Spring Boot：将请求范围的，延迟初始化的自定义User对象注入控制器

Question

I'm building a Spring Boot application to provide a stateless REST API. For security, we're using OAuth 2. My app receives a bearer-only token.

The user's information is stored in our database. I can look it up using the injected Principal in the controller:

@RequestMapping(...)
public void endpoint(Principal p) {
  MyUser user = this.myUserRepository.findById(p.getName());
  ...
}

To avoid this extra line of boilerplate, I would like to be able to inject the MyUser object directly into my controller method. How can I achieve this? (The best I've come up with so far is to create a Lazy, Request-scoped @Bean...but I haven't been able to get it working...)

Answer 1

The Idiomatic Way

The idiomatic way in Spring Security is to use a UserDetailsService or implement your own :

public class MyUserDetailsService implements UserDetailsService {
    @Autowired
    MyUserRepository myUserRepository;

    public UserDetails loadUserByUsername(String username) {
        return this.myUserRepository.findById(username);
    }
}

And then there are several spots in the Spring Security DSL where this can be deposited, depending on your needs.

Once integrated with the authentication method you are using (in this case OAuth 2.0), then you'd be able to do:

public void endpoint(@AuthenticationPrincipal MyUser myuser) {

}

The Quick, but Less-Flexible Way

It's generally better to do this at authentication time (when the Principal is being ascertained) instead of at method-resolution time (using an argument resolver) as it makes it possible to use it in more authentication scenarios.

That said, you could also use the @AuthenticationPrincipal argument resolver with any bean that you have registered, eg

public void endpoint(
    @AuthenticationPrincipal(expression="@myBean.convert(#this)") MyUser user) 
{

}

...

@Bean
public Converter<Principal, MyUser> myBean() {
    return principal -> this.myUserRepository.findById(p.getName())
}

The tradeoff is that this conversion will be performed each time this method is invoked. Since your app is stateless, this might not be an issue (since the lookup needs to be performed on each request anyway), but it would mean that this controller could likely not be reused in other application profiles.

Answer 2

You can achieve this by implementing HandlerMethodArgumentResolver. For example:

Custom annotation:

@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.PARAMETER)
public @interface Version {
}

Implementation:

public class HeaderVersionArgumentResolver implements HandlerMethodArgumentResolver {

@Override
public boolean supportsParameter(MethodParameter methodParameter) {
    return methodParameter.getParameterAnnotation(Version.class) != null;
}

@Override
public Object resolveArgument(
  MethodParameter methodParameter, 
  ModelAndViewContainer modelAndViewContainer, 
  NativeWebRequest nativeWebRequest, 
  WebDataBinderFactory webDataBinderFactory) throws Exception {

    HttpServletRequest request 
      = (HttpServletRequest) nativeWebRequest.getNativeRequest();

    return request.getHeader("Version");
}
}

When you implement this you should add this as argument resolver:

@Configuration
public class WebConfig implements WebMvcConfigurer {

@Override
public void addArgumentResolvers(
  List<HandlerMethodArgumentResolver> argumentResolvers) {
    argumentResolvers.add(new HeaderVersionArgumentResolver());
}
}

Now we can use it as argument

public ResponseEntity findByVersion(@PathVariable Long id, @Version String version)