使用带有 Spring Security 插件的现有域类 [英] use existing domain classes with Spring Security plugin

问题描述

我正在尝试将 Stripes 网络应用程序转换为 Grails.Stripes 应用程序使用 Spring Security，但我希望 Grails 应用程序使用 Spring Security Grails 插件.

I'm trying to convert a Stripes web app to Grails. The Stripes app uses Spring Security, but I would like the Grails app to use the Spring Security Grails plugin.

该应用程序已经有 User 和 Role (Java) 类需要重用，即我不能使用 s2-quickstart 脚本生成.

The app already has User and Role (Java) classes that I need to reuse, i.e. I cannot use the Grails domain classes that the s2-quickstart script generates.

Spring Security 插件文档描述了如何使用现有的 User 域类.步骤似乎是:

The Spring Security plugin docs describe how to use an existing User domain class. The steps seem to be:

1. 定义一个从现有User域类读取的UserDetails实现
2. 定义返回 (1) 实例的自定义 UserDetailsS​​ervice 实现
3. 将 (2) 的一个实例注册为一个名为 userDetailsS​​ervice 的 Spring bean.

1. define a UserDetails implementation that reads from the existing User domain class
2. define a custom UserDetailsService implementation that returns instances of (1)
3. register an instance of (2) as a Spring bean named userDetailsService.

然而，文档没有提供有关如何使用现有 Role 类以及表示 User 和 之间的多对多关系的类的任何信息代码>角色.

However the docs don't provide any information about how to use an existing Role class and the class that represents the many-to-many relationship between User and Role.

要将现有的 Role、User 和 UserRole 类与 Grails Spring Security 插件一起使用，还需要哪些其他步骤?我有什么理由运行 s2-quickstart 脚本?

What other steps are necessary to use existing Role, User, and UserRole classes with the Grails Spring Security plugin? Is there any reason for me to run the s2-quickstart script if I don't want to generate any domain classes?

最后，你需要的是一个新的 GrailsUser

In the end, what you need is a new GrailsUser

大概 GrailsUser 这里指的是自定义的 UserDetails 实现?就我而言，我可能会直接实现接口.这样的事情看起来合理吗?

Presumably GrailsUser here refers to the custom UserDetails implementation? In my case I'll probably just implement the interface directly. Does something like this seem reasonable?

class UserAdapter implements UserDetails {
  private String password  
  private Collection<GrantedAuthority> springRoles

  UserAdapter(User user) {
    this.password = user.password

    Collection<Role> roles = // load legacy Role objects
    this.springRoles = roles.collect { new GrantedAuthorityImpl(it.authority) }
  }      

  // If using password hashing, presumably this is the hashed password?
  String getPassword() {
    password  
  }

  ///////// other UserDetails methods omitted

  Collection<GrantedAuthority> getAuthorities() {
    springRoles
  }
}

我没有将整个 User 对象存储在 UserAdapter 中，因为您警告说在 HTTP 会话中存储一个潜在的大对象.

I'm not storing the whole User object within UserAdapter because of your warning about storing a potentially large object in the HTTP session.

你需要的是.....和一个 GrantedAuthority 实例列表(如果是 GrailsUser 则是 id)

what you need is.....and a List of GrantedAuthority instances (and the id if it's a GrailsUser)

如果我像上面一样使用我自己的 UserDetails 实现，那么大概我可以忽略这个关于提供 id 的评论?

If I use my own UserDetails implementation as above, then presumably I can ignore this comment about providing an id?

最后，如果我按照上面概述的方法，我应该设置 Config.groovy 中的这些属性，我是否需要运行 s2-quickstart 脚本(或任何其他脚本)?

Finally, if I follow the approach outlined above, should I set these properties in Config.groovy and do I need to run the s2-quickstart script (or any others)?

推荐答案

请记住，Spring Security 并不关心数据来自哪里，它只需要一个 UserDetails 实例与DAO 身份验证提供程序，它可以来自任何地方.使用域类和数据库表很方便，但这只是一种方法.做对您的数据有用的事情.最后，您需要的是一个新的 GrailsUser(或其他一些 impl)实例，其中包含 username 和 password 集，3 个布尔值集，以及 GrantedAuthority 实例列表(如果是 GrailsUser，则为 id).

Keep in mind that Spring Security doesn't care where the data comes from, it just needs a UserDetails instance when authenticating with the DAO auth provider and it can come from anywhere. It's convenient to use domain classes and database tables, but it's just one approach. Do what works for your data. In the end, what you need is a new GrailsUser (or some other impl) instance with the username and password set, the 3 booleans set, and a List of GrantedAuthority instances (and the id if it's a GrailsUser).

当您拥有旧用户和角色数据时，最简单的做法是创建自定义 UserDetailsS​​ervice.使用 GORM、原始 SQL 查询，以及获取所需数据所需的任何内容.

The simplest thing to do when you have legacy user and role data is to create a custom UserDetailsService. Use GORM, raw SQL queries, whatever you need to get the required data.

另一种选择是编写您自己的 AuthenticationProvider，就像 Glen 在这里所做的那样:http://blogs.bytecode.com.au/glen/2010/01/15/hacking-custom-authentication-providers-with-grails-spring-security.html - 尽管这是一个更大的解决方案，它还涉及您不需要的自定义过滤器.DAO 提供程序使用 UserDetailsS​​ervice，但您可以创建自己的将功能合并到一个类中的服务.

Another option is to write your own AuthenticationProvider like Glen did here: http://blogs.bytecode.com.au/glen/2010/01/15/hacking-custom-authentication-providers-with-grails-spring-security.html - although that's a larger solution that also involves a custom filter which you wouldn't need. The DAO provider uses a UserDetailsService but it's fine to create your own that combines the functionality into one class.

不过，将您的 User 域类重用为 UserDetails 并不是一个好主意.即使您实现了该接口，您也会在 HTTP 会话中存储一个断开连接的潜在大(如果有附加的集合)对象.POJO/POGO 实现(Spring Security 的 User 类、插件的 GrailsUser 类等)非常小，只有几个字符串和布尔值.

It's not a good idea to reuse your User domain class as the UserDetails though. Even if you implement the interface, you'd be storing a disconnected potentially large (if there are attached collections) object in the HTTP session. The POJO/POGO implementations (Spring Security's User class, the plugin's GrailsUser class, etc.) are very small and just a few Strings and booleans.

这篇关于使用带有 Spring Security 插件的现有域类的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！