Java 如何在spring boot中配置自定义身份验证和授权?
我们有一个实现了AuthenticationProvider的CustomAuthentication类,还有一个实现了AccessDecisionManager的CustomAccessDecisionMgr类。如何在使用Java配置的应用程序中注册它们?
标签:java、spring、spring-boot、spring-security
<!-- Authorization filter: asks the AccessDecisionManager to decide each request, using the
     attributes that the SecurityMetadataSource returns for it. How this filter is placed in
     the filter chain is not shown in this snippet. -->
<beans:bean id="filterSecurityInterceptor"
            class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
  <beans:property name="authenticationManager" ref="authenticationManager"/>
  <!-- Requests for which this source returns no attributes are treated as public and never
       reach the AccessDecisionManager unless rejectPublicInvocations is set to true. -->
  <beans:property name="securityMetadataSource" ref="securityMetadataSource"/>
</beans:bean>

<!-- AuthenticationManager, exposed under the alias the interceptor refers to; it delegates
     to the single custom AuthenticationProvider declared below. -->
<authentication-manager alias="authenticationManager"
                        xmlns="http://www.springframework.org/schema/security">
  <authentication-provider ref="customAuthentication"/>
</authentication-manager>

<!-- Project AccessDecisionManager. Access is refused only when decide() throws, so the
     implementation (not visible here) has to fail closed. -->
<beans:bean name="accessDecisionManager"
            class="com.xy.dashboard.security.CustomAccessDecisionManager"/>

<!-- Project metadata source that supplies the security attributes per request. -->
<beans:bean name="securityMetadataSource"
            class="com.xy.dashboard.security.InvocationSecurityMetadataSourceService"/>

<!-- Project AuthenticationProvider referenced by the authentication-manager above. -->
<beans:bean id="customAuthentication"
            class="com.xy.dashboard.security.CustomAuthentication"/>

<!-- Authentication failure handler (despite the bean id): an expired credential redirects to
     the change-password page, every other failure to the login page. The user is still
     unauthenticated after that redirect, so the change-password page must verify the current
     password itself. NOTE(review): nothing in this snippet references this bean; confirm it is
     attached to the login filter. -->
<beans:bean id="securityExceptionTranslationHandler"
            class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
  <beans:property name="exceptionMappings">
    <beans:props>
      <beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/changepassword.xhtml</beans:prop>
    </beans:props>
  </beans:property>
  <beans:property name="defaultFailureUrl" value="/login.jsp"/>
</beans:bean>
在我的xml中
<!-- Authorization filter: asks the AccessDecisionManager to decide each request, using the
     attributes that the SecurityMetadataSource returns for it. How this filter is placed in
     the filter chain is not shown in this snippet. -->
<beans:bean id="filterSecurityInterceptor"
            class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
  <beans:property name="authenticationManager" ref="authenticationManager"/>
  <!-- Requests for which this source returns no attributes are treated as public and never
       reach the AccessDecisionManager unless rejectPublicInvocations is set to true. -->
  <beans:property name="securityMetadataSource" ref="securityMetadataSource"/>
</beans:bean>

<!-- AuthenticationManager, exposed under the alias the interceptor refers to; it delegates
     to the single custom AuthenticationProvider declared below. -->
<authentication-manager alias="authenticationManager"
                        xmlns="http://www.springframework.org/schema/security">
  <authentication-provider ref="customAuthentication"/>
</authentication-manager>

<!-- Project AccessDecisionManager. Access is refused only when decide() throws, so the
     implementation (not visible here) has to fail closed. -->
<beans:bean name="accessDecisionManager"
            class="com.xy.dashboard.security.CustomAccessDecisionManager"/>

<!-- Project metadata source that supplies the security attributes per request. -->
<beans:bean name="securityMetadataSource"
            class="com.xy.dashboard.security.InvocationSecurityMetadataSourceService"/>

<!-- Project AuthenticationProvider referenced by the authentication-manager above. -->
<beans:bean id="customAuthentication"
            class="com.xy.dashboard.security.CustomAuthentication"/>

