How to login a user programmatically using Spring-security?

Problem description

I need to programmatically log in users that were authenticated through the Facebook API. The reason for that is that there are a number of items that are associated with each user (for example, a shopping cart); therefore, once a user is authenticated using the Facebook API, I need to log the user in using Spring Security as well to be able to access his/her shopping cart.

Based on my research, there are many methods to implement it, but I could not deploy any of them as I am sending the log-in request from my code. Another problem is that some people created a user object but did not explain how to create it.

Those who created a user object but did not explain how.

From the first example: this answer

  Authentication auth = 
  new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());

From the second example: this one

  User details = new User(username);
  token.setDetails(details);

From the third example: this one

  Authentication authentication = new UsernamePasswordAuthenticationToken(user, null,
  AuthorityUtils.createAuthorityList("ROLE_USER"));

Another example is here; it does not help because I need to log in the user from my own code, not from the browser; therefore I do not know how to populate the HttpServletRequest object.

protected void automatedLogin(String username, String password, HttpServletRequest request) {

MyCode

...
if(isAuthenticatedByFB())
{
    login(username);
    return "success";
}
else{
    return "failed";
}

Recommended answer

Unfortunately it seems there is no "complete" support of programmatic login in Spring security. Here is how I've done it successfully:

@Autowired AuthenticationSuccessHandler successHandler;
@Autowired AuthenticationManager authenticationManager;
@Autowired AuthenticationFailureHandler failureHandler;

// onAuthenticationSuccess() declares IOException and ServletException, so this method must propagate them
public void login(HttpServletRequest request, HttpServletResponse response, String username, String password)
        throws IOException, ServletException {
    UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);
    token.setDetails(new WebAuthenticationDetails(request)); // if request is needed during authentication
    Authentication auth;
    try {
        auth = authenticationManager.authenticate(token);
    } catch (AuthenticationException e) {
        // if failureHandler exists
        try {
            failureHandler.onAuthenticationFailure(request, response, e);
        } catch (IOException | ServletException se) {
            // ignore
        }
        throw e;
    }
    SecurityContext securityContext = SecurityContextHolder.getContext();
    securityContext.setAuthentication(auth);
    successHandler.onAuthenticationSuccess(request, response, auth); // if successHandler exists
    // if user has a http session you need to save context in session for subsequent requests
    HttpSession session = request.getSession(true);
    session.setAttribute("SPRING_SECURITY_CONTEXT", securityContext);
}

UPDATE: Essentially the same is done by Spring's RememberMeAuthenticationFilter.doFilter().
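
For the case in the question, where Facebook has already verified the user and there is no password to hand to an AuthenticationManager, the following added example (not part of the original answer) builds the user object from a UserDetailsService and stores an already-authenticated token in the session. The class name ExternalLoginService and the method loginVerifiedUser are hypothetical; it assumes the javax.servlet namespace, Servlet 3.1 or later, that it is called while handling a request, and that username is the local account already mapped from the server-side verified Facebook identity.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

// Hypothetical helper: call it only after the external identity was verified server-side.
public class ExternalLoginService {
    private final UserDetailsService userDetailsService;

    public ExternalLoginService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    public Authentication loginVerifiedUser(String username, HttpServletRequest request) {
        // Throws UsernameNotFoundException when no local account exists for this identity.
        UserDetails user = userDetailsService.loadUserByUsername(username);
        // Skipping the AuthenticationManager also skips its status checks, so repeat them here.
        new AccountStatusUserDetailsChecker().check(user);

        // The three-argument constructor creates a token that is already authenticated;
        // credentials stay null because no password was presented.
        UsernamePasswordAuthenticationToken auth =
                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
        auth.setDetails(new WebAuthenticationDetails(request));

        // Use a fresh context instead of mutating one that may be shared.
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(auth);
        SecurityContextHolder.setContext(context);

        // Rotate the id of any pre-login session so a fixated session id is not promoted.
        if (request.getSession(false) != null) {
            request.changeSessionId();
        }
        HttpSession session = request.getSession(true);
        session.setAttribute(
                HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);
        return auth;
    }
}
```

The authorities granted are whatever the UserDetailsService returns for the account, so the Facebook login gets no more privilege than the same user would have through the normal login path.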
