小贝子编程

防止 spring 注入默认的 AuthenticationManager



我正在尝试使用两个不同的身份验证提供程序创建一个 spring 安全配置,并公开一个 rest 接口来验证凭据(这仅在开发环境中使用,将被 prod 中的 oAuth 服务取代。但是当我将 AuthenticationManager 注入控制器时,spring 会创建一个默认的 AuthenticationManager 并将其注入 RestController 中。如何使 spring 注入在 WebSecurityConfigurationAdapter 中配置的 AuthenticationManager?我正在使用 spring-boot-starter-security:1.5.7.RELEASE。这是我的安全配置:

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@Configuration
public class LocalWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
    private final DevUserDetailsService devUserDetailService;
    private final ServiceUserDetailService serviceUserDetailService;
    @Autowired
    public LocalWebSecurityConfigurationAdapter(DevUserDetailsService devUserDetailService, ServiceUserDetailService serviceUserDetailService) {
        this.devUserDetailService = devUserDetailService;
        this.serviceUserDetailService = serviceUserDetailService;
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().authorizeRequests().antMatchers("/api/public/**").permitAll()
                .antMatchers("/api/login").permitAll()
                .antMatchers("/api/**").fullyAuthenticated()
                .anyRequest().permitAll()
                .and().exceptionHandling().authenticationEntryPoint(unauthorizedEntryPoint())
                .and().httpBasic();
    }
    @Bean
    public AuthenticationEntryPoint unauthorizedEntryPoint() {
        return (request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(devUserDetailService);
        DaoAuthenticationProvider serviceUserAuthProvider = new DaoAuthenticationProvider();
        serviceUserAuthProvider.setUserDetailsService(serviceUserDetailService);
        serviceUserAuthProvider.setPasswordEncoder(passwordEncoder());
        auth.authenticationProvider(serviceUserAuthProvider);
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

这是我的 RestController:

@RestController
@RequestMapping("/api/login")
public class LoginController {
    private final Logger log = LoggerFactory.getLogger(this.getClass());
    private final AuthenticationManager authenticationManager;
    public LoginController(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }
    @RequestMapping(method = RequestMethod.POST)
    public Map<String, String> login(@RequestBody Map<String, String> body) {
        String user = body.get("user");
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user, body.get("password"));
        try {
            authenticationManager.authenticate(token);
            return Collections.singletonMap("status", "ok");
        } catch (BadCredentialsException e) {
            return Collections.singletonMap("status", "bad credentials");
        } catch (AuthenticationException e) {
            log.warn("Could not authenticate user {} because {}.", user, e.getMessage(), e);
            return Collections.singletonMap("status", "general error");
        }
    }
}

既然你们可能是 Spring 的专家,是否有最佳实践可以根据运行代码的环境(使用配置文件)创建不同的安全配置,而无需创建冗余代码?我尝试了一个超级课程,但春天不太喜欢这样。

我终于找到了解决方案。通过在我的配置类中使用configureGlobal,AuthenticationManager在所有弹簧管理的组件之间共享。

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth, DevUserDetailsService devUserDetailService,
                            @Qualifier("serviceUserAuthenticationProvider") AuthenticationProvider serviceUserAuthProvider) throws Exception {
    auth.userDetailsService(devUserDetailService);
    auth.authenticationProvider(serviceUserAuthProvider);
}

对于重用配置,我仍然没有找到一个好的解决方案。为所有常见配置创建一个抽象的"超级配置"一旦使用@Bean注释方法就会产生麻烦,并且创建多个 WebSecurityConfigurerAdapter 会导致一个覆盖另一个,所以如果有最佳实践,我仍然对适当的解决方案感兴趣。我已经设法做了我想做的事,但这对我来说仍然有点像黑客。对于任何偶然遇到类似问题的人,我希望这会有所帮助。

LocalWebSecurityConfigurationAdapter 中声明 bean: 

@Bean(name="appAuthenticationManager") 
@Override 
public AuthenticationManager authenticationManagerBean() throws Exception {  
       return super.authenticationManagerBean(); 
}

并像注入任何其他 Bean 一样注入其他组件:

public LoginController(@Qualifier("appAuthenticationManager") AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
}

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium