一尘不染

将自定义UserDetailsS​​ervice添加到Spring Security OAuth2应用

spring-boot

如何将UserDetailsService下面的自定义添加到此Spring OAuth2示例中

默认值user和默认值在应用程序passwordapplication.properties文件中定义authserver

不过,我想以下自定义添加UserDetailsServicedemo包中的authserver应用程序用于测试目的:

package demo;

import java.util.List;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.provisioning.UserDetailsManager;
import org.springframework.stereotype.Service;

@Service
class Users implements UserDetailsManager {

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        String password;
        List<GrantedAuthority> auth = AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER");
        if (username.equals("Samwise")) {
            auth = AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_HOBBIT");
            password = "TheShire";
        }
        else if (username.equals("Frodo")){
            auth = AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_HOBBIT");
            password = "MyRing";
        }
        else{throw new UsernameNotFoundException("Username was not found. ");}
        return new org.springframework.security.core.userdetails.User(username, password, auth);
    }

    @Override
    public void createUser(UserDetails user) {// TODO Auto-generated method stub
    }

    @Override
    public void updateUser(UserDetails user) {// TODO Auto-generated method stub
    }

    @Override
    public void deleteUser(String username) {// TODO Auto-generated method stub
    }

    @Override
    public void changePassword(String oldPassword, String newPassword) {
        // TODO Auto-generated method stub
    }

    @Override
    public boolean userExists(String username) {
        // TODO Auto-generated method stub
        return false;
    }
}

如您所见,这UserDetailsService还不autowired是,它故意使用不安全的密码,因为它仅用于测试目的。

需要什么样的具体变化来进行 GitHub的示例应用程序,以便用户可以登录为username=Samwisepassword=TheShire,或username=Frodopassword=MyRing
是否需要对AuthserverApplication.java其他地方进行更改?


建议:


春天的OAuth2开发指南说,使用一个GlobalAuthenticationManagerConfigurer配置UserDetailsService全球。但是,使用谷歌搜索这些名称所产生的效果会有所帮助。

另外,使用内部弹簧安全性INSTEAD OF
OAuth的其他应用程序使用以下语法来连接UserDetailsService,但是我不确定如何将其语法调整为当前OP:

@Order(Ordered.HIGHEST_PRECEDENCE)
@Configuration
protected static class AuthenticationSecurity extends GlobalAuthenticationConfigurerAdapter {

    @Autowired
    private Users users;

    @Override
    public void init(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(users);
    }
}

我试着用@Autowire里面的OAuth2AuthorizationConfig连接UsersAuthorizationServerEndpointsConfigurer如下:

@Autowired//THIS IS A TEST
private Users users;//THIS IS A TEST

@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
   endpoints.authenticationManager(authenticationManager)
        .accessTokenConverter(jwtAccessTokenConverter())
        .userDetailsService(users)//DetailsService)//THIS LINE IS A TEST
        ;
}

但是Spring Boot日志表明Samwise找不到该用户,这意味着该用户UserDetailsService未成功连接。这是Spring
Boot日志的相关摘录:

2016-04-20 15:34:39.998 DEBUG 5535 --- [nio-9999-exec-9] o.s.s.a.dao.DaoAuthenticationProvider    :  
        User 'Samwise' not found
2016-04-20 15:34:39.998 DEBUG 5535 --- [nio-9999-exec-9]   
        w.a.UsernamePasswordAuthenticationFilter :  
        Authentication request failed:  
        org.springframework.security.authentication.BadCredentialsException:  
        Bad credentials

我还能尝试什么?


阅读 325

收藏
2020-05-30

共1个答案

一尘不染

使用Spring
Security开发我的oauth服务器时遇到了类似的问题。我的情况略有不同,因为我想添加一个UserDetailsService以对刷新令牌进行身份验证,但是我认为我的解决方案也会为您提供帮助。

像您一样,我首先尝试UserDetailsService使用指定AuthorizationServerEndpointsConfigurer,但这是行不通的。我不确定这是错误还是设计使然,但是UserDetailsService需要在中设置AuthenticationManager以便各种oauth2类找到它。这为我工作:

@Configuration
@EnableWebSecurity 
public class SecurityConfig extends WebSecurityConfigurerAdapter {

  @Autowired
  Users userDetailsService;

  @Autowired
  public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userDetailsService);
  }

  @Override
  protected void configure(HttpSecurity http) throws Exception {
    http.authorizeRequests()
    // other stuff to configure your security
  }

}

我认为,如果您从第73行开始更改了以下内容,则可能对您有用:

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.parentAuthenticationManager(authenticationManager)
        .userDetailsService(userDetailsService);
}

您当然也需要@Autowired Users userDetailsService;WebSecurityConfigurerAdapter

我想提及的其他事项:

  1. 这可能是特定于版本的,我在spring-security-oauth2 2.0.12上
  2. 我无法引用任何来源说明其原因,我什至不确定我的解决方案是真正的解决方案还是黑客。
  3. GlobalAuthenticationManagerConfigurer提到在引导几乎可以肯定是一个错字,我无法找到源代码串的任何地方对任何春。
2020-05-30