Authorization and Authentication with Spring Security
I have a web service that I have built on top of Spring. I am currently authenticating using Spring Security as follows:
```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true)
@EnableWebSecurity
public class ServerSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private Properties properties; // application's own properties holder (supplies the API key)

    private static final String ALL_URI = "/v1/**";
    private static final String HEALTH_URI = "/v1/healthCheck";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Run the custom filter before HTTP Basic; no session is kept between requests.
        http.addFilterBefore(getFilter(), BasicAuthenticationFilter.class);
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.authorizeRequests()
            .antMatchers(HEALTH_URI).permitAll()
            .anyRequest().authenticated();
        http.csrf().disable();
    }

    private AuthenticationFilter getFilter() {
        // AuthenticationFilter is the application's own AbstractAuthenticationProcessingFilter subclass
        return new AuthenticationFilter(properties.getKey());
    }
}
```
My `AuthenticationFilter` class extends `AbstractAuthenticationProcessingFilter` and performs the actual authentication. If I want to add authorization to my security, would I just make those checks in the `attemptAuthentication` method that is part of the `AuthenticationFilter`? Or is there a better way to do it? The way I understand it is that authorization and authentication should be done independently. You first authenticate, and then you verify the permissions. So, I would assume there is a better approach to doing authorization within Spring Security rather than just adding it to the `attemptAuthentication` method.
You need an `AuthenticationProvider` to do authentication: implement `AuthenticationProvider`, override the `authenticate` and `supports` methods, and then inject it into the `AuthenticationManager`.

The `attemptAuthentication` method in the filter is usually there to get the authentication (e.g. `UsernamePasswordAuthenticationFilter` gets the `username` and `password` from the request and then builds a `UsernamePasswordAuthenticationToken` for the `AuthenticationManager`).

The `supports` method tests whether the `AuthenticationProvider` can be used to do the authentication (e.g. `DaoAuthenticationProvider` supports `UsernamePasswordAuthenticationToken`).

The `authenticate` method is used to do the authentication (e.g. `DaoAuthenticationProvider` gets the real password by username and then compares it to the user input). This method should return an `Authentication` that is already authenticated (e.g. `UsernamePasswordAuthenticationToken`), and this authentication should contain the user's authorities (these can be used by `hasRole('xxx')`), or details and so on.

After `attemptAuthentication` succeeds, the `Authentication` will be set into the `SecurityContextHolder`, and then you can use `hasRole('xx')` or something else.
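Putting the answer's pieces together for the API-key scheme in the question, as an added example that is not part of the original question or answer: the filter only extracts credentials and builds an unauthenticated token, the provider verifies the key and returns an authenticated token carrying the client's authorities, and authorization is then expressed with `hasRole` in the `HttpSecurity` configuration rather than inside `attemptAuthentication`. The class names, the `X-Client-Id` and `X-Api-Key` headers, and the sample keys and roles are assumptions; the APIs are the Spring Security 5.x ones the question already uses (`WebSecurityConfigurerAdapter`).

```java
// Added example, not the asker's or answerer's code. Class names, the header names
// X-Client-Id and X-Api-Key, and the sample keys and roles below are all assumptions.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.*;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.*;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.util.matcher.*;

// Authentication only: verifies the key and attaches the authorities that authorization uses later.
class ApiKeyAuthenticationProvider implements AuthenticationProvider {
    // Constructed sample store (client id -> key, client id -> roles); a real service loads these from config or a DB.
    private final Map<String, String> keys = Map.of("monitor", "mon-key-123", "ops", "ops-key-456");
    private final Map<String, List<GrantedAuthority>> roles = Map.of(
        "monitor", List.of(new SimpleGrantedAuthority("ROLE_READ")),
        "ops", List.of(new SimpleGrantedAuthority("ROLE_READ"), new SimpleGrantedAuthority("ROLE_ADMIN")));

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String clientId = authentication.getName();
        byte[] presented = String.valueOf(authentication.getCredentials()).getBytes(StandardCharsets.UTF_8);
        String expected = keys.get(clientId);
        // Constant-time comparison so response timing does not reveal how many leading bytes matched.
        if (expected == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), presented)) {
            throw new BadCredentialsException("Invalid API key");
        }
        // The three-argument constructor marks the token authenticated; the secret is dropped, roles attached.
        return new UsernamePasswordAuthenticationToken(clientId, null, roles.get(clientId));
    }
}

// The filter only extracts credentials and delegates; it makes no authorization decision.
class ApiKeyAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
    ApiKeyAuthenticationFilter(AuthenticationManager manager) {
        // Exclude the permitAll health check, or this filter would reject it before authorizeRequests() is consulted.
        super(new AndRequestMatcher(new AntPathRequestMatcher("/v1/**"),
                new NegatedRequestMatcher(new AntPathRequestMatcher("/v1/healthCheck"))));
        setAuthenticationManager(manager);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) {
        String clientId = request.getHeader("X-Client-Id");
        String apiKey = request.getHeader("X-Api-Key");
        if (clientId == null || apiKey == null) {
            throw new BadCredentialsException("Missing API key headers");
        }
        return getAuthenticationManager().authenticate(new UsernamePasswordAuthenticationToken(clientId, apiKey));
    }

    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain, Authentication result) throws IOException, ServletException {
        SecurityContextHolder.getContext().setAuthentication(result);
        chain.doFilter(request, response); // stateless API: continue the chain instead of redirecting to a success URL
    }
}

@Configuration
@EnableWebSecurity
class ApiSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(new ApiKeyAuthenticationProvider()); // the provider is injected into the AuthenticationManager
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.csrf().disable();
        http.addFilterBefore(new ApiKeyAuthenticationFilter(authenticationManager()), BasicAuthenticationFilter.class);
        http.authorizeRequests() // authorization, decided from the authorities the provider attached
            .antMatchers("/v1/healthCheck").permitAll()
            .antMatchers("/v1/admin/**").hasRole("ADMIN") // hasRole adds the ROLE_ prefix itself
            .anyRequest().authenticated();
    }
}
```

With this split, a request to `/v1/admin/...` carrying the `ops` key is served, the same request with the `monitor` key authenticates but is rejected with 403 by the authorization layer, and a missing or wrong key is rejected with 401 by the filter's default failure handler before any authorization runs. Because `securedEnabled = true` is already on in the question's configuration, the same authorities also drive `@Secured("ROLE_ADMIN")` on service methods, so neither kind of check has to live in `attemptAuthentication`.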