
Windows authentication with Waffle and Spring Security


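Waffle is one way to implement single sign-on for Windows and Active Directory. It can do everything related to Windows authentication, including Negotiate, NTLM and Kerberos. The implementation steps are as follows:

1. Download the jar files Waffle needs from http://dblock.github.com/waffle/

2. Create a new web project and add the Waffle authentication and Spring Security jar files to it. The jars Waffle needs are:

commons-logging-1.1.1.jar, guava-r07.jar, jna.jar, platform.jar, waffle-jacob.jar, waffle-jna.jar.

3. Change the configuration in web.xml to: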

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/waffle-filter.xml</param-value>
</context-param>

<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

4. Create the file waffle-filter.xml under WEB-INF with the following content:

<!-- These elements belong inside the file's root <beans> element; the sec: prefix
     must be bound to the Spring Security namespace
     (http://www.springframework.org/schema/security) on that root element. -->

<!-- windows authentication provider -->
<bean id="waffleWindowsAuthProvider"
      class="waffle.windows.auth.impl.WindowsAuthProviderImpl" />

<!-- collection of security filters -->
<bean id="negotiateSecurityFilterProvider"
      class="waffle.servlet.spi.NegotiateSecurityFilterProvider">
    <constructor-arg ref="waffleWindowsAuthProvider" />
</bean>

<bean id="basicSecurityFilterProvider" class="waffle.servlet.spi.BasicSecurityFilterProvider">
    <constructor-arg ref="waffleWindowsAuthProvider" />
</bean>

<bean id="waffleSecurityFilterProviderCollection"
      class="waffle.servlet.spi.SecurityFilterProviderCollection">
    <constructor-arg>
        <list>
            <ref bean="negotiateSecurityFilterProvider" />
            <ref bean="basicSecurityFilterProvider" />
        </list>
    </constructor-arg>
</bean>

<!-- spring filter entry point -->
<sec:http entry-point-ref="negotiateSecurityFilterEntryPoint">
    <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />
    <sec:custom-filter ref="waffleNegotiateSecurityFilter" position="BASIC_AUTH_FILTER" />
</sec:http>

<bean id="negotiateSecurityFilterEntryPoint"
      class="waffle.spring.NegotiateSecurityFilterEntryPoint">
    <property name="provider" ref="waffleSecurityFilterProviderCollection" />
</bean>

<!-- spring authentication provider -->
<sec:authentication-manager alias="authenticationProvider" />

<!-- spring security filter -->
<bean id="waffleNegotiateSecurityFilter" class="waffle.spring.NegotiateSecurityFilter">
    <property name="Provider" ref="waffleSecurityFilterProviderCollection" />
    <property name="AllowGuestLogin" value="true" />
    <property name="PrincipalFormat" value="fqn" />
    <property name="RoleFormat" value="both" />
</bean>

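Note: when accessing the application, it is best to use the host name of the machine where the project is deployed as the address.

When the browser sends a request, it is first handled by negotiateSecurityFilterEntryPoint. If the request is unauthenticated or authentication fails, a dialog pops up asking for a user name and password. After the user clicks OK, the request is handed to waffleNegotiateSecurityFilter, which calls the relevant classes and methods to check whether the user name and password are correct. If they are, access is allowed, and the logged-in user's information can then be obtained through request.getUserPrincipal().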
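Two settings in the waffle-filter.xml from step 4 matter for security: AllowGuestLogin is true, so a logon that Windows maps to the Guest account is accepted when that account is enabled on the server, and the Basic provider takes passwords that travel only base64-encoded in the request. The fragment below is an added example, not part of the original post, showing tightened variants of those beans. It assumes every client can do Negotiate/NTLM, and the requires-channel variant assumes an HTTPS connector is configured on the server.

```xml
<!-- Added example: hardened variants of the beans from step 4 (not the author's config). -->

<!-- Variant A: offer Negotiate/NTLM only. Without basicSecurityFilterProvider in the
     collection, no password is accepted from an "Authorization: Basic" header. -->
<bean id="waffleSecurityFilterProviderCollection"
      class="waffle.servlet.spi.SecurityFilterProviderCollection">
    <constructor-arg>
        <list>
            <ref bean="negotiateSecurityFilterProvider" />
        </list>
    </constructor-arg>
</bean>

<!-- Same filter as in step 4, with guest logons refused. -->
<bean id="waffleNegotiateSecurityFilter" class="waffle.spring.NegotiateSecurityFilter">
    <property name="Provider" ref="waffleSecurityFilterProviderCollection" />
    <!-- false: a logon that ends up as the Windows Guest account is rejected -->
    <property name="AllowGuestLogin" value="false" />
    <property name="PrincipalFormat" value="fqn" />
    <property name="RoleFormat" value="both" />
</bean>

<!-- Variant B: if the Basic provider has to stay for clients that cannot do
     Negotiate/NTLM, keep the two-provider list from step 4 and force every
     request onto HTTPS so the Basic credentials never cross the network in clear. -->
<sec:http entry-point-ref="negotiateSecurityFilterEntryPoint">
    <sec:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"
                       requires-channel="https" />
    <sec:custom-filter ref="waffleNegotiateSecurityFilter" position="BASIC_AUTH_FILTER" />
</sec:http>
```

Disabling the Guest account on the server itself is still worthwhile, since the AllowGuestLogin setting only covers this filter.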
