Simplest way to wrap custom authentication into Spring security?

Problem description

Suppose I have a simple bean, which can authenticate a user by password and also knows the roles of any specified user:

interface MyBeanInterface {
    boolean check(String username, String password);
    List<String> roles(String username);
}

What is the simplest way to plug this functionality into Spring web application with basic HTTP security?

Simultaneously, I would like to annotate my controllers and service methods with the @Secured annotation only. No dot-separated predicates like here (http://docs.spring.io/spring-security/site/docs/4.0.3.RELEASE/reference/htmlsingle/#authorize-requests), please.

I can't break through those numerous "populators", "managers", "adapters" and other "configurers" in the Spring Security API...

Update

I added:

1) A Greeting class to return from the controller

2) A GreetingController class to serve web requests /greeting1 and /greeting2. I annotated the first method with @Secured({"USER", "ADMIN"}) and the second with @Secured({"ADMIN"}).

3) I wrote MyAuthService, where I authenticated two users with different levels of access.

4) I wrote AuthenticationProviderEx, where I implemented the authenticate() method by calling the MyAuthService bean.

5) I wrote a SecurityConfig bean with configure() returning my provider.

The code is here (https://github.com/dims12/spring-simple-auth-wrapper/tree/fdc246699f8b933d1ba55a026a2f4cd895058c26) in commit fdc2466. In this state it does not ask for authentication at all.

Update 2

I have added @EnableGlobalMethodSecurity(securedEnabled = true) to the SecurityConfig class and it started to ask for a username and password, but, unfortunately, it returns error 403 on any request.

Recommended answer

Make a custom authentication provider wrapper around your interface, something like:

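import java.util.ArrayList;
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;

@Component("customAuthenticationProvider")
public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Autowired
    private MyBeanInterface myInterface;

    @Override
    public Authentication authenticate(Authentication authentication) {
        String username = authentication.getName();
        String password = authentication.getCredentials().toString();
        // Delegate the password check to the existing bean.
        if (!myInterface.check(username, password)) {
            throw new BadCredentialsException("Bad username or password.");
        }
        // Turn the bean's role names into Spring Security authorities.
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String role : myInterface.roles(username)) {
            authorities.add(new SimpleGrantedAuthority(role));
        }
        return new UsernamePasswordAuthenticationToken(username, password, authorities);
    }

    @Override
    public boolean supports(Class<?> clazz) {
        return UsernamePasswordAuthenticationToken.class.equals(clazz);
    }

}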

And use it in your security config, with XML:

<authentication-manager>
  <authentication-provider ref="customAuthenticationProvider"/>
</authentication-manager>

Update: Also works with Java config:

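import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomAuthenticationProvider customAuthenticationProvider;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        // Register the custom provider with the authentication manager.
        auth.authenticationProvider(customAuthenticationProvider);
    }

    /* rest of security config here */
}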

The rest is pretty normal stuff.
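
An added example, not part of the answer or the asker's project: Spring Security's default RoleVoter only votes on @Secured attributes that start with ROLE_, so unprefixed names such as "USER" or "ADMIN" are denied for every user, which is one way to end up with a 403 like the one in Update 2. This variant of the provider (the class name PrefixingAuthenticationProvider is hypothetical) maps the bean's role names to ROLE_-prefixed authorities, rejects null credentials, and leaves the password out of the authenticated token.

```java
import java.util.ArrayList;
import java.util.List;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

// Added example; the class name is hypothetical, not from the answer or the project.
public class PrefixingAuthenticationProvider implements AuthenticationProvider {
    private static final String ROLE_PREFIX = "ROLE_"; // default prefix RoleVoter looks for
    private final MyBeanInterface users;

    public PrefixingAuthenticationProvider(MyBeanInterface users) {
        this.users = users;
    }

    @Override
    public Authentication authenticate(Authentication authentication) {
        String username = authentication.getName();
        Object credentials = authentication.getCredentials();
        // A token without credentials is rejected instead of raising a NullPointerException.
        if (credentials == null || !users.check(username, credentials.toString())) {
            throw new BadCredentialsException("Bad username or password.");
        }
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String role : users.roles(username)) {
            // "ADMIN" becomes "ROLE_ADMIN"; names that already carry the prefix are kept.
            authorities.add(new SimpleGrantedAuthority(
                    role.startsWith(ROLE_PREFIX) ? role : ROLE_PREFIX + role));
        }
        // The password is not needed after the check, so it is left out of the result.
        return new UsernamePasswordAuthenticationToken(username, null, authorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

// The bean interface from the question, repeated so the file compiles on its own.
interface MyBeanInterface {
    boolean check(String username, String password);
    List<String> roles(String username);
}
```

With this provider, the controller annotations are written as @Secured({"ROLE_USER", "ROLE_ADMIN"}) and @Secured({"ROLE_ADMIN"}).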
