I am trying to accomplish something very simple, and I am sure that once I do it I will call myself a dunce. However, below are the steps I am trying to perform, in pseudocode.

step1
-- get username and password from login form
step2
-- send username and password to web service
step3
-- if the return from the service equals "N" show error else if the return from the service equals "Y" then authenticate a user and query database for user roles.
step4
-- if the user role is not allowed to see page show error page else continue to page.

I have tried several tutorials, but I have failed miserably. I suspect that because everything I have seen relates to configuration or annotations, it is hard for me to understand at what point the user actually gets authenticated.

I have tried
http://www.ekiras.com/2016/04/authenticate-user-with-custom-user-details-service-in-spring-security.html
http://o7planning.org/en/10603/spring-mvc-security-and-spring-jdbc-tutorial
Spring security access with multiple roles

My biggest problem is step3 above. How do I do it? I just do not understand how to authenticate the user and add multiple roles to that user while staying within Spring's constructs.
Posted on 2017-02-20 17:25:59

When you use Spring Security, you can use this structure:
In my case it is annotation-based and uses Spring Boot.
You will need an ApplicationSecurity class that extends WebSecurityConfigurerAdapter:
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;

@Configuration
@EnableWebSecurity
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailSecurityService userDetailSecurityService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF protection is switched off here; for a browser-facing form login
            // it is usually safer to leave it enabled.
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/static").permitAll()
                .anyRequest().fullyAuthenticated()
            .and()
            .formLogin()
                .loginPage("/login").failureUrl("/login?error=1")
                .permitAll().defaultSuccessUrl("/")
                .successHandler(new NoRedirectSavedRequestAwareAuthenticationSuccessHandler())
            .and()
            .sessionManagement()
                .sessionAuthenticationErrorUrl("/notauthorized")
                .invalidSessionUrl("/notauthorized")
            .and()
            .logout()
                .deleteCookies("JSESSIONID", "SESSION")
                .permitAll();
    }

    // If you want to add some encoder method to store your passwords
    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailSecurityService).passwordEncoder(passwordEncoder());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // MD5PasswordEncoder is the answerer's own class, not part of Spring Security;
        // Spring's BCryptPasswordEncoder is the usual choice for stored passwords.
        return new MD5PasswordEncoder();
    }

    // Sets the session timeout after a successful login and always redirects to "/"
    // instead of the originally requested (saved) URL.
    private class NoRedirectSavedRequestAwareAuthenticationSuccessHandler
            extends SimpleUrlAuthenticationSuccessHandler {

        final Integer SESSION_TIMEOUT_IN_SECONDS = 30 * 60; // 30 min

        @Override
        public void onAuthenticationSuccess(HttpServletRequest request,
                HttpServletResponse response, Authentication authentication)
                throws ServletException, IOException {
            request.getSession().setMaxInactiveInterval(SESSION_TIMEOUT_IN_SECONDS);
            response.sendRedirect("/");
        }
    }
}

Your class UserDetailSecurityService must implement UserDetailsService, which is a Spring Security interface that requires you to override the method loadUserByUsername():
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service
public class UserDetailSecurityService implements UserDetailsService {

    // UserService is the answerer's own class; findByUsername() is expected to
    // return a UserDetails object (or null if no such user exists).
    @Autowired
    UserService userService;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        /* Here in your case you would call your WebService, check whether the result is Y/N
           and return the UserDetails object with all roles, etc.
           If the user is not valid you could throw an exception. */
        UserDetails user = userService.findByUsername(username);
        if (user == null) {
            // Returning null from this method is an error in Spring Security; signal
            // an unknown user with the dedicated exception instead.
            throw new UsernameNotFoundException("User not found: " + username);
        }
        return user;
    }
}

https://stackoverflow.com/questions/42296990
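The answer's UserDetailsService only ever receives the username; Spring then compares the password itself against UserDetails.getPassword(). The question's step 2, however, wants the remote web service to check both username and password and answer "Y" or "N". The Spring Security hook that sees both values is an AuthenticationProvider, so the following added example (not code from the question, the answer, or any project; written against the same WebSecurityConfigurerAdapter API the answer uses) goes one step beyond the answer and implements steps 2 to 4 that way. CredentialCheckClient, RoleRepository, WebServiceAuthenticationProvider, RoleBasedSecurityConfig and the "/admin/**" and "/notauthorized" paths are assumed names for this example.

```java
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;

/** Hypothetical client for the web service from step 2; returns "Y" or "N". */
interface CredentialCheckClient {
    String check(String username, String password);
}

/** Hypothetical database lookup of the user's role names for step 3. */
interface RoleRepository {
    List<String> rolesFor(String username);
}

/** Steps 2 and 3: verify the credentials remotely, then attach the roles from the database. */
@Component
public class WebServiceAuthenticationProvider implements AuthenticationProvider {

    private final CredentialCheckClient client;
    private final RoleRepository roles;

    public WebServiceAuthenticationProvider(CredentialCheckClient client, RoleRepository roles) {
        this.client = client;
        this.roles = roles;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        String password = String.valueOf(authentication.getCredentials());

        // Only an explicit "Y" counts as success; "N", null or anything unexpected fails closed.
        // The generic message keeps the login form from revealing whether the username exists.
        if (!"Y".equals(client.check(username, password))) {
            throw new BadCredentialsException("Bad credentials");
        }

        // hasRole("ADMIN") in the URL rules below matches the authority "ROLE_ADMIN".
        List<GrantedAuthority> authorities = roles.rolesFor(username).stream()
                .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                .collect(Collectors.toList());

        // The three-argument constructor marks the token as authenticated. The credentials
        // slot is left null so the plaintext password is not kept in the SecurityContext.
        return new UsernamePasswordAuthenticationToken(username, null, authorities);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}

/** Step 4: which roles may see which pages, and where to send users who may not. */
@Configuration
@EnableWebSecurity
class RoleBasedSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private WebServiceAuthenticationProvider provider;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        // Takes the place of the UserDetailsService/PasswordEncoder pair used in the answer.
        auth.authenticationProvider(provider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/static/**", "/login").permitAll()
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated()
            .and()
            .exceptionHandling().accessDeniedPage("/notauthorized")
            .and()
            .formLogin().loginPage("/login").failureUrl("/login?error=1").permitAll();
    }
}
```

With this in place the login form posts to Spring's filter, the filter hands the UsernamePasswordAuthenticationToken to the provider, and the provider either throws (the form is redirected to /login?error=1) or returns an authenticated token carrying the roles. A logged-in user without ROLE_ADMIN who opens /admin/... is sent to /notauthorized by the accessDeniedPage rule, which is the step 4 behaviour the question asks for.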