java Spring Security 如何添加/配置 AuthenticationManagerBuilder?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/25948090/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How Spring Security add/configure AuthenticationManagerBuilder?
提问by beinghuman
I am working on Spring Security Java-based configuration.
我正在研究基于 Spring Security Java 的配置。
I have created my own MyAuthenticationProviderwhich I want to register in the ProviderManager(single instance of AuthenticationManager).
我已经创建了我自己的MyAuthenticationProvider,我想在ProviderManager(的单个实例AuthenticationManager)中注册。
I have found that ProviderManagerhas a list of providers to which I can register my single
MyAuthenticationProvider.
我发现ProviderManager有一个提供者列表,我可以在其中注册我的单个
MyAuthenticationProvider.
Here is the part of my Configuration:
这是我的配置的一部分:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(MyAuthenticationProvider);
}
}
I found out that AuthenticationManagerBuilderhas parentAuthenticationManager, defaultUserDetailsServiceand many other fields.
我发现AuthenticationManagerBuilder了parentAuthenticationManager,defaultUserDetailsService等诸多领域。
My questions are:
我的问题是:
- Where is this
@Autowiredannotation addingAuthenticationManagerBuilderauth from? Is theAuthenticationManagerBuilderalready created in the application context? - What would be the default state of
AuthenticationManagerBuilderwhich is being injected? By default state I mean will there be someparentAuthenticationManager,authenticationProviders already registered in theAuthenticationManagerBuilder? - If I am adding
auth.authenticationProvider(MyAuthenticationProvider), does this mean that I am adding one more provider in theAuthenticationManagerBuilder? What does this mean? Taken from Spring Documentation
The name of the configureGlobal method is not important. However, it is important to only configure AuthenticationManagerBuilder in a class annotated with either @EnableWebSecurity, @EnableWebMvcSecurity, @EnableGlobalMethodSecurity, or @EnableGlobalAuthentication. Doing otherwise has unpredictable results.
- 这个
@Autowired注释AuthenticationManagerBuilder从哪里添加身份验证?是否AuthenticationManagerBuilder已经在应用程序上下文中创建? AuthenticationManagerBuilder正在注入的默认状态是什么?默认状态下我的意思是会有一些parentAuthenticationManager,authenticationProviders 已经注册在AuthenticationManagerBuilder?- 如果我添加
auth.authenticationProvider(MyAuthenticationProvider),这是否意味着我在 中添加了一个提供者AuthenticationManagerBuilder? 这是什么意思?取自 Spring 文档
configureGlobal 方法的名称并不重要。但是,重要的是只在用@EnableWebSecurity、@EnableWebMvcSecurity、@EnableGlobalMethodSecurity 或@EnableGlobalAuthentication 注释的类中配置AuthenticationManagerBuilder。否则会产生不可预测的结果。
回答by NatFar
Answer for 1:
回答1:
@EnableWebSecurityis meta-annotated with @EnableGlobalAuthentication
@EnableWebSecurity元注释为 @EnableGlobalAuthentication
...
@EnableGlobalAuthentication
@Configuration
public @interface EnableWebSecurity {
...
and @EnableGlobalAuthenticationimports AuthenticationConfiguration:
和@EnableGlobalAuthentication进口AuthenticationConfiguration:
...
@Import(AuthenticationConfiguration.class)
@Configuration
public @interface EnableGlobalAuthentication {
}
In AuthenticationConfiguration, you'll see that an AuthenticationManagerBuilderbean is declared:
在 中AuthenticationConfiguration,您将看到声明了一个AuthenticationManagerBuilderbean:
...
@Bean
public AuthenticationManagerBuilder authenticationManagerBuilder(
ObjectPostProcessor<Object> objectPostProcessor, ApplicationContext context) {
...
}
When you @Autowirean AuthenticationManagerBuilder, this is the one that you will get. You have several methods at your disposal to easily configure in-memory, jdbc, ldap,... authentication.
当你@Autowire是AuthenticationManagerBuilder,这就是你会得到的。您可以使用多种方法轻松配置内存中、jdbc、ldap、...身份验证。
Answer for 2:
回答2:
Background:
背景:
The Spring Security Java config goes through several stages to seamlessly incorporate your configurations with the ApplicationContext.One place where this comes together is in the getHttp()method in WebSecurityConfigurerAdapter.
Spring Security Java 配置经历了几个阶段以将您的配置与ApplicationContext.a 中的getHttp()方法结合在一起WebSecurityConfigurerAdapter。
For example, this is an excerpt:
例如,这是一个摘录:
AuthenticationManager authenticationManager = authenticationManager();
authenticationBuilder.parentAuthenticationManager(authenticationManager);
To give you an idea of how "not-straightforward" the sequence of configuration is, the authenticationManager variable above will be either:
为了让您了解配置序列的“不直接”程度,上面的 authenticationManager 变量将是:
- The authentication manager you added by overriding
configure(AuthenticationManagerBuilder auth) - OR: The authentication manager you added in the method that
@AutowiredtheAuthenticationManagerBuilderbean from AuthenticationConfiguration - OR: an AuthenticationManager bean found in the context
- 您通过覆盖添加的身份验证管理器
configure(AuthenticationManagerBuilder auth) - OR:您在AuthenticationConfiguration中
@Autowired的AuthenticationManagerBuilderbean的方法中添加的身份验证管理器 - 或:在上下文中找到的 AuthenticationManager bean
By default state I mean will there be some [...] authenticationProviders already registered in the
AuthenticationManagerBuilder
默认状态下我的意思是会有一些 [...] authenticationProviders 已经注册在
AuthenticationManagerBuilder
If you look at AuthenticationConfiguration, you'll see that by default, the InitializeUserDetailsBeanManagerConfigureris applied to the AuthenticationManagerBuilderbean. As long as it finds a UserDetailsServicebean in the context and no other provider has been added, it will add a DaoAuthenticationProvider. This is why in the Spring Security reference, only providing a @Bean UserDetailsServicebean is sufficient.
如果您查看AuthenticationConfiguration,您会看到默认情况下,InitializeUserDetailsBeanManagerConfigurer应用于AuthenticationManagerBuilderbean。只要它UserDetailsService在上下文中找到一个bean 并且没有添加其他提供者,它就会添加一个DaoAuthenticationProvider. 这就是为什么在Spring Security 参考中,只提供一个 @Bean UserDetailsServicebean 就足够了。
But once you add an authentication provider as you did, the "default" provider is not registered.
但是,一旦您添加了身份验证提供程序,就不会注册“默认”提供程序。
回答by Jonathan Oliveira
Answer for 3:
答案3:
Yes. The code of AuthenticationManagerBuilder adds your provider:
是的。AuthenticationManagerBuilder 的代码添加了您的提供者:
public AuthenticationManagerBuilder authenticationProvider(AuthenticationProvider authenticationProvider) {
this.authenticationProviders.add(authenticationProvider);
return this;
}
Answer for 4 is simple:
4 的答案很简单:
It means that, once you have one of that annotations, you can name your method as you wish:
这意味着,一旦您拥有其中一个注释,您就可以根据需要命名您的方法:
@Configuration
@EnableWebSecurity //or @EnableWebMvcSecurity or @EnableGlobalMethodSecurity....
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void myCoolMethodName(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(MyAuthenticationProvider);
}
}
"Doing otherwise has unpredictable results"
“否则会产生不可预测的结果”
If you keep the name but not the annotations, it may not work.
如果您保留名称但不保留注释,则可能不起作用。
