具有Spring Security和Java配置的自定义验证管理器 [英] Custom Authentication Manager with Spring Security and Java Configuration

问题描述

我正在使用Spring Security与SpringMVC创建一个Web应用程序（为了清楚起见，我将其称为WebApp），它与现有应用程序相对应（我将其称为BackendApp）。

I am using Spring Security with SpringMVC to create a web application (I will refer to this as the WebApp for clarity) that speaks to an existing application (I will refer to this as BackendApp).

我想将身份验证职责委托给BackendApp（这样我就不需要同步这两个应用程序了）。

I want to delegate authentication responsibilities to the BackendApp (so that I don't need to synchronise the two applications).

为了实现这一点，我希望WebApp（运行spring security）通过REST与BackendApp通信，并使用用户在表单中提供的用户名和密码进行身份验证根据BackendApp的响应是200 OK还是401 Unauthorized。

To implement this, I would like the WebApp (running spring security) to communicate to the BackendApp via REST with the username and password provided by the user in a form and authenticate based on whether the BackendApp's response is 200 OK or 401 Unauthorised.

我知道我需要编写一个自定义身份验证管理器才能执行此操作但是我对Spring和找不到任何有关如何实施它的信息。

I understand I will need to write a custom Authentication Manager to do this however I am very new to spring and can't find any information on how to implement it.

我相信我需要这样做：

public class CustomAuthenticationManager implements AuthenticationManager{

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {

        String username = authentication.getName();
        String pw       = authentication.getCredentials().toString();

        // Code to make rest call here and check for OK or Unauthorised.
        // What do I return?

    }

}

我是否设置authentication.setAuthenticated（true）如果成功则返回false，否则为false？

Do I set authentication.setAuthenticated(true) if successful and false if otherwise and thats it?

编写完成后，如何配置spring security以使用java使用此身份验证管理器配置文件？

Once this is written, how do I configure spring security to use this authentication manager using a java configuration file?

提前感谢您的任何帮助。

Thanks in advance for any assistance.

推荐答案

看看下面的示例。您必须返回UsernamePasswordAuthenticationToken。它包含主体和GrantedAuthorities。希望我能提供帮助：）

Take a look at my sample below. You have to return an UsernamePasswordAuthenticationToken. It contains the principal and the GrantedAuthorities. Hope I could help :)

public Authentication authenticate(Authentication authentication) throws AuthenticationException {
    String username = authentication.getPrincipal() + "";
    String password = authentication.getCredentials() + "";

    User user = userRepo.findOne(username);
    if (user == null) {
        throw new BadCredentialsException("1000");
    }
    if (user.isDisabled()) {
        throw new DisabledException("1001");
    }
    if (!encoder.matches(password, user.getPassword())) {
        throw new BadCredentialsException("1000");
    }
    List<Right> userRights = rightRepo.getUserRights(username);
    return new UsernamePasswordAuthenticationToken(username, password, userRights.stream().map(x -> new SimpleGrantedAuthority(x.getName())).collect(Collectors.toList()));
}

PS：userRepo和rightRepo是访问我的自定义的Spring-Data-JPA存储库用户数据库

PS: userRepo and rightRepo are Spring-Data-JPA Repositories which access my custom User-DB

SpringSecurity JavaConfig：

SpringSecurity JavaConfig:

@Configuration
@EnableWebMvcSecurity
public class MySecurityConfiguration extends WebSecurityConfigurerAdapter {

public MySecurityConfiguration() {
    super(false);
}

@Override
protected AuthenticationManager authenticationManager() throws Exception {
    return new ProviderManager(Arrays.asList((AuthenticationProvider) new AuthProvider()));
}

}

这篇关于具有Spring Security和Java配置的自定义验证管理器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！