春季安全性:configure(AuthenticationManagerBuilder auth)vs authenticationManagerBean() [英] Spring Security : configure(AuthenticationManagerBuilder auth) vs authenticationManagerBean()
问题描述
我正在配置Spring Security.为了对用户进行身份验证和授权,我覆盖了WebSecurityConfigurerAdapter的configure(AuthenticationManagerBuilder auth).这很好.下面是我的代码:
I am configuring Spring Security. To authenticate and authorize users, I override configure(AuthenticationManagerBuilder auth) of WebSecurityConfigurerAdapter. This works fine. Below is my code:
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(customUserDetailsService)
.passwordEncoder(getPasswordEncoder());
}
但是,当我尝试启用方法级安全性时,使用@EnableGlobalMethodSecurity(securedEnabled = true)的每个操作都会引发异常:
But when I try to to enable method level security, per action, using @EnableGlobalMethodSecurity(securedEnabled = true) it throws an exception:
未找到AuthenticationManager
No AuthenticationManager found
根据我的理解,AuthenticationManager用于对用户进行身份验证和授权,我已经使用configure(AuthenticationManagerBuilder auth)进行了此操作,而Spring正在注入auth对象本身.
As per my understanding AuthenticationManager is used to authenticate and authorize users, which I was already doing using configure(AuthenticationManagerBuilder auth) and Spring was injecting auth object itself.
为什么我需要手动注册AuthenticationManager?
Why I need to register AuthenticationManager manually?
@Bean @Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
configure(AuthenticationManagerBuilder auth)和authenticationManagerBean()的不同用途是什么?
What are the differennt purposes configure(AuthenticationManagerBuilder auth) and authenticationManagerBean() serves?
我正在扩展WebSecurityConfigurerAdapter.为什么我需要通过覆盖authenticationManagerBean()提供自定义AuthenticationManager.
I am extending WebSecurityConfigurerAdapter. Why I need to provide a custom AuthenticationManager by overriding authenticationManagerBean().
推荐答案
Your configuration class extends WebSecurityConfigurerAdapter, which only configures web security (not method security):
提供一个方便的基类来创建
WebSecurityConfigurer实例.该实现允许通过覆盖方法进行自定义.
Provides a convenient base class for creating a
WebSecurityConfigurerinstance. The implementation allows customization by overriding methods.
因此,您的AuthenticationManager仅用于网络安全.
So your AuthenticationManager is only used for web security.
If you want to configure (change the defaults) method security, you can extend GlobalMethodSecurityConfiguration:
Base
Configuration用于启用全局方法安全性.类可以扩展此类以自定义默认值,但必须确保在子类上指定EnableGlobalMethodSecurity批注.
Base
Configurationfor enabling global method security. Classes may extend this class to customize the defaults, but must be sure to specify theEnableGlobalMethodSecurityannotation on the subclass.
要配置AuthenticationManager的方法安全性,您可以
To configure AuthenticationManager for method security, you can
-
将您的
AuthenticationManager暴露为可以由GlobalMethodSecurityConfiguration自动连接的bean,请参见 expose your
AuthenticationManageras a bean that can be autowired byGlobalMethodSecurityConfiguration, seeWebSecurityConfigurerAdapter#authenticationManagerBean:重写此方法可将
configure(AuthenticationManagerBuilder)中的AuthenticationManager公开为Bean.Override this method to expose the
AuthenticationManagerfromconfigure(AuthenticationManagerBuilder)to be exposed as a Bean.-
通过自动装配全局
AuthenticationManagerBuild仅使用一个全局AuthenticationManager,请参阅 use only one global
AuthenticationManagerby autowiring the globalAuthenticationManagerBuild, see Spring Security 3.2.0.RC2 Released:例如,如果要配置全局身份验证(即,只有一个AuthenticationManager),则应自动连接AuthenticationMangerBuilder:
For example, if you want to configure global authentication (i.e. you only have a single AuthenticationManager) you should autowire the AuthenticationMangerBuilder:
@Autowired public void configureGlobal(AuthenticationManagerBuilder auth) { // ... configure it ... }
这篇关于春季安全性:configure(AuthenticationManagerBuilder auth)vs authenticationManagerBean()的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
