添加自定義過濾器在Spring Security認證過程

Question

現在，我的身份驗證已使用用戶名和密碼完成。 我想再添加一個步驟，以便它檢查用戶是否被激活。 我有一個用戶表，如果用戶已激活帳戶，該表將保存值。

我有我的SecurityConfig.java

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {

        // This somehow works but only if the account is not validated
        // auth.authenticationProvider(new UserActivatedAuthenticationProvider(userService));

        auth.userDetailsService(userDetailsService).passwordEncoder(new ShaPasswordEncoder(encodingStrength));

}

和UserActivatedAuthenticationProvider.java

@Component
public class UserActivatedAuthenticationProvider implements AuthenticationProvider {

private final UserService userService;

@Autowired public UserActivatedAuthenticationProvider(UserService userService) {
    this.userService = userService;
}

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {

    String name = authentication.getName();
    User user = userService.findByEmail(name);

    if (user != null) {
        if (!user.isActivated()) {
            throw new BadCredentialsException(name + " email is not activated.");
        }
    }

    Object credentials = authentication.getCredentials();

    if (!(credentials instanceof String)) {
        return null;
    }

    String password = credentials.toString();
    Authentication auth = new UsernamePasswordAuthenticationToken(name, password);

    return auth;
}

@Override
public boolean supports(Class<?> authentication) {
    return authentication.equals(UsernamePasswordAuthenticationToken.class);
}

}

我只想在激活帳戶后才繼續進行身份驗證。 由於無法獲取用戶名，因此無法在AuthenticationManagerBuilder使用userService 。 我正在將該項目用作種子。 簡而言之...我還想檢查is_activated列的值，並像現在一樣基於該值進行操作（用戶名和密碼驗證）。

Answer 1

你並不需要一個AuthenticationProvider 。 您需要實現UserDetailsService如下;

@Service
public class MyUserDetailsService implements UserDetailsService {

    @Autowired
    private UserService userService;

    public UserDetails loadUserByUsername(String username)
                        throws UsernameNotFoundException {
        User user = userService.findByEmail(username);
        if(user == null) {
            throw new UsernameNotFoundException(username);   
        }

        return org.springframework.security.core.userdetails.User(username, user.getPassword(), user.isActivated(), true, true, true, user.getRoles().stream().map(role -> role.getRoleName()).map(SimpleGrantedAuthority::new).collect(Collectors.toList()));

    }
}

彈簧類org.springframework.security.core.userdetails.User作為屬性命名enabled的，你可以通過你的user.isActivated()從數據庫標志。

Answer 2

您可以通過提供自定義的用戶信息服務做到這一點。

@Autowired
private CustomUserDetailsService customUserDetailsService ;

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {    
        auth.userDetailsService(customUserDetailsService ).passwordEncoder(new ShaPasswordEncoder(encodingStrength));

}

和

@Service
public class CustomUserDetailsService implements UserDetailsService {

    @Autowired
    private UserService userService;

    public UserDetails loadUserByUsername(String username)
                        throws UsernameNotFoundException {
        User user = userService.findByEmail(username);
        if(user == null) {
            throw new UsernameNotFoundException(username);   
        }

            Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();        
            GrantedAuthority grantedAuthority = new SimpleGrantedAuthority("USER");
            authorities.add(grantedAuthority);
        return org.springframework.security.core.userdetails.User(username, user.getPassword(), user.isActivated(), true, true, true, authorities );

    }
}

現在，基於第三PARAM的布爾值，春季安全會自動允許/拒絕用戶登錄，並且還會為用戶如果沒有激活郵件“被禁用的用戶”。