我有一个用@PreAuthorize注释的方法,它使用自定义bean
@PreAuthorize("@preAuthUtils.test(authentication)")
public void method(){
...
}
这个bean什么也不做,只是打印出auth和user(principle(
@Component(value = "preAuthUtils")
public class PreAuthUtils {
public boolean test(UsernamePasswordAuthenticationToken x) {
System.out.println("type: " + x.getClass().getSimpleName());
System.out.println("string: " + x.toString());
final var user = x.getPrincipal();
System.out.println("type: " + user.getClass().getSimpleName());
System.out.println("string: " + user.toString());
return true;
}
}
输出(请求后(
type: UsernamePasswordAuthenticationToken
string: UsernamePasswordAuthenticationToken [Principal=johndoe, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=null], Granted Authorities=[ROLE_USER, ROLE_CUSTOMER]]
type: String
string: johndoe
问题是为什么用户是String类型的?而不是我的习惯";DefaultUserDetails";实现UserDetails的类?
因为我需要获得用户的id和信息来决定是认证还是限制用户,我花了6个小时,我只想哭
我终于发现了。
这一切都是由于我的JWT过滤器实际上对用户进行了身份验证。。。
这里的主体是userDetails(IN WAS STRING..(
final var authentication = new UsernamePasswordAuthenticationToken(principal, null, authorities);
authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(context));
SecurityContextHolder.getContext().setAuthentication(authentication);