具有 Spring Security 和 Java 配置的自定义身份验证管理器 [英] Custom Authentication Manager with Spring Security and Java Configuration

问题描述

我正在使用 Spring Security 和 SpringMVC 创建一个与现有应用程序(我将其称为 BackendApp)对话的 Web 应用程序(为了清楚起见，我将其称为 WebApp).

I am using Spring Security with SpringMVC to create a web application (I will refer to this as the WebApp for clarity) that speaks to an existing application (I will refer to this as BackendApp).

我想将身份验证职责委托给 BackendApp(这样我就不需要同步两个应用程序).

I want to delegate authentication responsibilities to the BackendApp (so that I don't need to synchronise the two applications).

为了实现这一点，我希望 WebApp(运行 spring security)使用用户在表单中提供的用户名和密码通过 REST 与 BackendApp 通信，并根据 BackendApp 的响应是 200 OK 还是 401 Unauthorized 进行身份验证.

To implement this, I would like the WebApp (running spring security) to communicate to the BackendApp via REST with the username and password provided by the user in a form and authenticate based on whether the BackendApp's response is 200 OK or 401 Unauthorised.

我知道我需要编写一个自定义身份验证管理器来执行此操作，但是我对 spring 很陌生，无法找到有关如何实现它的任何信息.

I understand I will need to write a custom Authentication Manager to do this however I am very new to spring and can't find any information on how to implement it.

我相信我需要做这样的事情:

I believe I will need to do something like this:

public class CustomAuthenticationManager implements AuthenticationManager{

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {

        String username = authentication.getName();
        String pw       = authentication.getCredentials().toString();

        // Code to make rest call here and check for OK or Unauthorised.
        // What do I return?

    }

}

如果成功，我是否设置 authentication.setAuthenticated(true)，否则设置为 false，仅此而已?

Do I set authentication.setAuthenticated(true) if successful and false if otherwise and thats it?

写完后，我如何配置 spring security 以使用 Java 配置文件使用此身份验证管理器?

Once this is written, how do I configure spring security to use this authentication manager using a java configuration file?

在此先感谢您的帮助.

推荐答案

看看我下面的示例.您必须返回一个 UsernamePasswordAuthenticationToken.它包含主体和 GrantedAuthorities.希望我能帮上忙:)

Take a look at my sample below. You have to return an UsernamePasswordAuthenticationToken. It contains the principal and the GrantedAuthorities. Hope I could help :)

public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    String username = authentication.getPrincipal() + "";
    String password = authentication.getCredentials() + "";

    User user = userRepo.findOne(username);
    if (user == null) {
        throw new BadCredentialsException("1000");
    }
    if (!encoder.matches(password, user.getPassword())) {
        throw new BadCredentialsException("1000");
    }
    if (user.isDisabled()) {
        throw new DisabledException("1001");
    }
    List<Right> userRights = rightRepo.getUserRights(username);
    return new UsernamePasswordAuthenticationToken(username, null, userRights.stream().map(x -> new SimpleGrantedAuthority(x.getName())).collect(Collectors.toList()));
}

PS:userRepo 和 rightRepo 是 Spring-Data-JPA 存储库，它们访问我的自定义用户数据库

PS: userRepo and rightRepo are Spring-Data-JPA Repositories which access my custom User-DB

SpringSecurity JavaConfig:

SpringSecurity JavaConfig:

@Configuration
@EnableWebMvcSecurity
public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {

public MySecurityConfiguration() {
    super(false);
}

@Override
protected AuthenticationManager authenticationManager() throws Exception {
    return new ProviderManager(Arrays.asList((AuthenticationProvider) new AuthProvider()));
}

}

这篇关于具有 Spring Security 和 Java 配置的自定义身份验证管理器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！