英文:
Springboot security authorities missing in other part of the code
问题
在我的 Spring Boot 应用程序中,
成功登录后,我在上下文中设置了身份验证详细信息(包括用户角色在权限中):
// 执行身份验证
Authentication authentication = authenticationManager.authenticate(
new UsernamePasswordAuthenticationToken(
authenticationRequest.getUsername(),
authenticationRequest.getPassword()
)
);
SecurityContextHolder.getContext().setAuthentication(authentication);
但是当我尝试在代码的其他部分再次使用以下行访问角色时,权限为 null。否则,它包含了所有其他的安全细节。
我漏掉了什么?
SecurityContextHolder.getContext().getAuthentication().getAuthorities()
英文:
In my spring boot application,
After successful login I set the authentication details (with user roles in authorities) in the context
// Perform the authentication
Authentication authentication = authenticationManager.authenticate(
new UsernamePasswordAuthenticationToken(
authenticationRequest.getUsername(),
authenticationRequest.getPassword()
)
);
SecurityContextHolder.getContext().setAuthentication(authentication);
But when I try to access the roles again in other parts of the code with below line the authorities are null. Otherwise, it has all other security details in it.
What am I missing?
SecurityContextHolder.getContext().getAuthentication().getAuthorities()
答案1
得分: 0
我认为在创建 UsernamePasswordAuthenticationToken
时,你应该像这样添加角色:
new UsernamePasswordAuthenticationToken(
authenticationRequest.getUsername(),
authenticationRequest.getPassword(),
roles
)
这是你应该使用的方法签名:
UsernamePasswordAuthenticationToken(Object principal, Object credentials,
Collection<? extends GrantedAuthority> authorities)
英文:
I think that you should add the roles when creating the UsernamePasswordAuthenticationToken
, like this:
new UsernamePasswordAuthenticationToken(
authenticationRequest.getUsername(),
authenticationRequest.getPassword(),
roles
)
This is the signature of the method you should use:
UsernamePasswordAuthenticationToken(Object principal, Object credentials,
Collection<? extends GrantedAuthority> authorities)
答案2
得分: 0
登录成功后,我会在上下文中设置身份验证详细信息(包括用户在权限中的角色)。
在成功验证后,不应该像你提到的那样在上下文中设置身份验证详细信息,比如角色。我将解释基本流程:
- 认证请求带有用户名和密码参数。
- UsernamePasswordAuthenticationFilter 将检索凭据并创建 UsernamePasswordAuthenticationToken(用户名,密码),然后将其传递给 authenticationmanager。
- authenticationmanager 委派给适当的认证提供程序,该提供程序支持 UsernamePasswordAuthenticationToken 认证请求对象。(您可以拥有自己的认证提供程序实现。)
- 支持认证提供程序将通过输入的用户名从数据库中检索用户详细信息(包括权限,尚未进行身份验证),并将提交的密码与检索到的用户密码进行比较。如果成功,则将用户详细信息连同权限一起传递给 UsernamePasswordAuthenticationToken,该令牌将使用类似以下的 3 个参数构造:
new UsernamePasswordAuthenticationToken(userDetails, null, roles)
,在构造函数中将身份验证标志设置为 true。 - 认证管理器使用该令牌填充安全上下文(步骤 4)。
因此,成功登录隐含地表示角色也存在。您是否已经在认证提供程序或认证管理器中注册了 userDetailsService 实现?很乐意为您提供更多帮助...
英文:
> After successful login I set the authentication details (with user roles in authorities) in the context
You should not set authentication details like roles as you mention after successful authentication in the context. I will explain basic flow:
- Authentication request comes with username and password parameters.
- UsernamePasswordAuthenticationFilter will retrieve credentials and create UsernamePasswordAuthenticationToken(username,password), and gives to authenticationmanager.
- authenticationmanager delegates to appropriate authentication provider which supports UsernamePasswordAuthenticationToken authentication request object.(You can have your own authentication provider implementation.)
- Supporting authentication provider will retrieve user details(including authorities, not authenticated yet) by entered username from let's say DB and compares submitted password to retrieved user's password.If success then user details along with authorities is passed to UsernamePasswordAuthenticationToken which would be constructed with 3 arguments like:
new UsernamePasswordAuthenticationToken(userDetails,null,roles)
which in the constructor sets authentication flag to true. - Authentication manager popultates security context with that token(step 4)
So successful login indicates implicitly that roles are there too.
Do you have userDetailsService implementation registered with authentication provider or authentication manager? Would be glad to help you more...
专注分享java语言的经验与见解,让所有开发者获益!
评论