我尝试使用两个不同的AuthenticationProviders创建一个spring安全配置,并公开一个rest接口来验证凭据(这只是在dev环境中使用,并将被prod中的oAuth服务替换。)但是当我将AuthenticationManager注入Controller,spring创建一个默认的AuthenticationManager并将其注入RestController。如何使spring注入WebSecurityConfigurationAdapter中配置的AuthenticationManager?我使用的是spring-boot-starter-security:1.5.7.RELEASE。这是我的安全配置:
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@Configuration
public class LocalWebSecurityConfigurationAdapter extends WebSecurityConfigurerAdapter {
private final DevUserDetailsService devUserDetailService;
private final ServiceUserDetailService serviceUserDetailService;
@Autowired
public LocalWebSecurityConfigurationAdapter(DevUserDetailsService devUserDetailService, ServiceUserDetailService serviceUserDetailService) {
this.devUserDetailService = devUserDetailService;
this.serviceUserDetailService = serviceUserDetailService;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().authorizeRequests().antMatchers("/api/public/**").permitAll()
.antMatchers("/api/login").permitAll()
.antMatchers("/api/**").fullyAuthenticated()
.anyRequest().permitAll()
.and().exceptionHandling().authenticationEntryPoint(unauthorizedEntryPoint())
.and().httpBasic();
}
@Bean
public AuthenticationEntryPoint unauthorizedEntryPoint() {
return (request, response, authException) -> response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
}
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(devUserDetailService);
DaoAuthenticationProvider serviceUserAuthProvider = new DaoAuthenticationProvider();
serviceUserAuthProvider.setUserDetailsService(serviceUserDetailService);
serviceUserAuthProvider.setPasswordEncoder(passwordEncoder());
auth.authenticationProvider(serviceUserAuthProvider);
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
这是我的RestController:
@RestController
@RequestMapping("/api/login")
public class LoginController {
private final Logger log = LoggerFactory.getLogger(this.getClass());
private final AuthenticationManager authenticationManager;
public LoginController(AuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
}
@RequestMapping(method = RequestMethod.POST)
public Map<String, String> login(@RequestBody Map<String, String> body) {
String user = body.get("user");
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(user, body.get("password"));
try {
authenticationManager.authenticate(token);
return Collections.singletonMap("status", "ok");
} catch (BadCredentialsException e) {
return Collections.singletonMap("status", "bad credentials");
} catch (AuthenticationException e) {
log.warn("Could not authenticate user {} because {}.", user, e.getMessage(), e);
return Collections.singletonMap("status", "general error");
}
}
}
既然你们可能是春天的专家,那么最好的做法是根据环境(使用配置文件)创建不同的安全配置,而不运行代码而不创建冗余代码?我试过一个超级班,但春天并没有那么多。
答案 0 :(得分:0)
我终于找到了解决方案。通过在我的配置类中使用configureGlobal,可以在所有Spring托管组件中共享AuthenticationManager。
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth, DevUserDetailsService devUserDetailService,
@Qualifier("serviceUserAuthenticationProvider") AuthenticationProvider serviceUserAuthProvider) throws Exception {
auth.userDetailsService(devUserDetailService);
auth.authenticationProvider(serviceUserAuthProvider);
}
对于重用配置,我仍然没有找到一个好的解决方案。为所有常见配置创建一个抽象的“超级配置”,一旦用@Bean注释一个方法并创建多个WebSecurityConfigurerAdapter导致一个覆盖另一个,就会产生麻烦,所以如果有最佳实践,我仍然感兴趣适当的解决方案。我已经成功地做了我想做的事情,但它对我来说仍然感觉有点像黑客。对于任何绊倒类似问题的人,我希望这会有所帮助。
答案 1 :(得分:0)
在LocalWebSecurityConfigurationAdapter中声明bean:
@Bean(name="appAuthenticationManager")
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
并像其他bean一样注入其他组件:
public LoginController(@Qualifier("appAuthenticationManager") AuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
}