休息控制器方法中的主要参数答案

【问题标题】：Principal argument in rest controller method休息控制器方法中的主要参数
【发布时间】：2018-03-26 08:14:02
【问题描述】：

如何在控制器方法中使用Principal 对象作为参数而不是使用SecurityContextHolder.getContext().getAuthentication().getPrincipal()

我用的是spring 4，spring mvc

我的休息控制器

@RestController
@Api(value = "Dictionary Resource")
@RequestMapping("/test")
public class TestControllerImpl {
    @RequestMapping(value = "test", method = RequestMethod.GET, produces = MediaType.APPLICATION_JSON_VALUE, consumes = MediaType.ALL_VALUE)
        public TestDTO test(Principal principal) {
        System.out.println("principal = "+principal.getName()); // this is null pointner exception, principal is null, but i want this use

        Principal principal1 = (Principal)SecurityContextHolder.getContext().getAuthentication().getPrincipal();
        System.out.println("principal1() = "+principal1.getName()); // this work fine
    }
}

我有如下类 HandlerInterceptor：

@Component
public class MyHandlerInterceptor implements HandlerInterceptor {


    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
         MyAuthentication auth= MyAuthentication.builder().login("admin").build();
         SecurityContextHolder.getContext().setAuthentication(auth);
         return true;
    }

    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler, ModelAndView modelAndView) throws Exception {

    }

    @Override
    public void afterCompletion(HttpServletRequest request, HttpServletResponse response, Object handler, Exception ex) throws Exception {

    }
}

和身份验证类与主体

@Data
@Builder
public class MyAuthentication implements Authentication{

    private String login;

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        List<GrantedAuthority> authorities = new ArrayList<>(1);
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
        return authorities;
    }

    @Override
    public Object getCredentials() {
        return null;
    }

    @Override
    public Object getDetails() {
        return null;
    }

    @Override
    public Object getPrincipal() {
        return (Principal)() -> login;
    }

    @Override
    public boolean isAuthenticated() {
        return true;
    }

    @Override
    public void setAuthenticated(boolean isAuthenticated) throws IllegalArgumentException {

    }

    @Override
    public String getName() {
        return login;
    }

    public static Principal getCurrentPrincipal(){
        return (Principal) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    }
}

【问题讨论】：

你试过用@AuthenticationPrincipal在控制器方法中注释参数吗？
@ago Principal 和 @AuthenticationPrincipal 也不起作用
@skwisgaar 不起作用
奇怪，出于好奇，我分叉了一些示例 spring 安全项目并将 @AuthenticationPrincipal 添加到控制器，它按预期工作（您可以在 github.com/loonydevil/example-spring-boot-security 检查最后一次提交）。我是否正确，您将自动填充的主体设为 null 但同时安全上下文持有者正确返回它？

标签： java spring spring-mvc authorization

【解决方案1】：

rest 控制器中的主要参数在此示例中按预期工作。

@RestController
public class MyController {

    @GetMapping("/greeting")
    public Greeting greeting(Principal principal, @RequestParam(value = "name", defaultValue = "World") String name) {... }

【讨论】：