spring-security 验证并创建主体，但控制器获取不同的无效用户实例 [英] spring-security authenticates and creates principal but controller gets different invalid user instance

问题描述

我刚刚从 spring-security 5.0.x 升级到 5.1.3，在部署容器内时，我发现我的服务没有从 spring-security 获取经过身份验证的用户主体.

I just upgraded from spring-security 5.0.x to 5.1.3 and on deploying in-container I discovered that my services are not getting the authenticated user principal from spring-security.

相反，它看起来像 spring-webmvc 实例化了我的用户主体的另一个实例，但没有 spring-security 提供的所有用户和 LDAP 详细信息.

Instead it looks like spring-webmvc is instantiated another instance of my user principal, but without all the user and LDAP details provided by spring-security.

我发现了一条来自 Spring 的消息 https://github.com/spring-projects/spring-security/issues/3771 似乎相关，但它说我需要从旧的 AuthenticationPrincipalArgumentResolver 迁移到新的，但是我没有在任何地方明确使用它.

I found one message from Spring https://github.com/spring-projects/spring-security/issues/3771 that seems relevant but it says I need to migrate from the old AuthenticationPrincipalArgumentResolver to the new one, however I'm not explicitly using it anywhere.

import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.security.core.annotation.AuthenticationPrincipal;

@Controller
public class MyService {

    @RequestMapping(value = "endpoint1",
        method = RequestMethod.GET,
        produces = MediaType.APPLICATION_JSON_VALUE)
    @ResponseBody
    public String myEndpoint(
        @AuthenticationPrincipal(errorOnInvalidType = true) CustomUser user) {

我什至把 errorOnInvalidType 放在那里，但无济于事.

I even put errorOnInvalidType in there but to no avail.

我还尝试根据文档https://docs.spring.io/spring-security/site/docs/5.1.3.RELEASE/api/

I've also tried creating my custom AuthenticationPrincipal annotation as per the docs https://docs.spring.io/spring-security/site/docs/5.1.3.RELEASE/api/

看起来 AuthenticationPrincipalArgumentResolver 没有完成它的工作，但从调试中我看到升级版本和旧的弃用版本都没有被调用(两者都在 spring-security-web)

It does look like AuthenticationPrincipalArgumentResolver isn't doing its job but from debugging I see neither the upgraded version nor the older deprecated version are called (both are in spring-security-web)

相反，在创建不需要的空主体时，我在堆栈中看到了很多 spring-webmvc 类，例如 HandlerMethodArgumentResolverComposite，所以它看起来像我'我不小心删除了配置的关键部分 - 注释或 jar 或实现.

Instead, I see a lot of spring-webmvc classes in the stack when creating the unwanted empty principal, stuff like HandlerMethodArgumentResolverComposite, so it looks to me like I've accidentally removed a crucial part of the config - either an annotation or a jar or an implementation.

谁能指出我的错误?

推荐答案

好吧，我发现了如何通过手动创建 AuthenticationPrincipalArgumentResolver bean 来强制 Spring 解析 AuthenticationPrincipal.

Well, I found out how to force Spring to resolve the AuthenticationPrincipal by manually creating the AuthenticationPrincipalArgumentResolver bean.

归功于 使用 EnableWebSecurity 时 AuthenticationPrincipal 为空

这篇关于spring-security 验证并创建主体，但控制器获取不同的无效用户实例的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！