我正在创建自己的自定义身份验证提供程序。现在我只是检查静态用户名和密码,但稍后这将被替换为更高级的东西,所以虽然我不需要在这种情况下使用自定义提供程序,但这对我没有多大帮助,因为它只是基础工作我还没有添加其他代码。
话虽如此,这是我的代码处于损坏状态。
我的自定义身份验证提供程序:
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;
import java.util.ArrayList;
import java.util.List;
@Component
public class SatAuthenticationProvider implements AuthenticationProvider {
private static final Logger LOGGER = LoggerFactory.getLogger(SatAuthenticationProvider.class);
public SatAuthenticationProvider() {
LOGGER.info("*** CustomAuthenticationProvider created");
}
@Override
public boolean supports(Class<? extends Object> authentication) {
return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));
}
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
LOGGER.info("*** Creating authentication");
if (authentication.getName().equals("test") && authentication.getCredentials().equals("test")) {
List<GrantedAuthority> grantedAuths = new ArrayList<>();
grantedAuths.add(new SimpleGrantedAuthority("USER"));
grantedAuths.add(new SimpleGrantedAuthority("ADMIN"));
return new UsernamePasswordAuthenticationToken(authentication.getName(), authentication.getCredentials(), grantedAuths);
} else {
return null;
}
}
}
这是我消耗的安全配置是:
import com.comcast.iot.das.auth.SatAuthenticationProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class DeviceSecurityConfig extends WebSecurityConfigurerAdapter {
private static final Logger LOGGER = LoggerFactory.getLogger(SatAuthenticationProvider.class);
@Autowired
private SatAuthenticationProvider satAuthenticationProvider;
@Override
protected void configure(HttpSecurity http) throws Exception {
LOGGER.info("*** configuring http");
http.authorizeRequests().anyRequest()
.hasRole("USER")
.and()
.httpBasic();
}
@Autowired
public void configure(AuthenticationManagerBuilder auth) throws Exception {
LOGGER.info("*** Setting builder");
auth.authenticationProvider(this.satAuthenticationProvider);
}
}
现在,当我运行此命令时,如果我使用curl 访问未指定用户和密码的端点,我会得到以下信息:
% curl http://localhost:8080/molecule
{
"timestamp" : 1505925047977,
"status" : 401,
"error" : "Unauthorized",
"message" : "Full authentication is required to access this resource",
"path" : "/molecule"
}
如果我指定正确的用户名和密码,我会得到以下信息:
% curl -u test:test http://localhost:8080/molecule
{
"timestamp" : 1505925033015,
"status" : 403,
"error" : "Forbidden",
"message" : "Access is denied",
"path" : "/molecule"
}
最后,如果我指定了错误的用户名和密码,我会得到以下信息:
% curl -u test:test2 http://localhost:8080/molecule
{
"timestamp" : 1505925199406,
"status" : 401,
"error" : "Unauthorized",
"message" : "No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken",
"path" : "/molecule"
}
最后一点,虽然我无法让角色直接工作,但我可以让它测试用户是否经过身份验证并使用它来授予权限。这不是一个可行的解决方案,因为我需要角色,但它可能会给任何试图回答这个问题的人一些提示。
所以我可以更改 DeviceSecurityConfig 类的配置方法,如下所示:
@Override
protected void configure(HttpSecurity http) throws Exception {
LOGGER.info("*** configuring http");
http.authorizeRequests().anyRequest()
.authenticated()
.and()
.httpBasic();
}
使用这个新版本的代码,我的curl请求似乎至少可以按预期工作(尽管当然无法添加角色):。这是我刚才提到的代码编辑后的curl 结果。
没有用户名和密码:
% curl http://localhost:8080/molecule
{
"timestamp" : 1505925444957,
"status" : 401,
"error" : "Unauthorized",
"message" : "Full authentication is required to access this resource",
"path" : "/molecule"
}
密码错误:
% curl -u test:test2 http://localhost:8080/molecule
{
"timestamp" : 1505925456018,
"status" : 401,
"error" : "Unauthorized",
"message" : "No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken",
"path" : "/molecule"
}
使用以下命令的正确密码和用户名现在会从我通常期望的端点(省略)返回完整响应。
% curl -u test:test http://localhost:8080/molecule
最佳答案
角色权限应以 ROLE_ 为前缀:
grantedAuths.add(new SimpleGrantedAuthority("ROLE_USER"));
grantedAuths.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
关于java - Spring-boot 安全性不会尊重具有自定义 AuthenticationProvider 的角色,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/46327563/