其他部分代码缺少Springboot安全权限 [英] Springboot security authorities missing in other part of the code
问题描述
在我的 Spring Boot 应用程序中,
In my spring boot application,
成功登录后,我在上下文中设置了身份验证详细信息(权限中的用户角色)
After successful login I set the authentication details (with user roles in authorities) in the context
// Perform the authentication
Authentication authentication = authenticationManager.authenticate(
new UsernamePasswordAuthenticationToken(
authenticationRequest.getUsername(),
authenticationRequest.getPassword()
)
);
SecurityContextHolder.getContext().setAuthentication(authentication);
但是当我尝试在代码的其他部分再次访问角色时,权限为空.否则,其中包含所有其他安全详细信息.
But when I try to access the roles again in other parts of the code with below line the authorities are null. Otherwise, it has all other security details in it.
我错过了什么?
SecurityContextHolder.getContext().getAuthentication().getAuthorities()
推荐答案
成功登录后,我在上下文中设置了身份验证详细信息(权限中的用户角色)
After successful login I set the authentication details (with user roles in authorities) in the context
在上下文中成功进行身份验证后,您不应设置身份验证详细信息,例如您提到的角色.我将解释基本流程:
You should not set authentication details like roles as you mention after successful authentication in the context. I will explain basic flow:
- 身份验证请求带有用户名和密码参数.
- UsernamePasswordAuthenticationFilter 将检索凭据并创建 UsernamePasswordAuthenticationToken(username,password),并提供给 authenticationmanager.
- authenticationmanager 委托给适当的身份验证提供程序,该提供程序支持 UsernamePasswordAuthenticationToken 身份验证请求对象.(您可以拥有自己的身份验证提供程序实现.)
- 支持的身份验证提供程序将通过输入的用户名从假设数据库中检索用户详细信息(包括权限,尚未通过身份验证),并将提交的密码与检索到的用户密码进行比较.如果成功,则用户详细信息with authority 被传递给 UsernamePasswordAuthenticationToken,它将使用 3 个参数构造,例如:
new UsernamePasswordAuthenticationToken(userDetails,null,roles),它在构造函数中将身份验证标志设置为 true. - 身份验证管理器使用该令牌填充安全上下文(步骤 4)
- Authentication request comes with username and password parameters.
- UsernamePasswordAuthenticationFilter will retrieve credentials and create UsernamePasswordAuthenticationToken(username,password), and gives to authenticationmanager.
- authenticationmanager delegates to appropriate authentication provider which supports UsernamePasswordAuthenticationToken authentication request object.(You can have your own authentication provider implementation.)
- Supporting authentication provider will retrieve user details(including authorities, not authenticated yet) by entered username from let's say DB and compares submitted password to retrieved user's password.If success then user details along with authorities is passed to UsernamePasswordAuthenticationToken which would be constructed with 3 arguments like:
new UsernamePasswordAuthenticationToken(userDetails,null,roles)which in the constructor sets authentication flag to true. - Authentication manager popultates security context with that token(step 4)
如此成功的登录暗示角色也在那里.您是否已向身份验证提供程序或身份验证管理器注册了 userDetailsService 实现?很乐意为您提供更多帮助...
So successful login indicates implicitly that roles are there too. Do you have userDetailsService implementation registered with authentication provider or authentication manager? Would be glad to help you more...
这篇关于其他部分代码缺少Springboot安全权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
