spring-security Spring安全性在没有WebSecurityConfigurerAdapter的情况下公开多个身份验证管理器

w80xi6nr  于 2022-11-11  发布在  Spring
关注(0)|答案(1)|浏览(156)

既然WebSecurityConfigurerAdapter已经被弃用,我正尝试更新我的代码,以使用新的方法来设置基于off的身份验证:https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter
我目前使用ldap身份验证和内存身份验证。在我的应用程序中,我需要将AuthenticationManagers公开为每一个的bean。我的旧代码是通过创建两个单独的WebSecurityConfigurerAdapter来完成的:

@Configuration
@Order(1)
public class APIWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth
            .inMemoryAuthentication()
            .withUser(ApiRolesUsers.API_VIEW_ALL).password("{noop}" + apiKeyStore.getKeyByUserName(ApiRolesUsers.API_VIEW_ALL)).roles(ApiRolesUsers.API_VIEW_ALL)
            .and()
            .withUser(ApiRolesUsers.API_UPDATE_ALL).password("{noop}" + apiKeyStore.getKeyByUserName(ApiRolesUsers.API_UPDATE_ALL)).roles(ApiRolesUsers.API_UPDATE_ALL)
            .and()
            .withUser(ApiRolesUsers.API_EDL_UPDATE).password("{noop}" + apiKeyStore.getKeyByUserName(ApiRolesUsers.API_EDL_UPDATE)).roles(ApiRolesUsers.API_EDL_UPDATE);
        }
...
        @Bean( name = "apiAuthenticationManager")
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }
...
}

@Configuration
    @Order(2)
    public class FormLoginWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Autowired
        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth
            .ldapAuthentication()
            .userSearchBase(ldapUserSearchBase)
            .userSearchFilter(ldapUserSearchFilter)
            .groupSearchBase(ldapGroupSearchBase)
            .contextSource(ldapContextSource);
...
        @Bean( name = "authenticationManager")
        public AuthenticationManager authenticationManagerBean() throws Exception {
            return super.authenticationManagerBean();
        }
...
}

从那里,我可以自动连接“authenticationManager”和“apiAuthenticationManager”。我可以在没有WebSecurityConfigurerAdapter的情况下以新格式重新创建“authenticationManager”部分,其中:

@Bean(name = "authenticationManager")
    AuthenticationManager ldapAuthenticationManager(
            LdapContextSource contextSource) {
        LdapBindAuthenticationManagerFactory factory = 
                new LdapBindAuthenticationManagerFactory(contextSource);
        factory.setUserSearchBase(ldapUserSearchBase);
        factory.setUserSearchFilter(ldapUserSearchFilter);
        return factory.createAuthenticationManager();
    }

基于新的Spring文档,我能够使用以下内容创建内存中的零件:

//How do I expose AuthenticationManager for this???
    public InMemoryUserDetailsManager inMemoryUserDetailsManager(AuthenticationConfiguration providerManager) {

        UserDetails apiViewAll = User.builder()
                .username(ApiRolesUsers.API_VIEW_ALL)
                .password("{noop}" + apiKeyStore.getKeyByUserName(ApiRolesUsers.API_VIEW_ALL))
                .roles(ApiRolesUsers.API_VIEW_ALL)
                .build();

        UserDetails updateAll = User.builder()
                .username(ApiRolesUsers.API_UPDATE_ALL)
                .password("{noop}" + apiKeyStore.getKeyByUserName(ApiRolesUsers.API_UPDATE_ALL))
                .roles(ApiRolesUsers.API_UPDATE_ALL)
                .build();

        UserDetails edlUpdate = User.builder()
                .username(ApiRolesUsers.API_EDL_UPDATE)
                .password("{noop}" + apiKeyStore.getKeyByUserName(ApiRolesUsers.API_EDL_UPDATE))
                .roles(ApiRolesUsers.API_EDL_UPDATE)
                .build();

        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager(apiViewAll, updateAll, edlUpdate);

        return manager;
    }

在上面我需要公开相关的AuthenticationManager,WebSecurityConfigurerAdapter能够在他们弃用它之前完成它。

@Bean(name = "apiAuthenticationManager") {
public AuthenticationManager authenticationManager(AuthenticationConfiguration 
     authenticationConfiguration) throws Exception {
     return authenticationConfiguration.getAuthenticationManager();
}

有人知道我如何在不使用WebSecurityConfigurerAdapter的情况下实现和公开这两个AuthenticationManager吗

ftf50wuq

ftf50wuq1#

您可以自行建构AuthenticationManager,例如:

@Bean
AuthenticationManager apiAuthenticationManager(InMemoryUserDetailsManager users) {
    DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
    provider.setUserDetailsService(users);
    return new ProviderManager(provider);
}

相关问题