How to use Spring Security features with a multi-user database

Time: 2019-07-13 17:56:58

Tags: java database spring-boot spring-security

I have a database containing data for different users. For example, table record number 1 is an order of user A, record number 2 is an order of user B, record number 3 is again an order of user A, and so on.

I plan to use Spring Security for user authentication. Is it possible to use the Spring Security user information to somehow select the user's database records? Does Spring Security have some kind of user security context, and can the currently logged-in user's ID be used in SQL queries to fetch the user's data?

1 answer:

Answer 0: (score: 0)

You can get the username or user ID with the following methods and use it in your SQL:

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;

// Enclosing helper class; the original snippet did not show one, the name is chosen here.
public final class SecurityUtils {

    // Returned when no Authentication is present in the context at all. Spring's
    // anonymous filter itself uses the String principal "anonymousUser".
    private static final String ANONYMOUS_USER = "anonymousUser";

    private SecurityUtils() {
    }

    public static String getUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        if (auth != null) {
            Object principal = auth.getPrincipal();

            if (principal instanceof UserDetails) {
                return ((UserDetails) principal).getUsername();
            }

            // Anonymous or non-UserDetails principals (e.g. a plain String)
            return principal.toString();
        }

        return ANONYMOUS_USER;
    }

    // Returns the database id carried by the custom principal, or null when the
    // current principal is not a UserWithId (anonymous request, other auth type).
    public static Integer getId() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        if (auth != null) {
            Object principal = auth.getPrincipal();

            if (principal instanceof UserWithId) {
                return ((UserWithId) principal).getId();
            }
        }

        return null;
    }
}

The loadUserByUsername method of your UserDetailsServiceImpl class can return a custom user object that also contains the ID.

@Transactional(readOnly = true)
@Override
public UserDetails loadUserByUsername(String username) {
    if (username == null || username.trim().isEmpty()) {
        throw new UsernameNotFoundException("Empty username");
    }
    log.debug("Security verification for user '{}'", username);

    User account = userRepository.getByUsername(username);

    if (account == null) {
        log.info("User {} could not be found", username);
        throw new UsernameNotFoundException("user " + username + " could not be found");
    }

    Collection<GrantedAuthority> grantedAuthorities = toGrantedAuthorities(account.getRoleNames());
    String password = account.getPassword();
    boolean enabled = account.getIsEnabled();
    boolean accountNonExpired = true;
    boolean credentialsNonExpired = true;
    boolean accountNonLocked = true;
    return new UserWithId(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, grantedAuthorities, account.getId());
}

The UserWithId class looks like this:

import java.util.Collection;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;

// Spring's User plus the database id, so the id is available wherever the principal is.
public class UserWithId extends User {
    private static final long serialVersionUID = 1L;
    private Integer id;

    public UserWithId(String username, String password, boolean enabled, boolean accountNonExpired, boolean credentialsNonExpired, boolean accountNonLocked,
            Collection<? extends GrantedAuthority> authorities, Integer id) {
        super(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, authorities);
        this.id = id;
    }

    public Integer getId() {
        return id;
    }
}

If you want object-based authorization, you should consider using Spring Security ACL.
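A worked example of the second half of the question, using the logged-in user's id inside the SQL. This is an added example, not part of the original answer. It assumes the UserWithId principal from the answer above, an orders table with columns id, owner_id and total_cents (an assumed schema), and Spring's JdbcTemplate; OrderRecord, OrderRepository and OrderController are names chosen for this example.

```java
import java.util.List;
import java.util.Optional;

import org.springframework.http.HttpStatus;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.stereotype.Repository;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

// Assumed row type for the assumed table  orders(id, owner_id, total_cents).
final class OrderRecord {
    final long id;
    final int ownerId;
    final long totalCents;

    OrderRecord(long id, int ownerId, long totalCents) {
        this.id = id;
        this.ownerId = ownerId;
        this.totalCents = totalCents;
    }
}

@Repository
class OrderRepository {
    private static final RowMapper<OrderRecord> ROW = (rs, i) ->
            new OrderRecord(rs.getLong("id"), rs.getInt("owner_id"), rs.getLong("total_cents"));

    private final JdbcTemplate jdbc;

    OrderRepository(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    // Every query takes the owner id as an explicit argument, so a caller cannot
    // forget the filter, and the id is bound as a parameter, never concatenated.
    List<OrderRecord> findAllForOwner(int ownerId) {
        return jdbc.query(
                "SELECT id, owner_id, total_cents FROM orders WHERE owner_id = ?",
                ROW, ownerId);
    }

    // The ownership predicate sits in the same statement as the primary-key lookup:
    // a user who guesses another user's order id gets an empty result, not the row.
    Optional<OrderRecord> findForOwner(long orderId, int ownerId) {
        return jdbc.query(
                "SELECT id, owner_id, total_cents FROM orders WHERE id = ? AND owner_id = ?",
                ROW, orderId, ownerId).stream().findFirst();
    }
}

@RestController
class OrderController {
    private final OrderRepository orders;

    OrderController(OrderRepository orders) {
        this.orders = orders;
    }

    // @AuthenticationPrincipal injects Authentication.getPrincipal(), i.e. the
    // UserWithId built in loadUserByUsername. The id therefore comes from the
    // authenticated session, never from a request parameter the client controls.
    @GetMapping("/orders")
    List<OrderRecord> mine(@AuthenticationPrincipal UserWithId user) {
        return orders.findAllForOwner(user.getId());
    }

    // Answer 404 both when the order does not exist and when it belongs to someone
    // else, so the response does not reveal which order ids are in use.
    @GetMapping("/orders/{id}")
    OrderRecord one(@PathVariable long id, @AuthenticationPrincipal UserWithId user) {
        return orders.findForOwner(id, user.getId())
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
    }
}
```

These endpoints must be required to be authenticated in the HttpSecurity configuration; for an anonymous request the principal is Spring's "anonymousUser" String, so the UserWithId argument resolves to null. Outside a controller (services, scheduled jobs) the answer's getId() helper reading SecurityContextHolder gives the same id, and the repository methods above should still be the only way to reach the orders table so that no query path exists without the owner_id predicate.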