如何使用spring-security-pac4j 2.0在我的控制器上启用@Secured注释

时间:2016-08-10 05:21:02

标签: spring-security single-sign-on cas jasig

我使用spring-security对pac4j和基于web application的CAS进行了spring-security-pac4j-demo的集成,并具有以下依赖关系:

compile "org.pac4j:pac4j-core:1.8.8"
compile "org.pac4j:pac4j-cas:1.8.8"
compile "org.pac4j:spring-security-pac4j:1.4.3"
compile "org.springframework.security:spring-security-core:4.1.0.RELEASE"

但是,当我尝试升级到 spring-security-pac4j 版本2.0.0 时,我意识到这种方法已经彻底改变了。在我以前在我的自定义类UserDetailService中加载用户角色之前:

@Component("userDetailsService")
public class UserDetailsService implements AuthenticationUserDetailsService<ClientAuthenticationToken>  {

    private final Logger log = LoggerFactory.getLogger(UserDetailsService.class);

    @Inject
    private UserRepository userRepository;


    @Override
    @Transactional
    public UserDetails loadUserDetails(ClientAuthenticationToken token) throws UsernameNotFoundException {
        String username = token.getUserProfile().getId().toLowerCase();
        log.debug("Authenticating {}", username);

        Optional<User> userFromDatabase = userRepository.findOneByUsername(username);
        if (!userFromDatabase.isPresent()) {
            throw new UsernameNotFoundException("User " + username + " was not found in the database");
        } else if (!userFromDatabase.get().getActivated()) {
            throw new UserNotActivatedException("User " + username + " was not activated");
        }

        Collection<GrantedAuthority> grantedAuthorities = new ArrayList<>();
        for (Authority authority : userFromDatabase.get().getAuthorities()) {
            GrantedAuthority grantedAuthority = new SimpleGrantedAuthority(authority.getName());
            grantedAuthorities.add(grantedAuthority);
        }
        return new org.springframework.security.core.userdetails.User(username,username, grantedAuthorities);
    }
}

通过一些额外的配置,spring-security正在检查用@Secured注释的控制器上的用户角色访问权限。 

@Controller
@RequestMapping("/app/*")
public class SecureController {

    @Secured("ROLE_ADMIN")
    @RequestMapping("/secure/admins")
    public String admins(Model model) {
        model.addAttribute("roleName", "ROLE_ADMIN");
        return "secure";
    }

    @Secured("ROLE_USER")
    @RequestMapping("/secure/users")
    public String users(Model model) {
        model.addAttribute("roleName", "ROLE_USER");
        return "secure";
    }
}

使用版本2.0.0 spring-security-pac4j ,即使查看演示,我仍然不知道从哪里开始以便更新我的使用新版本的pac4j进行项目,并使用 @Secured 注释。如果有人可以提供任何提示和/或指示,将不胜感激。

1 个答案:

答案 0 :(得分:0)

我是pac4j和spring-security-pac4j的创建者。

是的,版本2.0确实不同,但这对于所有pac4j功能都是必要的。

成功进行CAS身份验证后,会创建CasProfile并将其保存在您的安全上下文中(在Pac4jAuthentication令牌中)。要计算配置文件的特定角色(例如,通过从数据库中提取),您需要创建一个新的AuthorizationGenerator 并将其附加到客户端:casClient.addAuthorizationGenerator(myAuthGenerator);

相关问题
最新问题