如何在运行时将新用户添加到 Spring Security

【问题标题】:How to add new user to Spring Security at runtime如何在运行时将新用户添加到 Spring Security
【发布时间】:2015-11-21 13:30:07
【问题描述】:

我通过 Hibernate 将用户保存在数据库表中,并且我正在使用 Spring Security 进行身份验证:

import org.springframework.beans.factory.annotation.Autowired;

import org.springframework.context.annotation.*;
import org.springframework.security.config.annotation.authentication.builders.*;
import org.springframework.security.config.annotation.web.configuration.*;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("USER");
    }
}

这很好用,但有一点 - 用户在服务器启动期间被加载。我需要编写在运行时将新用户添加到 Spring Security 的方法 RegisterUser(User user)。这种方法应该只关注这个任务。我不知道如何开始实现此功能,所以感谢您的任何建议! ;)

Ofc 用户具有登录名、密码、角色字符串等字段...

请不要使用 Spring MVC 发布解决方案。本系统是使用 Spring Web Boost 和 Spring Security Boost 4.0.x 版本的 RESTful 应用程序

【问题讨论】:

  • 那里有 Spring Security + Hibernate 的例子,给它一个搜索。例如:mkyong.com/spring-security/…
  • 请问您找到解决问题的方法了吗?可以发布代码吗?

标签: spring maven spring-security persistence registration


【解决方案1】:

如果用户正在注册,您可能希望将用户存储在数据库中而不是内存中:)

  1. 为用户创建authorities

    List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
authorities.add(new SimpleGrantedAuthority("ROLE_USER"));

  2. 实例化用户(使用实现UserDetails的类)

    UserDetails user = new User("user@example.com", passwordEncoder.encode("s3cr3t"), authorities);

  3. 将用户保存在有用的地方。 JdbcUserDetailsManager 可以轻松地将用户保存到数据库中。 

    userDetailsManager.createUser(user);

  4. 创建UsernamePasswordAuthenticationToken

    Authentication authentication = new UsernamePasswordAuthenticationToken(user, null, authorities);

  5. 将身份验证添加到SecurityContext

    SecurityContextHolder.getContext().setAuthentication(authentication);

【讨论】:

  • 我在哪里创建这个用户和SecurityContext?
  • @PhilippJahoda SecurityContext 由 Spring 创建。在从用户获取信息(例如他们想要的用户名和密码)之后,您可能希望在注册逻辑中创建用户,可能在控制器使用的服务层中
  • 感谢您的回复。我正在使用 spring 提供的 /oauth/token URL,这不正确吗?我在哪里可以访问此网址提供的用户名和密码?
【解决方案2】:

使用此代码为当前用户添加权限:

List<GrantedAuthority> authorities = new ArrayList<>();
authorities.add(new SimpleGrantedAuthority("ROLE_NEWUSERROLE'); 
    SecurityContextHolder.getContext().setAuthentication(
        new UsernamePasswordAuthenticationToken(
            SecurityContextHolder.getContext().getAuthentication().getPrincipal(),
            SecurityContextHolder.getContext().getAuthentication().getCredentials(),
            authorities)
        );

【讨论】:

    【解决方案3】:

    您可以使用Spring Data JPA 来创建用户。

    @Repository
public interface UserRepository extends JpaRepository<User, Long> {
}

    用法:

    User user = new User();
userRepository.save(user);

    如何验证上述用户:

    1. 创建自定义AuthenticationProvider,从您的数据库中选择用户数据并进行身份验证:
    @Component
public class MyAuthenticationProvider implements AuthenticationProvider {

    @Autowired
    private UserRepository userRepository;

    @Override
    public Authentication authenticate(final Authentication authentication) throws AuthenticationException {
        final UsernamePasswordAuthenticationToken upAuth = (UsernamePasswordAuthenticationToken) authentication;
        final String name = (String) authentication.getPrincipal();

        final String password = (String) upAuth.getCredentials();

        final String storedPassword = userRepository.findByName(name).map(User::getPassword)
            .orElseThrow(() -> new BadCredentialsException("illegal id or passowrd"));

        if (Objects.equals(password, "") || !Objects.equals(password, storedPassword)) {
            throw new BadCredentialsException("illegal id or passowrd");
        }

        final Object principal = authentication.getPrincipal();
        final UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
            principal, authentication.getCredentials(),
            Collections.emptyList());
        result.setDetails(authentication.getDetails());

        return result;
    }
    ...
    1. 使用WebSecurityConfigurerAdapter配置以上AuthenticationProvider
    @EnableWebSecurity
public class MyWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

    @Autowired
    private MyAuthenticationProvider authProvider;

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .httpBasic();
        http.authenticationProvider(authProvider);
    }
}

    参考:

    【讨论】:

    • 我一直在试图解决这个问题。 UserRepository 是在哪里构造的?
    • UserRepository 由 Spring Boot 自动构建。 Core concepts 部分和Spring Data JPA Repositories 部分可能会对您有所帮助。
    【解决方案4】:

