Spring Security 2.0.6 what calls the loadUserByName method of an UserDetailService


Problem description


I'm building a simple Spring MVC app, and now I'm trying to add Spring Security. I've added a customUserDetailsService that uses a DAO to access a MySQL database and get users.

@Transactional(readOnly = true)
public class CustomUserDetailService implements UserDetailsService {

    @EJB(name = "UserDAOLocal")
    UserDAOLocal dao = null;

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
        System.out.println("Checking if this is invoked");
        UserDetails user = null;
        DBUsers dbUser = dao.findUserName(username);

        user = new User(dbUser.getUserName(), dbUser.getPassword(), true, true, true, true, getAuthorities(dbUser.getAccess()));
        return user;
    }

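    private GrantedAuthority[] getAuthorities(Integer access) {
        // Every user gets ROLE_USER; access level 1 additionally gets ROLE_ADMIN.
        // The array is sized to the roles actually granted so it never holds a null entry.
        boolean admin = access != null && access.compareTo(1) == 0;
        GrantedAuthority[] authList = new GrantedAuthority[admin ? 2 : 1];

        authList[0] = new GrantedAuthorityImpl("ROLE_USER");
        if (admin) {
            authList[1] = new GrantedAuthorityImpl("ROLE_ADMIN");
        }
        return authList;
    }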
}

And I've added the UserDetailsService to the Spring-security.xml.

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider user-service-ref="customUserDetailsService"/>
</security:authentication-manager>

<bean id="customUserDetailsService" class="service.CustomUserDetailService"/>

I put j_spring_security_check as the action to the login form on the login.jsp page.

When I enter a valid username and password, the app always says it's wrong. What's more, I can't find any evidence that the customUserDetailsService is running at any time. (I used System.out.println("Checking if this is invoked") to check on the server.)

What invokes the loadUserByUsername() method of the CustomUserDetailsService? When is it invoked?

How can I configure it?

(All the code I supplied might be unnecessary :))

EDIT: Here is the rest of the Spring-Security.xml

<security:http auto-config="true">


    <security:intercept-url pattern="/AddEmployee.htm" access="ROLE_ADMIN"/>
    <security:intercept-url pattern="/FireEmployee.htm" access="ROLE_ADMIN"/>
    <security:intercept-url pattern="/employees.htm" access="ROLE_USER"/>

    <security:form-login login-page="/login.htm"
        authentication-failure-url="/login.htm?error=true"
        login-processing-url="/j_spring_security_check.htm"
        default-target-url="/common.htm"/>

    <security:logout
        invalidate-session="true"
        logout-success-url="/login.htm"
        logout-url="/logout.htm"/>

</security:http>

I worked around the problem by editing the authentication provider like this. I decided not to use the DAO and user database, and used hard-coded users inside the XML file:

<security:authentication-provider>
    <security:user-service>
        <security:user name="sam" password="sam123" authorities="ROLE_ADMIN,ROLE_USER" />
        <security:user name="pam" password="pam123" authorities="ROLE_USER" />
    </security:user-service>
</security:authentication-provider>

This works perfectly.

But I would like to know why my customUserDetailService was never used, and learn how to use it correctly.

Solution

Sharing more config from Spring-security.xml would help (if possible).

Spring Security is designed so that your authentication provider calls the loadUserByUsername() method of the UserDetailsService, which returns a UserDetails object. The process is as follows:

  • The task of the Authentication Manager is to authenticate the user, so it sends the user name to the Authentication Provider.

  • The Authentication Provider calls the loadUserByUsername() method and passes the user name as a String, which returns a UserDetails object.

  • Now this UserDetails object contains all the necessary information for authentication, such as username, password, isEnabled, etc.

Now if you want to customize the UserDetailsService to use your DAO, you can customize it.

This is how your authentication process works. You can refer to this link for a broader understanding.
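
The call chain described in the answer, wired by hand as an added example (not code from the question or the answer). It assumes Spring Security 2.0.x on the classpath with its `org.springframework.security.*` packages; `CallChainDemo` and `TracingUserDetailsService` are hypothetical names, and the in-memory user is constructed sample data standing in for the DAO lookup.

```java
import java.util.Collections;

import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.providers.ProviderManager;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
import org.springframework.security.providers.dao.DaoAuthenticationProvider;
import org.springframework.security.userdetails.User;
import org.springframework.security.userdetails.UserDetails;
import org.springframework.security.userdetails.UserDetailsService;
import org.springframework.security.userdetails.UsernameNotFoundException;

public class CallChainDemo {

    // Hypothetical stand-in for a DAO-backed service; the single user is constructed sample data.
    static class TracingUserDetailsService implements UserDetailsService {
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            // Print the nearest callers so the invoking provider and manager are visible.
            System.out.println("loadUserByUsername(" + username + ") called from:");
            StackTraceElement[] stack = new Throwable().getStackTrace();
            for (int i = 1; i < Math.min(stack.length, 5); i++) {
                System.out.println("  " + stack[i]);
            }
            // Unknown users must raise UsernameNotFoundException, never return null.
            if (!"sam".equals(username)) {
                throw new UsernameNotFoundException("No such user: " + username);
            }
            return new User("sam", "sam123", true, true, true, true,
                    new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_USER") });
        }
    }

    public static void main(String[] args) throws Exception {
        // Equivalent of <security:authentication-provider user-service-ref="..."/>
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new TracingUserDetailsService());
        provider.afterPropertiesSet();

        // The manager delegates each authentication request to its providers in turn.
        ProviderManager manager = new ProviderManager();
        manager.setProviders(Collections.singletonList(provider));
        manager.afterPropertiesSet();

        // This is what the login filter does with the submitted form fields.
        Authentication result = manager.authenticate(
                new UsernamePasswordAuthenticationToken("sam", "sam123"));
        System.out.println("authenticated=" + result.isAuthenticated());
    }
}
```

If the trace never prints in the real application, the login request is not reaching a provider that holds this service, which points at the filter or provider wiring rather than at the service itself.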
