java: when is loadUserByUsername invoked? (Spring Security)

Disclaimer: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must likewise follow the CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me): StackOverflow original address: http://stackoverflow.com/questions/10852703/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Time: 2020-10-31 02:51:47  Source: igfitidea

when loadUserByUsername is invoked? (spring security)

Tags: java, spring, spring-security

Asked by Yichaoz

I'm learning Spring Security and I have a few quick questions with respect to UserDetailsService:


1- When is loadUserByUsername actually called or invoked? After authentication? Only once per login?


2- After login, will Spring put the actual logged user into httpSession?


3- Which is the recommended way to populate the collection of <GrantedAuthority>of UserDetails?


  1. Eager fetch them, so when loadUserByUsername is called the returned user already has its "ROLES"
  2. Implement another custom filter like UsernamePasswordAuthenticationFilter and populate them after a successful login?
  3. Neither of the above…

Accepted answer by Shaun the Sheep

  1. It is typically called by an AuthenticationProvider instance in order to authenticate a user. For example, when a username and password is submitted, a UserDetailsService is called to find the password for that user to see if it is correct. It will also typically provide some other information about the user, such as the authorities and any custom fields you may want to access for a logged in user (email, for instance). That is the main usage pattern. You can grep the code to see exactly where it is called.

As explained in the manual:


There is often some confusion about UserDetailsService. It is purely a DAO for user data and performs no other function other than to supply that data to other components within the framework. In particular, it does not authenticate the user, which is done by the AuthenticationManager. In many cases it makes more sense to implement AuthenticationProvider directly if you require a custom authentication process.


  2. Yes. A SecurityContext instance is stored in the session once the user has been authenticated.

  3. If you need to implement a custom UserDetailsService then it will depend on your requirements and how they are stored. Typically you would load them at the same time as the other user information. It's not something you would likely do in a filter. As explained in the above quotation from the manual, if you are actually implementing a different authentication mechanism then you should implement AuthenticationProvider directly. It isn't compulsory to have a UserDetailsService in your app. You can think of it as a strategy that is used by certain built-in features.

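The flow the accepted answer describes, as an added example that is not part of the original answer or of Spring Security itself: a custom UserDetailsService that acts purely as a DAO and returns the stored password hash together with the authorities in one lookup (the "eager fetch" option from question 3), a DaoAuthenticationProvider that calls loadUserByUsername once per login attempt and does the password comparison itself (question 1), and the resulting Authentication placed in the SecurityContext that the web filter chain would save in the HttpSession (question 2). It assumes Spring Security 5.x (spring-security-core and spring-security-crypto) on the classpath; the MapUserDetailsService and UserRow classes and the in-memory user table are constructed for this example.

```java
import java.util.List;
import java.util.Map;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class UserDetailsServiceDemo {

    /** Constructed stand-in for a user table row: bcrypt hash plus granted authorities. */
    static final class UserRow {
        final String passwordHash;
        final List<String> authorities;

        UserRow(String passwordHash, List<String> authorities) {
            this.passwordHash = passwordHash;
            this.authorities = authorities;
        }
    }

    /**
     * Hypothetical custom UserDetailsService. It is a pure DAO: one lookup returns the
     * stored hash and the authorities together (eager fetch), and it never compares
     * passwords. Unknown users must be reported with UsernameNotFoundException.
     */
    static final class MapUserDetailsService implements UserDetailsService {
        private final Map<String, UserRow> table;

        MapUserDetailsService(Map<String, UserRow> table) {
            this.table = table;
        }

        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            UserRow row = table.get(username);
            if (row == null) {
                throw new UsernameNotFoundException("no such user: " + username);
            }
            // authorities(String...) stores the strings as-is; roles(...) would prepend "ROLE_".
            return User.withUsername(username)
                    .password(row.passwordHash)
                    .authorities(row.authorities.toArray(new String[0]))
                    .build();
        }
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        // Constructed sample data: one user, hashed at startup for the demo.
        Map<String, UserRow> table = Map.of(
                "alice", new UserRow(encoder.encode("correct horse"), List.of("ROLE_USER", "ROLE_ADMIN")));

        // The provider, not the UserDetailsService, performs authentication.
        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(new MapUserDetailsService(table));
        provider.setPasswordEncoder(encoder);

        // Question 1: a login attempt calls loadUserByUsername("alice") once; the provider then
        // checks the submitted password against the returned hash with the PasswordEncoder.
        Authentication result = provider.authenticate(
                new UsernamePasswordAuthenticationToken("alice", "correct horse"));
        System.out.println("authenticated=" + result.isAuthenticated()
                + " authorities=" + result.getAuthorities());

        // Question 2: after success the filter chain puts the Authentication into the
        // SecurityContext; in a web app SecurityContextPersistenceFilter saves that context
        // in the HttpSession under the key "SPRING_SECURITY_CONTEXT" when the request ends.
        SecurityContextHolder.getContext().setAuthentication(result);

        // A wrong password and an unknown username both surface as BadCredentialsException:
        // the provider hides UsernameNotFoundException by default (hideUserNotFoundExceptions),
        // so the login form cannot be used to enumerate valid usernames.
        for (String[] attempt : new String[][] {{"alice", "wrong"}, {"mallory", "anything"}}) {
            try {
                provider.authenticate(new UsernamePasswordAuthenticationToken(attempt[0], attempt[1]));
            } catch (AuthenticationException e) {
                System.out.println(attempt[0] + " -> " + e.getClass().getSimpleName());
            }
        }
    }
}
```

Two points worth keeping in mind when writing your own UserDetailsService: return the password hash, never a plaintext password, so that the comparison stays inside the PasswordEncoder the provider is configured with; and do not catch UsernameNotFoundException and return null or a placeholder user, because the provider relies on that exception (and on its default of masking it as BadCredentialsException) to keep unknown and known usernames indistinguishable to a client.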