SEC-2868: Simplify custom UserDetailsService Java Config
Exposing a UserDetailsService as a bean is now all that is necessary for Java based configuration. Additionally, an optional PasswordEncoder bean can be used to configure password encoding.
This commit is contained in:
parent
35393098f8
commit
bac980cbcb
|
@ -68,6 +68,11 @@ public class AuthenticationConfiguration {
|
|||
return new EnableGlobalAuthenticationAutowiredConfigurer(context);
|
||||
}
|
||||
|
||||
@Bean
|
||||
public static InitializeUserDetailsBeanManagerConfigurer initializeUserDetailsBeanManagerConfigurer(ApplicationContext context) {
|
||||
return new InitializeUserDetailsBeanManagerConfigurer(context);
|
||||
}
|
||||
|
||||
public AuthenticationManager getAuthenticationManager() throws Exception {
|
||||
if (authenticationManagerInitialized) {
|
||||
return authenticationManager;
|
||||
|
|
|
@ -0,0 +1,88 @@
|
|||
/*
|
||||
* Copyright 2002-2015 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.config.annotation.authentication.configuration;
|
||||
|
||||
import org.springframework.context.ApplicationContext;
|
||||
import org.springframework.core.Ordered;
|
||||
import org.springframework.core.annotation.Order;
|
||||
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
|
||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
|
||||
import org.springframework.security.core.userdetails.UserDetailsService;
|
||||
import org.springframework.security.crypto.password.PasswordEncoder;
|
||||
|
||||
/**
|
||||
* Lazily initializes the global authentication with a
|
||||
* {@link UserDetailsService} if it is not yet configured and there is only a
|
||||
* single Bean of that type. Optionally, if a {@link PasswordEncoder} is defined
|
||||
* will wire this up too.
|
||||
*
|
||||
* @author Rob Winch
|
||||
* @since 4.1
|
||||
*/
|
||||
@Order(Ordered.LOWEST_PRECEDENCE - 5000)
|
||||
class InitializeUserDetailsBeanManagerConfigurer extends GlobalAuthenticationConfigurerAdapter {
|
||||
|
||||
private final ApplicationContext context;
|
||||
|
||||
/**
|
||||
* @param context
|
||||
*/
|
||||
public InitializeUserDetailsBeanManagerConfigurer(ApplicationContext context) {
|
||||
this.context = context;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void init(AuthenticationManagerBuilder auth) throws Exception {
|
||||
auth.apply(new InitializeUserDetailsManagerConfigurer());
|
||||
}
|
||||
|
||||
class InitializeUserDetailsManagerConfigurer extends GlobalAuthenticationConfigurerAdapter {
|
||||
@Override
|
||||
public void configure(AuthenticationManagerBuilder auth) throws Exception {
|
||||
if (auth.isConfigured()) {
|
||||
return;
|
||||
}
|
||||
UserDetailsService userDetailsService = getBeanOrNull(UserDetailsService.class);
|
||||
if(userDetailsService == null) {
|
||||
return;
|
||||
}
|
||||
|
||||
PasswordEncoder passwordEncoder = getBeanOrNull(PasswordEncoder.class);
|
||||
|
||||
DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
|
||||
provider.setUserDetailsService(userDetailsService);
|
||||
if(passwordEncoder != null) {
|
||||
provider.setPasswordEncoder(passwordEncoder);
|
||||
}
|
||||
|
||||
auth
|
||||
.authenticationProvider(provider);
|
||||
}
|
||||
|
||||
/**
|
||||
* @return
|
||||
*/
|
||||
private <T> T getBeanOrNull(Class<T> type) {
|
||||
String[] userDetailsBeanNames = context.getBeanNamesForType(type);
|
||||
if(userDetailsBeanNames.length != 1) {
|
||||
return null;
|
||||
}
|
||||
|
||||
return context.getBean(userDetailsBeanNames[0], type);
|
||||
}
|
||||
}
|
||||
}
|
|
@ -16,13 +16,7 @@
|
|||
package org.springframework.security.config.annotation.authentication.configuration;
|
||||
|
||||
import org.springframework.aop.framework.ProxyFactoryBean
|
||||
import org.springframework.beans.BeansException
|
||||
import org.springframework.beans.factory.annotation.Autowired
|
||||
import org.springframework.beans.factory.config.BeanPostProcessor
|
||||
import org.springframework.beans.factory.config.ConfigurableListableBeanFactory
|
||||
import org.springframework.beans.factory.support.BeanDefinitionRegistry
|
||||
import org.springframework.beans.factory.support.BeanDefinitionRegistryPostProcessor
|
||||
import org.springframework.context.ApplicationContext
|
||||
import org.springframework.context.annotation.Bean
|
||||
import org.springframework.context.annotation.Configuration
|
||||
import org.springframework.context.annotation.Import
|
||||
|
@ -41,11 +35,13 @@ import org.springframework.security.config.annotation.configuration.ObjectPostPr
|
|||
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
|
||||
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity
|
||||
import org.springframework.security.core.AuthenticationException
|
||||
import org.springframework.security.core.authority.AuthorityUtils
|
||||
import org.springframework.security.core.context.SecurityContextHolder
|
||||
import org.springframework.security.core.userdetails.User
|
||||
import org.springframework.security.core.userdetails.UserDetailsService
