我正在尝试在登录过程中添加用户ip验证。如果用户的IP地址不在数据库中,则应用程序应拒绝身份验证。
问题:给定下面的设置,结果是auth.authenticationProvider()不会替换默认的DaoAuthenticationProvider,而是将UserIpAuthenticationProvider添加为列表中的第一个AuthenticationProvider。
如果用户名/密码组合不正确,则框架最终会两次调用UserDetailsService.loadUserByUsername(),一次是从UserIpAuthenticationProvider,另一次是从内部DaoAuthenticationProvider,后者抛出最终的BadCredentialsException()。
问题:是否可以在Spring Boot中进行任何设置,以便Spring Security不会添加其自己的内部实例DaoAuthenticationProvider,而仅使用我的UserIpAuthenticationProvider,后者已经具有所有必需的功能(也许通过某种方式替换了AuthenticationManagerBuilder能够覆盖userDetailsService()方法?)。
public <T extends UserDetailsService> DaoAuthenticationConfigurer<AuthenticationManagerBuilder,T> userDetailsService(
T userDetailsService) throws Exception {
this.defaultUserDetailsService = userDetailsService;
return apply(new DaoAuthenticationConfigurer<AuthenticationManagerBuilder,T>(userDetailsService));
}
配置:在我的理解中,UserDetailsService应该提供有关用户的所有必要详细信息,以便AuthenticationProvider可以确定身份验证是否成功。
由于所有必需的信息都是从数据库中加载的,因此扩展DaoAuthenticationProvider并在重写的AdditionalAuthenticationChecks()方法中添加附加验证似乎是很自然的(白名单的IP列表在数据库中,因此它们作为用户对象的一部分加载到了数据库中)。 IpAwareUser)。
@Named
@Component
class UserIpAuthenticationProvider extends DaoAuthenticationProvider {
@Inject
public UserIpAuthenticationProvider(UserDetailsService userDetailsService)
{
...
}
@SuppressWarnings("deprecation")
protected void additionalAuthenticationChecks(UserDetails userDetails,
UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
super.additionalAuthenticationChecks(userDetails, authentication);
WebAuthenticationDetails details = (WebAuthenticationDetails) authentication.getDetails();
IpAwareUser ipAwareUser = (IpAwareUser) userDetails;
if (!ipAwareUser.isAllowedIp(details.getRemoteAddress()))
{
throw new DisabledException("Login restricted from ip: " + details.getRemoteAddress());
}
}
}
这被注入到SecurityConfiguration中:
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.addFilter(authenticationFilter);
http.authorizeRequests()
.antMatchers("/", "/javascript/**", "/css/**").permitAll()
.antMatchers("...").access("...")
.anyRequest().authenticated()
.and().formLogin().loginPage("/").permitAll()
.and().logout().invalidateHttpSession(true).deleteCookies("JSESSIONID").permitAll()
.and().csrf().disable()
;
}
@Inject
private UserDetailsService userDetailsService;
@Inject
private UserIpAuthenticationProvider userIpAuthenticationProvider;
@Inject
private JsonUsernamePasswordAuthenticationFilter authenticationFilter;
@Bean
public JsonUsernamePasswordAuthenticationFilter authenticationFilter() {
return new JsonUsernamePasswordAuthenticationFilter();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(userIpAuthenticationProvider);
auth.userDetailsService(userDetailsService);
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
@Bean
public AuthenticationSuccessHandler authenticationSuccessHandler() throws Exception {
return new JsonAuthenticationSuccessHandler();
}
@Bean
public AuthenticationFailureHandler authenticationFailureHandler() throws Exception {
return new JsonAuthenticationFailureHandler();
}
}
和应用程序配置:
@Configuration
@EnableAutoConfiguration
@ComponentScan(basePackageClasses = {SecurityConfiguration.class, DataController.class, DaoService.class})
public class Application extends SpringBootServletInitializer {
@Override
protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
return application;
}
}
任何对此的指导将不胜感激。
最佳答案
定义自己的DaoAuthenticationProvider
@Bean
public DaoAuthenticationProvider daoAuthenticationProvider() {
return new UserIpAuthenticationProvider();
}
应该替换Spring Boot默认实例(不是bean类型是DaoAuthenticationProvider,而不是 UserIpAuthenticationProvider)