AuthenticationManager when updating to Spring-security-3.2.0.RC2

Time: 2013-11-05 21:00:00

Tags: spring-security

I recently updated to spring-security-3.2.0.RC2 from RC1. According to the blog post, QUIESCENT_POST_PROCESSOR has been removed. Previously I created an AuthenticationManager bean like this:

@Bean(name = {"defaultAuthenticationManager", "authenticationManager"})
public AuthenticationManager defaultAuthenticationManager() throws Exception {
    return new AuthenticationManagerBuilder(null).userDetailsService(context.getBean(MyUserDetailsService.class)).passwordEncoder(new Md5PasswordEncoder()).and().build();
}

So I changed it to:

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws BeansException, Exception {
    auth.userDetailsService(context.getBean(MyUserDetailsService.class)).passwordEncoder(new Md5PasswordEncoder());
}

But unfortunately I can no longer get hold of the AuthenticationManager. I am also creating a RememberMeAuthenticationFilter like this:

@Bean(name = { "defaultRememberMeAuthenticationFilter", "rememberMeAuthenticationFilter" })
protected RememberMeAuthenticationFilter defaultRememberMeAuthenticationFilter() throws Exception {
    return new RememberMeAuthenticationFilter(defaultAuthenticationManager(), context.getBean(DefaultRememberMeServices.class));
}

So as you can see, I need to get hold of the AuthenticationManager, but I don't know how.

2 answers:

Answer 0: (score: 15)

You shouldn't really need to get hold of the AuthenticationManager. From the javadoc of HttpSecurity, the following should work fine:

@Configuration
@EnableWebSecurity
public class RememberMeSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth
             .inMemoryAuthentication()
                  .withUser("user").password("password").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/**").hasRole("USER")
                .and()
            .formLogin()
                .permitAll()
                .and()
            // Example Remember Me Configuration
            .rememberMe();
    }
}

Of course, if you are using a global AuthenticationManager, this would work too:

@Configuration
@EnableWebSecurity
public class RememberMeSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth)
            throws Exception {
        auth
             .inMemoryAuthentication()
                  .withUser("user").password("password").roles("USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/**").hasRole("USER")
                .and()
            .formLogin()
                .permitAll()
                .and()
            // Example Remember Me Configuration
            .rememberMe();
    }
}

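The only difference is that the first example isolates the AuthenticationManager to the HttpSecurity, whereas the second example allows the AuthenticationManager to be used by global method security or another HttpSecurity (WebSecurityConfigurerAdapter).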

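The reason this works is that .rememberMe() will automatically find the AuthenticationManager and UserDetailsService and use them when creating the RememberMeAuthenticationFilter. It also creates the appropriate RememberMeServices, so there is no need to do that. Of course, there are other options for .rememberMe() if you want to customize it, so see the RememberMeConfigurer javadoc for additional options.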

If you really need a reference to the AuthenticationManager instance, you can do the following:

@Configuration
@EnableWebSecurity
public class RememberMeSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private AuthenticationManagerBuilder auth;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth)
            throws Exception {
        auth
             .inMemoryAuthentication()
                  .withUser("user").password("password").roles("USER");
    }

    @Bean
    public AuthenticationManager authenticationManager() throws Exception {
        return auth.build();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/**").hasRole("USER")
                .and()
            .formLogin()
                .permitAll()
                .and()
            // Example Remember Me Configuration
            .rememberMe();
    }
}

If you want to have multiple AuthenticationManager instances, you can do the following:

    @Autowired
    private ObjectPostProcessor<Object> opp;

    public AuthenticationManager authenticationManager()
            throws Exception {
        return new AuthenticationManagerBuilder(opp)
            .inMemoryAuthentication()
               .withUser("user").password("password").roles("USER").and()
            .and()
            .build();
    }

    public AuthenticationManager authenticationManager2()
            throws Exception {
        return new AuthenticationManagerBuilder(opp)
            .inMemoryAuthentication()
               .withUser("admin").password("password").roles("ADMIN").and()
            .and()
            .build();
    }

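Note that this is nearly the same as what you had before, except that instead of using QUIESCENT_POST_PROCESSOR you are using a real ObjectPostProcessor obtained with the @Autowired annotation.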

PS: Thanks for giving RC2 a try!

Answer 1: (score: 3)

The way to expose and access the AuthenticationManager bean is as follows:

@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception
{
   return super.authenticationManagerBean();
}