使用Grails Spring Security自动登录 [英] login automatically with Grails Spring Security

问题描述

我的Grails应用程序使用Spring Security插件。我需要以编程方式登录用户，并且我无法访问他们的密码。我尝试了以下方法，这在使用Acegi插件（Spring Security插件的祖先）时应该可行：

My Grails app is using the Spring Security plugin. I need to login a user programatically, and I don't have access to their password. I tried the following, which supposedly worked when using the Acegi plugin (an ancestor of the Spring Security plugin):

// automatically login a user and assign them the USER role. 
// In my app, the email address is also the username
GrantedAuthority[] auths = [new GrantedAuthorityImpl('USER')]
SecurityContextHolder.context.authentication 
        = new UsernamePasswordAuthenticationToken(email, 'unknown', auths)

看起来这样做几乎奏效，因为如果我在执行上述操作后调用 springSecurityService.principal ，我找回自动登录用户的电子邮件地址。但是，如果我调用 springSecurityService.currentUser ，则会出现错误。这个错误的根本原因是：

It seems like this has almost worked, because if I call springSecurityService.principal after executing the above, I get back the email address of the automatically logged in user. However, if I call springSecurityService.currentUser I get an error. The root cause of this error is that:

SpringSecurityUtils.securityConfig.userLookup.userDomainClassName

返回Person，它不是我用户类的名称。诸如< sec：loggedInUser> 之类的各种标签也不起作用，这大概是出于同样的原因。

returns "Person" which is not the name of my user class. The various tags such as <sec:loggedInUser> also don't work, presumably for the same reason.

我不知道这个问题是否与我使用用户和角色的预先存在的域类（而不是由插件生成的类）？如果用户通过在表单中​​输入他们的用户名和密码（而不是以编程方式）来登录，那么一切似乎都正常。

I wonder if this problem is somehow related to the fact that I'm using pre-existing domain classes for user and role (rather than classes generated by the plugin)? If the user logs in by entering their username and password into the form (rather than programatically), everything seems to work fine.

遵循 Burt的建议，我将上面的代码替换为：

Following Burt's advice, I replaced the code above with:

springSecurityService.reauthenticate(email)

但是我仍然在 SpringSecurityService.getCurrentUser（）

String className = SpringSecurityUtils.securityConfig.userLookup.userDomainClassName
grailsApplication.getClassForName(className).get(principal.id)

由于 className 设置为Person，而不是名称我的用户类。

Because className is set to "Person", rather than the name of my User class.

推荐答案

如果用户存在于数据库中，请使用 springSecurityService.reauthentic ate（） - 请参阅 http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/6%20Helper%20Classes.html#6.2%20SpringSecurityService

If the user exists in the database use springSecurityService.reauthenticate() - see http://grails-plugins.github.com/grails-spring-security-core/docs/manual/guide/6%20Helper%20Classes.html#6.2%20SpringSecurityService

此方法用于在用户更改与数据库不同步时更新身份验证，但对于需要强制进行有效身份验证的情况也很有用一个现有的用户，但不知道密码。

This method is designed to update the authentication when a user change has made it out of sync with the database, but it's also useful for this scenario where you want to force a valid authentication for an existing user but don't know the password.

这篇关于使用Grails Spring Security自动登录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！