Java 如何使用 Hibernate/JPA2 实现 Spring Security 用户/权限?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3696680/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Howto implement Spring Security User/Authorities with Hibernate/JPA2?
提问by Ta Sas
I am trying to implement DAOs to work with Spring Security database authentication in Hibernate/JPA2. Spring uses following relations and associations in order to represent user & roles:
我正在尝试实现 DAO 以在 Hibernate/JPA2 中使用 Spring Security 数据库身份验证。Spring 使用以下关系和关联来表示用户和角色:
repesented as postgresql create query:
表示为 postgresql 创建查询:
CREATE TABLE users
(
username character varying(50) NOT NULL,
"password" character varying(50) NOT NULL,
enabled boolean NOT NULL,
CONSTRAINT users_pkey PRIMARY KEY (username)
);
CREATE TABLE authorities
(
username character varying(50) NOT NULL,
authority character varying(50) NOT NULL,
CONSTRAINT fk_authorities_users FOREIGN KEY (username)
REFERENCES users (username) MATCH SIMPLE
ON UPDATE NO ACTION ON DELETE NO ACTION
);
Using the on-board implementations of GrantedAuthorities, UserDetailsServiceand UserDetailsmanager, everything is fine. However, I am not satisfied with the JDBC implementation of Spring and would like to write my own ones. In order to do so, I tried to create a representation of the relations by following business objects:
使用GrantedAuthorities,UserDetailsService和的板载实现UserDetailsmanager,一切都很好。但是,我对Spring的JDBC实现并不满意,想自己写一个。为此,我尝试通过以下业务对象来创建关系的表示:
The user entity:
用户实体:
@Entity
@Table(name = "users", uniqueConstraints = {@UniqueConstraint(columnNames = {"username"})})
public class AppUser implements UserDetails, CredentialsContainer {
private static final long serialVersionUID = -8275492272371421013L;
@Id
@Column(name = "username", nullable = false, unique = true)
private String username;
@Column(name = "password", nullable = false)
@NotNull
private String password;
@OneToMany(
fetch = FetchType.EAGER, cascade = CascadeType.ALL,
mappedBy = "appUser"
)
private Set<AppAuthority> appAuthorities;
@Column(name = "accountNonExpired")
private Boolean accountNonExpired;
@Column(name = "accountNonLocked")
private Boolean accountNonLocked;
@Column(name = "credentialsNonExpired")
private Boolean credentialsNonExpired;
@OneToOne(fetch = FetchType.EAGER, cascade = CascadeType.ALL)
@JoinColumn(name = "personalinformation_fk", nullable = true)
@JsonIgnore
private PersonalInformation personalInformation;
@Column(name = "enabled", nullable = false)
@NotNull
private Boolean enabled;
public AppUser(
String username,
String password,
boolean enabled,
boolean accountNonExpired,
boolean credentialsNonExpired,
boolean accountNonLocked,
Collection<? extends AppAuthority> authorities,
PersonalInformation personalInformation
) {
if (((username == null) || "".equals(username)) || (password == null)) {
throw new IllegalArgumentException("Cannot pass null or empty values to constructor");
}
this.username = username;
this.password = password;
this.enabled = enabled;
this.accountNonExpired = accountNonExpired;
this.credentialsNonExpired = credentialsNonExpired;
this.accountNonLocked = accountNonLocked;
this.appAuthorities = Collections.unmodifiableSet(sortAuthorities(authorities));
this.personalInformation = personalInformation;
}
public AppUser() {
}
@JsonIgnore
public PersonalInformation getPersonalInformation() {
return personalInformation;
}
@JsonIgnore
public void setPersonalInformation(PersonalInformation personalInformation) {
this.personalInformation = personalInformation;
}
// Getters, setters 'n other stuff
And the authority entity as an implementation of GrantedAuthorities:
权威实体作为 GrantedAuthorities 的实现:
@Entity
@Table(name = "authorities", uniqueConstraints = {@UniqueConstraint(columnNames = {"id"})})
public class AppAuthority implements GrantedAuthority, Serializable {
//~ Instance fields ================================================================================================
private static final long serialVersionUID = 1L;
@Id
@GeneratedValue(strategy = GenerationType.TABLE)
@Column(name = "id", nullable = false)
private Integer id;
@Column(name = "username", nullable = false)
private String username;
@Column(name = "authority", nullable = false)
private String authority;
// Here comes the buggy attribute. It is supposed to repesent the
// association username<->username, but I just don't know how to
// implement it
@ManyToOne(fetch = FetchType.EAGER, cascade = CascadeType.ALL)
@JoinColumn(name = "appuser_fk")
private AppUser appUser;
//~ Constructors ===================================================================================================
public AppAuthority(String username, String authority) {
Assert.hasText(authority,
"A granted authority textual representation is required");
this.username = username;
this.authority = authority;
}
public AppAuthority() {
}
// Getters 'n setters 'n other stuff
My problem is the @ManyToOneassoc. of AppAuthorities: It is supposed to be "username", but trying and doing so throws an error, because I've got to typify that attribute as String... while Hibernate expects the associated entity. So what I tryied is actually providing the correct entity and creating the association by @JoinColumn(name = "appuser_fk"). This is, of course, rubbish, because in order to load the User, I will have the foreign key in username, while Hibernate searches for it in appuser_fk, which will always be empty.
