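Waffle is one way to implement single sign-on for Windows & Active Directory. It can do everything related to Windows authentication, including Negotiate, NTLM and Kerberos. The implementation steps are as follows:
1. Download the jar files Waffle requires from http://dblock.github.com/waffle/;
2. Create a new web project and add the jar files for Waffle authentication and spring-security to it. The jars Waffle requires are:
commons-logging-1.1.1.jar, guava-r07.jar, jna.jar, platform.jar, waffle-jacob.jar, waffle-jna.jar;
3. Modify the web.xml configuration as follows: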
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/waffle-filter.xml</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
4. Create a waffle-filter.xml file under WEB-INF with the following content:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- windows authentication provider -->
    <bean id="waffleWindowsAuthProvider"
          class="waffle.windows.auth.impl.WindowsAuthProviderImpl" />

    <!-- collection of security filters -->
    <bean id="negotiateSecurityFilterProvider"
          class="waffle.servlet.spi.NegotiateSecurityFilterProvider">
        <constructor-arg ref="waffleWindowsAuthProvider" />
    </bean>
    <!-- Basic sends the password base64-encoded, so offer it only over HTTPS -->
    <bean id="basicSecurityFilterProvider" class="waffle.servlet.spi.BasicSecurityFilterProvider">
        <constructor-arg ref="waffleWindowsAuthProvider" />
    </bean>
    <bean id="waffleSecurityFilterProviderCollection"
          class="waffle.servlet.spi.SecurityFilterProviderCollection">
        <constructor-arg>
            <list>
                <ref bean="negotiateSecurityFilterProvider" />
                <ref bean="basicSecurityFilterProvider" />
            </list>
        </constructor-arg>
    </bean>

    <!-- spring filter entry point -->
    <sec:http entry-point-ref="negotiateSecurityFilterEntryPoint">
        <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
        <sec:custom-filter ref="waffleNegotiateSecurityFilter" position="BASIC_AUTH_FILTER" />
    </sec:http>
    <bean id="negotiateSecurityFilterEntryPoint"
          class="waffle.spring.NegotiateSecurityFilterEntryPoint">
        <property name="provider" ref="waffleSecurityFilterProviderCollection" />
    </bean>

    <!-- spring authentication provider -->
    <sec:authentication-manager alias="authenticationProvider" />

    <!-- spring security filter -->
    <bean id="waffleNegotiateSecurityFilter" class="waffle.spring.NegotiateSecurityFilter">
        <property name="Provider" ref="waffleSecurityFilterProviderCollection" />
        <!-- When this is true and the system's Guest account is enabled, a failed
             logon can succeed as Guest; set it to false if guest access is not intended -->
        <property name="AllowGuestLogin" value="true" />
        <property name="PrincipalFormat" value="fqn" />
        <property name="RoleFormat" value="both" />
    </bean>
</beans>
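Note: when accessing the application, it is best to write the access address using the host name of the machine where the project is deployed.
When the browser sends a request, it is first handled by negotiateSecurityFilterEntryPoint. If the request is unauthenticated or authentication fails, a dialog pops up asking for a user name and password. After the OK button is clicked, the request is handed to waffleNegotiateSecurityFilter, which calls the corresponding classes and methods to check whether the user name and password are correct. If they are correct, access is allowed, and the logged-in user's information can then be obtained through request.getUserPrincipal().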