterClient = new ParameterClient("token", new JwtAuthenticator(salt));

// The callback URL is shared by all indirect clients
Config config = new Config("http://localhost:8080/callback", facebookClient, twitterClient, parameterClient);

// Named authorizers, referenced by name when protecting URLs
config.addAuthorizer("admin", new RequireAnyRoleAuthorizer<>("ROLE_ADMIN"));
config.addAuthorizer("custom", new CustomAuthorizer());

// Named matcher: requests matching this path are left unprotected
config.addMatcher("excludedPath", new ExcludedPathMatcher("^/facebook/notprotected\\.jsp$"));
```

You can also build the Config object from an intermediate Clients object.

Example

```java
Clients clients = new Clients("http://localhost:8080/callback", facebookClient, twitterClient, parameterClient);

Config config = new Config(clients);
```

In this case, you can define for all clients:

- the same callback URL, UrlResolver and CallbackUrlResolver: clients.setCallbackUrl(callbackUrl), clients.setUrlResolver(urlResolver) and clients.setCallbackUrlResolver(callbackUrlResolver)
- the same AjaxRequestResolver: clients.setAjaxRequestResolver(ajaxRequestResolver)
- the same AuthorizationGenerator: clients.addAuthorizationGenerator(authorizationGenerator)
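A fuller version of the Clients-based construction, added here as an example and not code from the pac4j project: it assumes the pac4j 3.x API (the one that provides ExcludedPathMatcher), reads client secrets from hypothetical environment variables instead of source code, and uses the shared AuthorizationGenerator to assign ROLE_ADMIN so that the "admin" authorizer has a role to check.

```java
import org.pac4j.core.authorization.authorizer.RequireAnyRoleAuthorizer;
import org.pac4j.core.authorization.generator.AuthorizationGenerator;
import org.pac4j.core.client.Clients;
import org.pac4j.core.config.Config;
import org.pac4j.core.matching.ExcludedPathMatcher;
import org.pac4j.core.profile.CommonProfile;
import org.pac4j.http.client.direct.ParameterClient;
import org.pac4j.jwt.config.signature.SecretSignatureConfiguration;
import org.pac4j.jwt.credentials.authenticator.JwtAuthenticator;
import org.pac4j.oauth.client.FacebookClient;

public final class SecurityConfigFactory {
    // Secrets come from the environment (hypothetical variable names) instead of source code.
    private static String env(String name) {
        String v = System.getenv(name);
        if (v == null || v.isEmpty()) {
            throw new IllegalStateException("missing environment variable: " + name);
        }
        return v;
    }

    public static Config build() {
        FacebookClient facebookClient = new FacebookClient(env("FACEBOOK_ID"), env("FACEBOOK_SECRET"));
        // JWTs passed in the "token" parameter, verified with an HMAC shared secret.
        JwtAuthenticator jwtAuthenticator = new JwtAuthenticator();
        jwtAuthenticator.addSignatureConfiguration(new SecretSignatureConfiguration(env("JWT_SECRET")));
        ParameterClient parameterClient = new ParameterClient("token", jwtAuthenticator);
        parameterClient.setSupportGetRequest(false); // keep tokens out of URLs and access logs
        parameterClient.setSupportPostRequest(true);

        // Clients applies one callback URL and one AuthorizationGenerator to every client.
        Clients clients = new Clients(env("PAC4J_CALLBACK_URL"), facebookClient, parameterClient);
        clients.addAuthorizationGenerator(adminRoleGenerator(env("ADMIN_EMAIL")));
        Config config = new Config(clients);
        config.addAuthorizer("admin", new RequireAnyRoleAuthorizer<>("ROLE_ADMIN"));
        config.addMatcher("excludedPath", new ExcludedPathMatcher("^/public/.*$"));
        return config;
    }

    // Grants ROLE_ADMIN only to the profile whose e-mail matches the configured admin
    // address; every other authenticated user keeps the roles the client already assigned.
    static AuthorizationGenerator<CommonProfile> adminRoleGenerator(String adminEmail) {
        return (ctx, profile) -> {
            if (adminEmail.equalsIgnoreCase(profile.getEmail())) {
                profile.addRole("ROLE_ADMIN");
            }
            return profile;
        };
    }
}
```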

# 2) The pac4j-config module

The pac4j-config module:

```xml
<dependency>
    <groupId>org.pac4j</groupId>
    <artifactId>pac4j-config</artifactId>
    <version>${pac4j.version}</version>
</dependency>
```

gathers all the pac4j facilities for defining this Config object. Currently, only one component lets you build clients from a set of properties: PropertiesConfigFactory.

Note

The required dependencies must be declared explicitly (the pac4j-saml module if you use SAML, the pac4j-oauth module if you use OAuth, and so on).

Example (Dropwizard YAML configuration file)

```yaml
pac4j:
  callbackUrl: /callback
  clientsProperties:
    facebook.id: 145278422258960
    facebook.secret: be21409ba8f39b5dae2a7de525484da8
    saml.keystorePath: resource:samlKeystore.jks
    saml.keystorePassword: pac4j-demo-passwd
    saml.privateKeyPassword: pac4j-demo-passwd
    saml.identityProviderMetadataPath: resource:metadata-okta.xml
    saml.maximumAuthenticationLifetime: 3600
    saml.serviceProviderEntityId: http://localhost:8080/callback?client_name=SAML2Client
    saml.serviceProviderMetadataPath: sp-metadata.xml
    anonymous: fakevalue
    ldap.type: direct
    ldap.url: ldap://ldap.jumpcloud.com:389
    ldap.useStartTls: false
    ldap.useSsl: false
    ldap.dnFormat: uid=%s,ou=Users,o=58e69adc0914b437324e7632,dc=jumpcloud,dc=com
    ldap.usersDn: ou=Users,o=58e69adc0914b437324e7632,dc=jumpcloud,dc=com
    ldap.principalAttributeId: uid
    ldap.principalAttributes: firstName,lastName
    ldap.enhanceWithEntryResolver: false
    formClient.loginUrl: /login.html
    formClient.authenticator: ldap
```

The properties available for defining clients (as well as authenticators and password encoders) are:

| Available properties | Usage |
|---|---|
| encoder.spring.type (bcrypt, noop, pbkdf2, scrypt or standard), encoder.spring.bcrypt.length, encoder.spring.pbkdf2.secret, encoder.spring.pbkdf2.iterations, encoder.spring.pbkdf2.hashWidth, encoder.spring.scrypt.cpuCost, encoder.spring.scrypt.memoryCost, encoder.spring.scrypt.parallelization, encoder.spring.scrypt.keyLength, encoder.spring.scrypt.saltLength, encoder.spring.standard.secret | Defines a SpringPasswordEncoder from the provided properties, named encoder.spring or encoder.spring.N |
| encoder.shiro (if no specific property is needed), encoder.shiro.generatePublicSalt, encoder.shiro.hashAlgorithmName, encoder.shiro.hashIterations, encoder.shiro.privateSalt | Defines a ShiroPasswordEncoder from the provided properties, named encoder.shiro or encoder.shiro.N |
| ldap.type, ldap.dnFormat, ldap.principalAttributes, ldap.principalAttributeId, ldap.principalAttributePassword, ldap.subtreeSearch, ldap.usersDn, ldap.userFilter, ldap.enhanceWithEntryResolver, ldap.trustCertificates, ldap.keystore, ldap.keystorePassword, ldap.keystoreType, ldap.minPoolSize, ldap.maxPoolSize, ldap.poolPassivator, ldap.validateOnCheckout, ldap.validatePeriodically, ldap.validatePeriod, ldap.failFast, ldap.idleTime, ldap.prunePeriod, ldap.blockWaitTime, ldap.url, ldap.useStartTls, ldap.connectTimeout, ldap.providerClass, ldap.allowMultipleDns, ldap.bindDn, ldap.bindCredential, ldap.saslRealm, ldap.saslMechanism, ldap.saslAuthorizationId, ldap.saslSecurityStrength, ldap.saslQualityOfProtection | Defines a LdapAuthenticator from the provided properties, named ldap or ldap.N |
| db.dataSourceClassName, db.jdbcUrl, db.userAttributes, db.userIdAttribute, db.usernameAttribute, db.userPasswordAttribute, db.usersTable, db.username, db.password, db.autoCommit, db.connectionTimeout, db.idleTimeout, db.maxLifetime, db.connectionTestQuery, db.minimumIdle, db.maximumPoolSize, db.poolName, db.initializationFailTimeout, db.isolateInternalQueries, db.allowPoolSuspension, db.readOnly, db.registerMbeans, db.catalog, db.connectionInitSql, db.driverClassName, db.transactionIsolation, db.validationTimeout, db.leakDetectionThreshold, db.customParamKey, db.customParamValue, db.loginTimeout, db.dataSourceJndi, db.passwordEncoder | Defines a DbAuthenticator from the provided properties, named db or db.N |
| rest.url | Defines a RestAuthenticator from the provided properties, named rest or rest.N |
| anonymous | Defines an AnonymousClient; the value is ignored |
| directBasicAuth.authenticator | Defines a DirectBasicAuthClient from the provided properties |
| saml.keystorePassword, saml.privateKeyPassword, saml.keystorePath, saml.identityProviderMetadataPath, saml.maximumAuthenticationLifetime, saml.serviceProviderEntityId, saml.serviceProviderMetadataPath, saml.destinationBindingType, saml.keystoreAlias | Defines a SAML2Client from the provided properties |
| cas.loginUrl, cas.protocol | Defines a CasClient from the provided properties |
| oidc.type (google or azure), oidc.azure.tenant (for the AzureAD tenant), oidc.id, oidc.secret, oidc.scope, oidc.discoveryUri, oidc.useNonce, oidc.preferredJwsAlgorithm, oidc.maxClockSkew, oidc.clientAuthenticationMethod, oidc.customParamKey1, oidc.customParamValue1, oidc.customParamKey2, oidc.customParamValue2 | Defines an OpenID Connect client from the provided properties |
| formClient.authenticator, formClient.loginUrl, formClient.usernameParameter, formClient.passwordParameter | Defines a FormClient from the provided properties |
| indirectBasicAuth.authenticator, indirectBasicAuth.realName | Defines an IndirectBasicAuthClient from the provided properties |
| facebook.id, facebook.secret, facebook.scope, facebook.field | Defines a FacebookClient from the provided properties |
| twitter.id, twitter.secret | Defines a TwitterClient from the provided properties |
| github.id, github.secret | Defines a GitHubClient from the provided properties |
| dropbox.id, dropbox.secret | Defines a DropBoxClient from the provided properties |
| windowslive.id, windowslive.secret | Defines a WindowsLiveClient from the provided properties |
| yahoo.id, yahoo.secret | Defines a YahooClient from the provided properties |
| linkedin.id, linkedin.secret, linkedin.fields, linkedin.scope | Defines a LinkedIn2Client from the provided properties |
| foursquare.id, foursquare.secret | Defines a FoursquareClient from the provided properties |
| google.id, google.secret, google.scope | Defines a Google2Client from the provided properties |
| oauth2.id, oauth2.secret, oauth2.authUrl, oauth2.tokenUrl, oauth2.profileUrl, oauth2.profilePath, oauth2.profileId, oauth2.scope, oauth2.withState, oauth2.clientAuthenticationMethod | Defines a GenericOAuth20Client from the provided properties |

Notes:

- You can define several clients of the same type by appending a number to the property name: cas.loginUrl.2, oidc.type.5, and so on.
- A .passwordEncoder property must be set to the name of an already defined PasswordEncoder, such as encoder.spring or encoder.shiro.3.
- An .authenticator property must be set to the name of an already defined Authenticator, such as ldap or db.1, or to one of the implicit values testUsernamePassword or testToken (test authenticators).
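The same property conventions driven programmatically through PropertiesConfigFactory, added here as an example and not code from the pac4j project. It assumes the pac4j 3.x API with pac4j-config, pac4j-ldap and pac4j-http on the classpath; the host names and REST endpoint are placeholders. It shows a numbered second authenticator (ldap.2), clients referencing authenticators by name, and a startup check that the expected clients were actually built, since a missing module or a mistyped property name otherwise leaves a client out silently.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.pac4j.config.client.PropertiesConfigFactory;
import org.pac4j.core.config.Config;

// Assumes pac4j-config, pac4j-ldap and pac4j-http on the classpath; host names
// and the REST endpoint below are placeholders.
public final class PropertiesSecurityConfig {
    public static Config build() {
        Map<String, String> p = new LinkedHashMap<>();

        // Authenticator "ldap": direct bind against the primary directory over LDAPS.
        p.put("ldap.type", "direct");
        p.put("ldap.url", "ldaps://ldap.example.com:636");
        p.put("ldap.useSsl", "true");
        p.put("ldap.dnFormat", "uid=%s,ou=Users,dc=example,dc=com");
        p.put("ldap.principalAttributeId", "uid");

        // Authenticator "ldap.2": the numbered suffix defines a second LdapAuthenticator.
        p.put("ldap.type.2", "direct");
        p.put("ldap.url.2", "ldaps://ldap.partner.example:636");
        p.put("ldap.useSsl.2", "true");
        p.put("ldap.dnFormat.2", "uid=%s,ou=People,dc=partner,dc=example");

        // Authenticator "rest": credentials are checked by an internal HTTP service.
        p.put("rest.url", "https://auth.internal.example/check");

        // Clients reference the authenticators above by name.
        p.put("formClient.loginUrl", "/login.html");
        p.put("formClient.authenticator", "ldap.2");
        p.put("directBasicAuth.authenticator", "rest");

        Config config = new PropertiesConfigFactory("/callback", p).build();
        requireClients(config, "FormClient", "DirectBasicAuthClient");
        return config;
    }

    // Fail at startup if an expected client was skipped, e.g. because its module is
    // missing from the classpath or a property name was mistyped.
    static void requireClients(Config config, String... names) {
        for (String name : names) {
            boolean found = config.getClients().getClients().stream()
                    .anyMatch(c -> name.equals(c.getName()));
            if (!found) {
                throw new IllegalStateException("pac4j client not configured: " + name);
            }
        }
    }
}
```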
