检查用户登录前的数据。

huangapple go评论76阅读模式
英文:

Check user data before login

问题

我有HTTP身份验证。

public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

....

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors().and().csrf().disable()
        .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
        .authorizeRequests()
        .antMatchers("/api/auth/**").permitAll()
        .anyRequest().authenticated();

    http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
}
....
}

所以,我在数据库中有关于用户(userStatus)的一些数据,他正在尝试进行身份验证。我想在身份验证之前检查它,并且如果用户状态类似于"REFUSED",则抛出异常。

当然,userStatus位于另一个类Profile中(一对一关系)。

public class User {

    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    private long id;

    @Column(nullable = false)
    private String username;

    @Column(nullable = false)
    private String password;

    @NotBlank
    @Size(max = 50)
    @Email
    private String email;

    @OneToOne(mappedBy = "user", cascade = CascadeType.ALL)
    private VerificationToken verificationToken;

    @Setter
    @OneToOne(cascade = CascadeType.PERSIST, mappedBy = "user")
    private Profile profile;
....
}

public class Profile {

    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    @Column(name = "id", updatable = false, nullable = false)
    private Long id;

    @OneToOne(cascade = CascadeType.REMOVE)
    @JoinColumn(name = "id_user", unique = true)
    private User user;

    @NonNull
    String firstName;

    @NonNull
    String secondName;

    String userStatus ;

    @NonNull
    String phone;
...
}

我听说过AspectJ或者可能是@PreAuthorize,但如何将它们集成到/login API中?

英文:

I have http auth.


public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

....

@Override
	protected void configure(HttpSecurity http) throws Exception {
		http.cors().and().csrf().disable()
			.exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
			.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
			.authorizeRequests()
            .antMatchers("/api/auth/**").permitAll()
			.anyRequest().authenticated();

		http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
	}
....
}

So, I have some data in a database about a user (userStatus), who trying to auth. I want to check it before auth, and throw an exception if user status is something like "REFUSED".

Of course userStatus located in another class Profile (one to one relationship)

public class User {

    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    private long id;

    @Column(nullable = false)
    private String username;

    @Column(nullable = false)
    private String password;

    @NotBlank
    @Size(max = 50)
    @Email
    private String email;

    @OneToOne(mappedBy = "user", cascade = CascadeType.ALL)
    private VerificationToken verificationToken;

    @Setter
    @OneToOne(cascade = CascadeType.PERSIST, mappedBy = "user")
    private Profile profile;
....
}

public class Profile {

    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    @Column(name = "id", updatable = false, nullable = false)
    private Long id;

    @OneToOne(cascade = CascadeType.REMOVE)
    @JoinColumn(name = "id_user",unique = true)
    private User user;

    @NonNull
    String firstName;

    @NonNull
    String secondName;

    String userStatus ;

    @NonNull
    String phone;
...
}

I hear about aspectJs or maybe @PreAuthorize, but how to integrate them into /login api?

答案1

得分: 1

有另一种方法可以通过覆盖UsernamePasswordAuthenticationFilter#attemptAuthentication(例如:CustomUsernamePasswordAuthentication)来实现这一点,并在那里放置您的自定义逻辑(在您的情况下,您应该将您的服务作为新类构造函数的参数传递,因为过滤器不会意识到Spring组件)。

英文:

There is another way to achieve this by overriding UsernamePasswordAuthenticationFilter#attemptAuthentication (E.g: CustomUsernamePasswordAuthentication) and put your custom logic there (in your case, you should pass your service as parameter of the new class contructor as filter will not aware of spring component)

答案2

得分: 0

可以使用Spring AOP中的**@Aspect@Before建议轻松完成。定义您的连接点**以拦截特定的API调用。

从这里获取帮助

英文:

Can be done easily with @Aspect and using @Before advice from spring AOP. Define you join-points to intercepts specific api calls.

Take help from here

huangapple
  • 本文由 发表于 2020年8月13日 16:26:14
  • 转载请务必保留本文链接:https://go.coder-hub.com/63391072.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定