英文:
Check user data before login
问题
我有HTTP身份验证。
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
....
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable()
.exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.authorizeRequests()
.antMatchers("/api/auth/**").permitAll()
.anyRequest().authenticated();
http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
}
....
}
所以,我在数据库中有关于用户(userStatus)的一些数据,他正在尝试进行身份验证。我想在身份验证之前检查它,并且如果用户状态类似于"REFUSED",则抛出异常。
当然,userStatus位于另一个类Profile中(一对一关系)。
public class User {
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
private long id;
@Column(nullable = false)
private String username;
@Column(nullable = false)
private String password;
@NotBlank
@Size(max = 50)
@Email
private String email;
@OneToOne(mappedBy = "user", cascade = CascadeType.ALL)
private VerificationToken verificationToken;
@Setter
@OneToOne(cascade = CascadeType.PERSIST, mappedBy = "user")
private Profile profile;
....
}
public class Profile {
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
@Column(name = "id", updatable = false, nullable = false)
private Long id;
@OneToOne(cascade = CascadeType.REMOVE)
@JoinColumn(name = "id_user", unique = true)
private User user;
@NonNull
String firstName;
@NonNull
String secondName;
String userStatus ;
@NonNull
String phone;
...
}
我听说过AspectJ或者可能是@PreAuthorize,但如何将它们集成到/login API中?
英文:
I have http auth.
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
....
@Override
protected void configure(HttpSecurity http) throws Exception {
http.cors().and().csrf().disable()
.exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
.authorizeRequests()
.antMatchers("/api/auth/**").permitAll()
.anyRequest().authenticated();
http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
}
....
}
So, I have some data in a database about a user (userStatus), who trying to auth. I want to check it before auth, and throw an exception if user status is something like "REFUSED".
Of course userStatus located in another class Profile (one to one relationship)
public class User {
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
private long id;
@Column(nullable = false)
private String username;
@Column(nullable = false)
private String password;
@NotBlank
@Size(max = 50)
@Email
private String email;
@OneToOne(mappedBy = "user", cascade = CascadeType.ALL)
private VerificationToken verificationToken;
@Setter
@OneToOne(cascade = CascadeType.PERSIST, mappedBy = "user")
private Profile profile;
....
}
public class Profile {
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
@Column(name = "id", updatable = false, nullable = false)
private Long id;
@OneToOne(cascade = CascadeType.REMOVE)
@JoinColumn(name = "id_user",unique = true)
private User user;
@NonNull
String firstName;
@NonNull
String secondName;
String userStatus ;
@NonNull
String phone;
...
}
I hear about aspectJs or maybe @PreAuthorize, but how to integrate them into /login api?
答案1
得分: 1
有另一种方法可以通过覆盖UsernamePasswordAuthenticationFilter#attemptAuthentication(例如:CustomUsernamePasswordAuthentication)来实现这一点,并在那里放置您的自定义逻辑(在您的情况下,您应该将您的服务作为新类构造函数的参数传递,因为过滤器不会意识到Spring组件)。
英文:
There is another way to achieve this by overriding UsernamePasswordAuthenticationFilter#attemptAuthentication (E.g: CustomUsernamePasswordAuthentication) and put your custom logic there (in your case, you should pass your service as parameter of the new class contructor as filter will not aware of spring component)
答案2
得分: 0
可以使用Spring AOP中的**@Aspect和@Before建议轻松完成。定义您的连接点**以拦截特定的API调用。
英文:
Can be done easily with @Aspect and using @Before advice from spring AOP. Define you join-points to intercepts specific api calls.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论