Windows authentication with Waffle and Spring Security

Original poster | Posted 2013-2-7 03:39:10
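Waffle is one way to implement single sign-on against Windows and Active Directory. It handles all aspects of Windows authentication, including Negotiate, NTLM and Kerberos. The setup steps are as follows:
1. Download the jar files Waffle needs from http://dblock.github.com/waffle/
2. Create a new web project and add the Waffle and Spring Security jar files to it. The jars Waffle needs are:
commons-logging-1.1.1.jar, guava-r07.jar, jna.jar, platform.jar, waffle-jacob.jar, waffle-jna.jar;
3. Change the configuration in web.xml to: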
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/waffle-filter.xml</param-value>
</context-param>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>
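4. Create the file waffle-filter.xml under WEB-INF with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<!-- root element and namespace declarations added so the fragment is a well-formed Spring context file -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- windows authentication provider -->
    <bean id="waffleWindowsAuthProvider"
          class="waffle.windows.auth.impl.WindowsAuthProviderImpl" />

    <!-- collection of security filters -->
    <bean id="negotiateSecurityFilterProvider"
          class="waffle.servlet.spi.NegotiateSecurityFilterProvider">
        <constructor-arg ref="waffleWindowsAuthProvider" />
    </bean>

    <!-- Basic sends the password only base64-encoded, so serve the application over HTTPS when this provider is enabled -->
    <bean id="basicSecurityFilterProvider" class="waffle.servlet.spi.BasicSecurityFilterProvider">
        <constructor-arg ref="waffleWindowsAuthProvider" />
    </bean>

    <bean id="waffleSecurityFilterProviderCollection"
          class="waffle.servlet.spi.SecurityFilterProviderCollection">
        <constructor-arg>
            <list>
                <ref bean="negotiateSecurityFilterProvider" />
                <ref bean="basicSecurityFilterProvider" />
            </list>
        </constructor-arg>
    </bean>

    <!-- spring filter entry point -->
    <sec:http entry-point-ref="negotiateSecurityFilterEntryPoint">
        <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
        <sec:custom-filter ref="waffleNegotiateSecurityFilter" position="BASIC_AUTH_FILTER" />
    </sec:http>

    <bean id="negotiateSecurityFilterEntryPoint"
          class="waffle.spring.NegotiateSecurityFilterEntryPoint">
        <property name="provider" ref="waffleSecurityFilterProviderCollection" />
    </bean>

    <!-- spring authentication provider -->
    <sec:authentication-manager alias="authenticationProvider" />

    <!-- spring security filter -->
    <bean id="waffleNegotiateSecurityFilter" class="waffle.spring.NegotiateSecurityFilter">
        <property name="Provider" ref="waffleSecurityFilterProviderCollection" />
        <!-- with AllowGuestLogin=true, a logon that Windows maps to the Guest account is accepted;
             set it to false (or keep the Guest account disabled) unless guest access is intended -->
        <property name="AllowGuestLogin" value="true" />
        <property name="PrincipalFormat" value="fqn" />
        <property name="RoleFormat" value="both" />
    </bean>
</beans>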
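Note: when accessing the application, it is best to use the host name of the machine where the project is deployed in the URL.
When the browser sends a request, it is first handled by negotiateSecurityFilterEntryPoint. If the request is unauthenticated or authentication fails, a dialog pops up asking for a user name and password. After the OK button is clicked, the request is handed to waffleNegotiateSecurityFilter, which calls the relevant classes and methods to check whether the user name and password are correct. If they are, access is allowed, and the logged-in user's information can then be obtained through request.getUserPrincipal().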
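The configuration above accepts both Negotiate (NTLM or Kerberos) and Basic, so it helps to see which one a browser actually sent. The following is an added example, not code from the original post or from the Waffle project: it classifies an Authorization header value. The class name, the returned labels and the sample tokens are constructed for illustration, and the check is a byte-pattern heuristic rather than a full ASN.1 parse.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Added example (hypothetical class): report which mechanism an Authorization header carries.
public class AuthHeaderClassifier {
    private static final byte[] NTLMSSP = "NTLMSSP\0".getBytes(StandardCharsets.US_ASCII);
    // DER encoding of the Kerberos 5 mechanism OID 1.2.840.113554.1.2.2
    private static final byte[] KRB5_OID = {0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86,
            (byte) 0xf7, 0x12, 0x01, 0x02, 0x02};

    static String classify(String header) {
        if (header == null || header.trim().isEmpty()) return "none";
        String[] parts = header.trim().split("\\s+", 2);
        if (parts[0].equalsIgnoreCase("Basic")) return "Basic";
        if (!parts[0].equalsIgnoreCase("Negotiate") && !parts[0].equalsIgnoreCase("NTLM")) return "other";
        if (parts.length < 2) return "malformed";
        byte[] token;
        try {
            token = Base64.getDecoder().decode(parts[1].trim());
        } catch (IllegalArgumentException e) {
            return "malformed";
        }
        int ntlm = indexOf(token, NTLMSSP);
        // Raw NTLM: signature at offset 0, message type (1, 2 or 3) in the next byte.
        if (ntlm == 0) return token.length > 8 ? "NTLM type " + token[8] : "malformed";
        if (ntlm > 0) return "SPNEGO/NTLM";            // NTLM message wrapped in a SPNEGO token
        if (indexOf(token, KRB5_OID) >= 0) return "SPNEGO/Kerberos";
        return "Negotiate/unknown";                     // e.g. a later leg of the exchange
    }

    static int indexOf(byte[] data, byte[] pattern) {
        outer:
        for (int i = 0; i + pattern.length <= data.length; i++) {
            for (int j = 0; j < pattern.length; j++) if (data[i + j] != pattern[j]) continue outer;
            return i;
        }
        return -1;
    }

    public static void main(String[] args) {
        Base64.Encoder b64 = Base64.getEncoder();
        // Constructed, truncated sample tokens (not captured traffic).
        byte[] ntlmType1 = "NTLMSSP\0\1\0\0\0".getBytes(StandardCharsets.US_ASCII);
        byte[] krb = ByteBuffer.allocate(21).put(new byte[] {0x60, 0x13, 0x06, 0x06, 0x2b, 0x06,
                0x01, 0x05, 0x05, 0x02}).put(KRB5_OID).array();
        System.out.println(classify("Negotiate " + b64.encodeToString(ntlmType1)));
        System.out.println(classify("Negotiate " + b64.encodeToString(krb)));
        System.out.println(classify("Basic " + b64.encodeToString("user:pw".getBytes(StandardCharsets.US_ASCII))));
    }
}
```

Logging `classify(request.getHeader("Authorization"))` from a servlet filter placed ahead of springSecurityFilterChain shows whether clients reach Kerberos or fall back to NTLM or Basic.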
 
 
 