我原以为我的授权实现已经完成,但在尝试检索UserDetails对象时,我得到的只是用户名。
我正在使用oauth以及以下细节。
配置AuthenticationManager:
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
完成后,我可以调试到我的userDetailsService:
@Service
public class UserServiceImpl implements UserService, UserDetailsService {
@Override
public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
MyUser persistedUser = userRepository.findByEmail(email);
if (persistedUser == null) {
throw new UsernameNotFoundException(String.format("The email %s doesn't exist", email));
}
List<GrantedAuthority> authorities = new ArrayList<>();
MyUser inMemoryUser = new MyUser(persistedUser.getEmail(), null, persistedUser.getEnabled(), false,
false, false, authorities);
return inMemoryUser;
}
}
这很好,我的客户回来了JWT。但是在调试以后的控制器方法时发现了以下问题。
@GetMapping
public @ResponseBody Iterable<Curriculum> getMyCurriculums(@AuthenticationPrincipal MyUser injectedUser) {
Authentication auth = SecurityContextHolder.getContext().getAuthentication();
MyUser principle = (MyUser) auth.getPrincipal();
return curriculumService.findByUser(principle);
}
在这种情况下,injectUser = null,auth是OAuth2Authentication,原则是String - 用户名。它应该是MyUser
答案 0 :(得分:4)
您应该配置Spring Security以将jwt令牌解码为MyUser对象。
首先定义自定义OAuth2Authentication以封装MyUser。
public class OAuth2AuthenticationUser extends OAuth2Authentication {
private MyUser myUser;
public OAuth2AuthenticationUser(OAuth2Request storedRequest, Authentication userAuthentication) {
super(storedRequest, userAuthentication);
}
public MyUser getMyUser() {
return myUser;
}
public void setMyUser(MyUser) {
this.myUser= myUser;
}
}
然后在安全配置类中配置jwt令牌解码,如下所示:
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setSigningKey("SIGNING_KEY");
converter.setAccessTokenConverter(getAuthenticationAccessTokenConverter());
return converter;
}
private DefaultAccessTokenConverter getAuthenticationAccessTokenConverter() {
return new DefaultAccessTokenConverter() {
@Override
public OAuth2Authentication extractAuthentication(Map<String, ?> map) {
OAuth2Authentication authentication = (OAuth2Authentication) super.extractAuthentication(map);
OAuth2AuthenticationUser authenticationUser =
new OAuth2AuthenticationUser(authentication.getOAuth2Request(), authentication.getUserAuthentication());
MyUser myUser = new MyUser();
// Example properties
myUser.setId(map.get("id") != null ? Long.valueOf(map.get("id").toString()) : null);
myUser.setUsername(map.get("user_name") != null ? map.get("user_name").toString() : null);
myUser.setFullName(map.get("fullName") != null ? map.get("fullName").toString() : null);
myUser.setCustomerId(map.get("customerId") != null ? Long.valueOf(map.get("customerId").toString()) : null);
myUser.setCustomerName(map.get("customerName") != null ? map.get("customerName").toString() : null);
// More other properties
authenticationUser.setMyUser(myUser);
return authenticationUser;
}
};
}
然后您可以从Spring Security上下文访问MyUser对象,如下所示:
private static MyUser getMyUser() {
OAuth2AuthenticationUser authentication = (OAuth2AuthenticationUser) SecurityContextHolder.getContext().getAuthentication();
return (authentication != null && authentication.getMyUser() != null ? authentication.getMyUser() : new MyUser());
}
这非常适合无状态环境,因为用户详细信息的数据库访问被最小化,您只需要jwt令牌。