使用 Grails Spring Security 自动登录 [英] login automatically with Grails Spring Security

问题描述

我的 Grails 应用程序正在使用 Spring Security 插件.我需要以编程方式登录用户，但我无权访问他们的密码.我尝试了以下，据说在使用 Acegi 插件(Spring Security 插件的祖先)时有效:

My Grails app is using the Spring Security plugin. I need to login a user programatically, and I don't have access to their password. I tried the following, which supposedly worked when using the Acegi plugin (an ancestor of the Spring Security plugin):

// automatically login a user and assign them the USER role. 
// In my app, the email address is also the username
GrantedAuthority[] auths = [new GrantedAuthorityImpl('USER')]
SecurityContextHolder.context.authentication 
        = new UsernamePasswordAuthenticationToken(email, 'unknown', auths)

看起来这几乎奏效了，因为如果我在执行上述操作后调用springSecurityService.principal，我会返回自动登录用户的电子邮件地址.但是，如果我调用 springSecurityService.currentUser ，则会出现错误.这个错误的根本原因是:

It seems like this has almost worked, because if I call springSecurityService.principal after executing the above, I get back the email address of the automatically logged in user. However, if I call springSecurityService.currentUser I get an error. The root cause of this error is that:

SpringSecurityUtils.securityConfig.userLookup.userDomainClassName

返回Person"，它不是我的用户类的名称.诸如 之类的各种标签也不起作用，大概是出于同样的原因.

returns "Person" which is not the name of my user class. The various tags such as <sec:loggedInUser> also don't work, presumably for the same reason.

我想知道这个问题是否与我使用 用户和角色的预先存在的域类(而不是插件生成的类)?如果用户通过在表单中​​输入用户名和密码(而不是以编程方式)登录，一切似乎都正常.

I wonder if this problem is somehow related to the fact that I'm using pre-existing domain classes for user and role (rather than classes generated by the plugin)? If the user logs in by entering their username and password into the form (rather than programatically), everything seems to work fine.

按照 Burt 的建议，我替换了上面的代码与:

Following Burt's advice, I replaced the code above with:

springSecurityService.reauthenticate(email)

但我仍然在 SpringSecurityService.getCurrentUser()

String className = SpringSecurityUtils.securityConfig.userLookup.userDomainClassName
grailsApplication.getClassForName(className).get(principal.id)

因为 className 设置为Person"，而不是我的 User 类的名称.

Because className is set to "Person", rather than the name of my User class.

推荐答案

如果用户存在于数据库中使用 springSecurityService.reauthenticate() - 见 此链接 适用于 Grails 2 或 此链接适用于 Grails 3.

If the user exists in the database use springSecurityService.reauthenticate() - see this link for Grails 2 or this link for Grails 3.

此方法旨在在用户更改使其与数据库不同步时更新身份验证，但它也适用于您希望对现有用户强制进行有效身份验证但不知道密码.

This method is designed to update the authentication when a user change has made it out of sync with the database, but it's also useful for this scenario where you want to force a valid authentication for an existing user but don't know the password.

这篇关于使用 Grails Spring Security 自动登录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！