Spring boot 2.1.0 security change with kotlin data class?


Problem description

This problem makes me physically ill.

Jokes aside, I've been trying to add an authentication layer to my web app using spring-boot with the security plugin. Here is my data class.

@Document(collection = "user")
data class User (
        var name : String,
        var password : String,
        var email : String,
        var type : String,
        var status : String,
        var balance : Int
){
    @Id val id : String = ObjectId.get().toHexString()
}

After some searching, Ctrl+C, Ctrl+V, I've successfully set up some custom authentication that will get user information from the database. It looks like this:

override fun loadUserByUsername(name : String): UserDetails {
    logger.info(name)
    val user = repo.findByName(name)
    return User(user!!.name,passwordEncoder.encode(user.password),AuthorityUtils.NO_AUTHORITIES)
}

Here is where the fun begins: it seems that the code never runs past val user = repo.findByName(name). The worst thing is, there is no exception being thrown; the code runs to that line and the rest just disappears. Out of frustration, I decided to fake the return object so that I could get past the authentication like this:

    override fun loadUserByUsername(name : String): UserDetails {
        logger.info(name)
        //val user = repo.findByName(name)
        logger.debug("asdkfhasdklfjhasdf")
        return User("string",passwordEncoder.encode("you"),AuthorityUtils.NO_AUTHORITIES)
    }

Now, finally, I can get an exception:

{
  "timestamp": "2018-11-08T18:08:29.541+0000",
  "status": 500,
  "error": "Internal Server Error",
  "message": "No accessor to set property @org.springframework.data.annotation.Id()private final java.lang.String com.sonnbh.jwt.User.id!",
  "path": "/user"
}

The exception states that Spring cannot access property id, so I changed the type of id from val to var.

@Document(collection = "user")
data class User (
        var name : String,
        var password : String,
        var email : String,
        var type : String,
        var status : String,
        var balance : Int
){
    @Id var id : String = ObjectId.get().toHexString()
}

Finally, my app works as expected. However, after some attempts at digging deeper into the problem, I found that this problem only occurs with spring-boot v2.1.0. My old project, which uses spring-boot v2.0.5, actually runs fine with val id. This led me to some questions:

  1. Did I implement my old data class User properly? I just want to prevent any change to User.id after it has been read from the database or init. What can I do to improve?
  2. Why can't spring-boot v2.1 access the property like spring-boot v2.0.5 did?

Recommended answer

Spring Data in 2.1 has changed the way in which it deals with final fields in entities. It no longer uses reflection to override the immutability of the fields, which in general is good. There are a few ways to cope with the problem.

They are described here: These are the suggestions from the Spring team:

  1. Add a @PersistenceConstructor to construct the entity that sets immutable fields.
  2. Add wither methods (MyEntity withXxx(…)) to create a new instance that contains the changed property value.
  3. Alternatively: Use Kotlin's data class feature. This will basically do the same as wither methods.
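
The third suggestion applied to the User class from the question, as an added example that is not part of the original answer: id becomes a val in the primary constructor, so it is set when the object is constructed and never through a setter. The values in main are constructed for illustration, and the snippet assumes the same spring-data-mongodb dependency the question already uses.

```kotlin
import org.bson.types.ObjectId
import org.springframework.data.annotation.Id
import org.springframework.data.mongodb.core.mapping.Document

// id is a constructor property: it is supplied when the object is created
// (freshly generated for a new user, or the stored value when the document
// is read back), so no setter or reflective write to a final field is needed.
@Document(collection = "user")
data class User(
    @Id val id: String = ObjectId.get().toHexString(),
    var name: String,
    var password: String,
    var email: String,
    var type: String,
    var status: String,
    var balance: Int
)

fun main() {
    // Constructed sample values, for illustration only.
    val created = User(
        name = "alice",
        password = "<encoded-password-placeholder>",
        email = "alice@example.com",
        type = "customer",
        status = "active",
        balance = 0
    )

    // copy() is the generated "wither": a new instance with one value changed.
    val topped = created.copy(balance = 100)
    check(topped.id == created.id)      // id carried over unchanged
    check(created.balance == 0)         // original instance untouched

    // created.id = "other"             // does not compile: val cannot be reassigned
    println("${created.id} -> balance ${topped.balance}")
}
```

With id in the primary constructor it also takes part in equals(), hashCode() and copy(), which the body-declared property in the question did not.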
