spring-security 验证并创建主体,但控制器获取不同的无效用户实例 [英] spring-security authenticates and creates principal but controller gets different invalid user instance
问题描述
我刚刚从 spring-security 5.0.x 升级到 5.1.3,在部署容器内时,我发现我的服务没有从 spring-security 获取经过身份验证的用户主体.
I just upgraded from spring-security 5.0.x to 5.1.3 and on deploying in-container I discovered that my services are not getting the authenticated user principal from spring-security.
相反,它看起来像 spring-webmvc 实例化了我的用户主体的另一个实例,但没有 spring-security 提供的所有用户和 LDAP 详细信息.
Instead it looks like spring-webmvc is instantiated another instance of my user principal, but without all the user and LDAP details provided by spring-security.
我发现了一条来自 Spring 的消息 https://github.com/spring-projects/spring-security/issues/3771 似乎相关,但它说我需要从旧的 AuthenticationPrincipalArgumentResolver
迁移到新的,但是我没有在任何地方明确使用它.
I found one message from Spring https://github.com/spring-projects/spring-security/issues/3771 that seems relevant but it says I need to migrate from the old AuthenticationPrincipalArgumentResolver
to the new one, however I'm not explicitly using it anywhere.
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
@Controller
public class MyService {
@RequestMapping(value = "endpoint1",
method = RequestMethod.GET,
produces = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody
public String myEndpoint(
@AuthenticationPrincipal(errorOnInvalidType = true) CustomUser user) {
我什至把 errorOnInvalidType
放在那里,但无济于事.
I even put errorOnInvalidType
in there but to no avail.
我还尝试根据文档https://docs.spring.io/spring-security/site/docs/5.1.3.RELEASE/api/
I've also tried creating my custom AuthenticationPrincipal
annotation as per the docs https://docs.spring.io/spring-security/site/docs/5.1.3.RELEASE/api/
看起来 AuthenticationPrincipalArgumentResolver
没有完成它的工作,但从调试中我看到升级版本和旧的弃用版本都没有被调用(两者都在 spring-security-web
)
It does look like AuthenticationPrincipalArgumentResolver
isn't doing its job but from debugging I see neither the upgraded version nor the older deprecated version are called (both are in spring-security-web
)
相反,在创建不需要的空主体时,我在堆栈中看到了很多 spring-webmvc
类,例如 HandlerMethodArgumentResolverComposite
,所以它看起来像我'我不小心删除了配置的关键部分 - 注释或 jar 或实现.
Instead, I see a lot of spring-webmvc
classes in the stack when creating the unwanted empty principal, stuff like HandlerMethodArgumentResolverComposite
, so it looks to me like I've accidentally removed a crucial part of the config - either an annotation or a jar or an implementation.
谁能指出我的错误?
推荐答案
好吧,我发现了如何通过手动创建 AuthenticationPrincipalArgumentResolver
bean 来强制 Spring 解析 AuthenticationPrincipal
.
Well, I found out how to force Spring to resolve the AuthenticationPrincipal
by manually creating the AuthenticationPrincipalArgumentResolver
bean.
归功于 使用 EnableWebSecurity 时 AuthenticationPrincipal 为空
这篇关于spring-security 验证并创建主体,但控制器获取不同的无效用户实例的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!