[英]Adding a custom filter to authentication process in Spring Security
現在,我的身份驗證已使用用戶名和密碼完成。 我想再添加一個步驟,以便它檢查用戶是否被激活。 我有一個用戶表,如果用戶已激活帳戶,該表將保存值。
我有我的SecurityConfig.java
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// This somehow works but only if the account is not validated
// auth.authenticationProvider(new UserActivatedAuthenticationProvider(userService));
auth.userDetailsService(userDetailsService).passwordEncoder(new ShaPasswordEncoder(encodingStrength));
}
和UserActivatedAuthenticationProvider.java
@Component
public class UserActivatedAuthenticationProvider implements AuthenticationProvider {
private final UserService userService;
@Autowired public UserActivatedAuthenticationProvider(UserService userService) {
this.userService = userService;
}
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String name = authentication.getName();
User user = userService.findByEmail(name);
if (user != null) {
if (!user.isActivated()) {
throw new BadCredentialsException(name + " email is not activated.");
}
}
Object credentials = authentication.getCredentials();
if (!(credentials instanceof String)) {
return null;
}
String password = credentials.toString();
Authentication auth = new UsernamePasswordAuthenticationToken(name, password);
return auth;
}
@Override
public boolean supports(Class<?> authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
}
我只想在激活帳戶后才繼續進行身份驗證。 由於無法獲取用戶名,因此無法在AuthenticationManagerBuilder
使用userService
。 我正在將該項目用作種子。 簡而言之...我還想檢查is_activated
列的值,並像現在一樣基於該值進行操作(用戶名和密碼驗證)。
你並不需要一個AuthenticationProvider
。 您需要實現UserDetailsService
如下;
@Service
public class MyUserDetailsService implements UserDetailsService {
@Autowired
private UserService userService;
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException {
User user = userService.findByEmail(username);
if(user == null) {
throw new UsernameNotFoundException(username);
}
return org.springframework.security.core.userdetails.User(username, user.getPassword(), user.isActivated(), true, true, true, user.getRoles().stream().map(role -> role.getRoleName()).map(SimpleGrantedAuthority::new).collect(Collectors.toList()));
}
}
彈簧類org.springframework.security.core.userdetails.User
作為屬性命名enabled
的,你可以通過你的user.isActivated()
從數據庫標志。
您可以通過提供自定義的用戶信息服務做到這一點。
@Autowired
private CustomUserDetailsService customUserDetailsService ;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(customUserDetailsService ).passwordEncoder(new ShaPasswordEncoder(encodingStrength));
}
和
@Service
public class CustomUserDetailsService implements UserDetailsService {
@Autowired
private UserService userService;
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException {
User user = userService.findByEmail(username);
if(user == null) {
throw new UsernameNotFoundException(username);
}
Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
GrantedAuthority grantedAuthority = new SimpleGrantedAuthority("USER");
authorities.add(grantedAuthority);
return org.springframework.security.core.userdetails.User(username, user.getPassword(), user.isActivated(), true, true, true, authorities );
}
}
現在,基於第三PARAM的布爾值,春季安全會自動允許/拒絕用戶登錄,並且還會為用戶如果沒有激活郵件“被禁用的用戶”。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.