Use the Spring Security 2.0.x Authentication object in Spring Security 3.0.x

I have a legacy service written against Spring Security 2.0.4 and it consumes the org.springframework.security.Authentication object.

Now I am integrating that with a newer project written against Spring Security 3, and I am implementing org.springframework.security.authentication.AuthenticationProvider, which consumes (in the authenticate method) org.springframework.security.core.Authentication, so I cannot supply this object to the legacy code (note that the Authentication object now resides in a different package).

I read the migration guide, but didn't find anything useful about this issue there. Any ideas how to solve this?

asked Aug 28 '12 at 10:08

What is the issue exactly? The behaviour should be almost identical to 2.0.x -

Well, that my legacy interface won't consume the Spring Security 3 Authentication object. So I had to downgrade to SS2 atm. I am using a proxy as a reference to the remote service, so I can perform the conversion from SS3.Authentication to SS2.Authentication myself, but I cannot have both SS2 and SS3 on the classpath. So maybe there is another way ... -

OK, it wasn't clear you were talking about remoting. It's true that you can't use serialization-based remoting between version 2 and 3. Also, the recent vulnerabilities due to serialization really make it advisable to implement remote services using something else (such as plain HTTP). -

But what bothers me is that the Authentication object is pretty much identical in both versions ... so no workaround at all? -

You could add the required package from to your 3.0.x app and add the necessary classes. Then you just need an adapter. But what should ultimately be bothering you is that serialization-based remoting is likely to be a backdoor for other security vulnerabilities and is best avoided. -
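
One way to follow the advice in the comments above and pass the caller's identity as plain text over HTTP instead of as a serialized Java object. This is an added example, not code from the thread or from Spring Security: the `AuthWire` class and its `name`/`role` field names are hypothetical. It assumes the legacy service separately authenticates the calling application and rebuilds its own 2.0.x token from the decoded strings.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/** Hypothetical helper: carries identity as plain text instead of a serialized object. */
public final class AuthWire {
    private AuthWire() {}

    /** 3.0.x side: flatten to "name=<n>&role=<r>&role=<r>"; credentials are never sent. */
    public static String encode(Authentication auth) throws UnsupportedEncodingException {
        if (auth == null || !auth.isAuthenticated()) {
            throw new IllegalArgumentException("refusing to forward an unauthenticated caller");
        }
        StringBuilder sb = new StringBuilder("name=").append(enc(auth.getName()));
        for (GrantedAuthority ga : auth.getAuthorities()) {
            // Percent-encoding keeps a crafted user or role name from injecting "&role=..."
            sb.append("&role=").append(enc(ga.getAuthority()));
        }
        return sb.toString();
    }

    /** 2.0.x side: returns [name, role1, role2, ...]; build the legacy token from these strings. */
    public static List<String> decode(String wire) throws UnsupportedEncodingException {
        List<String> out = new ArrayList<String>();
        String name = null;
        for (String pair : wire.split("&")) {
            int eq = pair.indexOf('=');
            if (eq < 0) throw new IllegalArgumentException("malformed field");
            String key = pair.substring(0, eq);
            String val = URLDecoder.decode(pair.substring(eq + 1), "UTF-8");
            if ("name".equals(key) && name == null) name = val;
            else if ("role".equals(key)) out.add(val);
            else throw new IllegalArgumentException("unexpected or repeated field: " + key);
        }
        if (name == null || name.length() == 0) throw new IllegalArgumentException("missing name");
        out.add(0, name);
        return out;
    }

    private static String enc(String s) throws UnsupportedEncodingException {
        return URLEncoder.encode(s, "UTF-8");
    }
}
```

Because `decode` is plain string parsing with no dependency on either Spring Security version, the 2.0.x and 3.0.x classes never have to share a classpath, and the receiver accepts only the two expected fields rather than an arbitrary object graph.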

0 Answers
