我有一个spring rest服务,我想将其用于经过身份验证和未经身份验证的用户。如果用户经过身份验证,我想从SecurityContextHolder.getContext().getAuthentication()获取用户信息。

  • 如果我使用.antMatchers("/app/rest/question/useroperation/list/**").permitAll()在如下所示的ouath2配置中,那么我可以获得以下用户信息
    已验证的用户,但未验证的用户则显示401错误。
  • 如果我.antMatchers("/app/rest/question/useroperation/list/**").permitAll()并忽略WebSecurity中的urlweb.ignoring()..antMatchers("/app/rest/question/useroperation/list/**")像下面的SecurityConfiguration中一样,那么所有用户都可以调用
    服务,但我无法从SecurityContext获取用户信息。

  • 如何配置我的spring security来为经过身份验证和未经身份验证的用户调用url,并在用户登录后从SecurityContext获取用户信息。
    @Configuration
    @EnableResourceServer
    protected static class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {
    
        @Inject
        private Http401UnauthorizedEntryPoint authenticationEntryPoint;
    
        @Inject
        private AjaxLogoutSuccessHandler ajaxLogoutSuccessHandler;
    
        @Override
        public void configure(HttpSecurity http) throws Exception {
            http
                    .exceptionHandling()
                    .authenticationEntryPoint(authenticationEntryPoint)
                    .and()
                    .logout()
                    .logoutUrl("/app/logout")
                    .logoutSuccessHandler(ajaxLogoutSuccessHandler)
                    .and()
                    .csrf()
                    .requireCsrfProtectionMatcher(new AntPathRequestMatcher("/oauth/authorize"))
                    .disable()
                    .headers()
                    .frameOptions().disable()
                    .sessionManagement()
                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                    .and()
                    .authorizeRequests()
                    .antMatchers("/views/**").permitAll()
                    .antMatchers("/app/rest/authenticate").permitAll()
                    .antMatchers("/app/rest/register").permitAll()
                    .antMatchers("/app/rest/question/useroperation/list/**").permitAll()
                    .antMatchers("/app/rest/question/useroperation/comment/**").authenticated()
                    .antMatchers("/app/rest/question/useroperation/answer/**").authenticated()
                    .antMatchers("/app/rest/question/definition/**").hasAnyAuthority(AuthoritiesConstants.ADMIN)
                    .antMatchers("/app/rest/logs/**").hasAnyAuthority(AuthoritiesConstants.ADMIN)
                    .antMatchers("/app/**").authenticated()
                    .antMatchers("/websocket/tracker").hasAuthority(AuthoritiesConstants.ADMIN)
                    .antMatchers("/websocket/**").permitAll()
                    .antMatchers("/metrics/**").hasAuthority(AuthoritiesConstants.ADMIN)
                    .antMatchers("/health/**").hasAuthority(AuthoritiesConstants.ADMIN)
                    .antMatchers("/trace/**").hasAuthority(AuthoritiesConstants.ADMIN)
                    .antMatchers("/dump/**").hasAuthority(AuthoritiesConstants.ADMIN)
                    .antMatchers("/shutdown/**").hasAuthority(AuthoritiesConstants.ADMIN)
                    .antMatchers("/beans/**").hasAuthority(AuthoritiesConstants.ADMIN)
                    .antMatchers("/info/**").hasAuthority(AuthoritiesConstants.ADMIN)
                    .antMatchers("/autoconfig/**").hasAuthority(AuthoritiesConstants.ADMIN)
                    .antMatchers("/env/**").hasAuthority(AuthoritiesConstants.ADMIN)
                    .antMatchers("/trace/**").hasAuthority(AuthoritiesConstants.ADMIN)
                    .antMatchers("/api-docs/**").hasAuthority(AuthoritiesConstants.ADMIN)
                    .antMatchers("/protected/**").authenticated();
    
        }
    
    }
    

    安全配置
    @Configuration
    @EnableWebSecurity
    public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    
    
        @Inject
        private UserDetailsService userDetailsService;
    
    
        @Bean
        public PasswordEncoder passwordEncoder() {
            return new StandardPasswordEncoder();
        }
    
        @Inject
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .userDetailsService(userDetailsService)
                    .passwordEncoder(passwordEncoder());
        }
    
        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring()
                .antMatchers("/bower_components/**")
                .antMatchers("/fonts/**")
                .antMatchers("/images/**")
                .antMatchers("/scripts/**")
                .antMatchers("/styles/**")
                .antMatchers("/views/**")
                .antMatchers("/i18n/**")
                .antMatchers("/swagger-ui/**")
                .antMatchers("/app/rest/register")
                .antMatchers("/app/rest/activate")
                .antMatchers("/app/rest/question/useroperation/list/**")
                .antMatchers("/console/**");
        }
    
    
        @EnableGlobalMethodSecurity(prePostEnabled = true, jsr250Enabled = true)
        private static class GlobalSecurityConfiguration extends GlobalMethodSecurityConfiguration {
            @Override
            protected MethodSecurityExpressionHandler createExpressionHandler() {
                return new OAuth2MethodSecurityExpressionHandler();
            }
    
        }
    }
    

    最佳答案

    permitAll()仍然需要Authentication对象出现在SecurityContext中。

    对于非oauth用户,可以通过启用匿名访问来实现:

    @Override
    public void configure(HttpSecurity http) throws Exception {
       http
    //some configuration
         .and()
            .anonymous() //allow anonymous access
         .and()
            .authorizeRequests()
               .antMatchers("/views/**").permitAll()
    //other security settings
    

    匿名访问将在过滤器链中添加其他过滤器:AnonymousAuthenticationFilter,以在身份验证信息中填充AnonymousAuthenticationToken作为防伪信息(如果Authentication中没有SecurityContext对象)

    关于java - Spring Security在身份验证和未经身份验证的用户中获得REST服务中的用户信息,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/25230861/

    10-11 22:32
    查看更多