我正在尝试使用Spring Security设置客户AuthenticationProvider,但没有太多运气让它运行起来.我正在使用Java配置,所以我可能会遗漏一些简单的东西,但由于大多数学习材料都是基于XML配置的,所以它不会向我跳出来.
这是使用Spring v4.0.1.RELEASE但使用Spring Security v3.2.2.RELEASE.版本号冲突也许?
据我所知,我所要做的就是创建我的提供者:
public class KBServicesAuthProvider implements AuthenticationProvider {
@Autowired
private ApplicationConfig applicationConfig;
@Autowired
private SessionServiceClient sessionServiceClient;
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String email = (String) authentication.getPrincipal();
String password = (String) authentication.getCredentials();
try {
KBSessionInfo sessionInfo = sessionServiceClient.login(applicationConfig.getKbServicesPresenceId(), email,
password);
List grantedRoles = new ArrayList<>();
for (KBRoleMembership role : sessionInfo.getAuthenticatedUser().getRoleMemberships()) {
grantedRoles.add(new SimpleGrantedAuthority(role.getRoleId()));
}
return new UsernamePasswordAuthenticationToken(email, password, grantedRoles);
} catch (InvalidSessionException e) {
throw new AuthenticationCredentialsNotFoundException("Username or password was not accepted", e);
}
}
@Override
public boolean supports(Class authentication) {
return authentication.equals(UsernamePasswordAuthenticationToken.class);
}
}
然后设置一个类来描述我的安全设置.此类链接在我的提供者中:
@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired(required = true)
SessionServiceClient sessionServiceClient;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/").permitAll().anyRequest().authenticated();
http.formLogin().loginPage("/login").permitAll().and().logout().permitAll();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(getKBServicesAuthenticationProvider());
}
@Bean
protected AuthenticationProvider getKBServicesAuthenticationProvider() {
return new KBServicesAuthProvider();
}
}
但我没有在日志中看到任何内容,我的调试点都没有被击中.该应用程序的行为是不安全的(所以我仍然可以访问各种URL等).
关于我应该检查什么的任何想法?
这可能不是完整的答案,因为我自己也在努力解决这个问题.我正在使用自定义身份验证提供程序和自定义用户详细信息服务.我看到了与您相同的行为 - 断点在我的用户详细信息服务中被点击,但在我的身份验证提供程序中没有.这是我的整个配置类的样子:
@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private CustomUserDetailsService userDetailsService;
@Autowired
private CustomAuthenticationProvider customAuthenticationProvider;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
AuthenticationProvider rememberMeAuthenticationProvider = rememberMeAuthenticationProvider();
TokenBasedRememberMeServices tokenBasedRememberMeServices = tokenBasedRememberMeServices();
List authenticationProviders = new ArrayList(2);
authenticationProviders.add(rememberMeAuthenticationProvider);
authenticationProviders.add(customAuthenticationProvider);
AuthenticationManager authenticationManager = authenticationManager(authenticationProviders);
http
.csrf().disable()
.headers().disable()
.addFilter(new RememberMeAuthenticationFilter(authenticationManager, tokenBasedRememberMeServices))
.rememberMe().rememberMeServices(tokenBasedRememberMeServices)
.and()
.authorizeRequests()
.antMatchers("/js/**", "/css/**", "/img/**", "/login", "/processLogin").permitAll()
.antMatchers("/index.jsp", "/index.html", "/index").hasRole("USER")
.antMatchers("/admin", "/admin.html", "/admin.jsp", "/js/saic/jswe/admin/**").hasRole("ADMIN")
.and()
.formLogin().loginProcessingUrl("/processLogin").loginPage("/login").usernameParameter("username").passwordParameter("password").permitAll()
.and()
.exceptionHandling().accessDeniedPage("/login")
.and()
.logout().permitAll();
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/js/**", "/css/**", "/img/**");
}
@Bean
public BCryptPasswordEncoder bCryptPasswordEncoder(){
return new BCryptPasswordEncoder();
}
@Bean
public AuthenticationManager authenticationManager(List authenticationProviders) {
return new ProviderManager(authenticationProviders);
}
@Bean
public TokenBasedRememberMeServices tokenBasedRememberMeServices() {
return new TokenBasedRememberMeServices("testKey", userDetailsService);
}
@Bean
public AuthenticationProvider rememberMeAuthenticationProvider() {
return new org.springframework.security.authentication.RememberMeAuthenticationProvider("testKey");
}
protected void registerAuthentication(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
}
}
我刚刚发现如果我专门将我的身份验证提供程序添加到HttpSecurity对象,我的断点开始受到攻击:
http
.csrf().disable()
.headers().disable()
.authenticationProvider(customAuthenticationProvider)
我的目标是让BCryptPasswordEncoder工作,而不是使用此配置 - 一切都返回为错误的凭据.无论如何,只是想我会分享.
我遇到了同样的问题,问题在于你的方法总会返回false.
@Override
public boolean supports(Class authentication) {
return authentication.equals
(UsernamePasswordAuthenticationToken.class);
}
将上述方法更改为以下方法,问题将得到解决.
@Override
public boolean supports(Class authentication) {
return (UsernamePasswordAuthenticationToken.class
.isAssignableFrom(authentication));
}
京公网安备 11010802040832号 | 京ICP备19059560号-6 