通过Spring Security向控制器注入自定义主体 [英] Injecting Custom Principal to Controllers by Spring Security
问题描述
servletApi()支持非常棒.
servletApi() support of Spring Security is great.
我要这样注入自定义主体:
I want to inject custom Principal as this:
public interface UserPrincipal extends Principal {
public Integer getId();
}
@RequestMapping(value = "/")
public ResponseEntity<List<Conversation>> listAfter(UserPrincipal user){
// implementation
}
or
@RequestMapping(value = "/")
public ResponseEntity<List<Conversation>> listAfter(UserPrincipalImpl user){
// implementation
}
Spring支持在ServletRequestMethodArgumentResolver
的帮助下注入Principal
实例.
Spring has support for injecting Principal
instances with the help of ServletRequestMethodArgumentResolver
.
它是这样注入主体的:
else if (Principal.class.isAssignableFrom(paramType)) {
return request.getUserPrincipal();
}
这是问题开始的地方. request
在这里是SecurityContextHolderAwareRequestWrapper
的实例.它具有以下实现:
Here is the place where the problem begins. request
is here an instance of SecurityContextHolderAwareRequestWrapper
. It has an implementation of:
@Override
public Principal getUserPrincipal() {
Authentication auth = getAuthentication();
if ((auth == null) || (auth.getPrincipal() == null)) {
return null;
}
return auth;
}
因为Authentication
也是Principal
. (到目前为止,我不喜欢春季安全性的唯一部分.我也将单独询问这个问题.)
Because an Authentication
is also an Principal
. (The only part of spring security I did not like so far. I will ask this a separate question as well.)
这引起了问题.因为Authentication
是Principal
而不是UserPrincipal
.
This is causing a problem. Because Authentication
is a Principal
not a UserPrincipal
.
如何解决此问题?我是否还需要实现一个UserPrincipal身份验证?还是应该更改HandlerMethodArgumentResolver的顺序来创建自定义解析器? (这对于Spring MVC来说并不容易,因为内部处理程序具有更高的优先级.)
How can I resolve this problem? Do I need to implement an authentication which is a UserPrincipal as well? Or should I change HandlerMethodArgumentResolver order a create a custom resolver? (This is not easy for Spring MVC because internal handlers has higher priority.)
作为附加信息:
我正在使用Spring Security M2,而我对AuthenticationManagerBuilder
的配置很简单:
I am using Spring Security M2 and my configuration for AuthenticationManagerBuilder
is simply:
@Override
protected void registerAuthentication(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(detailsService);
}
有帮助吗?
推荐答案
从根本上讲,这似乎与Spring MVC集成时遇到了麻烦,而不是Spring Security问题.由于API返回对象,Spring Security无法知道Authentication @ getPrinicpal()实现了Principal.
Fundamentally this seems like trouble integrating with Spring MVC and not a Spring Security issue. Spring Security has no way of knowing that Authentication@getPrinicpal() implements Principal since the API returns an Object.
我为您提供了一些选择.每个都有优点和缺点,但我认为最好是使用@ModelAttribute
和@ControllerAdvice
I see a few options for you. Each has some pros and cons, but I think the best is using @ModelAttribute
and @ControllerAdvice
最简单的选项是在自定义@ControllerAdvice
上使用@ModelAttribute
注释方法.您可以在春季参考书.
The easiest option is annotate a method with @ModelAttribute
on custom @ControllerAdvice
. You can find details in the Spring Reference.
@ControllerAdvice
public class SecurityControllerAdvice {
@ModelAttribute
public UserPrincipal customPrincipal(Authentication a) {
return (UserPrincipal) a == null ? null : a.getPrincipal();
}
}
现在,您可以在控制器中执行以下操作:
Now in your controller you can do something like this:
@RequestMapping(value = "/")
public ResponseEntity<List<Conversation>> listAfter(@ModelAttribute UserPrincipal user){
// implementation
}
请注意,仅@ModelAttribute
是必需的,以确保在HttpServletRequest#getPrincipal()上使用@ModelAttribute
.如果未实现Principal,则不需要@ModelAttribute
.
Note that the @ModelAttribute
is necessary only to ensure the @ModelAttribute
is used over the HttpServletRequest#getPrincipal(). If it did not implement Principal, @ModelAttribute
is not required.
您还可以执行以下操作:
You can also do something like this:
@RequestMapping(value = "/")
public ResponseEntity<List<Conversation>> listAfter(
@Value("#{request.userPrincipal.principal}") UserPrincipal user){
// implementation
}
之所以可行,是因为HttpServletRequest可以作为ExpressionValueMethodArgumentResolver的属性使用(Spring MVC默认添加),该属性允许通过 SPR-10760 会更好,这将允许您使用自己的自定义注释像这样使用:
This works because the HttpServletRequest is available as an attribute to the ExpressionValueMethodArgumentResolver (added by default by Spring MVC) which allows accessing things via SpEL. I find this less attractive than @ModelAttribute
due to the constant that must be in the @Value
annotation. It will be nicer when SPR-10760 is resolved which would allow for your own custom annotation to be used like:
@Target({ElementType.FIELD, ElementType.METHOD, ElementType.PARAMETER, ElementType.ANNOTATION_TYPE})
@Retention(RetentionPolicy.RUNTIME)
@Documented
@Value("#{request.userPrincipal.principal}")
public @interface CurrentUser { }
@Autowire RequestMappingHandlerAdapter
这有点草率,因为RequestMappingHandlerAdapter已被初始化,但是您可以更改HandlerMethodArgumentResolvers的顺序,如下所示:
@Autowire RequestMappingHandlerAdapter
This is a bit sloppy because the RequestMappingHandlerAdapter has already been initialized, but you can change the ordering of the HandlerMethodArgumentResolvers as shown here:
@EnableWebMvc
@Configuration
public class WebMvcConfiguration
extends WebMvcConfigurerAdapter {
...
@Autowired
public void setArgumentResolvers(RequestMappingHandlerAdapter adapter) {
List<HandlerMethodArgumentResolver> resolvers = new ArrayList<HandlerMethodArgumentResolver>();
resolvers.add(new CustomPrincipalArgumentResolver());
resolvers.addAll(adapter.getArgumentResolvers().getResolvers());
adapter.setArgumentResolvers(resolvers);
}
}
子类WebMvcConfigurationSupport
您也可以扩展WebMvcConfigurationSupport而不是使用@EnableWebMvc
来确保首先使用HandlerMethodArgumentResolver.例如:
Subclass WebMvcConfigurationSupport
You can also extend WebMvcConfigurationSupport instead of using @EnableWebMvc
to ensure your HandlerMethodArgumentResolver is used first. For example:
@Configuration
public class WebConfiguration extends WebMvcConfigurationSupport {
...
@Bean
@Override
public RequestMappingHandlerAdapter requestMappingHandlerAdapter() {
RequestMappingHandlerAdapter adapter = super.requestMappingHandlerAdapter()();
List<HandlerMethodArgumentResolver> resolvers = new ArrayList<HandlerMethodArgumentResolver>();
resolvers.add(new CustomPrincipalArgumentResolver());
resolvers.addAll(adapter.getArgumentResolvers().getResolvers());
adapter.setArgumentResolvers(resolvers);
return adapter;
}
}
这篇关于通过Spring Security向控制器注入自定义主体的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!