春季安全性:configure(AuthenticationManagerBuilder auth)vs authenticationManagerBean() [英] Spring Security : configure(AuthenticationManagerBuilder auth) vs authenticationManagerBean()
问题描述
我正在配置Spring Security.为了对用户进行身份验证和授权,我覆盖了WebSecurityConfigurerAdapter
的configure(AuthenticationManagerBuilder auth)
.这很好.下面是我的代码:
I am configuring Spring Security. To authenticate and authorize users, I override configure(AuthenticationManagerBuilder auth)
of WebSecurityConfigurerAdapter
. This works fine. Below is my code:
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(customUserDetailsService)
.passwordEncoder(getPasswordEncoder());
}
但是,当我尝试启用方法级安全性时,使用@EnableGlobalMethodSecurity(securedEnabled = true)
的每个操作都会引发异常:
But when I try to to enable method level security, per action, using @EnableGlobalMethodSecurity(securedEnabled = true)
it throws an exception:
未找到AuthenticationManager
No AuthenticationManager found
根据我的理解,AuthenticationManager
用于对用户进行身份验证和授权,我已经使用configure(AuthenticationManagerBuilder auth)
进行了此操作,而Spring正在注入auth
对象本身.
As per my understanding AuthenticationManager
is used to authenticate and authorize users, which I was already doing using configure(AuthenticationManagerBuilder auth)
and Spring was injecting auth
object itself.
为什么我需要手动注册AuthenticationManager
?
Why I need to register AuthenticationManager
manually?
@Bean @Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
configure(AuthenticationManagerBuilder auth)
和authenticationManagerBean()
的不同用途是什么?
What are the differennt purposes configure(AuthenticationManagerBuilder auth)
and authenticationManagerBean()
serves?
我正在扩展WebSecurityConfigurerAdapter
.为什么我需要通过覆盖authenticationManagerBean()
提供自定义AuthenticationManager
.
I am extending WebSecurityConfigurerAdapter
. Why I need to provide a custom AuthenticationManager
by overriding authenticationManagerBean()
.
推荐答案
Your configuration class extends WebSecurityConfigurerAdapter
, which only configures web security (not method security):
提供一个方便的基类来创建
WebSecurityConfigurer
实例.该实现允许通过覆盖方法进行自定义.
Provides a convenient base class for creating a
WebSecurityConfigurer
instance. The implementation allows customization by overriding methods.
因此,您的AuthenticationManager
仅用于网络安全.
So your AuthenticationManager
is only used for web security.
If you want to configure (change the defaults) method security, you can extend GlobalMethodSecurityConfiguration
:
Base
Configuration
用于启用全局方法安全性.类可以扩展此类以自定义默认值,但必须确保在子类上指定EnableGlobalMethodSecurity
批注.
Base
Configuration
for enabling global method security. Classes may extend this class to customize the defaults, but must be sure to specify theEnableGlobalMethodSecurity
annotation on the subclass.
要配置AuthenticationManager
的方法安全性,您可以
To configure AuthenticationManager
for method security, you can
-
将您的
AuthenticationManager
暴露为可以由GlobalMethodSecurityConfiguration
自动连接的bean,请参见 expose your
AuthenticationManager
as a bean that can be autowired byGlobalMethodSecurityConfiguration
, seeWebSecurityConfigurerAdapter#authenticationManagerBean
:重写此方法可将
configure(AuthenticationManagerBuilder)
中的AuthenticationManager
公开为Bean.Override this method to expose the
AuthenticationManager
fromconfigure(AuthenticationManagerBuilder)
to be exposed as a Bean.-
通过自动装配全局
AuthenticationManagerBuild
仅使用一个全局AuthenticationManager
,请参阅 use only one global
AuthenticationManager
by autowiring the globalAuthenticationManagerBuild
, see Spring Security 3.2.0.RC2 Released:例如,如果要配置全局身份验证(即,只有一个AuthenticationManager),则应自动连接AuthenticationMangerBuilder:
For example, if you want to configure global authentication (i.e. you only have a single AuthenticationManager) you should autowire the AuthenticationMangerBuilder:
@Autowired public void configureGlobal(AuthenticationManagerBuilder auth) { // ... configure it ... }
这篇关于春季安全性:configure(AuthenticationManagerBuilder auth)vs authenticationManagerBean()的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!