如何从 java.security.Principal 获取所有属性? [英] How to get all attributes from java.security.Principal?

问题描述

我学习 Spring 安全并使用 Spring Security 5 和 OAuth2 Login 编写简单的 Web 应用程序.我想从 Principal(电子邮件，用户名等)获取信息，但我找不到任何方法.编写一些 JSON-parser 不是一个好主意，因为我很确定有一些方法可以获取用户帐户详细信息.

I learning Spring security and write simple web app with Spring Security 5 and OAuth2 Login. I want to get information from Principal (email, username e.t.c) but I can't find any method for it. Write some JSON-parser not a best idea because I pretty sure there is some method for obtaining user account details.

配置

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .anyRequest().authenticated()
                .and().oauth2Login();
    }
}

控制器

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;

import java.security.Principal;

@Controller
public class HomeController {

    @GetMapping({"", "/"})
    @ResponseBody
    public Principal getHome(Principal principal) {
        return principal;
    }

}

应用程序.yml

spring:
  security:
    oauth2:
      client:
        registration:
          google:
            client-id: xyz1
            client-secret: secret1
          facebook:
            client-id: xyz2
            client-secret: secret2
          github:
            client-id: xyz3
            client-secret: secret3

推荐答案

通过反复试验，以及使用 Spring Boot 2.3.2 我发现在那个特定场景(带有 Spring Boot 的 OAuth2)中，您必须强制转换 Authentication 对象你开始使用 onAuthenticationSuccess 方法(是的，这就是我的场景的不同之处，因为我在我的身份验证成功处理程序中观察到了这个对象 - 但是这个场景会有很大不同吗?)到 OAuth2AuthenticationToken.如果您真的暂停执行并将 Authentication 对象添加到 Watches，您将看到它确实是那种类型.现在这个对象的 getPrincipal() 返回正确转换的 OAuth2User 对象，它有一个方法 getAttributes().我真的希望能更容易地弄清楚这一点.

Through trial and error, and with Spring Boot 2.3.2 I found out that in THAT particular scenario (OAuth2 with Spring Boot) you have to cast the Authentication object you get on onAuthenticationSuccess method (and yes, that is the difference of my scenario, because I observed this object in my authentication success handler - but would this scenario be much different?) to OAuth2AuthenticationToken. If you actually pause execution and add Authentication object to the Watches, you will see that it's really that type. Now this object's getPrincipal() returns properly cast OAuth2User object, which has a method getAttributes(). I really wish it was easier to figure that out.

事实上，在我的场景中，OAuth2User 对象可以直接传递给我的 Controller 方法(我不确定@AuthenticationPrincipal 注释是否必要或正确..):

In fact, in MY scenario, OAuth2User object could be passed to my Controller method directly (and I am not sure if that annotation @AuthenticationPrincipal is necessary or proper..):

@Controller
@RequestMapping("/authorized")
public class AuthorizedController {

    @RequestMapping("/default")
    public String handle(@AuthenticationPrincipal OAuth2User principal,
            Model m) {
         // ...
    }
}

这篇关于如何从 java.security.Principal 获取所有属性?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！