How to get user's authorization credentials in code with spring security?


Problem description


What I'm trying to do is to build a CRUD REST service. It will maintain a database of users and their records. I'd like to allow users to get access only to their own records. I use Spring Security for authentication and store the user's password hashed with Bcrypt. All I can understand right now is that my spring-security.xml should look like:

<security:http auto-config='true'>
    <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    <security:http-basic />
</security:http>

<security:authentication-manager>
    <!-- Users and roles are loaded over JDBC; passwords are verified by the "encoder" bean. -->
    <security:authentication-provider>
        <security:password-encoder ref="encoder" />
        <security:jdbc-user-service data-source-ref="dataSource"
            users-by-username-query="select username, password, enabled from users where username = ?"
            authorities-by-username-query="select username, role from user_roles where username = ?" />
    </security:authentication-provider>
</security:authentication-manager>


But for further work of the service I need to know exactly which user has been authorized. So how could I do that? And on a related matter, is there a way to get around maintaining the user's role in the database, since there are no more roles planned?

Recommended answer

Simple.

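import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

Authentication auth = SecurityContextHolder.getContext().getAuthentication();
String username = auth.getName();            // login name of the authenticated user
Object credentials = auth.getCredentials();  // null after login unless erase-credentials is false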


To access the credentials, i.e. the password, you need to set erase-credentials to false:

<security:authentication-manager erase-credentials="false">
  ...
</security:authentication-manager>
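
An added example, not part of the original question or answer: a controller that scopes every query to the authenticated user's name, which is what restricting users to their own records requires. It needs only auth.getName(), so erase-credentials can stay at its default. The RecordController class and the records table with its id, owner and body columns are assumptions; dataSource is the bean referenced in the question's configuration.

```java
import java.util.List;
import java.util.Map;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical controller; the "records" table and its columns are assumptions.
@RestController
@RequestMapping("/records")
public class RecordController {
    private final JdbcTemplate jdbc;

    @Autowired
    public RecordController(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    // The owner always comes from the security context, never from the request.
    private static String currentUsername() {
        return SecurityContextHolder.getContext().getAuthentication().getName();
    }

    @RequestMapping(method = RequestMethod.GET)
    public List<Map<String, Object>> list() {
        return jdbc.queryForList(
            "select id, body from records where owner = ?", currentUsername());
    }

    @RequestMapping(value = "/{id}", method = RequestMethod.GET)
    public ResponseEntity<Map<String, Object>> get(@PathVariable("id") long id) {
        // Filtering on owner in the same query makes another user's record id
        // indistinguishable from a missing one: both return 404.
        List<Map<String, Object>> rows = jdbc.queryForList(
            "select id, body from records where id = ? and owner = ?",
            id, currentUsername());
        if (rows.isEmpty()) {
            return new ResponseEntity<>(HttpStatus.NOT_FOUND);
        }
        return new ResponseEntity<>(rows.get(0), HttpStatus.OK);
    }
}
```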