<!-- Authentication failure handler (despite the bean id): an expired credential redirects to
     the change-password page, every other failure to the login page. The user is still
     unauthenticated after that redirect, so the change-password page must verify the current
     password itself. NOTE(review): nothing in this snippet references this bean; confirm it is
     attached to the login filter. -->
<beans:bean id="securityExceptionTranslationHandler"
            class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
  <beans:property name="exceptionMappings">
    <beans:props>
      <beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/changepassword.xhtml</beans:prop>
    </beans:props>
  </beans:property>
  <beans:property name="defaultFailureUrl" value="/login.jsp"/>
</beans:bean>
<!-- Authorization filter: asks the AccessDecisionManager to decide each request, using the
     attributes that the SecurityMetadataSource returns for it. How this filter is placed in
     the filter chain is not shown in this snippet. -->
<beans:bean id="filterSecurityInterceptor"
            class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
  <beans:property name="authenticationManager" ref="authenticationManager"/>
  <!-- Requests for which this source returns no attributes are treated as public and never
       reach the AccessDecisionManager unless rejectPublicInvocations is set to true. -->
  <beans:property name="securityMetadataSource" ref="securityMetadataSource"/>
</beans:bean>

<!-- AuthenticationManager, exposed under the alias the interceptor refers to; it delegates
     to the single custom AuthenticationProvider declared below. -->
<authentication-manager alias="authenticationManager"
                        xmlns="http://www.springframework.org/schema/security">
  <authentication-provider ref="customAuthentication"/>
</authentication-manager>

<!-- Project AccessDecisionManager. Access is refused only when decide() throws, so the
     implementation (not visible here) has to fail closed. -->
<beans:bean name="accessDecisionManager"
            class="com.xy.dashboard.security.CustomAccessDecisionManager"/>

<!-- Project metadata source that supplies the security attributes per request. -->
<beans:bean name="securityMetadataSource"
            class="com.xy.dashboard.security.InvocationSecurityMetadataSourceService"/>

<!-- Project AuthenticationProvider referenced by the authentication-manager above. -->
<beans:bean id="customAuthentication"
            class="com.xy.dashboard.security.CustomAuthentication"/>

<!-- Authentication failure handler (despite the bean id): an expired credential redirects to
     the change-password page, every other failure to the login page. The user is still
     unauthenticated after that redirect, so the change-password page must verify the current
     password itself. NOTE(review): nothing in this snippet references this bean; confirm it is
     attached to the login filter. -->
<beans:bean id="securityExceptionTranslationHandler"
            class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
  <beans:property name="exceptionMappings">
    <beans:props>
      <beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/changepassword.xhtml</beans:prop>
    </beans:props>
  </beans:property>
  <beans:property name="defaultFailureUrl" value="/login.jsp"/>
</beans:bean>
您需要实现AuthenticationProvider接口,并提供其authenticate方法的实现。
<!-- Authorization filter: asks the AccessDecisionManager to decide each request, using the
     attributes that the SecurityMetadataSource returns for it. How this filter is placed in
     the filter chain is not shown in this snippet. -->
<beans:bean id="filterSecurityInterceptor"
            class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
  <beans:property name="authenticationManager" ref="authenticationManager"/>
  <!-- Requests for which this source returns no attributes are treated as public and never
       reach the AccessDecisionManager unless rejectPublicInvocations is set to true. -->
  <beans:property name="securityMetadataSource" ref="securityMetadataSource"/>
</beans:bean>

<!-- AuthenticationManager, exposed under the alias the interceptor refers to; it delegates
     to the single custom AuthenticationProvider declared below. -->
<authentication-manager alias="authenticationManager"
                        xmlns="http://www.springframework.org/schema/security">
  <authentication-provider ref="customAuthentication"/>
</authentication-manager>

<!-- Project AccessDecisionManager. Access is refused only when decide() throws, so the
     implementation (not visible here) has to fail closed. -->
<beans:bean name="accessDecisionManager"
            class="com.xy.dashboard.security.CustomAccessDecisionManager"/>

