我在我的网络项目中使用 SpringSecurity。我有保存在数据库中的实体用户。我需要在 BD 中使用用户 ID 发出请求,以从该 BD 中的其他表获取任何信息。在 Spring Security 中进行身份验证后,如何从 SecurityContextHolder 获取我的用户而不是标准 Spring 用户(此用户没有 id)?
@Entity
@Table(name = "users")
public class User{
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
private int id;
@Column(name = "name")
private String name;
@Column(name = "login")
private String login;
@Column(name = "password")
private String password;
+ getters and setters
PS.抱歉我的英语:)
您将在另一个类中实现 UserDetailsService 接口和 UserDetails 接口。例如:
自定义用户详细信息服务:
@Service("customUserDetailsService")
public class CustomUserDetailsService implements UserDetailsService {
// your UserRepository for your user
private final UserRepository userRepository;
@Autowired
public CustomUserDetailsService(UserRepository userRepository) {
this.userRepository = userRepository;
}
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userRepository.findByUsername(username);
if (null == user || ! user.getUsername().equals(username)) {
throw new UsernameNotFoundException("No user present with username: " + username);
} else {
return new CustomUserDetails(user);
}
}
}
自定义用户详细信息:
// You want to extend your User class here
public class CustomUserDetails extends User implements UserDetails {
private static final long serialVersionUID = 1L;
private User user;
public CustomUserDetails(User user) {
super(user);
this.user = user;
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
// You don't talk about UserRoles, so return ADMIN for everybody or implement roles.
return AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_ADMIN");
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
// just for example
return this.user.getActive() == true;
}
@Override
public String getUsername() {
return this.user.getUsername();
}
@Override
public String getPassword() {
return this.user.getPassword();
}
// Just an example to put some addititional Data to your logged in user
public String getUserDatabase() {
return "usertable" + Integer.toString(1 + this.user.getUserId());
}
}
在您的
User
类中,为 hibernate 创建一个空的构造函数,以及一个采用 User 实例的构造函数:
@Entity
@Table(name = "users")
public class User{
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
private int id;
@Column(name = "name")
private String name;
@Column(name = "login")
private String login;
@Column(name = "password")
private String password;
public User() {}
public User(User user) {
this.id = user.getId();
this.name = user.getName();
// … the same for all properties.
}
}
在您的 WebSecurityConfig 中,
@Autowire
CustomUserDetailsService
并将其注入到身份验证流程中:
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private final
UserDetailsService service;
@Autowired
public WebSecurityConfig(UserDetailsService service) {
this.service = service;
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(service).passwordEncoder(passwordEncoder());
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
protected void configure(HttpSecurity http) throws Exception {
//left out because not related here
}
}
就是这样。您现在可以将经过身份验证的主体强制转换为每个控制器或提供程序中的 CustomUserDetails:
CustomUserDetails userDetails =
(CustomUserDetails) SecurityContextHolder
.getContext()
.getAuthentication()
.getPrincipal();