成功登录后如何更新Spring Security UserDetails impls? [英] How to update Spring Security UserDetails impls after successful login?

问题描述

我有一个Spring Boot应用程序，该应用程序有一个特殊要求，即用户(UserDetails impls)需要具有经过身份验证后即时更改的角色/权限.

I have a Spring Boot app that has a special requirement whereby users (UserDetails impls) need to have roles/permissions that change on the fly, after they have authenticated.

Spring Security是否允许这样做，还是我必须独立于Spring使用自己的角色/权限系统?

Does Spring Security allow for this, or will I have to use my own role/permission system independent of Spring?

我对Spring Security的理解是UserDetails impl在(成功)登录时加载一次，此后再也不会更新.但是必须随时更新用户/本金，用户登录后如何编辑用户名或密码?因此，我假设如果可以即时修改用户名/密码，那么角色和授予的权限(权限)也可以修改.

My understanding with Spring Security is that the UserDetails impl is loaded once at (successful) login and is never updated after that. But it must be possible to update the user/principal on the fly, how else would users edit their username or password when they are logged in? So I assume that if username/password can be modified on the fly, so can roles and granted authorities (permissions).

但是对于我一生来说，我无法在网上找到任何此类示例，也找不到任何说明如何执行此操作的Javadocs.另外，这里是否以任何方式涉及用户缓存(即，Spring Security是否缓存用户，并且该缓存也需要更新)?

But for the life of me I cannot find an example of this anywhere online, nor any Javadocs that explain how to do this. Also, would user caching being involved here in any way (that is, does Spring Security cache users, and would this cache need updating as well)?

我最好的尝试是类似的东西:

// My UserDetailsService impl:
public class MyUserDetailsService implements UserDetailsService {
    @Resource
    private UserCache userCache;

    // Lots of stuff up here

    public void updateUserOnTheFly(UserUpdates userUpdates) {
        MyUser user = (MyUser)SecurityContextHolder.getContext()
            .getAuthentication().getPrincipal();
        MyUserUpdater updater = new MyUserUpdater();

        // Set new roles/permissions here, as well as (perhaps) other
        // things.
        updater.update(user, userUpdates); // I believe this updates the
                        // SecurityContext's Authentication instance

        userCache.removeUserFromCache(user);    // Necessary to first remove?
        userCache.putUserInCache(user);
    }
}

我在这里吗?

推荐答案

通常，您登录后不会更新角色.您在注册时分配特定角色.例如:

Usually you don't update the roles after login. You assign specific role(s) at registration. For e.g.:

• 未登录(未经授权)
• 登录(ROLE_USER)
• 您已手动登录或根据某些逻辑分配的某些特定登录用户(ROLE_ADMIN) ...

• Not signed in (UNAUTHORIZED)
• Signed in (ROLE_USER)
• Some specific signed in user which u assign manually or based on some logic (ROLE_ADMIN) ...

，一旦用户成功登录，您就可以从UserDetails界面中读取凭据.

and once the user successfully logs in you can read the credentials from UserDetails interface.

但这是可以做到的.您的用户应实现UserDetails界面

But it can be done. Your user should implement UserDetails interface

public class MyUser implements UserDetails { ... }

然后，当您基于凭据从数据库中获取用户时，您可以更新角色/权限并返回对象.

And then when you get the user from database based on credentials you can update the roles/authorities and return back the object.

public class MyUserDetailsService implements UserDetailsService {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
    MyUser mu = customUserRepository.findByUsername(username);

    List<Authority> authorityList = (List<Authority>) mu.getAuthorities();
    authorityList.add(new Authority("ROLE_ON_THE_FLY"));

    mu.setAuthorities(authorityList);
    return mu;
}
 class Authority implements GrantedAuthority {

    private final String authority;

    public Authority(String authority) {
        this.authority = authority;
    }

    @Override
    public String getAuthority() {
        return authority;
    }
}
}

希望有帮助.

这篇关于成功登录后如何更新Spring Security UserDetails impls?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！