<!-- Project metadata source that supplies the security attributes per request. -->
<beans:bean name="securityMetadataSource"
            class="com.xy.dashboard.security.InvocationSecurityMetadataSourceService"/>

<!-- Project AuthenticationProvider referenced by the authentication-manager above. -->
<beans:bean id="customAuthentication"
            class="com.xy.dashboard.security.CustomAuthentication"/>

<!-- Authentication failure handler (despite the bean id): an expired credential redirects to
     the change-password page, every other failure to the login page. The user is still
     unauthenticated after that redirect, so the change-password page must verify the current
     password itself. NOTE(review): nothing in this snippet references this bean; confirm it is
     attached to the login filter. -->
<beans:bean id="securityExceptionTranslationHandler"
            class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
  <beans:property name="exceptionMappings">
    <beans:props>
      <beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/changepassword.xhtml</beans:prop>
    </beans:props>
  </beans:property>
  <beans:property name="defaultFailureUrl" value="/login.jsp"/>
</beans:bean>
第一步,
您的Web安全配置应该是这样的:
<!-- Authorization filter: asks the AccessDecisionManager to decide each request, using the
     attributes that the SecurityMetadataSource returns for it. How this filter is placed in
     the filter chain is not shown in this snippet. -->
<beans:bean id="filterSecurityInterceptor"
            class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
  <beans:property name="authenticationManager" ref="authenticationManager"/>
  <!-- Requests for which this source returns no attributes are treated as public and never
       reach the AccessDecisionManager unless rejectPublicInvocations is set to true. -->
  <beans:property name="securityMetadataSource" ref="securityMetadataSource"/>
</beans:bean>

<!-- AuthenticationManager, exposed under the alias the interceptor refers to; it delegates
     to the single custom AuthenticationProvider declared below. -->
<authentication-manager alias="authenticationManager"
                        xmlns="http://www.springframework.org/schema/security">
  <authentication-provider ref="customAuthentication"/>
</authentication-manager>

<!-- Project AccessDecisionManager. Access is refused only when decide() throws, so the
     implementation (not visible here) has to fail closed. -->
<beans:bean name="accessDecisionManager"
            class="com.xy.dashboard.security.CustomAccessDecisionManager"/>

<!-- Project metadata source that supplies the security attributes per request. -->
<beans:bean name="securityMetadataSource"
            class="com.xy.dashboard.security.InvocationSecurityMetadataSourceService"/>

<!-- Project AuthenticationProvider referenced by the authentication-manager above. -->
<beans:bean id="customAuthentication"
            class="com.xy.dashboard.security.CustomAuthentication"/>

<!-- Authentication failure handler (despite the bean id): an expired credential redirects to
     the change-password page, every other failure to the login page. The user is still
     unauthenticated after that redirect, so the change-password page must verify the current
     password itself. NOTE(review): nothing in this snippet references this bean; confirm it is
     attached to the login filter. -->
<beans:bean id="securityExceptionTranslationHandler"
            class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
  <beans:property name="exceptionMappings">
    <beans:props>
      <beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/changepassword.xhtml</beans:prop>
    </beans:props>
  </beans:property>
  <beans:property name="defaultFailureUrl" value="/login.jsp"/>
</beans:bean>
/**
 * Java-config security setup that registers the custom AuthenticationProvider with the
 * AuthenticationManager and requires an authenticated user on the endpoints this
 * configuration is scoped to.
 *
 * <p>No AccessDecisionManager is registered in this class. A custom one would be supplied
 * through {@code authorizeRequests().accessDecisionManager(...)}.
 *
 * <p>NOTE(review): {@code SecurityProperties.ACCESS_OVERRIDE_ORDER} is a Spring Boot 1.x
 * constant and {@code WebSecurityConfigurerAdapter} was removed in Spring Security 6;
 * confirm the versions in use before copying this.
 */
@Configuration
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    /** Project AuthenticationProvider, injected by type. */
    @Autowired
    private CustomAuthenticationProvider customProvider;

