Spring安全动态授权

时间:2017-03-21 20:53:13

标签: java spring spring-mvc spring-boot spring-security

我使用spring security和spring boot来开发一个应用程序,使用SecurityConf保护我api的特定端点,如下所示:

 @Override
public void configure(final AuthenticationManagerBuilder auth) throws Exception {
    auth
    .inMemoryAuthentication()
    .passwordEncoder(passwordEncoder)
    .withUser(username).password(password).roles(ADMIN_ROLE);
}

@Override
protected void configure(final HttpSecurity http) throws Exception {
    http
    .csrf().disable()
    .authorizeRequests()
    .antMatchers("/api/survey/report/**").hasRole(ADMIN_ROLE)
    .and().formLogin()
    .and().logout();
}

密码和用户名是从开始的数据库加载的。

一切似乎工作正常,但现在我必须实现一个方法来更改管理员的密码,我实现了存储库,服务和控制器方法,用新的加密密码更改数据库,但现在看来现在,除非我重新启动它(导致类加载新的用户名和密码),否则更改不会反映在应用程序中。

如何使应用程序重新加载来自数据库的新用户名和密码,而无需重新启动它? (在生产中,这是一个不停地运行的应用程序)

这是密码更改方法的控制器:

@RequestMapping(value = "/change", method = RequestMethod.POST)
public ResponseEntity changePassword(@RequestBody Password password) {

    return passwordService.updatePassword(password);
}

这是服务方法:

public ResponseEntity updatePassword(Password password) {
    Administrator administrator = administratorRepository.findAdministrator();
    if (passwordEncoder.matches(password.getOldPassword(), administrator.getPassword())) {
        String encodePassword = passwordEncoder.encode(password.getNewPassword());
        administrator.setPassword(encodePassword);
        administratorRepository.updateAdministrator(administrator);

        return new ResponseEntity(HttpStatus.OK);
    }
    return new ResponseEntity(HttpStatus.BAD_REQUEST);
}

修改

我使用Autowired方法在SecurityConfig类的属性上加载用户名和密码,如下所示:

@Autowired
private void initUser() {
    Administrator administrator = administratorRepository.findAdministrator();
    this.password = administrator.getPassword();
    this.username = administrator.getUsername();

}

我的班级定义如下:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

private static final String ADMIN_ROLE = "ADMIN";

private String username;
private String password;

@Autowired
private PasswordEncoder passwordEncoder;

@Autowired
private AdministratorRepository administratorRepository;

passwordencoder是一个用来对管理员传递进行加盐和散列的类,repo是我持久保存数据的地方

1 个答案:

答案 0 :(得分:1)

使用CustomUserDetailService代替AuthenticationProvider,如下所示

Exception in thread "main" java.lang.NoClassDefFoundError: io/reactivex/Observable

然后在

中更改密码
@Component("userDetailsService")
public class CustomUserDetailsService implements org.springframework.security.core.userdetails.UserDetailsService {


    private static String username;
    private static String password;
    private final Logger log = LoggerFactory.getLogger(CustomUserDetailsService.class);

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {



        return new User(CustomUserDetailsService.username,CustomUserDetailsService.password,null);
    }

}


@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {


    @Inject
    @Qualifier("userDetailsService")
    private UserDetailsService userDetailsService;

    @Inject
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .userDetailsService(userDetailsService);
    }

    @Override
    public void configure(WebSecurity web) throws Exception {

    }

}