Spring Security如何添加/配置AuthenticationManagerBuilder? [英] How Spring Security add/configure AuthenticationManagerBuilder?

问题描述

我正在研究基于Spring Security Java的配置.

I am working on Spring Security Java-based configuration.

我已经创建了自己的 MyAuthenticationProvider ，我想在 ProviderManager ( AuthenticationManager 的单个实例)中注册.

I have created my own MyAuthenticationProvider which I want to register in the ProviderManager (single instance of AuthenticationManager).

我发现 ProviderManager 有一个提供程序列表，可以在其中注册我的单个 MyAuthenticationProvider .

I have found that ProviderManager has a list of providers to which I can register my single MyAuthenticationProvider.

这是我的配置的一部分:

Here is the part of my Configuration:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(MyAuthenticationProvider);
    }
}

我发现 AuthenticationManagerBuilder 具有 parentAuthenticationManager ， defaultUserDetailsS​​ervice 和许多其他字段.

I found out that AuthenticationManagerBuilder has parentAuthenticationManager, defaultUserDetailsService and many other fields.

我的问题是:

1. 此 @Autowired 注释从何处添加 AuthenticationManagerBuilder 身份验证?在应用程序上下文中是否已经创建了 AuthenticationManagerBuilder ?
2. 正在注入的 AuthenticationManagerBuilder 的默认状态是什么?默认状态下，我是说会在 AuthenticationManagerBuilder 中注册一些 parentAuthenticationManager ， authenticationProvider 吗?
3. 如果我要添加 auth.authenticationProvider(MyAuthenticationProvider)，这是否意味着我要在 AuthenticationManagerBuilder 中添加一个提供程序?

4. 这是什么意思?摘自Spring文档

1. Where is this @Autowired annotation adding AuthenticationManagerBuilder auth from? Is the AuthenticationManagerBuilder already created in the application context?
2. What would be the default state of AuthenticationManagerBuilder which is being injected? By default state I mean will there be some parentAuthenticationManager, authenticationProviders already registered in the AuthenticationManagerBuilder?
3. If I am adding auth.authenticationProvider(MyAuthenticationProvider), does this mean that I am adding one more provider in the AuthenticationManagerBuilder?

4. What does this mean? Taken from Spring Documentation

configureGlobal方法的名称并不重要.但是，仅在类中配置AuthenticationManagerBuilder很重要用@ EnableWebSecurity，@ EnableWebMvcSecurity注释，@EnableGlobalMethodSecurity或@EnableGlobalAuthentication.正在做否则会有无法预测的结果.

The name of the configureGlobal method is not important. However, it is important to only configure AuthenticationManagerBuilder in a class annotated with either @EnableWebSecurity, @EnableWebMvcSecurity, @EnableGlobalMethodSecurity, or @EnableGlobalAuthentication. Doing otherwise has unpredictable results.

推荐答案

答案1:

@EnableWebSecurity 用 @EnableGlobalAuthentication

...
@EnableGlobalAuthentication
@Configuration
public @interface EnableWebSecurity {
...

和 @EnableGlobalAuthentication 导入 AuthenticationConfiguration :

...
@Import(AuthenticationConfiguration.class)
@Configuration
public @interface EnableGlobalAuthentication {
}

在 AuthenticationConfiguration 中，您将看到已声明 AuthenticationManagerBuilder bean:

In AuthenticationConfiguration, you'll see that an AuthenticationManagerBuilder bean is declared:

...
@Bean
public AuthenticationManagerBuilder authenticationManagerBuilder(
        ObjectPostProcessor<Object> objectPostProcessor, ApplicationContext context) {
    ...
}

当您 @Autowire 一个 AuthenticationManagerBuilder 时，这就是您将获得的.您可以使用多种方法轻松配置内存，jdbc，ldap，...身份验证.

When you @Autowire an AuthenticationManagerBuilder, this is the one that you will get. You have several methods at your disposal to easily configure in-memory, jdbc, ldap,... authentication.

背景:

Spring Security Java配置经历了多个阶段，以无缝地将您的配置与 ApplicationContext 合并.一个合并在一起的地方是 WebSecurityConfigurerAdapter .

The Spring Security Java config goes through several stages to seamlessly incorporate your configurations with the ApplicationContext.One place where this comes together is in the getHttp() method in WebSecurityConfigurerAdapter.

例如，这是节选:

AuthenticationManager authenticationManager = authenticationManager();

authenticationBuilder.parentAuthenticationManager(authenticationManager);

让您了解如何非直截了当"配置顺序为，上面的authenticationManager变量将为:

To give you an idea of how "not-straightforward" the sequence of configuration is, the authenticationManager variable above will be either:

• 您通过覆盖 configure(AuthenticationManagerBuilder auth)
添加的身份验证管理器
• OR:您在通过AuthenticationConfiguration
对 AuthenticationManagerBuilder bean进行 @Autowired 的方法中添加的身份验证管理器
• OR:在上下文中找到的AuthenticationManager bean

• The authentication manager you added by overriding configure(AuthenticationManagerBuilder auth)
• OR: The authentication manager you added in the method that @Autowired the AuthenticationManagerBuilder bean from AuthenticationConfiguration
• OR: an AuthenticationManager bean found in the context

默认情况下，我是说在 AuthenticationManagerBuilder

如果查看 AuthenticationConfiguration ，您会发现默认情况下， InitializeUserDetailsBeanManagerConfigurer 将应用于 AuthenticationManagerBuilder bean.只要它在上下文中找到 UserDetailsS​​ervice bean，并且没有添加其他提供程序，它将添加 DaoAuthenticationProvider .这就是为什么在 Spring Security参考，仅提供@Bean UserDetailsS​​ervice bean就足够了.

If you look at AuthenticationConfiguration, you'll see that by default, the InitializeUserDetailsBeanManagerConfigurer is applied to the AuthenticationManagerBuilder bean. As long as it finds a UserDetailsService bean in the context and no other provider has been added, it will add a DaoAuthenticationProvider. This is why in the Spring Security reference, only providing a @Bean UserDetailsService bean is sufficient.

但是，一旦您像添加身份验证提供程序一样，"default"(默认)提供者尚未注册.

But once you add an authentication provider as you did, the "default" provider is not registered.

这篇关于Spring Security如何添加/配置AuthenticationManagerBuilder?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！