将自定义UserDetailsService添加到Spring Security OAuth2应用程序
作者:互联网
如何将下面的自定义UserDetailsService添加到this Spring OAuth2 sample?
默认密码的默认用户在authserver应用程序的application.properties
文件中定义.
但是,我想将以下自定义UserDetailsService添加到the demo
package of the authserver
app以进行测试:
package demo;
import java.util.List;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.provisioning.UserDetailsManager;
import org.springframework.stereotype.Service;
@Service
class Users implements UserDetailsManager {
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
String password;
List<GrantedAuthority> auth = AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER");
if (username.equals("Samwise")) {
auth = AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_HOBBIT");
password = "TheShire";
}
else if (username.equals("Frodo")){
auth = AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_HOBBIT");
password = "MyRing";
}
else{throw new UsernameNotFoundException("Username was not found. ");}
return new org.springframework.security.core.userdetails.User(username, password, auth);
}
@Override
public void createUser(UserDetails user) {// TODO Auto-generated method stub
}
@Override
public void updateUser(UserDetails user) {// TODO Auto-generated method stub
}
@Override
public void deleteUser(String username) {// TODO Auto-generated method stub
}
@Override
public void changePassword(String oldPassword, String newPassword) {
// TODO Auto-generated method stub
}
@Override
public boolean userExists(String username) {
// TODO Auto-generated method stub
return false;
}
}
正如您所看到的,此UserDetailsService尚未自动装配,并且它故意使用不安全的密码,因为它仅用于测试目的.
需要对the GitHub sample app进行哪些具体更改,以便用户可以使用password = TheShire以username = Samwise登录,或者使用password = MyRing作为username = Frodo?是否需要对AuthserverApplication.java
或其他地方进行更改?
几点建议:
Spring OAuth2 Developer Guide表示使用GlobalAuthenticationManagerConfigurer全局配置UserDetailsService.但是,使用Google搜索这些名称会产生不太有用的结果.
此外,使用内部Spring安全性INSTEAD OF OAuth的另一个应用程序使用以下语法来连接UserDetailsService,但我不确定如何将其语法调整为当前OP:
@Order(Ordered.HIGHEST_PRECEDENCE)
@Configuration
protected static class AuthenticationSecurity extends GlobalAuthenticationConfigurerAdapter {
@Autowired
private Users users;
@Override
public void init(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(users);
}
}
我尝试在OAuth2AuthorizationConfig中使用@Autowire将用户连接到AuthorizationServerEndpointsConfigurer,如下所示:
@Autowired//THIS IS A TEST
private Users users;//THIS IS A TEST
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authenticationManager(authenticationManager)
.accessTokenConverter(jwtAccessTokenConverter())
.userDetailsService(users)//DetailsService)//THIS LINE IS A TEST
;
}
但Spring Boot日志表明未找到用户Samwise,这意味着UserDetailsService未成功连接.以下是Spring Boot日志的相关摘录:
2016-04-20 15:34:39.998 DEBUG 5535 --- [nio-9999-exec-9] o.s.s.a.dao.DaoAuthenticationProvider :
User 'Samwise' not found
2016-04-20 15:34:39.998 DEBUG 5535 --- [nio-9999-exec-9]
w.a.UsernamePasswordAuthenticationFilter :
Authentication request failed:
org.springframework.security.authentication.BadCredentialsException:
Bad credentials
我还能尝试什么?
最佳答案:
在使用Spring Security开发我的oauth服务器时遇到了类似的问题.我的情况略有不同,因为我想添加一个UserDetailsService来验证刷新令牌,但我认为我的解决方案也会对你有所帮助.
和你一样,我首先尝试使用AuthorizationServerEndpointsConfigurer指定UserDetailsService,但这不起作用.我不确定这是一个bug还是设计,但需要在AuthenticationManager中设置UserDetailsService,以便各种oauth2类找到它.这对我有用:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
Users userDetailsService;
@Autowired
public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
// other stuff to configure your security
}
}
我想如果您从第73行开始更改以下内容,它可能对您有用:
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.parentAuthenticationManager(authenticationManager)
.userDetailsService(userDetailsService);
}
您当然还需要添加@Autowired Users userDetailsService; WebSecurityConfigurerAdapter中的某个地方
我想提到的其他事情:
>这可能是版本特定的,我在spring-security-oauth2 2.0.12
>我不能引用任何来源为什么会这样,我甚至不确定我的解决方案是真正的解决方案还是黑客攻击.
>指南中提到的GlobalAuthenticationManagerConfigurer几乎肯定是一个错字,我无法在源代码中的任何地方找到该字符串中的任何内容.
标签:spring,spring-security,spring-boot-2,spring-security-oauth2,spring-oauth2 来源: https://codeday.me/bug/20190516/1115677.html