我的问题是@ManyToOne协会。of AppAuthorities:它应该是“用户名”,但是尝试这样做会引发错误,因为我必须将该属性典型化为String...而 Hibernate 需要关联实体。所以我尝试的实际上是提供正确的实体并通过@JoinColumn(name = "appuser_fk"). 这当然是垃圾,因为为了加载用户,我将在 中使用外键username,而 Hibernate 在 中搜索它appuser_fk,它总是为空的。
So here is my question: any suggestion on how to modify the above metioned code in order to get a correct JPA2 implementation of the data model?
所以这是我的问题:关于如何修改上述代码以获得数据模型的正确 JPA2 实现的任何建议?
Thanks
谢谢
采纳答案by axtavt
You AppAuthoritydoesn't need usernameat all. Spring Security can't depend on it because it depends on the GrantedAuthorityinterfacewhich doesn't have any methods to access username.
你AppAuthority根本不需要username。Spring Security 不能依赖它,因为它依赖于没有任何方法访问用户名的GrantedAuthority接口。
But the better practice is to decouple your domain model from Spring Security. When you have a custom UserDetailsService, you don't need to mimic neither Spring Security's default database schema nor its object model. Your UserDetailsServicecan load your own AppUserand AppAuthorityand then create UserDetailsand GrantedAuthoritys based on them. This leads to cleaner design with better separation of concerns.
但更好的做法是将域模型与 Spring Security 分离。当你有一个 custom 时UserDetailsService,你不需要模仿 Spring Security 的默认数据库模式或其对象模型。您UserDetailsService可以加载自己的AppUser,AppAuthority然后基于它们创建UserDetails和GrantedAuthoritys。这导致更清晰的设计和更好的关注点分离。
回答by Stephen C
This looks like the classic Hibernate problem of using a domain-specific key. A possible fix would be to create a new primary key field; e.g. userId intfor the Usersand Authoritiesentities / tables, remove Authorities.userName, and change Users.userNameto a unique secondary key.
这看起来像是使用域特定键的经典 Hibernate 问题。一个可能的解决方法是创建一个新的主键字段;例如userId int,对于Users和Authorities实体/表,删除Authorities.userName并更改Users.userName为唯一的辅助键。
回答by Kumar Sambhav
There is one more way that decouples the UserDetailsService from JPA/Hibernate.
还有一种方法可以将 UserDetailsService 与 JPA/Hibernate 分离。
You can model your User and Authority class as you like and use this while defining userDetailsService in configuration:-
您可以根据需要为 User 和 Authority 类建模,并在配置中定义 userDetailsService 时使用它:-
<sec:jdbc-user-service data-source-ref="webDS"
id="userDetailsService"
users-by-username-query="SELECT USER_NAME,PASSWORD,TRUE FROM CUSTOMER WHERE USER_NAME=?"
authorities-by-username-query="SELECT c.USER_NAME,r.ROLE_NAME from CUSTOMER c
JOIN CUSTOMER_ROLE cr ON c.CUSTOMER_ID = cr.CUSTOMER_ID
JOIN ROLE r ON cr.ROLE_ID = r.ROLE_ID
WHERE USER_NAME=?" />
This way you can define fine tuned SQL query to fetch user and roles from your database. All you need to take care of is the table and column name.
通过这种方式,您可以定义微调的 SQL 查询以从数据库中获取用户和角色。您需要处理的只是表名和列名。
