AuthenticationManager when updating to Spring-security-3.2.0.RC2

梦谈多话 2021-01-01 01:21

I have updated recently to spring-security-3.2.0.RC2 from RC1, and according to the blog post the QUIESCENT_POST_PROCESSOR has been removed. Before I used to create an Auth

2 Answers
  • 2021-01-01 01:43

    You really shouldn't need to get a hold of the AuthenticationManager. From the javadoc of HttpSecurity the following should work just fine:

    @Configuration
    @EnableWebSecurity
    public class RememberMeSecurityConfig extends WebSecurityConfigurerAdapter {
    
        @Override
        protected void configure(AuthenticationManagerBuilder auth)
                throws Exception {
            auth
                 .inMemoryAuthentication()
                      .withUser("user").password("password").roles("USER");
        }
    
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/**").hasRole("USER")
                    .and()
                .formLogin()
                    .permitAll()
                    .and()
                // Example Remember Me Configuration
                .rememberMe();
        }
    }
    

    Of course, if you are using a global AuthenticationManager, this will work too:

    @Configuration
    @EnableWebSecurity
    public class RememberMeSecurityConfig extends WebSecurityConfigurerAdapter {
    
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth)
                throws Exception {
            auth
                 .inMemoryAuthentication()
                      .withUser("user").password("password").roles("USER");
        }
    
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/**").hasRole("USER")
                    .and()
                .formLogin()
                    .permitAll()
                    .and()
                // Example Remember Me Configuration
                .rememberMe();
        }
    }
    

    The only difference is the first example isolates the AuthenticationManager to the HttpSecurity, whereas the second example will allow the AuthenticationManager to be used by global method security or another HttpSecurity (WebSecurityConfigurerAdapter).

    The reason this works is the .rememberMe() will automatically find the AuthenticationManager, UserDetailsService and use that when creating the RememberMeAuthenticationFilter. It also creates the appropriate RememberMeServices so there is no need to do that. Of course there are additional options on .rememberMe() if you want to customize it, so refer to the RememberMeConfigurer javadoc for additional options.

    If you REALLY need a reference to the AuthenticationManager instance you can do the following:

    @Configuration
    @EnableWebSecurity
    public class RememberMeSecurityConfig extends WebSecurityConfigurerAdapter {
        @Autowired
        private AuthenticationManagerBuilder auth;
    
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth)
                throws Exception {
            auth
                 .inMemoryAuthentication()
                      .withUser("user").password("password").roles("USER");
        }
    
        @Bean
        public AuthenticationManager authenticationManager() throws Exception {
            // build() declares a checked Exception, so it has to be propagated
            return auth.build();
        }
    
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/**").hasRole("USER")
                    .and()
                .formLogin()
                    .permitAll()
                    .and()
                // Example Remember Me Configuration
                .rememberMe();
        }
    }
    

    If you want to have multiple AuthenticationManager instances, you can do the following:

        @Autowired
        private ObjectPostProcessor<Object> opp;
    
        public AuthenticationManager authenticationManager()
                throws Exception {
            return new AuthenticationManagerBuilder(opp)
                .inMemoryAuthentication()
                   .withUser("user").password("password").roles("USER").and()
                .and()
                .build();
        }
    
        public AuthenticationManager authenticationManager2()
                throws Exception {
            return new AuthenticationManagerBuilder(opp)
                .inMemoryAuthentication()
                   .withUser("admin").password("password").roles("ADMIN").and()
                .and()
                .build();
        }
    

    NOTE: This is almost the same as you had things beforehand, except instead of using the QUIESCENT_POST_PROCESSOR you are using a real ObjectPostProcessor using the @Autowired annotation.

    PS: Thanks for giving RC2 a try!

  • 2021-01-01 01:51

    The way to expose and get access to the AuthenticationManager bean is as follows:

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception
    {
       return super.authenticationManagerBean();
    }
    
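Added example (not part of either answer above, and not Spring Security's own code): the `authenticationManagerBean()` override from the second answer, wired into a helper that authenticates a username and password against the exposed manager. The class names `ExposedManagerConfig` and `ProgrammaticLogin` are assumptions made for illustration, and `configure(HttpSecurity)` is left out, so the rules from the answers above would be added as needed.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;

@Configuration
@EnableWebSecurity
public class ExposedManagerConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Sample in-memory user taken from the answers above.
        auth.inMemoryAuthentication().withUser("user").password("password").roles("USER");
    }

    // Publish the manager built by configure(AuthenticationManagerBuilder) as a bean.
    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
    @Bean // hypothetical helper, defined below
    public ProgrammaticLogin programmaticLogin() throws Exception {
        return new ProgrammaticLogin(authenticationManagerBean());
    }
}

class ProgrammaticLogin {
    private final AuthenticationManager authenticationManager;
    ProgrammaticLogin(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }
    // Returns true and stores the Authentication only if the manager accepts the credentials.
    boolean login(String username, String password) {
        try {
            Authentication result = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(username, password));
            SecurityContextHolder.getContext().setAuthentication(result);
            return true;
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext(); // leave no partial state after a rejected login
            return false;
        }
    }
}
```

The SecurityContext set here is saved to the HTTP session only when `login` is called during a request that passes through the Spring Security filter chain.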