在开发web应用程序时,安全性是一个重要的考虑因素。为了保护用户数据和防止未经授权的访问,我们需要使用一种可靠的身份验证和授权机制。spring security是一个功能强大且广泛使用的安全框架,它提供了一套完整的解决方案来保护我们的应用程序。在本文中,我们将探讨如何在spring security中获取经过身份验证和未经过身份验证的用户的用户信息。php小编百草将向您展示如何利用spring security的功能,获取用户信息以及在不同服务之间共享用户信息的方法。无论您是初学者还是有经验的开发人员,本文都将为您提供有关spring security的详细信息,并帮助您提升应用程序的安全性。
问题内容
我有一个 spring rest 服务,我想将它用于经过身份验证和未经身份验证的用户。如果用户经过身份验证,我想从 securitycontextholder.getcontext().getauthentication() 获取用户信息。
- 如果我使用
.antmatchers("/app/rest/question/useroperation/list/**").permitall()在 ouath2 配置中,如下所示,然后我可以获取用户信息 经过身份验证的用户,但未经过身份验证的用户会出现 401 错误。 - 如果我
.antmatchers("/app/rest/question/useroperation/list/**").permitall()并忽略 websecurity 中的 urlweb.ignoring()..antmatchers("/app/rest/question/useroperation/list/**")在securityconfiguration中如下所示,然后所有用户都可以调用 服务,但我无法从 securitycontext 获取用户信息。
如何配置我的 spring security 来调用经过身份验证和未经身份验证的用户的 url,并在用户登录时从 securitycontext 获取用户信息。
@configuration
@enableresourceserver
protected static class resourceserverconfiguration extends resourceserverconfigureradapter {
@inject
private http401unauthorizedentrypoint authenticationentrypoint;
@inject
private ajaxlogoutsuccesshandler ajaxlogoutsuccesshandler;
@override
public void configure(httpsecurity http) throws exception {
http
.exceptionhandling()
.authenticationentrypoint(authenticationentrypoint)
.and()
.logout()
.logouturl("/app/logout")
.logoutsuccesshandler(ajaxlogoutsuccesshandler)
.and()
.csrf()
.requirecsrfprotectionmatcher(new antpathrequestmatcher("/oauth/authorize"))
.disable()
.headers()
.frameoptions().disable()
.sessionmanagement()
.sessioncreationpolicy(sessioncreationpolicy.stateless)
.and()
.authorizerequests()
.antmatchers("/views/**").permitall()
.antmatchers("/app/rest/authenticate").permitall()
.antmatchers("/app/rest/register").permitall()
.antmatchers("/app/rest/question/useroperation/list/**").permitall()
.antmatchers("/app/rest/question/useroperation/comment/**").authenticated()
.antmatchers("/app/rest/question/useroperation/answer/**").authenticated()
.antmatchers("/app/rest/question/definition/**").hasanyauthority(authoritiesconstants.admin)
.antmatchers("/app/rest/logs/**").hasanyauthority(authoritiesconstants.admin)
.antmatchers("/app/**").authenticated()
.antmatchers("/websocket/tracker").hasauthority(authoritiesconstants.admin)
.antmatchers("/websocket/**").permitall()
.antmatchers("/metrics/**").hasauthority(authoritiesconstants.admin)
.antmatchers("/health/**").hasauthority(authoritiesconstants.admin)
.antmatchers("/trace/**").hasauthority(authoritiesconstants.admin)
.antmatchers("/dump/**").hasauthority(authoritiesconstants.admin)
.antmatchers("/shutdown/**").hasauthority(authoritiesconstants.admin)
.antmatchers("/beans/**").hasauthority(authoritiesconstants.admin)
.antmatchers("/info/**").hasauthority(authoritiesconstants.admin)
.antmatchers("/autoconfig/**").hasauthority(authoritiesconstants.admin)
.antmatchers("/env/**").hasauthority(authoritiesconstants.admin)
.antmatchers("/trace/**").hasauthority(authoritiesconstants.admin)
.antmatchers("/api-docs/**").hasauthority(authoritiesconstants.admin)
.antmatchers("/protected/**").authenticated();
}
}
安全配置
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Inject
private UserDetailsService userDetailsService;
@Bean
public PasswordEncoder passwordEncoder() {
return new StandardPasswordEncoder();
}
@Inject
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService)
.passwordEncoder(passwordEncoder());
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring()
.antMatchers("/bower_components/**")
.antMatchers("/fonts/**")
.antMatchers("/images/**")
.antMatchers("/scripts/**")
.antMatchers("/styles/**")
.antMatchers("/views/**")
.antMatchers("/i18n/**")
.antMatchers("/swagger-ui/**")
.antMatchers("/app/rest/register")
.antMatchers("/app/rest/activate")
.antMatchers("/app/rest/question/useroperation/list/**")
.antMatchers("/console/**");
}
@EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true)
private static class GlobalSecurityConfiguration extends GlobalMethodSecurityConfiguration {
@Override
protected MethodSecurityExpressionHandler createExpressionHandler() {
return new OAuth2MethodSecurityExpressionHandler();
}
}
}解决方法
permitall() 仍然需要 authentication 对象出现在 securitycontext 中。
对于非 oauth 用户,这可以通过启用匿名访问来实现:
@override
public void configure(httpsecurity http) throws exception {
http
//some configuration
.and()
.anonymous() //allow anonymous access
.and()
.authorizerequests()
.antmatchers("/views/**").permitall()
//other security settings
匿名访问将添加额外的过滤器:anonymousauthenticationfilter到填充anonymousauthenticationtoken作为身份验证信息的过滤器链,以防securitycontext中没有authentication对象
我有这个安全配置用于通过/public/authphpcnendcphp检查authuser中文:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and().authorizeRequests()
.antMatchers("/api/skills/**", "/api/profile/**", "/api/info/**").authenticated()
.antMatchers("/api/**").hasAuthority(Role.ROLE_ADMIN.getAuthority())
.antMatchers("/public/auth").permitAll()
.and().httpBasic()
.and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and().csrf().disable();
}
@GetMapping(value = "/public/auth")
private ResponseEntity<User> getAuthUser(@AuthenticationPrincipal AuthUser authUser) {
return authUser == null ?
ResponseEntity.notFound().build() :
ResponseEntity.ok(authUser.getUser());
} 
