我正在使用带有HTTP Basic Auth的spring-security来保护java webapp。在我的webapp中,我需要获取当前用户的用户名和密码,以进一步针对其他服务进行身份验证。我可以获取用户名,但不能获取密码。
我已尝试使用SecurityContextHolder.getContext().getAuthentication()按照此处How can I get plaintext password from spring-security?的建议访问此信息,但密码将以null的形式返回。
如何获取密码?
感谢。
这是我的applicationContext-security.xml
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<sec:http authentication-manager-ref='authenticationManager'>
<sec:intercept-url pattern="/spring/**" access="ROLE_USER" />
<sec:http-basic />
</sec:http>
<bean id="basicAuthenticationFilter"
class="org.springframework.security.web.authentication.www.BasicAuthenticationFilter">
<property name="authenticationManager" ref="authenticationManager" />
<property name="authenticationEntryPoint" ref="authenticationEntryPoint" />
</bean>
<bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
<property name="realmName" value="Announcements Rest Realm" />
</bean>
<bean id="authenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<property name="providers">
<list>
<ref local="authProvider" />
</list>
</property>
</bean>
<bean id="authProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsService" />
</bean>
<bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
<constructor-arg>
<list>
<sec:filter-chain pattern="/spring/**" filters="basicAuthenticationFilter" />
</list>
</constructor-arg>
</bean>
<sec:user-service id="userDetailsService">
<sec:user name="admin" password="**" authorities="ROLE_USER, ROLE_ADMIN" />
<sec:user name="user" password="**" authorities="ROLE_USER" />
</sec:user-service>
答案 0 :(得分:24)
我已经明白了。
我已将身份验证管理器配置更改为使用authentication-manager元素并在其中添加了属性:
<sec:authentication-manager alias="authenticationManager" erase-credentials="false">
<sec:authentication-provider ref="authProvider" />
</sec:authentication-manager>
然后我可以在我的控制器类中使用SecurityContextHolder.getContext().getAuthentication().getCredentials()来获取密码。
感谢Piotrek De的帮助
答案 1 :(得分:0)
你是否记得我/ run as / switch用户?在这种情况下,密码为空(如您提到的主题中所述)。此外,您可能必须使用基本表单身份验证,(向j_spring_security_check发送请求)
答案 2 :(得分:0)
如果要设置当前用户的全部详细信息,包括会话对象中的密码,则可以从该会话对象中获取密码。
答案 3 :(得分:0)
更好的方法是实现'userDetailsService'。因此,您可以控制在进行身份验证时如何使用UserDetails。我实现了基于表单的身份验证并编写了我自定义的用户服务
@Service("userService")
public class UserServiceImpl extends GenericService<User> implements UserDetailsService,UserService{
@Override
@Transactional
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException {
// Declare a null Spring User
UserDetails userDetails = null;
// Search database for a user that matches the specified username
// You can provide a custom DAO to access your persistence layer
// Or use JDBC to access your database
// DbUser is our custom domain user. This is not the same as Spring's User
User dbUser=this.findUserByUserName(username);
if (dbUser == null) {
throw new UsernameNotFoundException("HiMVC Security:: Error in retrieving user(username=" + username + ")");
}
userDetails = new org.springframework.security.core.userdetails.User(
dbUser.getUserName(),
dbUser.getPassword(),//here you can put a clear text password
true,
true,
true,
true,
loadUserAuthorities(username));
return userDetails;
}