我将Spring Security添加到Spring Boot应用程序中,但之后,身份验证过程服务器在下一个请求中无法识别相同的用户。我使用Angular 5作为UI,也许可能要求在UI端的这个问题不包括cookie。请帮助我,请理解为什么Spring Security无法识别已登录的用户。
在网络配置中:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/rest/user/login").permitAll();
http.csrf().disable()
.authenticationProvider(authenticationProvider())
.exceptionHandling()
.authenticationEntryPoint(unauthorizedHandler)
.and()
.formLogin()
.permitAll()
.loginProcessingUrl("/rest/user/login")
.usernameParameter("username")
.passwordParameter("password")
.successHandler(logInSuccessHandler)
.failureHandler(authFailureHandler)
.and()
.logout().permitAll()
.logoutRequestMatcher(new AntPathRequestMatcher("/rest/user/logout", "POST"))
.logoutSuccessHandler(logoutHandler)
.and()
.sessionManagement()
.maximumSessions(1);
http.authorizeRequests().anyRequest().authenticated();
}
会话管理器已激活.sessionManagement().maximumSessions(1);
身份验证完成成功,我的UserDetailsService实现通过登录名和密码正确返回User个对象。但是下一次请求这个控制器:
@GetMapping("/rest/list")
public RestList list() {
...
}
重定向到:
@Component
public class UnauthorizedHandler implements AuthenticationEntryPoint {
@Override
public void commence(
HttpServletRequest request,
HttpServletResponse response,
AuthenticationException authException) throws IOException {
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
}
}
我已登录检查器:
@Component
public class LoggedInChecker {
public User getLoggedInUser() {
User user = null;
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication != null) {
Object principal = authentication.getPrincipal();
// principal can be "anonymousUser" (String)
if (principal instanceof UserDetailsImpl) {
UserDetailsImpl userDetails = (UserDetailsImpl) principal;
user = userDetails.getUser();
}
}
return user;
}
}
我在UserService
@Service
public class UserServiceImpl implements UserService {
@Autowired
private UserRepository userRepository;
@Autowired
private LoggedInChecker loggedInChecker;
@Override
public User getUserByUsername(String username) {
return userRepository.findByUsername(username);
}
@Override
public List<String> getPermissions(String username) {
User user = userRepository.findByUsername(username);
return nonNull(user) ? user.getRoles().stream().map(Role::getRole).collect(toList()) : Lists.newArrayList();
}
@Override
public User getCurrentUser() {
return loggedInChecker.getLoggedInUser();
}
@Override
public Boolean isCurrentUserLoggedIn() {
// This place must call but nothing happening
return nonNull(loggedInChecker.getLoggedInUser());
}
}
我认为Spring会自动调用我的UserSevice进行检查授权。但是如何指定HttpSecurity以获取有关会话的保存信息?
在Angular方面,我使用HttpClient:
@Injectable()
export class CoreApi {
private baseUrl = 'http://localhost:8080/rest/';
constructor(public http: HttpClient) {
}
public get(url: string = ''): Observable<any> {
return this.http.get(this.getUrl(url));
}
}
也许您知道如何指定Spring Security以LoggedInChecker或其他方式检查auth,请告诉我。谢谢!