问题描述
我正在研究基于Spring Security Java的配置.
I am working on Spring Security Java-based configuration.
我已经创建了自己的 MyAuthenticationProvider
,我想在 ProviderManager
( AuthenticationManager
的单个实例)中注册.
I have created my own MyAuthenticationProvider
which I want to register in the ProviderManager
(single instance of AuthenticationManager
).
我发现 ProviderManager
有一个提供程序列表,可以在其中注册我的单个 MyAuthenticationProvider
.
I have found that ProviderManager
has a list of providers to which I can register my single MyAuthenticationProvider
.
这是我的配置的一部分:
Here is the part of my Configuration:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(MyAuthenticationProvider);
}
}
我发现 AuthenticationManagerBuilder
具有 parentAuthenticationManager
, defaultUserDetailsService
和许多其他字段.
I found out that AuthenticationManagerBuilder
has parentAuthenticationManager
, defaultUserDetailsService
and many other fields.
我的问题是:
- 此
@Autowired
注释从何处添加AuthenticationManagerBuilder
身份验证?在应用程序上下文中是否已经创建了AuthenticationManagerBuilder
? - 正在注入的
AuthenticationManagerBuilder
的默认状态是什么?默认状态下,我是说会在AuthenticationManagerBuilder
中注册一些parentAuthenticationManager
,authenticationProvider
吗? - 如果我要添加
auth.authenticationProvider(MyAuthenticationProvider)
,这是否意味着我要在AuthenticationManagerBuilder
中添加一个提供程序? -
这是什么意思?摘自Spring文档
- Where is this
@Autowired
annotation addingAuthenticationManagerBuilder
auth from? Is theAuthenticationManagerBuilder
already created in the application context? - What would be the default state of
AuthenticationManagerBuilder
which is being injected? By default state I mean will there be someparentAuthenticationManager
,authenticationProvider
s already registered in theAuthenticationManagerBuilder
? - If I am adding
auth.authenticationProvider(MyAuthenticationProvider)
, does this mean that I am adding one more provider in theAuthenticationManagerBuilder
? What does this mean? Taken from Spring Documentation
推荐答案
答案1:
@EnableWebSecurity
用 @EnableGlobalAuthentication
...
@EnableGlobalAuthentication
@Configuration
public @interface EnableWebSecurity {
...
和 @EnableGlobalAuthentication
导入 AuthenticationConfiguration
:
...
@Import(AuthenticationConfiguration.class)
@Configuration
public @interface EnableGlobalAuthentication {
}
在 AuthenticationConfiguration
中,您将看到已声明 AuthenticationManagerBuilder
bean:
In AuthenticationConfiguration
, you'll see that an AuthenticationManagerBuilder
bean is declared:
...
@Bean
public AuthenticationManagerBuilder authenticationManagerBuilder(
ObjectPostProcessor<Object> objectPostProcessor, ApplicationContext context) {
...
}
当您 @Autowire
一个 AuthenticationManagerBuilder
时,这就是您将获得的.您可以使用多种方法轻松配置内存,jdbc,ldap,...身份验证.
When you @Autowire
an AuthenticationManagerBuilder
, this is the one that you will get. You have several methods at your disposal to easily configure in-memory, jdbc, ldap,... authentication.
背景:
Spring Security Java配置经历了多个阶段,以无缝地将您的配置与 ApplicationContext
合并.一个合并在一起的地方是 WebSecurityConfigurerAdapter
.
The Spring Security Java config goes through several stages to seamlessly incorporate your configurations with the ApplicationContext
.One place where this comes together is in the getHttp()
method in WebSecurityConfigurerAdapter
.
例如,这是节选:
AuthenticationManager authenticationManager = authenticationManager();
authenticationBuilder.parentAuthenticationManager(authenticationManager);
让您了解如何非直截了当"配置顺序为,上面的authenticationManager变量将为:
To give you an idea of how "not-straightforward" the sequence of configuration is, the authenticationManager variable above will be either:
- 您通过覆盖
configure(AuthenticationManagerBuilder auth)
添加的身份验证管理器 - OR:您在通过AuthenticationConfiguration 对
- OR:在上下文中找到的AuthenticationManager bean
AuthenticationManagerBuilder
bean进行 @Autowired
的方法中添加的身份验证管理器- The authentication manager you added by overriding
configure(AuthenticationManagerBuilder auth)
- OR: The authentication manager you added in the method that
@Autowired
theAuthenticationManagerBuilder
bean from AuthenticationConfiguration - OR: an AuthenticationManager bean found in the context
如果查看 AuthenticationConfiguration
,您会发现默认情况下, InitializeUserDetailsBeanManagerConfigurer
将应用于 AuthenticationManagerBuilder
bean.只要它在上下文中找到 UserDetailsService
bean,并且没有添加其他提供程序,它将添加 DaoAuthenticationProvider
.这就是为什么在 Spring Security参考,仅提供@Bean UserDetailsService
bean就足够了.
If you look at AuthenticationConfiguration
, you'll see that by default, the InitializeUserDetailsBeanManagerConfigurer
is applied to the AuthenticationManagerBuilder
bean. As long as it finds a UserDetailsService
bean in the context and no other provider has been added, it will add a DaoAuthenticationProvider
. This is why in the Spring Security reference, only providing a @Bean UserDetailsService
bean is sufficient.
但是,一旦您像添加身份验证提供程序一样,"default"(默认)提供者尚未注册.
But once you add an authentication provider as you did, the "default" provider is not registered.
这篇关于Spring Security如何添加/配置AuthenticationManagerBuilder?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!