
Spring security authentication server

I am working on the authentication service part of a cloud application and created the following security configuration class.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class JwtSecurityConfig extends WebSecurityConfigurerAdapter {
    private final PasswordEncoder encoder;
    private final UserService userService;   // application class implementing UserDetailsService
    private final JwtConstant jwtConstant;   // application class holding the JWT settings

    @Autowired
    public JwtSecurityConfig(PasswordEncoder encoder, UserService userService, JwtConstant jwtConstant) {
        this.encoder = encoder;
        this.userService = userService;
        this.jwtConstant = jwtConstant;
    }

    // Username/password check: loads the user and compares the stored hash with the encoder
    @Bean
    public DaoAuthenticationProvider getAuthenticationProvider() {
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        authenticationProvider.setPasswordEncoder(encoder);
        authenticationProvider.setUserDetailsService(userService);
        return authenticationProvider;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        auth.authenticationProvider(getAuthenticationProvider());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()                                   // no session cookie, so CSRF does not apply
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                // addFilter() only accepts a filter that is (a subclass of) one of the standard
                // Spring Security filters; anything else fails at startup with IllegalArgumentException
                .addFilter(getAuthenticationFilter())
                .authorizeRequests()
                .antMatchers(HttpMethod.PUT, "/signup").permitAll()
                .anyRequest()
                .authenticated();                                   // every other URL needs authentication
    }

    // Application filter (not shown here) that handles the login request and issues the JWT
    private AuthenticationFilter getAuthenticationFilter() throws Exception {
        return new AuthenticationFilter(authenticationManager(), jwtConstant);
    }
}

I am not sure about the chained methods in the configure(HttpSecurity http) method. The authentication service will only receive "login" and "signup" requests.

  • Should I remove the authorizeRequests() method, since I am not authorizing anything?
  • If I do need it, I am also unsure about the anyRequest().authenticated() part.
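Added example, not part of the question or of the answer below: the configure(HttpSecurity) chain from the question rewritten as a SecurityFilterChain bean, the form Spring Security 6 / Spring Boot 3 requires now that WebSecurityConfigurerAdapter is gone. The point of keeping anyRequest().authenticated() is default deny: in the adapter-based chain of the question, a request that matches none of the antMatchers rules is passed through by FilterSecurityInterceptor without any authentication (rejectPublicInvocations is false by default), so deleting that line leaves every URL other than PUT /signup open; Spring Security 6 denies unmatched requests on its own, but the explicit rule still documents the intent. The package name, the POST /login path, and a JwtFilter bean that validates the Bearer token are assumptions for the example.

```java
package com.example.auth; // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class JwtSecurityConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(10); // work factor 10; raise as hardware allows
    }

    // Explicit provider as in the question. With Spring Boot, the UserDetailsService and
    // PasswordEncoder beans alone would already produce an equivalent DaoAuthenticationProvider.
    @Bean
    public DaoAuthenticationProvider authenticationProvider(UserDetailsService userService,
                                                            PasswordEncoder encoder) {
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(userService);
        provider.setPasswordEncoder(encoder);
        return provider;
    }

    // Exposed so the login controller can call authenticate() before issuing a token
    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration config) throws Exception {
        return config.getAuthenticationManager();
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http, JwtFilter jwtFilter) throws Exception {
        http
            // Disabling CSRF is acceptable only because no cookie-backed session is ever created
            .csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                // Only the two public entry points, each pinned to its HTTP method
                .requestMatchers(HttpMethod.PUT, "/signup").permitAll()
                .requestMatchers(HttpMethod.POST, "/login").permitAll() // assumed login path
                // Default deny: anything not listed above (actuator, future endpoints) needs a valid token
                .anyRequest().authenticated())
            // Runs on every request, reads "Authorization: Bearer <jwt>" and populates the SecurityContext
            .addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}
```

A quick check that the default-deny rule is in place: an unauthenticated GET to any path not listed (for example /actuator/health, if the actuator is on the classpath) must return 401, not 200; if it returns 200, the anyRequest() rule is missing or a broader permitAll() matcher precedes it.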

There are a few things to change, but first you must define a method that will provide a JWT for each request, and each request should supply an AuthRequest object containing the username and password:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class WelcomeController {
    @Autowired
    private JwtUtil jwtUtil;                              // application class that signs the token
    @Autowired
    private AuthenticationManager authenticationManager;  // exposed as a bean in SecurityConfig below

    // AuthRequest is a plain DTO with userName and password fields
    @PostMapping("/signup")
    public String generateToken(@RequestBody AuthRequest authRequest) throws Exception {
        try {
            // Delegates to DaoAuthenticationProvider: loads the user and checks the BCrypt hash
            authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(authRequest.getUserName(), authRequest.getPassword())
            );
        } catch (AuthenticationException ex) {
            // One generic message for unknown user and wrong password, so usernames cannot be enumerated
            throw new Exception("invalid username/password");
        }
        return jwtUtil.generateToken(authRequest.getUserName());
    }
}

In the UserDetailsService you can authenticate as follows:

import java.util.ArrayList;
import java.util.Objects;
import java.util.Optional;

import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service
public class UserDetailsService implements org.springframework.security.core.userdetails.UserDetailsService {
    private final UserRepository userRepository;

    // Constructor injection: a final field cannot be populated by field-level @Autowired
    public UserDetailsService(UserRepository userRepository) {
        this.userRepository = userRepository;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {

        System.out.println("tried to login : " + username);
        if (!Objects.isNull(username) && !"".equals(username)) {

            Optional<User> user = userRepository.findUserByUserName(username);

            // Only unwrap after the presence check; user.get() on an empty Optional throws,
            // and printing the entity would also write the password hash to the log
            if (user.isPresent()) {

                User userParam = user.get();
                // The stored password must already be the BCrypt hash; DaoAuthenticationProvider compares it
                return new org.springframework.security.core.userdetails.User(userParam.getUserName(),
                        userParam.getPassword(), new ArrayList<>());
            }
        }
        throw new UsernameNotFoundException("user does not exist or is empty !!");
    }
}

On the configuration side:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.BeanIds;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private final UserDetailsService userDetailsService;
    private final JwtFilter jwtFilter;   // reads the Bearer token on each request (class not shown here)

    // Constructor injection instead of @Autowired on final fields
    public SecurityConfig(UserDetailsService userDetailsService, JwtFilter jwtFilter) {
        this.userDetailsService = userDetailsService;
        this.jwtFilter = jwtFilter;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(10);   // BCrypt with work factor 10
    }

    // Exposes the AuthenticationManager so WelcomeController can inject it
    @Bean(name = BeanIds.AUTHENTICATION_MANAGER)
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()                                    // stateless API, no session cookie
                .authorizeRequests().antMatchers("/signup").permitAll()
                .anyRequest().authenticated()                    // default deny for everything else
                .and().exceptionHandling().and()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        // Token check runs before the form-login filter would
        http.addFilterBefore(jwtFilter, UsernamePasswordAuthenticationFilter.class);
    }
}

For more information, you can follow my GitHub branch Authnticaition example
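Added example, not taken from the answer or from its GitHub branch: one possible JwtUtil and JwtFilter matching the names the answer's WelcomeController and SecurityConfig inject. It uses jjwt 0.11.x (io.jsonwebtoken) and the Jakarta servlet API of Spring Boot 3; the jwt.secret property, the 15-minute token lifetime, and the package name are assumptions. The filter re-loads the user on every request, so a deleted or disabled account is refused even while its token is still within its lifetime, and on a bad or expired token it simply continues the chain unauthenticated so that the anyRequest().authenticated() rule produces the 401 instead of the filter writing its own response. The two classes are shown together but belong in separate source files.

```java
package com.example.auth; // hypothetical package

// ---- JwtUtil.java ----
import java.nio.charset.StandardCharsets;
import java.util.Date;
import javax.crypto.SecretKey;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.Keys;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;

@Component
public class JwtUtil {
    private static final long TTL_MILLIS = 15 * 60 * 1000L; // assumed lifetime: 15 minutes
    private final SecretKey key;

    // jwt.secret (assumed property) must be at least 32 bytes for HS256; hmacShaKeyFor rejects shorter keys
    public JwtUtil(@Value("${jwt.secret}") String secret) {
        this.key = Keys.hmacShaKeyFor(secret.getBytes(StandardCharsets.UTF_8));
    }

    public String generateToken(String username) {
        Date now = new Date();
        return Jwts.builder()
                .setSubject(username)
                .setIssuedAt(now)
                .setExpiration(new Date(now.getTime() + TTL_MILLIS))
                .signWith(key)           // algorithm derived from the key type (HS256 here)
                .compact();
    }

    /** Returns the subject of a token whose signature and expiry check out, otherwise null. */
    public String validateAndGetSubject(String token) {
        try {
            Claims claims = Jwts.parserBuilder()
                    .setSigningKey(key)  // parser is bound to this key, so alg=none or other algs are rejected
                    .build()
                    .parseClaimsJws(token)
                    .getBody();
            return claims.getSubject();
        } catch (JwtException | IllegalArgumentException e) {
            return null;             // malformed, tampered, or expired
        }
    }
}

// ---- JwtFilter.java ----
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
public class JwtFilter extends OncePerRequestFilter {
    private final JwtUtil jwtUtil;
    private final UserDetailsService userDetailsService;

    public JwtFilter(JwtUtil jwtUtil, UserDetailsService userDetailsService) {
        this.jwtUtil = jwtUtil;
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header != null && header.startsWith("Bearer ")
                && SecurityContextHolder.getContext().getAuthentication() == null) {
            String subject = jwtUtil.validateAndGetSubject(header.substring("Bearer ".length()));
            if (subject != null) {
                try {
                    // Re-load the account so revocation (deleted/disabled user) takes effect immediately
                    UserDetails user = userDetailsService.loadUserByUsername(subject);
                    if (user.isEnabled()) {
                        UsernamePasswordAuthenticationToken auth =
                                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
                        auth.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                        SecurityContextHolder.getContext().setAuthentication(auth);
                    }
                } catch (UsernameNotFoundException ignored) {
                    // leave the context empty; the authorization rules will answer 401
                }
            }
        }
        chain.doFilter(request, response);
    }
}
```

Because the filter never calls the AuthenticationManager, the BCrypt check happens only once, at login; every later request costs one signature verification and one user lookup.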

Statement: technical posts on this site are licensed under CC BY-SA 4.0; when reposting, please cite this site or the original source.