|
||||
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
|
||||
import org.springframework.security.crypto.password.PasswordEncoder
|
||||
import org.springframework.security.provisioning.InMemoryUserDetailsManager
|
||||
|
||||
class AuthenticationConfigurationTests extends BaseSpringSpec {
|
||||
|
@ -366,4 +362,65 @@ class AuthenticationConfigurationTests extends BaseSpringSpec {
|
|||
|
||||
static class BootGlobalAuthenticationConfigurerAdapter extends GlobalAuthenticationConfigurerAdapter { }
|
||||
}
|
||||
|
||||
def 'SEC-2868: Allow Configure UserDetailsService'() {
|
||||
setup:
|
||||
UserDetailsService uds = Mock()
|
||||
UserDetailsServiceBeanConfig.UDS = uds
|
||||
loadConfig(UserDetailsServiceBeanConfig)
|
||||
AuthenticationManager am = context.getBean(AuthenticationConfiguration).getAuthenticationManager()
|
||||
when:
|
||||
am.authenticate(new UsernamePasswordAuthenticationToken("user", "password"))
|
||||
then:
|
||||
1 * uds.loadUserByUsername("user") >> new User("user","password",AuthorityUtils.createAuthorityList("ROLE_USER"))
|
||||
when:
|
||||
am.authenticate(new UsernamePasswordAuthenticationToken("user", "invalid"))
|
||||
then:
|
||||
1 * uds.loadUserByUsername("user") >> new User("user","password",AuthorityUtils.createAuthorityList("ROLE_USER"))
|
||||
thrown(AuthenticationException.class)
|
||||
}
|
||||
|
||||
@Configuration
|
||||
@Import([AuthenticationConfiguration, ObjectPostProcessorConfiguration])
|
||||
static class UserDetailsServiceBeanConfig {
|
||||
static UserDetailsService UDS
|
||||
|
||||
@Bean
|
||||
UserDetailsService userDetailsService() {
|
||||
UDS
|
||||
}
|
||||
}
|
||||
|
||||
def 'SEC-2868: Allow Configure UserDetailsService with PasswordEncoder'() {
|
||||
setup:
|
||||
UserDetailsService uds = Mock()
|
||||
UserDetailsServiceBeanWithPasswordEncoderConfig.UDS = uds
|
||||
loadConfig(UserDetailsServiceBeanWithPasswordEncoderConfig)
|
||||
AuthenticationManager am = context.getBean(AuthenticationConfiguration).getAuthenticationManager()
|
||||
when:
|
||||
am.authenticate(new UsernamePasswordAuthenticationToken("user", "password"))
|
||||
then:
|
||||
1 * uds.loadUserByUsername("user") >> new User("user",'$2a$10$FBAKClV1zBIOOC9XMXf3AO8RoGXYVYsfvUdoLxGkd/BnXEn4tqT3u',AuthorityUtils.createAuthorityList("ROLE_USER"))
|
||||
when:
|
||||
am.authenticate(new UsernamePasswordAuthenticationToken("user", "invalid"))
|
||||
then:
|
||||
1 * uds.loadUserByUsername("user") >> new User("user",'$2a$10$FBAKClV1zBIOOC9XMXf3AO8RoGXYVYsfvUdoLxGkd/BnXEn4tqT3u',AuthorityUtils.createAuthorityList("ROLE_USER"))
|
||||
thrown(AuthenticationException.class)
|
||||
}
|
||||
|
||||
@Configuration
|
||||
@Import([AuthenticationConfiguration, ObjectPostProcessorConfiguration])
|
||||
static class UserDetailsServiceBeanWithPasswordEncoderConfig {
|
||||
static UserDetailsService UDS
|
||||
|
||||
@Bean
|
||||
UserDetailsService userDetailsService() {
|
||||
UDS
|
||||
}
|
||||
|
||||
@Bean
|
||||
PasswordEncoder passwordEncoder() {
|
||||
new BCryptPasswordEncoder()
|
||||
}
|
||||
}
|
||||
}
|
|
@ -374,6 +374,7 @@ This will give you access to the entire project history (including all releases
|
|||
** <<method-security-meta-annotations,Method Security Meta Annotations>>
|
||||
* <<el-access-web-path-variables,Path Variables in Web Security Expressions>>
|
||||
* <<test-method-withanonymoususer,@WithAnonymousUser>>
|
||||
* <<jc-authentication-userdetailsservice,Simplified UserDetailsService Java Configuration>>
|
||||
|
||||
=== What's new in Spring Security 4.0
|
||||
|
||||
|
@ -912,6 +913,33 @@ cn: admin
|
|||
uniqueMember: uid=admin,ou=people,dc=springframework,dc=org
|
||||
----
|
||||
|
||||
[[jc-authentication-userdetailsservice]]
|
||||
==== UserDetailsService
|
||||
|
||||
You can define custom authentication by exposing a custom `UserDetailsService` as a bean.
|
||||
For example, the following will customize authentication assuming that `SpringDataUserDetailsService` implements `UserDetailsService`:
|
||||
|
||||
[source,java]
|
||||
----
|
||||
@Bean
|
||||
public SpringDataUserDetailsService springDataUserDetailsService() {
|
||||
return new SpringDataUserDetailsService();
|
||||
}
|
||||
----
|
||||
|
||||
You can also customize how passwords are encoded by exposing a `PasswordEncoder` as a bean.
|
||||
For example, if you use bcrypt you can add a bean definition as shown below:
|
||||
|
||||
[source,java]
|
||||
----
|
||||
@Bean
|
||||
public BCryptPasswordEncoder passwordEncoder() {
|
||||
return new BCryptPasswordEncoder();
|
||||
}
|
||||
----
|
||||
|
||||
==== LDAP Authentication
|
||||
|
||||
=== Multiple HttpSecurity
|
||||
|
||||
We can configure multiple HttpSecurity instances just as we can have multiple `<http>` blocks. The key is to extend the `WebSecurityConfigurationAdapter` multiple times. For example, the following is an example of having a different configuration for URL's that start with `/api/`.
|
||||
|
|
Loading…
Reference in New Issue