    /**
     * Configures form login and the authorization rule for this filter chain.
     *
     * @param http the HttpSecurity to configure
     * @throws Exception if the configurers fail to apply
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Custom login page, reachable without authentication.
        http.formLogin()
            .loginPage("/login")
            .permitAll();

        // Scopes this chain to exactly these three paths. Requests to any other URL are
        // not matched by this configuration and must be protected by another chain.
        http.requestMatchers()
            .antMatchers("/login", "/oauth/authorize", "/oauth/confirm_access");

        // Within that scope, every request requires an authenticated user.
        http.authorizeRequests()
            .anyRequest()
            .authenticated();
    }

    /**
     * Adds the custom provider to the AuthenticationManager being built.
     *
     * @param auth the builder for the AuthenticationManager
     * @throws Exception if the provider cannot be registered
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(customProvider);
    }
}
第二步,
您需要创建自己的类来实现AuthenticationProvider,它应该是这样的:
<!-- Authorization filter: asks the AccessDecisionManager to decide each request, using the
     attributes that the SecurityMetadataSource returns for it. How this filter is placed in
     the filter chain is not shown in this snippet. -->
<beans:bean id="filterSecurityInterceptor"
            class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  <beans:property name="accessDecisionManager" ref="accessDecisionManager"/>
  <beans:property name="authenticationManager" ref="authenticationManager"/>
  <!-- Requests for which this source returns no attributes are treated as public and never
       reach the AccessDecisionManager unless rejectPublicInvocations is set to true. -->
  <beans:property name="securityMetadataSource" ref="securityMetadataSource"/>
</beans:bean>

<!-- AuthenticationManager, exposed under the alias the interceptor refers to; it delegates
     to the single custom AuthenticationProvider declared below. -->
<authentication-manager alias="authenticationManager"
                        xmlns="http://www.springframework.org/schema/security">
  <authentication-provider ref="customAuthentication"/>
</authentication-manager>

<!-- Project AccessDecisionManager. Access is refused only when decide() throws, so the
     implementation (not visible here) has to fail closed. -->
<beans:bean name="accessDecisionManager"
            class="com.xy.dashboard.security.CustomAccessDecisionManager"/>

<!-- Project metadata source that supplies the security attributes per request. -->
<beans:bean name="securityMetadataSource"
            class="com.xy.dashboard.security.InvocationSecurityMetadataSourceService"/>

<!-- Project AuthenticationProvider referenced by the authentication-manager above. -->
<beans:bean id="customAuthentication"
            class="com.xy.dashboard.security.CustomAuthentication"/>

<!-- Authentication failure handler (despite the bean id): an expired credential redirects to
     the change-password page, every other failure to the login page. The user is still
     unauthenticated after that redirect, so the change-password page must verify the current
     password itself. NOTE(review): nothing in this snippet references this bean; confirm it is
     attached to the login filter. -->
<beans:bean id="securityExceptionTranslationHandler"
            class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
  <beans:property name="exceptionMappings">
    <beans:props>
      <beans:prop key="org.springframework.security.authentication.CredentialsExpiredException">/changepassword.xhtml</beans:prop>
    </beans:props>
  </beans:property>
  <beans:property name="defaultFailureUrl" value="/login.jsp"/>
</beans:bean>
为什么不使用Java配置而不是XML配置?
之前我们使用的是XML配置,但现在想迁移到Java配置。谢谢您的回复。我正在做类似的事情,但我想知道如何注册我的CustomAccessDecisionManager。
好的,看来您想根据配置进行动态角色检查。我曾经添加过AccessDecisionManager,用于从数据库进行动态角色检查。首先,您需要添加SecurityFilterChain,并且您的过滤器链中应该配置角色投票器(RoleVoter)。
谢谢Gaurav。我想知道如何注册我的CustomAccessDecisionManager。您可以在上面的XML配置中看到,我们有FilterSecurityInterceptor,并将CustomAccessDecisionMgr和CustomAuthprovider注入其中。我们在web.xml中配置了DelegatingFilterProxy,而CustomAccessDecisionMgr实现了AccessDecisionManager。