【Question title】: How to move username/passwords out of spring-security-context.xml?
【Posted】: 2012-06-19 23:16:15
【Question】:

I am using Spring Security in one of my projects. The web application requires users to log in, so I added a few usernames and passwords to the spring-security-context.xml file, as follows:

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="user_1" password="password_1" authorities="ROLE_USER" />
            <user name="user_2" password="password_2" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>

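My question is: how can I move these username/password pairs into a different file (such as a properties file) instead of keeping them in spring-security-context.xml? And how do I read that properties file?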

【Comments】:

    Tags: spring spring-mvc spring-security


    【Answer 1】:

    You can store the usernames and passwords in a separate .properties file.

    <user-service id="userDetailsService" properties="users.properties"/> 
    

    users.properties should have the following format:

    jimi=jimispassword,ROLE_USER,ROLE_ADMIN,enabled
    bob=bobspassword,ROLE_USER,enabled
    

    If you want to store it in a database, I suggest you read this article: http://www.mkyong.com/spring-security/spring-security-form-login-using-database/

    Reference: Spring Security In-Memory Authentication

    【Comments】:

      【Answer 2】:

      You can use PropertyPlaceholderConfigurer: put them in a properties file, and then reference them using EL:

      http://static.springsource.org/spring/docs/3.1.x/spring-framework-reference/html/beans.html#beans-factory-placeholderconfigurer

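      【Comments】:

        【Answer 3】:

        You can find a way to move them into a database or LDAP. Spring Security definitely supports both.

        【Comments】:

        • Any links/examples? Sorry, I am very new to Spring.
        【Answer 4】:

        I tried the suggested approaches, and in the end I did the following, which seems to work well.

        Add these changes to your web.xml: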

        <filter>
            <filter-name>springSecurityFilterChain</filter-name>
            <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
        </filter>

        <filter-mapping>
            <filter-name>springSecurityFilterChain</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>

        <servlet-mapping>
            <servlet-name>service</servlet-name>
            <url-pattern>/*</url-pattern>
        </servlet-mapping>
        

        Add these changes to your spring-security XML:

        <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider>
        <security:user-service>
        <security:user name="${resource.service.authentication.name}"
        authorities="${resource.service.authentication.authorities}"
        password="${resource.service.authentication.password}"/>
        </security:user-service>
        </security:authentication-provider>
        </security:authentication-manager>
        

        Add these changes to your application context XML, or, even better, to your property-loader XML if you have one:

        <bean id="propertyConfigurer"
        class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="placeholderPrefix" value="${" />
        <property name="placeholderSuffix" value="}" />
        <property name="locations">
        <list>
        <value>classpath:resourceservice.properties</value>
        </list>
        </property>
        </bean>
        

        Then add these changes to your properties file resourceservice.properties:

        resource.service.authentication.name=usename
        resource.service.authentication.authorities=AUTHORISED
        resource.service.authentication.password=password
        

        Add these changes to your resource that uses Jersey:

        @PUT
        @Path("{accountId}")
        @Consumes("application/xml")
        @PreAuthorize("hasRole('AUTHORISED')")
        public Response methodName
        

        【Comments】:

          【Answer 5】:

          This works for me for Spring Security authentication and authorization using a properties file:

          <beans xmlns="http://www.springframework.org/schema/beans"
              xmlns:context="http://www.springframework.org/schema/context"
              xmlns:mvc="http://www.springframework.org/schema/mvc" 
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xmlns:security="http://www.springframework.org/schema/security"
          
              xsi:schemaLocation="
                  http://www.springframework.org/schema/beans     
                  http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
                  http://www.springframework.org/schema/context 
                  http://www.springframework.org/schema/context/spring-context-3.2.xsd
                  http://www.springframework.org/schema/mvc
                  http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd
                  http://www.springframework.org/schema/security
                  http://www.springframework.org/schema/security/spring-security-3.2.xsd">
          
              <mvc:annotation-driven />
          
              <bean id="webPropertyConfigurer"
                  class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
                  <property name="ignoreResourceNotFound" value="true" />
                  <property name="ignoreUnresolvablePlaceholders" value="true" />
                  <property name="locations">
                      <list>
                          <value>classpath:abc.properties</value>
                      </list>
                  </property>
              </bean>
          
              <bean
                  class="org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor" />
          
              <security:http auto-config="true" use-expressions="true">
                  <security:intercept-url pattern="/stat/login" access="permitAll"/>
                  <security:intercept-url pattern="/stat/summary" access="hasRole('ROLE_ADMIN')" />
          
                  <security:form-login login-page="/stat/login"
                      default-target-url="/stat/summary" authentication-failure-url="/stat/loginError" /> 
              </security:http>
              <!-- Username and password used from xml -->
              <!-- <security:authentication-manager>
                  <security:authentication-provider>
                      <security:user-service>
                          <security:user name="xyz" password="xyz" authorities="ROLE_ADMIN" />
                      </security:user-service>
                  </security:authentication-provider>
              </security:authentication-manager> -->
          
              <security:authentication-manager>
                  <security:authentication-provider>
                      <security:user-service>
                          <security:user name="${stat.user}" password="${stat.pwd}" authorities="ROLE_ADMIN" />
                      </security:user-service>
                  </security:authentication-provider>
              </security:authentication-manager> 
          </beans>
          

          The abc.properties file:

          stat.user=xyz
          stat.pwd=xyz
          

          The web.xml entry for the spring-security implementation:

          <filter>
              <filter-name>springSecurityFilterChain</filter-name>
              <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
          </filter>
          
          <filter-mapping>
              <filter-name>springSecurityFilterChain</filter-name>
              <url-pattern>/*</url-pattern>
          </filter-mapping>
          

          【Comments】:

            【Answer 6】:

            You can simply add a bean to your Spring Security configuration:

            @Bean
            public UserDetailsService userDetailsService() throws IOException {
               // Load name=password,authorities,enabled entries from the classpath
               Properties users = PropertiesLoaderUtils.loadAllProperties("users.properties");
               return new InMemoryUserDetailsManager(users);
            }
            

            users.properties looks like:

            admin={noop}password,ROLE_USER,ROLE_ADMIN,enabled
            bob={noop}password,ROLE_USER,enabled
            123={noop}123,ROLE_USER,enabled
            

            【Comments】:
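
Added example (not part of the original question or answers): a small Python audit that parses the users.properties line format shown in answers 1 and 6 and reports entries whose password is not stored under an adaptive-hash `{id}` prefix of the kind answer 6 uses with `{noop}`. The function names, the set of accepted ids and the sample file are assumptions of this example, and only `=` is handled as the key separator.

```python
import re

# {id} prefixes of adaptive one-way hashes; {noop}, legacy digests and
# unprefixed values are reported. This set is a policy choice of the example.
STRONG_IDS = {"bcrypt", "argon2", "scrypt", "pbkdf2"}
PREFIX = re.compile(r"^\{([^}]+)\}")

def parse_users(text):
    """Parse 'name=password,AUTHORITY,...[,enabled|disabled]' lines."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # blank line, properties comment, or not a key=value pair
        name, _, value = line.partition("=")
        tokens = [t.strip() for t in value.split(",")]
        entry = {"password": tokens[0], "roles": [], "enabled": True}
        for tok in tokens[1:]:
            if tok.lower() in ("enabled", "disabled"):
                entry["enabled"] = tok.lower() == "enabled"
            elif tok:
                entry["roles"].append(tok)
        users[name.strip()] = entry
    return users

def audit(text):
    """Return (user, finding) pairs for passwords not stored as a strong hash."""
    findings = []
    for name, entry in parse_users(text).items():
        m = PREFIX.match(entry["password"])
        if m is None:
            findings.append((name, "no {id} prefix: plaintext or legacy encoding"))
        elif m.group(1).split("@")[0] not in STRONG_IDS:
            findings.append((name, "weak storage id {%s}" % m.group(1)))
    return findings

# Constructed sample: two entries in the style of the answers above and one
# whose hash is a placeholder, not a real bcrypt value.
SAMPLE = """\
# users.properties
jimi=jimispassword,ROLE_USER,ROLE_ADMIN,enabled
admin={noop}password,ROLE_USER,ROLE_ADMIN,enabled
carol={bcrypt}<BCRYPT_HASH_PLACEHOLDER>,ROLE_USER,disabled
"""

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```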
