Java 将Spring配置为使用数据库进行身份验证
我想将Spring安全性配置为将数据库用于RESTAPI请求。我试过这个:Java 将Spring配置为使用数据库进行身份验证,java,spring,spring-boot,spring-security,spring-security-rest,Java,Spring,Spring Boot,Spring Security,Spring Security Rest,我想将Spring安全性配置为将数据库用于RESTAPI请求。我试过这个: @Configuration @EnableWebSecurity @Import(value= {Application.class, ContextDatasource.class}) @ComponentScan(basePackages= {"org.rest.api.server.*"}) public class ApplicationSecurityConfig ex
@Configuration
@EnableWebSecurity
@Import(value= {Application.class, ContextDatasource.class})
@ComponentScan(basePackages= {"org.rest.api.server.*"})
public class ApplicationSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private RestAuthEntryPoint authenticationEntryPoint;
@Autowired
MyUserDetailsService myUserDetailsService;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
// auth
// .inMemoryAuthentication()
// .withUser("test")
// .password(passwordEncoder().encode("testpwd"))
// .authorities("ROLE_USER");
auth.userDetailsService(myUserDetailsService);
auth.authenticationProvider(authenticationProvider());
}
@Bean
public DaoAuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
authenticationProvider.setUserDetailsService(myUserDetailsService);
authenticationProvider.setPasswordEncoder(passwordEncoder());
return authenticationProvider;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/securityNone")
.permitAll()
.anyRequest()
.authenticated()
.and()
.httpBasic()
.authenticationEntryPoint(authenticationEntryPoint);
}
@Bean
public PasswordEncoder passwordEncoder() {
return NoOpPasswordEncoder.getInstance();
}
}
服务:
public interface MerchantsService {
public Merchants getCredentials(String login, String pwd) throws Exception;
}
服务实现
@Service
@Qualifier("merchantsService")
@Transactional
public class MerchantsServiceImpl implements MerchantsService {
@Autowired
private EntityManager entityManager;
@Override
public Merchants getCredentials(String login, String pwd) throws Exception {
String hql = "select e from " + Merchants.class.getName() + " e where e.login = ? and e.pwd = ?";
Query query = entityManager.createQuery(hql).setParameter(0, login).setParameter(1, pwd);
Merchants merchants = (Merchants) query.getSingleResult();
return merchants;
}
}
@Service
public class MyUserDetailsService implements UserDetailsService {
@Autowired
private MerchantsService merchantsService;
@Override
public Merchants loadUserByUsername(String username) {
Merchants user = merchantsService.getCredentials(username, pwd);
if (user == null) {
throw new UsernameNotFoundException(username);
}
return user;
}
}
我有两个问题:
public UserDetails loadUserByUsername(字符串用户名)
只能接受用户名。有没有其他方法来实现代码您必须返回
User
class对象,它本身就是UserDetails接口的实现。获得身份验证后,您将获得一个对象。您必须从中获取用户凭据以及角色。还有一个建议,尽量保持类名为单数
public UserDetails loadUserByUsername(String username) {
Merchants user = merchantsService.getCredentials(username, pwd);
Set<GrantedAuthority> grantedAuthorities = new HashSet<>();
for (Role role : user.getRoles()){
grantedAuthorities.add(new SimpleGrantedAuthority(role.getName()));
}
return new User(user.getUsername(), user.getPassword(), grantedAuthorities);
}
public UserDetails loadUserByUsername(字符串用户名){
商户用户=merchantsService.getCredentials(用户名,pwd);
Set grantedAuthories=new HashSet();
for(角色:user.getRoles()){
添加(新的SimpleGrantedAuthority(role.getName());
}
返回新用户(User.getUsername()、User.getPassword()、GrantedAuthories);
}
您不需要做密码匹配自己,它是由Spring Security自己使用PasswordEncoder完成的
有关更多详细信息,请浏览以下链接。
使用Spring Security时,必须实现一个服务,该服务实现UserDetails服务和相应的loadUserByUsername方法,该方法返回UserDetails。以下是一个示例方法:
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = this.getUserByUsername(username); // getting the user from the database with our own method
return new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(), new ArrayList<>());
}
@覆盖
public UserDetails loadUserByUsername(字符串用户名)引发UsernameNotFoundException{
User User=this.getUserByUsername(username);//使用我们自己的方法从数据库中获取用户
返回新的org.springframework.security.core.userdetails.User(User.getUsername(),User.getPassword(),new ArrayList());
}
您不必担心验证密码,因为spring security会处理它。这就是您想要的吗?这个例子有两个问题:1:我没有角色,因为根据业务需求,没有必要——所以我们需要删除它。2:我需要在身份验证中包含密码。