    首先,创建一个用于注册用户的表单。

    <%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>  

<!doctype html>
<html lang="en">

<head>
    
    <title>Register New User Form</title>
    
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    
    <!-- Reference Bootstrap files -->
    <link rel="stylesheet"
         href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
    
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.0/jquery.min.js"></script>
    
    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>

</head>

<body>

    <div>
        
        <div id="loginbox" style="margin-top: 50px;"
            class="mainbox col-md-3 col-md-offset-2 col-sm-6 col-sm-offset-2">
            
            <div class="panel panel-primary">

                <div class="panel-heading">
                    <div class="panel-title">Register New User</div>
                </div>

                <div style="padding-top: 30px" class="panel-body">

                    <!-- Registration Form -->
                    <form:form action="${pageContext.request.contextPath}/register/processRegistrationForm" 
                               modelAttribute="user"
                               class="form-horizontal">

                        <!-- Place for messages: error, alert etc ... -->
                        <div class="form-group">
                            <div class="col-xs-15">
                                <div>
                                
                                    <!-- Check for registration error -->
                                    <c:if test="${registrationError != null}">
                                
                                        <div class="alert alert-danger col-xs-offset-1 col-xs-10">
                                            ${registrationError}
                                        </div>
        
                                    </c:if>
                                                                            
                                </div>
                            </div>
                        </div>

                        <!-- User name -->
                        <div style="margin-bottom: 25px" class="input-group">
                            <span class="input-group-addon"><i class="glyphicon glyphicon-user"></i></span> 
                            
                            <form:input path="username" placeholder="username" class="form-control" />
                        </div>

                        <!-- Password -->
                        <div style="margin-bottom: 25px" class="input-group">
                            <span class="input-group-addon"><i class="glyphicon glyphicon-lock"></i></span> 
                            
                            <form:password path="password" placeholder="password" class="form-control" />
                        </div>

                        <!-- Register Button -->
                        <div style="margin-top: 10px" class="form-group">                       
                            <div class="col-sm-6 controls">
                                <button type="submit" class="btn btn-primary">Register</button>
                            </div>
                        </div>
                        
                    </form:form>

                </div>

            </div>

        </div>

    </div>

</body>
</html>

    并在控制器中编写一个action方法来获取表单信息并将用户保存到数据库中。

    @Controller
@RequestMapping( "/register" )
public class RegistrationController
{
    
    @Autowired
    private UserDetailsManager userDetailsManager;
    
    private PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
    
    private Logger logger = Logger.getLogger( getClass().getName() );
    
    @InitBinder
    public void initBinder( WebDataBinder dataBinder )
    {
        
        StringTrimmerEditor stringTrimmerEditor = new StringTrimmerEditor( true );
        
        dataBinder.registerCustomEditor( String.class, stringTrimmerEditor );
    }
    
    
    @PostMapping( "/processRegistrationForm" )
    public String processRegistrationForm( @Valid @ModelAttribute( "user" ) com.exmaple.spring_demo.entity.User user, BindingResult theBindingResult, Model theModel )
    {
        
        String userName = user.getUsername();
        
        logger.info( "Processing registration form for: " + userName );
        
        // form validation
        if ( theBindingResult.hasErrors() )
        {
            
            theModel.addAttribute( "user", new com.exmaple.spring_demo.entity.User() );
            theModel.addAttribute( "registrationError", "User name/password can not be empty." );
            
            logger.warning( "User name/password can not be empty." );
            
            return "security/user/registration-form";
        }
        
        // check the database if user already exists
        boolean userExists = doesUserExist( userName );
        
        if ( userExists )
        {
            theModel.addAttribute( "user", new com.exmaple.spring_demo.entity.User() );
            theModel.addAttribute( "registrationError", "User name already exists." );
            
            logger.warning( "User name already exists." );
            
            return "security/user/registration-form";
        }
        
        //
        // whew ... we passed all of the validation checks!
        // let's get down to business!!!
        //
        
        // encrypt the password
        String encodedPassword = passwordEncoder.encode( user.getPassword() );
        
        // prepend the encoding algorithm id
        encodedPassword = "{bcrypt}" + encodedPassword;
        
        // give user default role of "ROLE_USER"
        List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList( "ROLE_USER" );
        
        // create user object (from Spring Security framework)
        User tempUser = new User( userName, encodedPassword, authorities );
        
        // save user in the database
        userDetailsManager.createUser( tempUser );
        
        logger.info( "Successfully created user: " + userName );
        
        return "security/user/registration-confirmation";
    }
    
    
    @GetMapping( "/showRegistrationForm" )
    public String showMyLoginPage( Model theModel )
    {
        
        theModel.addAttribute( "user", new com.exmaple.spring_demo.entity.User() );
        
        return "security/user/registration-form";
        
    }
    
    
    private boolean doesUserExist( String userName )
    {
        
        logger.info( "Checking if user exists: " + userName );
        
        // check the database if the user already exists
        boolean exists = userDetailsManager.userExists( userName );
        
        logger.info( "User: " + userName + ", exists: " + exists );
        
        return exists;
    }
    
}

    现在,在 Spring Configuration 中定义 DataSource。

    package com.exmaple.spring_demo.config;

import java.beans.PropertyVetoException;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.PropertySource;
import org.springframework.core.env.Environment;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.security.provisioning.UserDetailsManager;
import com.mchange.v2.c3p0.ComboPooledDataSource;


