What is the difference between registering an AuthenticationProvider with HttpSecurity vs AuthenticationManagerBuilder in Spring Security?


Problem description

WebSecurityConfigurerAdapter offers two overrides as follows:

protected void configure(AuthenticationManagerBuilder auth)

and

protected void configure(HttpSecurity http)

Both HttpSecurity and AuthenticationManagerBuilder offer registration for authenticationProviders. Is there any difference between registering my providers with one vs the other?

I'm also using Spring Boot 2.1 with @SpringBootApplication(exclude = SecurityAutoConfiguration.class) to turn off their autoconfig completely.

Solution

From Spring Security Architecture

The main strategy interface for authentication is AuthenticationManager [...]

The most commonly used implementation of AuthenticationManager is ProviderManager, which delegates to a chain of AuthenticationProvider instances. An AuthenticationProvider is a bit like an AuthenticationManager [...]

A ProviderManager can support multiple different authentication mechanisms in the same application by delegating to a chain of AuthenticationProviders. If a ProviderManager doesn’t recognise a particular Authentication instance type it will be skipped.

A ProviderManager has an optional parent, which it can consult if all providers return null. If the parent is not available then a null Authentication results in an AuthenticationException.

Generally speaking, WebSecurityConfigurerAdapter provides configuration for HttpSecurity; apart from Filter configuration (like UsernamePasswordAuthenticationFilter, LogoutFilter etc.), it also creates and configures (adding AuthenticationProviders and a parent AuthenticationManager) AuthenticationManagers in HttpSecurity by using AuthenticationManagerBuilder.

WebSecurityConfigurerAdapter will create only one AuthenticationManager for HttpSecurity. However, AuthenticationManager has its own AuthenticationProviders and its own optional parent AuthenticationProvider. When you are doing http.authenticationProvider(...) you are adding a new AuthenticationProvider to the AuthenticationManager which belongs to that http. By using configure(AuthenticationManagerBuilder auth) you are configuring the AuthenticationManager which is the parent of the AuthenticationManager which belongs to that particular HttpSecurity.

Spring is providing default configuration for the parent of that particular AuthenticationManager, but by using configure(AuthenticationManagerBuilder auth) you are rejecting Spring's configuration in favour of your (auth).
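
The parent/child relationship described in the answer, built by hand with ProviderManager. This is an added example, not part of the original question or answer and not Spring's own code. The provider helper, class name, user names and passwords are constructed for illustration; it needs only spring-security-core on the classpath.

```java
import java.util.Collections;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;

public class ParentChildManagerDemo {
    // Hypothetical single-user provider (constructed credentials); null means "cannot decide".
    static AuthenticationProvider provider(String user, String password, String role) {
        return new AuthenticationProvider() {
            @Override
            public Authentication authenticate(Authentication a) {
                if (!user.equals(a.getName())) return null;
                if (!password.equals(a.getCredentials())) throw new BadCredentialsException("bad password");
                return new UsernamePasswordAuthenticationToken(user, null, AuthorityUtils.createAuthorityList(role));
            }
            @Override
            public boolean supports(Class<?> type) {
                return UsernamePasswordAuthenticationToken.class.isAssignableFrom(type);
            }
        };
    }

    // Runs one login attempt and reports the granted authorities or the rejection type.
    static String tryLogin(AuthenticationManager m, String user, String password) {
        try {
            Authentication result = m.authenticate(new UsernamePasswordAuthenticationToken(user, password));
            return user + " -> " + result.getAuthorities();
        } catch (AuthenticationException e) {
            return user + " -> rejected (" + e.getClass().getSimpleName() + ")";
        }
    }

    public static void main(String[] args) {
        // Parent: the manager that configure(AuthenticationManagerBuilder auth) configures.
        AuthenticationManager parent = new ProviderManager(
                Collections.singletonList(provider("bob", "pw-parent", "ROLE_FROM_PARENT")));
        // Child: the manager belonging to one HttpSecurity, where http.authenticationProvider(...) adds.
        AuthenticationManager child = new ProviderManager(
                Collections.singletonList(provider("alice", "pw-child", "ROLE_FROM_CHILD")), parent);
        System.out.println(tryLogin(child, "alice", "pw-child"));  // handled by the child's own provider
        System.out.println(tryLogin(child, "bob", "pw-parent"));   // child provider returns null, parent is consulted
        System.out.println(tryLogin(child, "carol", "x"));         // no provider in either manager decides
        System.out.println(tryLogin(parent, "alice", "pw-child")); // the parent never sees the child's providers
    }
}
```

Delegation only runs from child to parent, so a provider registered on the parent is reachable from every child manager that uses it, while a provider registered on one child stays local to that child.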
