我有使用基于Java的配置来配置JdbcUserDetailsManager的spring boot webapp:
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
protected DataSource dataSource;
@Autowired
public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
auth.jdbcAuthentication()
.dataSource(dataSource)
.usersByUsernameQuery("select username as principal, password as credentials, true from users where username = ?")
.authoritiesByUsernameQuery("select username as principal, authority as role from authorities where username = ?")
.rolePrefix("ROLE_");
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/api/**")
.authenticated()
.and()
.formLogin()
.successHandler(
(request, response, authentication) -> {
response.setStatus(HttpStatus.NO_CONTENT.value());
})
.failureHandler(
(request, response, authentication) -> {
response.setStatus(HttpStatus.FORBIDDEN.value());
})
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessHandler(
(request, response, authentication) -> {
response.setStatus(HttpStatus.NO_CONTENT.value());
});
}
}
我可以在
configAuthentication()中设置一个断点,所以我知道该方法正在被调用。现在,我想将JdbcUserDetailsManager注入(inject)我的Application类中:@EnableAutoConfiguration
@ComponentScan
public class Application {
private Environment env;
private UserDetailsManager userDetailsManager;
@Autowired
public Application(JdbcTemplate jdbcTemplate, Environment env, UserDetailsManager userDetailsManager) {
this.env = env;
this.userDetailsManager = userDetailsManager;
...
当我尝试启动我的应用程序时,出现以下错误:
org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'application': Unsatisfied dependency expressed through constructor argument with index 2 of type [org.springframework.security.provisioning.UserDetailsManager]: : No qualifying bean of type [org.springframework.security.provisioning.UserDetailsManager] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency annotations: {}; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type [org.springframework.security.provisioning.UserDetailsManager] found for dependency: expected at least 1 bean which qualifies as autowire candidate for this dependency. Dependency annotations: {}
但是我知道一个事实,在调用
Application构造函数之前,实例化了JdbcUserDetailsManager。这里发生了什么?如何验证JdbcUserDetailsManager是否实际在上下文中注册?更新:通过如下更改
SecurityConfig,我可以解决此问题:@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
protected DataSource dataSource;
private JdbcUserDetailsManager userDetailsManager;
@Autowired
public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
this.userDetailsManager = auth.jdbcAuthentication().dataSource(dataSource)
.usersByUsernameQuery(
"select username,password,enabled from users where username=?")
.authoritiesByUsernameQuery(
"select username, role from user_roles where username=?").getUserDetailsService();
}
@Bean(name = "userDetailsManager")
public JdbcUserDetailsManager getUserDetailsManager() {
return userDetailsManager;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/api/**")
.authenticated()
.and()
.formLogin()
.successHandler(
(request, response, authentication) -> {
response.setStatus(HttpStatus.NO_CONTENT.value());
})
.failureHandler(
(request, response, authentication) -> {
response.setStatus(HttpStatus.FORBIDDEN.value());
})
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessHandler(
(request, response, authentication) -> {
response.setStatus(HttpStatus.NO_CONTENT.value());
});
}
}
前往PlínioPantaleão,向正确的方向插入我。不幸的是,我无法授予Bounty任何评论。我还不清楚
AuthenticationManagerBuilder为什么不在上下文中自动将UserDetailsService注册为Bean。如果有人可以提供权威性答案,说明我为什么必须提供 setter/getter ,那么或可以解释如何在不使用 setter/getter 的情况下使它工作(这对我来说有点不客气),我将为该答案提供奖励。 最佳答案
Spring 会注入(inject) bean,因此您必须在上下文中拥有一个 bean 才能进行注入(inject)。
但是不要在 configAuthentication() 方法中创建 bean。在它自己的方法中创建它,然后从 configAuthentication() 方法中引用它。像这样:
@Bean
public JdbcUserDetailsManager userDetailsManager() {
JdbcUserDetailsManager manager = new JdbcUserDetailsManager();
manager.setDataSource(dataSource);
manager.setUsersByUsernameQuery(
"select username,password,enabled from users where username=?");
manager.setAuthoritiesByUsernameQuery(
"select username, role from user_roles where username=?");
manager.setRolePrefix("ROLE_");
return manager;
}
@Autowired
public void configAuthentication(AuthenticationManagerBuilder builder)
throws Exception {
builder.userDetailsService(userDetailsManager());
}
现在
userDetailsManager() 生成一个正确配置的 bean(允许注入(inject))并且您将它用于身份验证。 Spring 在这里做了一些魔法,以确保对 userDetailsManager()(或任何其他 bean 定义)的重复调用一遍又一遍地返回相同的对象,而不是每次都创建新实例。我将您的方法名称从
getUserDetailsManager() 更改为 userDetailsManager() 。这个方法是一个 bean 定义,而不是一个 getter,所以这就是原因。此外,我从 @Bean 注释中删除了名称,因为 Spring 在此处自动使用方法名称作为 bean 名称。一些额外的注释来填写一些细节:
首先,对
jdbcAuthentication() 的调用会产生一个新的 JdbcUserDetailsManager 实例,但它完全是内部的(即,不是 Spring 管理的 bean)。我们可以看出,当有多个 bean 满足一次注入(inject)时,Spring 会提示。有关详细信息,请查看 AuthenticationManagerBuilder 、 JdbcUserDetailsManagerConfigurer 和各种父类(super class)的源代码。基本上你会看到的是 jdbcAuthentication() 调用导致内部细节管理器,对 userDetailsService() 的调用替换了它。其次,调用
userDetailsService() 会丢弃 jdbcAuthentication() 配置。这是来自 AuthenticationManagerBuilder 的相关方法:public <T extends UserDetailsService>
DaoAuthenticationConfigurer<AuthenticationManagerBuilder,T>
userDetailsService(T userDetailsService) throws Exception {
this.defaultUserDetailsService = userDetailsService;
return apply(
new DaoAuthenticationConfigurer<AuthenticationManagerBuilder,T>
(userDetailsService));
}
这就是我们将
JdbcUserDetailsManager 配置从 jdbcAuthentication() 部分移到 userDetailsManager() 方法本身的原因。 ( jdbcAuthentication() 调用基本上公开了一个方便、流畅的接口(interface)来创建 JdbcUserDetailsManager ,但我们在这里不需要它,因为我们已经有了 JdbcUserDetailsManager 。)