Spring Security CustomUserDetails未对

时间:2018-03-15 15:52:07

标签: java spring-boot spring-security

我在 Spring Boot 应用中使用 Spring Security。我的应用程序使用内存中身份验证时可以正常工作。但是,当从数据库加载用户时,它不会进行身份验证,而是返回 403 访问被拒绝错误代码。UserDetailsService 能够从数据库中获取用户信息,但我不知道它出错的地方。我是 Spring 的新手。

这是我与安全相关的完整代码

User.java

import java.util.Set;

import javax.persistence.CascadeType;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.FetchType;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.JoinColumn;
import javax.persistence.ManyToMany;
import javax.persistence.Table;
import javax.validation.constraints.NotNull;

import lombok.Data;

@Entity
@Table(name = "user")
@Data
public class User {
    // NOTE(review): Lombok @Data generates toString()/equals()/hashCode() over every field,
    // so toString() prints the stored password value and equals()/hashCode() change whenever
    // userRoles changes. Exclude password from toString and base equals/hashCode on the
    // identifier only before this entity is logged or placed in a Set.

    @Id
    @NotNull
    @GeneratedValue(strategy = GenerationType.AUTO)
    private Long userId;

    /** Login name; unique in the table and the key used by UserRepository.findByUsername. */
    @Column(name = "USERNAME", unique = true)
    @NotNull
    private String username;

    /** Expected to hold the BCrypt hash produced by UserService before save, never clear text. */
    @Column(name = "PASSWORD")
    @NotNull
    private String password;

    @Column(name = "DISPLAY_NAME")
    private String displayName;

    // NOTE(review): @JoinColumn is a single-column mapping; a @ManyToMany join table is normally
    // configured with @JoinTable — confirm which table/columns are actually generated.
    // CascadeType.ALL also cascades remove, so deleting a User can attempt to delete shared Role rows.
    @ManyToMany(fetch = FetchType.EAGER, cascade = CascadeType.ALL)
    @JoinColumn(name = "id")
    private Set<Role> userRoles;

    private String profilePicturePath;

}

Role.java

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;

import lombok.Data;

@Entity
@Table(name = "roles")
@Data
public class Role {

    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    private long id;

    /**
     * Authority string handed unchanged to SimpleGrantedAuthority by
     * CustomUserDetails.getAuthorities(). SecurityConfig checks hasRole("admin") etc.,
     * which match the authority "ROLE_admin", so the stored value needs the ROLE_ prefix
     * (this is the fix given in the second answer on this page).
     */
    private String role;

}

UserRepository.java

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Repository;

import com.cloudsofts.cloudschool.people.users.pojos.User;

@Repository("userRepository")
public interface UserRepository extends JpaRepository<User, Long> {

    /**
     * Derived query on the unique USERNAME column.
     *
     * @param username login name to look up
     * @return the matching user, or null when no row matches (CustomUserDetailsService relies on the null)
     */
    User findByUsername(String username);
}

RoleRepository.java

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Repository;

import com.cloudsofts.cloudschool.people.users.pojos.Role;

/** Plain CRUD repository for {@link Role}; no custom queries are declared. */
@Repository
public interface RoleRepository extends JpaRepository<Role, Long> {

}

UserService.java

import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

import com.cloudsofts.cloudschool.people.users.pojos.User;
import com.cloudsofts.cloudschool.people.users.repositories.UserRepository;

@Service
public class UserService {

    @Autowired
    UserRepository userRep;

    @Autowired
    private PasswordEncoder passwordEncoder;

    /** Returns every persisted user. */
    public List<User> getAllUsers() {
        return userRep.findAll();
    }

    /** Hashes the password carried by {@code user} and persists the entity. */
    public void addUser(User user) {
        hashPasswordAndSave(user);
    }

    /**
     * Hashes the password carried by {@code user} and persists the entity.
     * NOTE(review): this re-encodes whatever is in user.getPassword(); if a caller passes an
     * already-hashed value back, it is hashed a second time and the login stops verifying.
     */
    public void updateUser(User user) {
        hashPasswordAndSave(user);
    }

    /** Deletes the user with the given primary key. */
    public void deleteUser(Long id) {
        userRep.delete(id);
    }

    /** Loads one user by primary key via the repository's findOne(). */
    public User getUser(Long id) {
        return userRep.findOne(id);
    }

    // Shared by add/update: replace the clear-text password with its encoded form, then save.
    private void hashPasswordAndSave(User user) {
        final String encoded = passwordEncoder.encode(user.getPassword());
        user.setPassword(encoded);
        userRep.save(user);
    }

}

RoleService.java

import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

import com.cloudsofts.cloudschool.people.users.pojos.Role;
import com.cloudsofts.cloudschool.people.users.repositories.RoleRepository;

@Service
public class RoleService {

    @Autowired
    RoleRepository userRoleRep;

    /** Returns every role row. */
    public List<Role> getAllUserRoles() {
        return userRoleRep.findAll();
    }

    /** Loads one role by primary key via the repository's findOne(). */
    public Role getUserRole(Long id) {
        return userRoleRep.findOne(id);
    }

    /** Persists a new role. */
    public void addUserRole(Role role) {
        persist(role);
    }

    /** Persists changes to a role; same repository call as {@link #addUserRole(Role)}. */
    public void updateUserRole(Role role) {
        persist(role);
    }

    /** Deletes the role with the given primary key. */
    public void deleteUserRole(Long id) {
        userRoleRep.delete(id);
    }

    private void persist(Role role) {
        userRoleRep.save(role);
    }

}

CustomUserDetails.java

import java.util.Collection;
import java.util.HashSet;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

import lombok.Data;

/**
 * Adapts the JPA {@link User} entity to Spring Security's {@link UserDetails}.
 * NOTE(review): @Data derives toString()/equals()/hashCode() from the wrapped user, so
 * toString() exposes the stored password value; exclude it before this object is logged.
 * Account-state flags are hard-coded to "active" — the entity carries no such columns.
 */
@Data
public class CustomUserDetails implements UserDetails {

    private static final long serialVersionUID = 1L;

    private User user;

    public CustomUserDetails(final User user) {
        this.user = user;
    }

    public CustomUserDetails() {
    }

    /**
     * One {@link SimpleGrantedAuthority} per role string, taken verbatim from Role.getRole().
     * Empty when no user is attached or the user has no roles.
     */
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        final Set<GrantedAuthority> granted = new HashSet<GrantedAuthority>();
        final Set<Role> roles = (user == null) ? null : user.getUserRoles();
        if (roles == null) {
            return granted;
        }
        for (final Role role : roles) {
            granted.add(new SimpleGrantedAuthority(role.getRole()));
        }
        return granted;
    }

    /** Stored password value of the wrapped user (NPE when constructed with no user). */
    @Override
    public String getPassword() {
        return user.getPassword();
    }

    /** Login name of the wrapped user (NPE when constructed with no user). */
    @Override
    public String getUsername() {
        return user.getUsername();
    }

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }

}

CustomUserDetailsService.java

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

import com.cloudsofts.cloudschool.people.users.pojos.CustomUserDetails;
import com.cloudsofts.cloudschool.people.users.pojos.Role;
import com.cloudsofts.cloudschool.people.users.pojos.User;
import com.cloudsofts.cloudschool.people.users.repositories.UserRepository;

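@Service("userDetailsService")
public class CustomUserDetailsService implements UserDetailsService {

    @Autowired
    UserRepository userRepository;

    /**
     * Looks the user up by login name and wraps it for Spring Security.
     *
     * @param username login name presented by the client
     * @return the user wrapped as {@link CustomUserDetails}
     * @throws UsernameNotFoundException when the repository returns no row for the name
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userRepository.findByUsername(username);
        if (user == null) {
            throw new UsernameNotFoundException(username);
        }

        // Diagnostic output kept from the original; the stored password value is no longer
        // printed — credentials, hashed or not, must not end up on stdout or in log files.
        System.out.println("______________________________________________________________");
        System.out.println("username: " + user.getUsername());
        System.out.println("Roles: ");
        // Guard the loop: a user with no role mapping may come back with a null collection.
        if (user.getUserRoles() != null) {
            for (Role role : user.getUserRoles()) {
                System.out.println(role.getRole());
            }
        }
        System.out.println("______________________________________________________________");

        return new CustomUserDetails(user);
    }

}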

SecurityConfig.java

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

import com.cloudsofts.cloudschool.security.CustomUserDetailsService;

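@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Qualifier("userDetailsService")
    @Autowired
    CustomUserDetailsService userDetailsService;

    /**
     * Registers the database-backed {@link CustomUserDetailsService} with the BCrypt encoder.
     * The original caught and printed any failure here, which would have let the application
     * start without an authentication provider; a failure is now rethrown so start-up aborts.
     * The former SecurityContextHolder lookup was dropped: no request is being authenticated
     * while the AuthenticationManager is built, so getAuthentication() is null at that point
     * and only produced a NullPointerException that the catch block printed as "null".
     *
     * @param auth builder supplied by Spring Security
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        try {
            auth.userDetailsService(this.userDetailsService).passwordEncoder(passwordEncoder());
        } catch (Exception e) {
            // Keep the original signature (no checked exception) but never hide the cause.
            throw new IllegalStateException("Could not register the user details service", e);
        }
    }

    /** Encoder used both when UserService stores a password and when a login is checked. */
    @Bean(name = "passwordEncoder")
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF is disabled, presumably because the API is consumed with HTTP Basic rather than
        // a browser session; re-enable it if form login / cookie-based sessions are added.
        http.csrf().disable();

        // hasRole("x") matches the authority "ROLE_x", so the Role.role values loaded from the
        // database must carry the ROLE_ prefix — without it every matched request is 403.
        http.authorizeRequests()
            .antMatchers("/student/**").hasAnyRole("student", "admin")
            .antMatchers("/api/admin/**").hasRole("admin")
            .antMatchers("/library/**").hasAnyRole("librarian", "admin");
        // NOTE(review): there is no anyRequest() rule, so paths outside the three matchers
        // above are served without authentication; add .anyRequest().authenticated() if that
        // is not intended.
        http.httpBasic();
    }

}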

截图

Postman Screenshot

Browser Screenshot

Users in the db

Roles in the db

User-Role mapping

Console output after giving the credentials

2 个答案:

答案 0 :(得分:-1)

您似乎使用 BCryptPasswordEncoder 来对密码进行编码和校验,但"用户"表的截图显示密码是以纯文本存储的。请检查保存或更新用户的位置是否确实对密码进行了编码,以及密码编码器 bean 的类型是否为 BCryptPasswordEncoder。

答案 1 :(得分:-1)

我解决了问题。

我必须为角色名添加 ROLE_ 前缀。

现在一切正常