getPrincipal() 方法返回用户名而不是 UserDetails

【问题标题】:getPrincipal() method returning username instead of UserDetailsgetPrincipal() 方法返回用户名而不是 UserDetails
【发布时间】:2023-04-03 18:52:01
【问题描述】:

我有一个项目使用 spring boot,spring security 和 oauth2。当我使用 SecurityContextHolder.getContext().getAuthentication().getPrincipal()

在我看到这个方法返回 UserDetails 实现的例子中,这个方法只返回用户名结尾。

按照设置进行

OAuthSecurityConfig.java:

package br.com.altha.api.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.security.SecurityProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

import br.com.altha.api.security.CustomUserDetailsService;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
@EnableAuthorizationServer
@EnableResourceServer
@Order(SecurityProperties.BASIC_AUTH_ORDER-2)
@Import(Encoders.class)
public class OAuthSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private PasswordEncoder userPasswordEncoder;

    @Autowired
    private CustomUserDetailsService userDetailsService;

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(userPasswordEncoder);
    }

}

AuthorizationServerConfig.java:

package br.com.altha.api.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

import br.com.altha.api.security.CustomUserDetailsService;

@Configuration
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    private static final String SECRET = "PASSWORD";

    @Autowired
    private AuthenticationManager authenticationManager;

    @Autowired
    private PasswordEncoder oauthClientPasswordEncoder;

    @Autowired
    private CustomUserDetailsService userDetailsService;

    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
        oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()").passwordEncoder(oauthClientPasswordEncoder);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
            .withClient("altha-adms")
            .secret(oauthClientPasswordEncoder.encode(SECRET))
            .scopes("write", "read")
            .authorizedGrantTypes("password", "refresh_token")
            .accessTokenValiditySeconds(60/*1800*/)
            .refreshTokenValiditySeconds(1800);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints
            .tokenStore(tokenStore())
            .accessTokenConverter(accessTokenConverter())
            .authenticationManager(authenticationManager)
            .reuseRefreshTokens(false)
            .userDetailsService(userDetailsService);
    }

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(SECRET);
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(accessTokenConverter());
    }
}

ResourceServerConfig.java:

package br.com.altha.api.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Import;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.error.OAuth2AccessDeniedHandler;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;

import br.com.altha.api.handler.RestExceptionHandler;

@Configuration
@Import(Encoders.class)
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Bean
    public RestExceptionHandler handlerError() {
        return new RestExceptionHandler();
    }

    @Bean
    public MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/public/**").permitAll()
            .antMatchers("/private/**").authenticated()
            .and().exceptionHandling().accessDeniedHandler(new OAuth2AccessDeniedHandler());
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.stateless(true);
    }
}

【问题讨论】:

  • getPrincipal 可以返回任何它喜欢的东西。所以返回的内容取决于使用的Authentication 的实现,OAuth2Authentication 返回一个String。因此,除非您重新实现您必须忍受的整个 oauth2 部分。因此,简而言之,它按应有的/设计的方式工作。
  • 那么,我如何实现整个 oauth2 部分?可以举个例子吗?

标签: java spring-boot spring-security oauth-2.0


【解决方案1】:

使用 Spring Boot 1.5.x,您可以实现 PrincipalExtractor 并覆盖它的 Object extractPrincipal(Map<String, Object> map)。以下示例组件具有自动装配的 UserdetailsS​​ervice 以根据用户名查找 UserDetails 对象。

@Component
public class MyPrincipalExtractor implements PrincipalExtractor {

    private UserDetailsService userDetailsService;

    @Value("${security.oauth2.client.principal-attribute}")
    private String principalAttribute;

    @Autowired
    public MyPrincipalExtractor(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    public Object extractPrincipal(Map<String, Object> map) {
        if (!map.containsKey(principalAttribute)) {
            return null;
        }

        final String username = (String) map.get(principalAttribute);
        try {
            return userDetailsService.loadUserByUsername(username);
        } catch (UsernameNotFoundException e) {
            // This may be the first time this user is accessing the system, 
            // maybe you want to extract some other attributes from the map 
            // and return a different type of user object that can be used to 
            // create a new user. 
        }
    }
}

现在SecurityContextHolder.getContext().getAuthentication().getPrincipal() 将包含一个 UserDetails 对象。

更详细的教程见:

【讨论】:

  • 这引用了 Spring OAuth2(更具体地说是 Spring Boot 支持)。该项目处于维护模式,因为从 Spring Security 5 开始,OAuth2 支持 Spring Security 开箱即用。不能保证这将适用于较新的 Spring Security 或 Spring Boot 2.0 。它也适用于 Spring Boot 1.5 而不是 Spring Security 1.5。
  • @M.Deinum 是的,我的意思是说 Spring Boot 1.5.x。将更新答案。是的,它可能不适用于新的 Spring Security 5。
  • 这个方法对我不起作用,可能是因为我使用的是 Spring Boot 2x
  • 没错@PauloCarvalho 这个方法只适用于 Spring Boot 1.5.x 和 Spring Security 4.2.x
【解决方案2】:

我可以用这段代码解决这个问题:

我向 UserAuthenticationConverter 添加了一个 bean

@Bean
public UserAuthenticationConverter userAuthenticationConverter() {
    DefaultUserAuthenticationConverter defaultUserAuthenticationConverter = new DefaultUserAuthenticationConverter();
    defaultUserAuthenticationConverter.setUserDetailsService(userDetailsService);
    return defaultUserAuthenticationConverter;
}

在这之后,我在 JwtAccessTokenConverter 中设置了这个 bean

@Bean
public JwtAccessTokenConverter accessTokenConverter() {
    final JwtAccessTokenConverter jwtAccessTokenConverter = new JwtAccessTokenConverter();
    jwtAccessTokenConverter.setSigningKey(SECRET);
    ((DefaultAccessTokenConverter) jwtAccessTokenConverter.getAccessTokenConverter())
            .setUserTokenConverter(userAuthenticationConverter());
    return jwtAccessTokenConverter;
}

【讨论】:

  • 太好了,当我们升级到 Spring Boot 2 时我会需要这个
  • 谢谢,这可以在我的资源服务器中通过以下方式获取自定义 UserDetails 对象:最终身份验证身份验证 = SecurityContextHolder.getContext().getAuthentication(); if (authentication != null && authentication instanceof OAuth2Authentication) { final Object principal = ((OAuth2Authentication)authentication).getUserAuthentication().getPrincipal();
【解决方案3】:

原因会因身份验证/授权技术而异,但在我的情况下,我有 2 个过滤器身份验证/授权问题是将username 而不是整个用户对象传递给授权过滤器中的UsernamePasswordAuthenticationToken

return new UsernamePasswordAuthenticationToken(userDetails.getUsername(), .....);

第一个构造函数参数被设置为Principle 对象。

所以解决方法是传递整个 userDetails 对象

return new UsernamePasswordAuthenticationToken(userDetails, .....);

【讨论】:

    猜你喜欢
    • 2019-08-25
    • 2016-02-19
    • 2018-05-28
    • 1970-01-01
    • 2017-10-17
    • 2011-07-12
    • 1970-01-01
    • 2021-05-07
    • 2019-08-08
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode