獲得認證的用戶

Question

我正在實施一個使用Spring安全性oauth2的項目，一切都很完美，現在我想開始深入挖掘基礎知識。我想檢查提出請求的用戶是否爲資源的實際用戶所有者，最終結果將爲：

/private/users/{uuid}/clients返回指定用戶的所有客戶端。

所以我的控制器現在看起來像這樣：

@RestController 
public class HomeController { 

    @Autowired 
    private UserService userService; 

    @GetMapping(value = "/") 
    public String index() { 
     return "Hello world"; 
    } 

    @GetMapping(value = "/private") 
    public String privateTest(Principal principal) { 
     User user = userService.get(principal.getName()); 
     return user.getUuid(); 
    } 

} 

編輯：完整的安全代碼（工作）爲更好的解釋。

ResourceServerConfig

@Configuration 
@EnableResourceServer 
public class ResourceServerConfig extends ResourceServerConfigurerAdapter { 

    @Override 
    public void configure(HttpSecurity http) throws Exception { 
     http.headers().frameOptions().disable().and() 
       .authorizeRequests() 
       .antMatchers("/","/home","/register","/login").permitAll() 
       .antMatchers("/private/**").authenticated(); 
    } 
} 

CustomUserDetails與getter和setter關閉過程

public class CustomUserDetails implements UserDetails { 

    private Collection<? extends GrantedAuthority> authorities; 
    private String password; 
    private String username; 
    private String uuid; 

    public CustomUserDetails(User user) { 
     this.username = user.getUsername(); 
     this.password = user.getPassword(); 
     this.uuid = user.getUuid(); 
     this.authorities = translate(user.getRoles()); 
    } 
} 

AuthorizationServerConfig

@Configuration 
@EnableAuthorizationServer 
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter { 

    @Autowired 
    private AuthenticationManager authenticationManager; 

    @Override 
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { 
     endpoints.authenticationManager(authenticationManager); 
    } 
    @Override 
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception { 
     clients.inMemory().withClient("my-trusted-client") 
       .authorizedGrantTypes("client_credentials", "password") 
       .authorities("ROLE_CLIENT","ROLE_TRUSTED_CLIENT").scopes("read","write","trust") 
       .resourceIds("oauth2-resource").accessTokenValiditySeconds(5000).secret("secret"); 
    } 

    @Override 
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception { 
     security.checkTokenAccess("isAuthenticated()"); 
    } 
} 

主要

@SpringBootApplication 
public class DummyOauthApplication { 

    @Autowired 
    private PasswordEncoder passwordEncoder; 

    public static void main(String[] args) { 
     SpringApplication.run(DummyOauthApplication.class, args); 
    } 

    @Autowired 
    public void authenticationManager(AuthenticationManagerBuilder builder, UserRepository repository, UserService service) throws Exception { 
     //Setup a default user if db is empty 
     if (repository.count() == 0) { 
      service.save(new User("user", "password", UUID.randomUUID().toString(), Arrays.asList(new Role("USER"), new Role("ACTUATOR")))); 
     } 
     builder.userDetailsService(userDetailsService(repository)).passwordEncoder(passwordEncoder); 
    } 
    private UserDetailsService userDetailsService(final UserRepository repository) { 
     return username -> new CustomUserDetails(repository.findByUsername(username)); 
    } 
} 

因此，使用我實現的方式。我可以得到實際的用戶，但每次調用端點時都會隱含數據庫查詢。獲取用戶並與用戶uuid匹配。

我想找到另一種方式，我可以得到用戶，然後比較，如果該UUID = user.getUuid（）

在此先感謝。

Answer 1

經過一段時間，犯了很多錯誤，我已經成功地找到一個解決方案，我離開這裏。 CustomUserDetails可以在問題中看到，從那裏你可以很容易地獲得uuid並與請求的相匹配。

public static CustomUserDetails getCurrentUser() { 
    SecurityContext securityContext = SecurityContextHolder.getContext(); 
    Authentication authentication = securityContext.getAuthentication(); 
    if (authentication != null) { 
     if (authentication.getPrincipal() instanceof CustomUserDetails) { 
      return (CustomUserDetails) authentication.getPrincipal(); 
     } 
    } 
    throw new IllegalStateException("User not found!"); 
} 

編輯：如果你想返回用戶，你做這樣的事

public class CustomUserDetails implements UserDetails { 

    private Collection<? extends GrantedAuthority> authorities; 
    private String password; 
    private String username; 
    private User user; 

    public CustomUserDetails(User user) { 
     this.username = user.getUsername(); 
     this.password = user.getPassword(); 
     this.user = user; 
     this.authorities = translate(user.getRoles()); 
    } 
} 

，然後在utils的什麼的，

public static User getCurrentUser() { 
     SecurityContext securityContext = SecurityContextHolder.getContext(); 
     Authentication authentication = securityContext.getAuthentication(); 
     if (authentication != null) { 
      if (authentication.getPrincipal() instanceof CustomUserDetails) { 
       CustomUserDetails userDetails = (CustomUserDetails) authentication.getPrincipal(); 
       return userDetails.getUser(); 
      } 
     } 
     throw new IllegalStateException("User not found!"); 
    } 

感謝所有的努力。

Answer 2

實現自定義身份驗證提供和存儲用戶的細節爲主要

Spring Security Authentication Provider