我有具有此安全设置的应用程序:
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public static class ApplicationSecurity extends WebSecurityConfigurerAdapter {
@Autowired
private AuthService authService;
@Autowired
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthenticationProvider());
auth.authenticationProvider(daoAuthenticationProvider());
}
@Bean
public CustomAuthenticationProvider customAuthenticationProvider() {
return new CustomAuthenticationProvider();
}
@Bean
public DaoAuthenticationProvider daoAuthenticationProvider() {
DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
provider.setUserDetailsService(authService);
provider.setPasswordEncoder(new BCryptPasswordEncoder());
return provider;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.requestMatcher(new BasicRequestMatcher()).antMatcher("/**").authorizeRequests().anyRequest()
.fullyAuthenticated().and().httpBasic().and().csrf().disable();
http.addFilterBefore(customAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
}
@Autowired
private AuthenticationManager authenticationManager;
private Logger log = LoggerFactory.getLogger(ApplicationSecurity.class);
public CustomAuthenticationFilter customAuthenticationFilter() throws Exception {
List<AuthenticationProvider> a = ((ProviderManager) authenticationManager).getProviders();
log.debug("providers: " + a);
return new CustomAuthenticationFilter(authenticationManager);
}
}
问题是我的 daoAutentication 执行了两次,我想修复它。在日志中我可以看到:
2017-01-03 10:29:18.106 DEBUG 2154 --- [[ACTIVE] ExecuteThread: '5' for queue: 'weblogic.kernel.Default (self-tuning)'] .r.o.MyApplication$ApplicationSecurity : providers: [org.springframework.security.authentication.dao.DaoAuthenticationProvider@4c46fcec, cz.isvs.reg.rob.ocis.auth.CustomAuthenticationProvider@24448744, org.springframework.security.authentication.dao.DaoAuthenticationProvider@60516c4c]
我不知道为什么有 2 个 DaoAuthenticationProvider。当我像这样编辑配置时:
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(kaasAuthenticationProvider());
// auth.authenticationProvider(daoAuthenticationProvider());
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
然后就可以正常工作了。只有一个 DaoAuthenticationProvider。问题是我不知道为什么现在可以使用它,所以我不想使用它,直到我了解这种安全性是如何工作的
更新:
@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {
private Logger log = LoggerFactory.getLogger(CustomAuthenticationProvider.class);
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
log.debug("Authentication: {}.", authentication);
...
return new CustomAuthenticationToken(securityToken, authorities,
new CustomUser(login, "", true, true, true, true, authorities));
}
}
最佳答案
好的,我发现了问题。 This线程对我帮助很大
我正在 Autowiring authenticationManager:
@Autowired
private AuthenticationManager authenticationManager;
上面的线程中没有委托(delegate):
@Bean(name = BeanIds.AUTHENTICATION_MANAGER)
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
这导致:
class InitializeUserDetailsManagerConfigurer
extends GlobalAuthenticationConfigurerAdapter {
@Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
if (auth.isConfigured()) {
return;
}
...
}
在
之前执行@Autowired
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthenticationProvider());
auth.authenticationProvider(daoAuthenticationProvider());
}
为什么要多一个 DaoAuthenticationProvider
关于java - 如何在 spring-boot 应用程序中正确配置更多身份验证提供程序,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/41441204/