使用Spring Security检查额外的参数 [英] Check extra parameters with Spring Security
问题描述
请在Spring Security中给出提示,如何在用户登录期间检查其他参数.
例如,不仅要检查用户名"和密码",还要检查他是否通过电子邮件链接确认了注册;
所有数据都存储在DB中,我可以通过实现UserDetailsService轻松获得它;
但是如何使安全服务注意附加参数"isValidated"?
我现在正在使用Spring 3.2.0;
Please give a hint in Spring Security, how can I check additional parameters during user login.
For example, to check not only "username" and "password", but also if he confirmed his registration with email link;
All data is stored in DB and i can get it easily with my implementation of UserDetailsService;
But how to make the security service to pay attention to the additional parameter "isValidated"?
I'm using Spring 3.2.0 now;
推荐答案
One way to achieve this is to create a custom AuthenticationProvider or to extend an existing one. In your case it might be sufficient to extend for instance the DaoAuthenticationProvider and put the logic for checking whether the account is confirmed in additionalAuthenticationChecks() method.
这里是一个例子:
public class CustomAuthenticationProvider extends DaoAuthenticationProvider {
@Override
protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
// Perform the checks from the super class
super.additionalAuthenticationChecks(userDetails, authentication);
// Cast the UserDetails to the implementation you use
User user = (User) userDetails;
// Check the confirmed status
if (!user.isAccountConfirmed()) {
throw new AccountNotConfirmedException("Account is not confirmed yet.");
}
}
public static class AccountNotConfirmedException extends AuthenticationException {
public AccountNotConfirmedException(String message) {
super(message);
}
}
}
您的UserDetails实现应包含有关帐户确认状态的信息.您可以在UserDetailsService的实现中映射此信息.
Your implementation of UserDetails should contain the information about account confirmation status. You can map this information in your implementation of UserDetailsService.
现在,我来看一下,第一个解决方案有些复杂.您可以轻松解决此问题,而无需使用自定义AuthenticationProvider.如果未确认帐户,只需确保您的UserDetails实现的isEnabled()返回false.如果enabled属性为false,则将不允许身份验证(Spring Security会自动对其进行处理).
Now that I look at it, the first solution is a bit overcomplicated. You can easily solve this problem without using custom AuthenticationProvider. Just make sure that isEnabled() of your UserDetails implementation returns false if the account is not confirmed. If the enabled property is false authentication will not be allowed (this is automatically taken care of by Spring Security).
例如,如果要显式处理AuthenticationFailureHandler中的AccountNotConfirmedException,则第一个解决方案可能仍然有用.
The first solution might still be useful if you want explicitly handle the AccountNotConfirmedException in AuthenticationFailureHandler for instance.
这篇关于使用Spring Security检查额外的参数的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
