Spring Security @AuthenticationPrincipal [英] Spring Security @AuthenticationPrincipal

问题描述

我一直在尝试让@AuthenticationPrincipal与自定义User类一起正常使用.不幸的是，用户始终为空.这是代码:

I've been trying to get @AuthenticationPrincipal to work properly with a custom User class. Unfortunately, the user is always null. Here's the code:

控制器

@RequestMapping(value = "/", method = RequestMethod.GET)
public ModelAndView index(@AuthenticationPrincipal User user) {
    ModelAndView mav= new ModelAndView("/web/index");
    mav.addObject("user", user);
    return mav;
}

安全配置

@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    CustomUserDetailsService customUserDetailsService;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(customUserDetailsService).passwordEncoder(passwordEncoder());
    }

}

CustomUserDetailsS​​ervice

@Component
public class CustomUserDetailsService implements UserDetailsService {

@Autowired
UserRepository userRepository;

@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
    // Spring Data findByXY function
    return userRepository.findByUsername(username);
}

用户实体

public class User implements UserDetails{
    private String username;
    private String password;
    private Collection<Authority> authorities;

    // Getters and Setters

}

权威实体

public class Authority implements GrantedAuthority{
    private User user;
    private String role;

    // Getters and Setters

    @Override
    public String getAuthority() {
        return this.getRole();
    }
}

我尝试了各种解决方案，例如在网上找到的像这样转换我的自定义用户对象:

I've tried various solutions to this I found online, e.g. converting my custom user object like this:

return new org.springframework.security.core.userdetails.User(user.getLogin(), user.getPassword(), true, true, true, true,  authorities);

获取活动用户的其他方法都没有问题，但是我发现@AuthenticationProvider CustomUserObject是最干净的方法，这就是为什么我想使其正常工作.任何帮助，我们将不胜感激.

The other ways to get the active users are working without a problem, but I find the @AuthenticationProvider CustomUserObject to be the cleanest way, which is why I would like to get this to work. Any help is greatly appreciated.

推荐答案

您可以直接在方法参数中为经过身份验证的用户指定依赖项，而不必使用@AuthenticationPrincipal.如下所示

Instead of using @AuthenticationPrincipal you can directly specify your dependency for authenticated user in method argument. something as given below

@RequestMapping(value = "/", method = RequestMethod.GET)
public ModelAndView index(Principal user) {
    ModelAndView mav= new ModelAndView("/web/index");
    mav.addObject("user", user);
    return mav;
} 

此Principal对象将是通过Spring安全性进行身份验证的实际对象.当该方法被调用时，Spring会为您注入.

This Principal object will be actual object that got authenticated through spring security. Spring will inject this for you when the method will get invoked.

这篇关于Spring Security @AuthenticationPrincipal的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！