如何使用Spring-security以编程方式登录用户？

Question

我需要以编程方式登录通过Facebook API进行身份验证的用户.原因是每个用户(例如购物车)都有多个项目相关联,因此一旦用户使用Facebook API进行身份验证,我需要使用spring安全性登录用户以便能够访问他/她的购物车.

基于我的研究,有很多方法可以实现它,但我无法部署任何方法,因为我从我的代码发送登录请求,另一个问题是有些人创建了用户对象,但他们没有解释如何创建它.

那些创建用户对象但没有解释如何的人.

从第一个例子:这个答案

  Authentication auth = 
  new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());

从第二个例子:这一个

  34.User details = new User(username);
  35.token.setDetails(details);

从第三个例子:这一个

  Authentication authentication = new UsernamePasswordAuthenticationToken(user, null,
  AuthorityUtils.createAuthorityList("ROLE_USER"));

另一个例子就是这里,它没有帮助,因为我需要从我自己的代码登录用户而不是从浏览器登录; 因此我不知道如何填充HttpServletRequest对象.

protected void automatedLogin(String username, String password, HttpServletRequest request) {

mycode的

...
if(isAuthenticatedByFB())
{
    login(username);
    return "success";
}
else{
    return "failed";
}

Answer 1

不幸的是,在Spring安全性中似乎没有"完全"支持程序化登录.以下是我成功完成的方法:

@Autowired AuthenticationSuccessHandler successHandler;
@Autowired AuthenticationManager authenticationManager;  
@Autowired AuthenticationFailureHandler failureHandler;

public void login(HttpServletRequest request, HttpServletResponse response, String username, String password) {
    UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);
    token.setDetails(new WebAuthenticationDetails(request));//if request is needed during authentication
    Authentication auth;
    try {
        auth = authenticationManager.authenticate(token);
    } catch (AuthenticationException e) {
        //if failureHandler exists  
        try {
            failureHandler.onAuthenticationFailure(request, response, e);
        } catch (IOException | ServletException se) {
            //ignore
        }
        throw e;
    }
    SecurityContext securityContext = SecurityContextHolder.getContext();
    securityContext.setAuthentication(auth);
    successHandler.onAuthenticationSuccess(request, response, auth);//if successHandler exists  
    //if user has a http session you need to save context in session for subsequent requests
    HttpSession session = request.getSession(true);
    session.setAttribute("SPRING_SECURITY_CONTEXT", securityContext);
}

更新基本上相同的是由Spring完成的RememberMeAuthenticationFilter.doFilter()

Answer 2

此代码来自Grails 的 Spring Security Core -Plugin，它是在 Apache 2.0 许可证下发布的。我添加导入只是为了指出确切的类型。原作者是伯特·贝克威斯。

import org.springframework.security.core.userdetails.UserCache;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;

...

public static void reauthenticate(final String username, final String password) {
    UserDetailsService userDetailsService = getBean("userDetailsService");
    UserCache userCache = getBean("userCache");

    UserDetails userDetails = userDetailsService.loadUserByUsername(username);
    SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
            userDetails, password == null ? userDetails.getPassword() : password, userDetails.getAuthorities()));
    userCache.removeUserFromCache(username);
}

getBean方法仅提供应用程序上下文中的 bean。