@Configuration
@EnableWebSecurity
@ComponentScan( "com.exmaple.spring_demo.config" )
@PropertySource( "classpath:persistence-mysql.properties" )
public class SecurityConfigJDBC extends WebSecurityConfigurerAdapter
{


    /**
     * set up variable to hold the properties 
     */
    @Autowired
    private Environment env;


    // define a bean for our security datasource
    @Bean
    public DataSource dataSource()
    {

        // create connection pool
        ComboPooledDataSource securityDataSource = new ComboPooledDataSource();

        // set the jdbc driver class    
        try
        {
            securityDataSource.setDriverClass( env.getProperty( "jdbc.driver" ) );
        }
        catch ( PropertyVetoException exc )
        {
            throw new RuntimeException( exc );
        }

        // log the connection props
        // for sanity's sake, log this info
        // just to make sure we are REALLY reading data from properties file

        System.out.println( ">>> jdbc.url=" + env.getProperty( "jdbc.url" ) );
        System.out.println( ">>> jdbc.user=" + env.getProperty( "jdbc.user" ) );


        // set database connection props    
        securityDataSource.setJdbcUrl( env.getProperty( "jdbc.url" ) );
        securityDataSource.setUser( env.getProperty( "jdbc.user" ) );
        securityDataSource.setPassword( env.getProperty( "jdbc.password" ) );

        // set connection pool props    
        securityDataSource.setInitialPoolSize( getIntProperty( "connection.pool.initialPoolSize" ) );

        securityDataSource.setMinPoolSize( getIntProperty( "connection.pool.minPoolSize" ) );

        securityDataSource.setMaxPoolSize( getIntProperty( "connection.pool.maxPoolSize" ) );

        securityDataSource.setMaxIdleTime( getIntProperty( "connection.pool.maxIdleTime" ) );

        return securityDataSource;
    }


    @Bean
    public UserDetailsManager userDetailsManager()
    {

        JdbcUserDetailsManager jdbcUserDetailsManager = new JdbcUserDetailsManager();

        jdbcUserDetailsManager.setDataSource( dataSource() );

        return jdbcUserDetailsManager;
    }


    @Override
    protected void configure( AuthenticationManagerBuilder auth ) throws Exception
    {

        auth.jdbcAuthentication().dataSource( dataSource() );
    }


    @Override
    protected void configure( HttpSecurity http ) throws Exception
    {
        
        
        http.authorizeRequests()
                .antMatchers( "/home/**" ).hasRole( "USER" )
                .antMatchers( "/manager/**" ).hasRole( "MANAGERS" )
                .antMatchers( "/admin/**" ).hasRole( "ADMIN" )
                .and()
                .formLogin()
                .loginPage( "/showMyLoginPage" )
                .loginProcessingUrl( "/authenticateTheUser" )// submit form data
                .permitAll()
                .and()
                .logout().permitAll()
                .and()
                .exceptionHandling().accessDeniedPage( "/access-denied" )
                .and()
                .csrf()
                .disable();
        
        
    }


    /**
     * need a helper method
     * read environment property and convert to int
     */
    private int getIntProperty( String propName )
    {

        String propVal = env.getProperty( propName );

        // now convert to int
        int intPropVal = Integer.parseInt( propVal );

        return intPropVal;
    }


}

    最后,在 src/main/resources/persistence-mysql.properties 中创建 JDBC 属性文件。

    #
# JDBC connection properties
#
jdbc.driver=com.mysql.jdbc.Driver
jdbc.url=jdbc:mysql://localhost:3306/spring_security_demo?useSSL=false
jdbc.user=springstudent
jdbc.password=springstudent
#
# Connection pool properties
#
connection.pool.initialPoolSize=5
connection.pool.minPoolSize=5
connection.pool.maxPoolSize=20
connection.pool.maxIdleTime=3000

    UserDetailsS​​ervice (JdbcDaoImpl) 的标准 JDBC 实现需要表来加载用户的密码、帐户状态(启用或禁用)和权限列表(角色)。您需要调整此架构以匹配您正在使用的数据库方言。

    CREATE TABLE `authorities` (
`username` varchar(50) NOT NULL,
`authority` varchar(50) NOT NULL,
UNIQUE KEY `authorities_idx_1` (`username`,`authority`),
CONSTRAINT `authorities_ibfk_1`
FOREIGN KEY (`username`)
REFERENCES `users` (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;


CREATE TABLE `users` (
`username` varchar(50) NOT NULL,
`password` varchar(50) NOT NULL,
`enabled` tinyint(1) NOT NULL,
PRIMARY KEY (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

    【讨论】:

      猜你喜欢
      • 2011-01-14
      • 2011-09-19
      • 2020-10-24
      • 2020-11-07
      • 2018-04-10
      • 2014-12-11
      • 2015-11-21
      • 1970-01-01
      • 2021-10-20
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode