DaoAuthenticationProvider

DaoAuthenticationProvider

我正在尝试在登录过程中添加用户ip验证。如果用户的IP地址不在数据库中,则应用程序应拒绝身份验证。

问题:给定下面的设置,结果是auth.authenticationProvider()不会替换默认的DaoAuthenticationProvider,而是将UserIpAuthenticationProvider添加为列表中的第一个AuthenticationProvider。

如果用户名/密码组合不正确,则框架最终会两次调用UserDetailsS​​ervice.loadUserByUsername(),一次是从UserIpAuthenticationProvider,另一次是从内部DaoAuthenticationProvider,后者抛出最终的BadCredentialsException()。

问题:是否可以在Spring Boot中进行任何设置,以便Spring Security不会添加其自己的内部实例DaoAuthenticationProvider,而仅使用我的UserIpAuthenticationProvider,后者已经具有所有必需的功能(也许通过某种方式替换了AuthenticationManagerBuilder能够覆盖userDetailsS​​ervice()方法?)。

public <T extends UserDetailsService> DaoAuthenticationConfigurer<AuthenticationManagerBuilder,T> userDetailsService(
        T userDetailsService) throws Exception {
    this.defaultUserDetailsService = userDetailsService;
    return apply(new DaoAuthenticationConfigurer<AuthenticationManagerBuilder,T>(userDetailsService));
}

配置:在我的理解中,UserDetailsS​​ervice应该提供有关用户的所有必要详细信息,以便AuthenticationProvider可以确定身份验证是否成功。

由于所有必需的信息都是从数据库中加载的,因此扩展DaoAuthenticationProvider并在重写的AdditionalAuthenticationChecks()方法中添加附加验证似乎是很自然的(白名单的IP列表在数据库中,因此它们作为用户对象的一部分加载到了数据库中)。 IpAwareUser)。
@Named
@Component
class UserIpAuthenticationProvider  extends DaoAuthenticationProvider {
    @Inject
    public UserIpAuthenticationProvider(UserDetailsService userDetailsService)
    {
        ...
    }

    @SuppressWarnings("deprecation")
    protected void additionalAuthenticationChecks(UserDetails userDetails,
                                                  UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        super.additionalAuthenticationChecks(userDetails, authentication);

        WebAuthenticationDetails details = (WebAuthenticationDetails) authentication.getDetails();
        IpAwareUser ipAwareUser = (IpAwareUser) userDetails;
        if (!ipAwareUser.isAllowedIp(details.getRemoteAddress()))
        {
            throw new DisabledException("Login restricted from ip: " + details.getRemoteAddress());
        }
    }
}

这被注入到SecurityConfiguration中:
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.addFilter(authenticationFilter);

        http.authorizeRequests()
                .antMatchers("/", "/javascript/**", "/css/**").permitAll()
                .antMatchers("...").access("...")
                .anyRequest().authenticated()
                .and().formLogin().loginPage("/").permitAll()
                .and().logout().invalidateHttpSession(true).deleteCookies("JSESSIONID").permitAll()
                .and().csrf().disable()
        ;
    }

    @Inject
    private UserDetailsService userDetailsService;

    @Inject
    private UserIpAuthenticationProvider userIpAuthenticationProvider;


    @Inject
    private JsonUsernamePasswordAuthenticationFilter authenticationFilter;

    @Bean
    public JsonUsernamePasswordAuthenticationFilter authenticationFilter() {
        return new JsonUsernamePasswordAuthenticationFilter();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(userIpAuthenticationProvider);
        auth.userDetailsService(userDetailsService);
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public AuthenticationSuccessHandler authenticationSuccessHandler() throws Exception {
        return new JsonAuthenticationSuccessHandler();
    }

    @Bean
    public AuthenticationFailureHandler authenticationFailureHandler() throws Exception {
        return new JsonAuthenticationFailureHandler();
    }
}

和应用程序配置:
@Configuration
@EnableAutoConfiguration
@ComponentScan(basePackageClasses = {SecurityConfiguration.class, DataController.class, DaoService.class})
public class Application extends SpringBootServletInitializer {

    @Override
    protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
        return application;
    }
}

任何对此的指导将不胜感激。

最佳答案

定义自己的DaoAuthenticationProvider

@Bean
public DaoAuthenticationProvider daoAuthenticationProvider() {
    return new UserIpAuthenticationProvider();
}

应该替换Spring Boot默认实例(不是bean类型是DaoAuthenticationProvider,而不是 UserIpAuthenticationProvider)

07-24 09:27