我有一个 spring boot webapp,它使用基于 Java 的配置来配置 JdbcUserDetailsManager:
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
protected DataSource dataSource;
@Autowired
public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
auth.jdbcAuthentication()
.dataSource(dataSource)
.usersByUsernameQuery("select username as principal, password as credentials, true from users where username = ?")
.authoritiesByUsernameQuery("select username as principal, authority as role from authorities where username = ?")
.rolePrefix("ROLE_");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/api/**")
.authenticated()
.and()
.formLogin()
.successHandler(
(request, response, authentication) -> {
response.setStatus(HttpStatus.NO_CONTENT.value());
})
.failureHandler(
(request, response, authentication) -> {
response.setStatus(HttpStatus.FORBIDDEN.value());
})
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessHandler(
(request, response, authentication) -> {
response.setStatus(HttpStatus.NO_CONTENT.value());
});
}
}
我可以在 configAuthentication() 中设置一个断点,所以我知道该方法正在被调用。我现在想在我的应用程序类中注入(inject) JdbcUserDetailsManager:
@EnableAutoConfiguration
@ComponentScan
public class Application {
private Environment env;
private UserDetailsManager userDetailsManager;
@Autowired
public Application(JdbcTemplate jdbcTemplate, Environment env, UserDetailsManager userDetailsManager) {
this.env = env;
this.userDetailsManager = userDetailsManager;
...
当我尝试启动我的应用程序时,出现以下错误:
org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'application': Unsatisfied dependency expressed through constructor argument with index 2 of type [org.springframework.security.provisioning.UserDetailsManager]: : No qualifying bean of type [org.springframework.security.provisioning.UserDetailsManager] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency annotations: {}; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type [org.springframework.security.provisioning.UserDetailsManager] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency annotations: {}
但我知道一个事实,即 JdbcUserDetailsManager 在 Application 构造函数被调用之前被实例化。这里发生了什么?我如何验证 JdbcUserDetailsManager 是否实际注册到上下文?
更新:通过如下更改我的SecurityConfig,我能够解决问题:
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
protected DataSource dataSource;
private JdbcUserDetailsManager userDetailsManager;
@Autowired
public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
this.userDetailsManager = auth.jdbcAuthentication().dataSource(dataSource)
.usersByUsernameQuery(
"select username,password,enabled from users where username=?")
.authoritiesByUsernameQuery(
"select username, role from user_roles where username=?").getUserDetailsService();
}
@Bean(name = "userDetailsManager")
public JdbcUserDetailsManager getUserDetailsManager() {
return userDetailsManager;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/api/**")
.authenticated()
.and()
.formLogin()
.successHandler(
(request, response, authentication) -> {
response.setStatus(HttpStatus.NO_CONTENT.value());
})
.failureHandler(
(request, response, authentication) -> {
response.setStatus(HttpStatus.FORBIDDEN.value());
})
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessHandler(
(request, response, authentication) -> {
response.setStatus(HttpStatus.NO_CONTENT.value());
});
}
}
感谢 Plínio Pantaleão 将我推向正确的方向。不幸的是,我无法授予评论赏金。我还不清楚为什么 AuthenticationManagerBuilder 没有在上下文中自动将 UserDetailsService 注册为 Bean。如果有人可以就为什么我必须提供 getter 或 可以提供权威的答案可以解释如何在没有 getter 的情况下使其工作(这对我来说有点 hacky),我将奖励该答案.
最佳答案
Spring 注入(inject) bean,因此您必须在上下文中有一个 bean 才能进行注入(inject)。
但不要在 configAuthentication() 方法中创建 bean。在它自己的方法中创建它,然后从 configAuthentication() 方法中引用它。像这样:
@Bean
public JdbcUserDetailsManager userDetailsManager() {
JdbcUserDetailsManager manager = new JdbcUserDetailsManager();
manager.setDataSource(dataSource);
manager.setUsersByUsernameQuery(
"select username,password,enabled from users where username=?");
manager.setAuthoritiesByUsernameQuery(
"select username, role from user_roles where username=?");
manager.setRolePrefix("ROLE_");
return manager;
}
@Autowired
public void configAuthentication(AuthenticationManagerBuilder builder)
throws Exception {
builder.userDetailsService(userDetailsManager());
}
现在 userDetailsManager() 生成一个正确配置的 bean(允许注入(inject)),您可以使用它进行身份验证。 Spring 在这里做了一些魔术,以确保对 userDetailsManager()(或任何其他 bean 定义)的重复调用一遍又一遍地返回相同的对象,而不是每次都创建新的实例。
我将您的方法名称从 getUserDetailsManager() 更改为 userDetailsManager()。这个方法是bean定义,不是getter,所以就是这个原因。我还从 @Bean 注释中删除了名称,因为 Spring 在这里自动使用方法名称作为 bean 名称。
一些额外的注释来填写一些细节:
首先,对 jdbcAuthentication() 的调用会产生一个新的 JdbcUserDetailsManager 实例,但它完全是内部的(即,不是 Spring 管理的 bean)。我们可以判断是因为当有多个 bean 满足一次注入(inject)时 Spring 会报错。详情看AuthenticationManagerBuilder的源码, JdbcUserDetailsManagerConfigurer和各种父类(super class)。基本上,您将看到 jdbcAuthentication() 调用产生了一个内部详细信息管理器,它被 userDetailsService() 调用所取代。
其次,调用 userDetailsService() 会丢弃 jdbcAuthentication() 配置。以下是 AuthenticationManagerBuilder 中的相关方法:
public <T extends UserDetailsService>
DaoAuthenticationConfigurer<AuthenticationManagerBuilder,T>
userDetailsService(T userDetailsService) throws Exception {
this.defaultUserDetailsService = userDetailsService;
return apply(
new DaoAuthenticationConfigurer<AuthenticationManagerBuilder,T>
(userDetailsService));
}
这就是为什么我们将 JdbcUserDetailsManager 配置从 jdbcAuthentication() 部分移到 userDetailsManager() 方法本身。 (jdbcAuthentication() 调用基本上公开了一个方便、流畅的接口(interface)来创建 JdbcUserDetailsManager,但我们在这里不需要它,因为我们已经有了我们的 JdbcUserDetailsManager.)
关于java - 无法使用 Spring Boot 和基于 Java 的配置注入(inject) UserDetailsManager,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/25631791/