将自定义 UserDetailsService 添加到 Spring Security OAuth2 应用程序 [英] Add custom UserDetailsService to Spring Security OAuth2 app
问题描述
如何将下面的自定义 UserDetailsService
添加到 这个 Spring OAuth2 示例?
How do I add the custom UserDetailsService
below to this Spring OAuth2 sample?
默认user
和默认password
定义在application.properties
文件的authserver
应用程序.
The default user
with default password
is defined in the application.properties
file of the authserver
app.
但是,我想将以下自定义 UserDetailsService
添加到 authserver
应用程序的demo
包 用于测试目的:
However, I would like to add the following custom UserDetailsService
to the demo
package of the authserver
app for testing purposes:
package demo;
import java.util.List;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.provisioning.UserDetailsManager;
import org.springframework.stereotype.Service;
@Service
class Users implements UserDetailsManager {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
String password;
List<GrantedAuthority> auth = AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER");
if (username.equals("Samwise")) {
auth = AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_HOBBIT");
password = "TheShire";
}
else if (username.equals("Frodo")){
auth = AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_HOBBIT");
password = "MyRing";
}
else{throw new UsernameNotFoundException("Username was not found. ");}
return new org.springframework.security.core.userdetails.User(username, password, auth);
}
@Override
public void createUser(UserDetails user) {// TODO Auto-generated method stub
}
@Override
public void updateUser(UserDetails user) {// TODO Auto-generated method stub
}
@Override
public void deleteUser(String username) {// TODO Auto-generated method stub
}
@Override
public void changePassword(String oldPassword, String newPassword) {
// TODO Auto-generated method stub
}
@Override
public boolean userExists(String username) {
// TODO Auto-generated method stub
return false;
}
}
如您所见,这个 UserDetailsService
还不是 autowired
,它故意使用不安全的密码,因为它仅用于测试目的.
As you can see, this UserDetailsService
is not autowired
yet, and it purposely uses insecure passwords because it is only designed for testing purposes.
GitHub 示例应用程序,以便用户可以使用 password=TheShire
以 username=Samwise
或username=Frodo 的身份登录
with password=MyRing
? 是否需要对 AuthserverApplication.java
或其他地方?
What specific changes need to be made to the GitHub sample app so that a user can login as username=Samwise
with password=TheShire
, or as username=Frodo
with password=MyRing
? Do changes need to be made to AuthserverApplication.java
or elsewhere?
建议:
Spring OAuth2 开发人员指南说使用 GlobalAuthenticationManagerConfigurer
全局配置 UserDetailsService
.然而,在谷歌上搜索这些名字产生的结果并不那么有用.
The Spring OAuth2 Developer Guide says to use a GlobalAuthenticationManagerConfigurer
to configure a UserDetailsService
globally. However, googling those names produces less than helpful results.
此外,另一个使用内部 spring 安全性 INSTEAD OF OAuth 的应用程序使用以下语法来连接 UserDetailsService
,但我不确定如何将其语法调整为当前 OP:>
Also, a different app that uses internal spring security INSTEAD OF OAuth uses the following syntax to hook up the UserDetailsService
, but I am not sure how to adjust its syntax to the current OP:
@Order(Ordered.HIGHEST_PRECEDENCE)
@Configuration
protected static class AuthenticationSecurity extends GlobalAuthenticationConfigurerAdapter {
@Autowired
private Users users;
@Override
public void init(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(users);
}
}
我尝试在 OAuth2AuthorizationConfig
中使用 @Autowire
将 Users
连接到 AuthorizationServerEndpointsConfigurer
,如下所示:>
I tried using @Autowire
inside the OAuth2AuthorizationConfig
to connect Users
to the AuthorizationServerEndpointsConfigurer
as follows:
@Autowired//THIS IS A TEST
private Users users;//THIS IS A TEST
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManager)
.accessTokenConverter(jwtAccessTokenConverter())
.userDetailsService(users)//DetailsService)//THIS LINE IS A TEST
;
}
但是 Spring Boot 日志显示没有找到用户 Samwise
,这意味着 UserDetailsService
没有成功连接.以下是 Spring Boot 日志的相关摘录:
But the Spring Boot logs indicate that the user Samwise
was not found, which means that the UserDetailsService
was not successfully hooked up. Here is the relevant excerpt from the Spring Boot logs:
2016-04-20 15:34:39.998 DEBUG 5535 --- [nio-9999-exec-9] o.s.s.a.dao.DaoAuthenticationProvider :
User 'Samwise' not found
2016-04-20 15:34:39.998 DEBUG 5535 --- [nio-9999-exec-9]
w.a.UsernamePasswordAuthenticationFilter :
Authentication request failed:
org.springframework.security.authentication.BadCredentialsException:
Bad credentials
我还能尝试什么?
推荐答案
我在使用 Spring Security 开发 oauth 服务器时遇到了类似的问题.我的情况略有不同,因为我想添加一个 UserDetailsService
来验证刷新令牌,但我认为我的解决方案也会对您有所帮助.
I ran into a similar issue when developing my oauth server with Spring Security. My situation was slightly different, as I wanted to add a UserDetailsService
to authenticate refresh tokens, but I think my solution will help you as well.
和您一样,我首先尝试使用 AuthorizationServerEndpointsConfigurer
指定 UserDetailsService
,但这不起作用.我不确定这是错误还是设计使然,但是需要在 AuthenticationManager
中设置 UserDetailsService
以便各种 oauth2 类找到它.这对我有用:
Like you, I first tried specifying the UserDetailsService
using the AuthorizationServerEndpointsConfigurer
, but this does not work. I'm not sure if this is a bug or by design, but the UserDetailsService
needs to be set in the AuthenticationManager
in order for the various oauth2 classes to find it. This worked for me:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
Users userDetailsService;
@Autowired
public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
// other stuff to configure your security
}
}
我认为如果您从第 73 行开始更改以下内容,它可能对您有用:
I think if you changed the following starting at line 73, it may work for you:
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.parentAuthenticationManager(authenticationManager)
.userDetailsService(userDetailsService);
}
您当然还需要在 WebSecurityConfigurerAdapter
我想提的其他事情:
- 这可能是特定于版本的,我使用的是 spring-security-oauth2 2.0.12
- 我无法引用任何来源说明为什么会这样,我什至不确定我的解决方案是真正的解决方案还是黑客.
- 指南中提到的
GlobalAuthenticationManagerConfigurer
几乎肯定是一个错字,我在 Spring 的任何源代码中都找不到该字符串.
- This may be version specific, I'm on spring-security-oauth2 2.0.12
- I can't cite any sources for why this is the way it is, I'm not even sure if my solution is a real solution or a hack.
- The
GlobalAuthenticationManagerConfigurer
referred to in the guide is almost certainly a typo, I can't find that string anywhere in the source code for anything in Spring.
这篇关于将自定义 UserDetailsService 添加到 Spring Security OAuth2 应用程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!