具有 Spring Security 和 Java 配置的自定义身份验证管理器 [英] Custom Authentication Manager with Spring Security and Java Configuration
问题描述
我正在使用 Spring Security 和 SpringMVC 创建一个与现有应用程序(我将其称为 BackendApp)对话的 Web 应用程序(为了清楚起见,我将其称为 WebApp).
I am using Spring Security with SpringMVC to create a web application (I will refer to this as the WebApp for clarity) that speaks to an existing application (I will refer to this as BackendApp).
我想将身份验证职责委托给 BackendApp(这样我就不需要同步两个应用程序).
I want to delegate authentication responsibilities to the BackendApp (so that I don't need to synchronise the two applications).
为了实现这一点,我希望 WebApp(运行 spring security)使用用户在表单中提供的用户名和密码通过 REST 与 BackendApp 通信,并根据 BackendApp 的响应是 200 OK 还是 401 Unauthorized 进行身份验证.
To implement this, I would like the WebApp (running spring security) to communicate to the BackendApp via REST with the username and password provided by the user in a form and authenticate based on whether the BackendApp's response is 200 OK or 401 Unauthorised.
我知道我需要编写一个自定义身份验证管理器来执行此操作,但是我对 spring 很陌生,无法找到有关如何实现它的任何信息.
I understand I will need to write a custom Authentication Manager to do this however I am very new to spring and can't find any information on how to implement it.
我相信我需要做这样的事情:
I believe I will need to do something like this:
public class CustomAuthenticationManager implements AuthenticationManager{
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String username = authentication.getName();
String pw = authentication.getCredentials().toString();
// Code to make rest call here and check for OK or Unauthorised.
// What do I return?
}
}
如果成功,我是否设置 authentication.setAuthenticated(true),否则设置为 false,仅此而已?
Do I set authentication.setAuthenticated(true) if successful and false if otherwise and thats it?
写完后,我如何配置 spring security 以使用 Java 配置文件使用此身份验证管理器?
Once this is written, how do I configure spring security to use this authentication manager using a java configuration file?
在此先感谢您的帮助.
推荐答案
看看我下面的示例.您必须返回一个 UsernamePasswordAuthenticationToken.它包含主体和 GrantedAuthorities.希望我能帮上忙:)
Take a look at my sample below. You have to return an UsernamePasswordAuthenticationToken. It contains the principal and the GrantedAuthorities. Hope I could help :)
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String username = authentication.getPrincipal() + "";
String password = authentication.getCredentials() + "";
User user = userRepo.findOne(username);
if (user == null) {
throw new BadCredentialsException("1000");
}
if (!encoder.matches(password, user.getPassword())) {
throw new BadCredentialsException("1000");
}
if (user.isDisabled()) {
throw new DisabledException("1001");
}
List<Right> userRights = rightRepo.getUserRights(username);
return new UsernamePasswordAuthenticationToken(username, null, userRights.stream().map(x -> new SimpleGrantedAuthority(x.getName())).collect(Collectors.toList()));
}
PS:userRepo 和 rightRepo 是 Spring-Data-JPA 存储库,它们访问我的自定义用户数据库
PS: userRepo and rightRepo are Spring-Data-JPA Repositories which access my custom User-DB
SpringSecurity JavaConfig:
SpringSecurity JavaConfig:
@Configuration
@EnableWebMvcSecurity
public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {
public MySecurityConfiguration() {
super(false);
}
@Override
protected AuthenticationManager authenticationManager() throws Exception {
return new ProviderManager(Arrays.asList((AuthenticationProvider) new AuthProvider()));
}
}
这篇关于具有 Spring Security 和 Java 配置的自定义身份验证管理器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!