Spring安全性从更深层访问UserDetailsService
问题内容:
我有以下UserDetailsService实现。
到目前为止,身份验证过程运行良好。
如何在“会话”中存储我的“ MyUser bean”( 已成功登录 ),以便可以在应用程序的其他区域访问它
谢谢。
@Transactional(readOnly = true)
public class CustomUserDetailsService implements UserDetailsService {
private EmployeesApi employeesApi = new EmployeesApi();
/**
* Retrieves a user record containing the user's credentials and access.
*/
public UserDetails loadUserByUsername(String userName)
throws UsernameNotFoundException, DataAccessException {
// Declare a null Spring User
UserDetails user = null;
try {
MyUser employee = employeesApi.getByUserName(userName);
user = new User(
employee.getUserName(),
employee.getPassword().toLowerCase(),
true,
true,
true,
true,
getAuthorities(1) );
} catch (Exception e) {
logger.error("Error in retrieving user");
throw new UsernameNotFoundException("Error in retrieving user");
}
}
....
问题答案:
Spring Security已经UserDetails为您在会话中存储了经过身份验证的用户。
因此,MyUser在会话中存储的最简单方法是实现一个UserDetails包含对MyUser以下内容的引用的自定义:
public class MyUserDetails extends User {
private MyUser myUser;
public MyUserDetails(..., MyUser myUser) {
super(...);
this.myUser = myUser;
}
public MyUser getMyUser() {
return myUser;
}
...
}
并从您返回UserDetailsService:
MyUser employee = employeesApi.getByUserName(userName);
user = new MyUserDetails(..., myUser);
然后,您可以MyUser通过安全上下文轻松访问:
MyUser myUser = ((MyUserDetails) SecurityContextHolder
.getContext().getAuthentication().getPrincipal()).getMyUser();
在Spring MVC控制器中:
@RequestMapping(...)
public ModelAndView someController(..., Authentication auth) {
MyUser myUser = ((MyUserDetails) auth.getPrincipal()).getMyUser();
...
}
在JSP中:
<security:authentication var = "myUser" property="principal.myUser" />
