Spring swichUserFilter无需切换即可重定向到目标网址

时间:2019-06-24 10:44:33

标签: spring spring-boot spring-security jhipster switch-user

我需要为userA复制一些数据。 由于我不知道userA的密码,我想以adminUser身份登录并切换到userA并发布数据。与此相关,我有两个问题:-

问题1)我首先尝试使用此处How to impersonate user using SwitchUserFilter in Spring?

中的响应中给出的示例登录并切换 

    private final TokenProvider tokenProvider;
    protected UserDetailsService userDetailsService;//= (UserDetailsService) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    private final CorsFilter corsFilter;
    private final SecurityProblemSupport problemSupport;



    public SecurityConfiguration(UserDetailsService userDetailsService,TokenProvider tokenProvider, CorsFilter corsFilter, SecurityProblemSupport problemSupport) {
        this.tokenProvider = tokenProvider;
        this.corsFilter = corsFilter;
        this.userDetailsService = userDetailsService;
        this.problemSupport = problemSupport;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring()
            .antMatchers(HttpMethod.OPTIONS, "/**")
            .antMatchers("/swagger-ui/index.html")
            .antMatchers("/test/**");
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // @formatter:off
        http
            .csrf()
            .disable()
            .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
            .addFilterAfter(switchUserFilter(), FilterSecurityInterceptor.class)
            .exceptionHandling()
            .authenticationEntryPoint(problemSupport)
            .accessDeniedHandler(problemSupport)
        .and()
            .headers()
            .frameOptions()
            .disable()
        .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
        .and()
            .authorizeRequests()
            .antMatchers("/api/authenticate").permitAll()
            .antMatchers("/api/register").permitAll()
            .antMatchers("/api/activate").permitAll()
            .antMatchers("/api/account/reset-password/init").permitAll()
            .antMatchers("/api/account/reset-password/finish").permitAll()
            .antMatchers("/api/**").authenticated()
            .antMatchers("/management/health").permitAll()
            .antMatchers("/management/info").permitAll()
            .antMatchers("/management/prometheus").permitAll()
            .antMatchers("/management/**").hasAuthority(AuthoritiesConstants.ADMIN)
            .antMatchers("/login/switchUser").permitAll()
            .antMatchers("/login/impersonate").permitAll()
        .and()
            .apply(securityConfigurerAdapter());
        // @formatter:on
    }


    @Bean
    public SwitchUserFilter switchUserFilter() {

        SwitchUserFilter filter = new SwitchUserFilter();
            filter.setUserDetailsService(userDetailsService);
            filter.setSwitchUserUrl("/login/impersonate");
            filter.setSwitchFailureUrl("/login/switchUser");
            filter.setTargetUrl("/#/home");

        return filter;      
    }


    private JWTConfigurer securityConfigurerAdapter() {
        return new JWTConfigurer(tokenProvider);
    }
}

我尝试过的是,我以adminUser身份登录,并且尝试通过将URL更改为http://localhost:9000/login/impersonate?username=userA

来切换URL

现在,我的问题是我已成功重定向到主屏幕,但我的用户仍然是adminUser。 (我这样做的原因是,当我从邮递员打出get / post电话时,我得到的回应是浏览器已过时且需要启用javascript)

P.S。 :-我有一个jhipster开发的应用程序,因此默认情况下已经添加了大多数类。

P.P.S。 :-我知道我很蠢

问题2)正如我之前提到的,我需要复制数据并且需要以编程方式进行处理,我如何才能做到这一点? SwitchUserFilter可以调用剩余网址并向其传递一些自定义数据/值吗?

1 个答案:

答案 0 :(得分:1)

在UserJwTController中添加此自定义方法

@PostMapping("/authenticate-externalnodes")
    public ResponseEntity<JWTToken> authenticateExternalnodes(@Valid @RequestBody LoginVM loginVM) {
        // Get Roles for user via username
        Set<Authority> authorities = userService.getUserWithAuthoritiesByLogin(loginVM.getUsername()).get()
                .getAuthorities();
        // Create Granted Authority Rules
        Set<GrantedAuthority> grantedAuthorities = new HashSet<>();
        for (Authority authority : authorities) {
            grantedAuthorities.add(new SimpleGrantedAuthority(authority.getName()));
        }
        UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(
                loginVM.getUsername(), "", grantedAuthorities);
        Authentication authentication = authenticationToken;
        SecurityContextHolder.getContext().setAuthentication(authentication);
        boolean rememberMe = (loginVM.isRememberMe() == null) ? false : loginVM.isRememberMe();
        String jwt = tokenProvider.createToken(authentication, rememberMe);
        HttpHeaders httpHeaders = new HttpHeaders();
        httpHeaders.add(JWTFilter.AUTHORIZATION_HEADER, "Bearer " + jwt);
        return new ResponseEntity<>(new JWTToken(jwt), httpHeaders, HttpStatus.OK);
    }
相关问题
最新问题