
Authorization and Authentication with Spring Security

I have a web service that I have built on top of Spring. I am currently authenticating using Spring Security as follows:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

// Properties and AuthenticationFilter are the application's own classes (not shown here).

@Configuration
@EnableGlobalMethodSecurity(securedEnabled=true)
@EnableWebSecurity
public class ServerSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private Properties properties;

    private static final String ALL_URI = "/v1/**";
    private static final String HEALTH_URI = "/v1/healthCheck";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Custom filter runs before HTTP Basic; no session is created or used.
        http.addFilterBefore(getFilter(), BasicAuthenticationFilter.class);
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.authorizeRequests()
                .antMatchers(HEALTH_URI).permitAll()
                .anyRequest().authenticated();
        http.csrf().disable();
    }

    private AuthenticationFilter getFilter() {
        return new AuthenticationFilter(properties.getKey());
    }
}

My AuthenticationFilter class extends AbstractAuthenticationProcessingFilter and performs the actual authentication. If I want to add authorization to my security, would I just make those checks in the attemptAuthentication method as part of the AuthenticationFilter? Or is there a better way to do it? The way I understand it is that authorization and authentication should be done independently. You first authenticate, and then you verify the permissions. So, I would assume there would be a better approach to do authorization within Spring Security rather than just adding it to the attemptAuthentication method.

You need an AuthenticationProvider to do the authentication: implement AuthenticationProvider, override the authenticate and supports methods, and then inject it into the AuthenticationManager.

The attemptAuthentication method in the filter is usually used to obtain the authentication (e.g. UsernamePasswordFilter gets the username and password from the request, and then builds a UsernamePasswordAuthenticationToken for the AuthenticationManager).

The supports method tests whether the AuthenticationProvider can be used to do the authentication (e.g. DaoAuthenticationProvider supports UsernamePasswordAuthenticationToken).

The authenticate method is used to do the authentication (e.g. DaoAuthenticationProvider gets the real password by username and then compares it to the user input). This method should return an Authentication that is already authenticated (e.g. UsernamePasswordAuthenticationToken), and this authentication should contain the user's authorities (these can be used for hasRole('xxx')), or use details and so on.

After attemptAuthentication succeeds, the Authentication will be set into the SecurityContextHolder, and then you can use hasRole('xx') or something else.
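The split the answer describes, as an added example that is not code from the question or the answer: the filter's attemptAuthentication only extracts a credential and hands an unauthenticated token to the AuthenticationManager; the provider's supports/authenticate pair verifies it and returns an authenticated token carrying authorities; authorization is then expressed separately in the HttpSecurity rules with hasRole. The X-Api-Key header, the ROLE_SERVICE/ROLE_ADMIN names, the "api-client" principal and the sample key are assumptions; PreAuthenticatedAuthenticationToken is reused as the token type so no custom token class is needed.

```java
// Added example, not code from the question or the answer. Header name, roles,
// principal and the sample key are assumptions; the matcher mirrors the
// question's /v1/** and /v1/healthCheck paths.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;

/** attemptAuthentication builds an unauthenticated token and delegates to the AuthenticationManager. */
class ApiKeyAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    ApiKeyAuthenticationFilter() {
        // Every /v1 request except the public health check must present a key.
        super(new AndRequestMatcher(new AntPathRequestMatcher("/v1/**"),
                new NegatedRequestMatcher(new AntPathRequestMatcher("/v1/healthCheck"))));
    }
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
            throws AuthenticationException {
        String key = request.getHeader("X-Api-Key"); // assumed header name
        if (key == null) {
            throw new BadCredentialsException("Missing X-Api-Key header");
        }
        return getAuthenticationManager().authenticate(new PreAuthenticatedAuthenticationToken("api-client", key));
    }
    /** Stateless API: publish the result and continue the chain instead of redirecting. */
    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, Authentication authResult) throws IOException, ServletException {
        SecurityContextHolder.getContext().setAuthentication(authResult);
        chain.doFilter(request, response);
    }
}

/** supports() declares the token type handled; authenticate() verifies it and attaches authorities. */
class ApiKeyAuthenticationProvider implements AuthenticationProvider {
    private final byte[] expectedKey;
    ApiKeyAuthenticationProvider(String expectedKey) {
        this.expectedKey = expectedKey.getBytes(StandardCharsets.UTF_8);
    }
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        byte[] presented = authentication.getCredentials().toString().getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison so response timing does not reveal matching prefixes.
        if (!MessageDigest.isEqual(expectedKey, presented)) {
            throw new BadCredentialsException("Invalid API key");
        }
        List<GrantedAuthority> authorities = List.of(new SimpleGrantedAuthority("ROLE_SERVICE"));
        return new PreAuthenticatedAuthenticationToken(authentication.getPrincipal(), null, authorities);
    }
    @Override
    public boolean supports(Class<?> authentication) {
        return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

@Configuration
@EnableWebSecurity
class ApiKeySecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(new ApiKeyAuthenticationProvider("constructed-sample-key"));
    }
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ApiKeyAuthenticationFilter filter = new ApiKeyAuthenticationFilter();
        filter.setAuthenticationManager(authenticationManager());
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.addFilterBefore(filter, BasicAuthenticationFilter.class);
        // Authorization is a separate step, expressed against the authorities the provider assigned.
        http.authorizeRequests()
                .antMatchers("/v1/healthCheck").permitAll()
                .antMatchers("/v1/admin/**").hasRole("ADMIN")
                .anyRequest().hasRole("SERVICE");
        http.csrf().disable();
    }
}
```

A request without the header is rejected by the filter with 401 before any provider runs; a request with a valid key reaches the provider, which attaches ROLE_SERVICE, so it can call /v1/** but is denied on /v1/admin/** by the authorization rule rather than by anything inside attemptAuthentication. Because the filter also no longer redirects on success, it fits the STATELESS session policy from the question.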
