8

I am using Spring Security in one of my projects. The web application requires users to log in, so I added some usernames and passwords to the spring-security-context.xml file, as shown below:

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="user_1" password="password_1" authorities="ROLE_USER" />
            <user name="user_2" password="password_2" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>

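My question is: how can I move these username-password pairs to a different file (such as a properties file) instead of keeping them in spring-security-context.xml? And how do I read that properties file?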

4

6 Answers

15

You can store the usernames and passwords in a separate .properties file.

<user-service id="userDetailsService" properties="users.properties"/> 

users.properties should have the following format:

jimi=jimispassword,ROLE_USER,ROLE_ADMIN,enabled
bob=bobspassword,ROLE_USER,enabled

If you want to store it in a database, I suggest you read this article: http://www.mkyong.com/spring-security/spring-security-form-login-using-database/

Reference: Spring Security In-Memory Authentication

answered 2012-06-17T23:43:40.737
2

You can use PropertyPlaceholderConfigurer: put them in a properties file and then reference them using EL:

http://static.springsource.org/spring/docs/3.1.x/spring-framework-reference/html/beans.html#beans-factory-placeholderconfigurer

answered 2012-06-17T23:34:21.583
1

You can find a way to move them to a database or LDAP. Spring Security certainly supports both.

answered 2012-06-17T22:06:31.450
1

I have tried the suggested approaches; in the end I did the following, which seems to work well.

Add these changes to your web.xml:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<servlet-mapping>
    <servlet-name>service</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>

Add these changes to your spring-security XML:

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider>
        <security:user-service>
            <security:user name="${resource.service.authentication.name}"
                authorities="${resource.service.authentication.authorities}"
                password="${resource.service.authentication.password}"/>
        </security:user-service>
    </security:authentication-provider>
</security:authentication-manager>

Add these changes to your application context XML, or better, to your property-loader XML if you have one:

<bean id="propertyConfigurer"
    class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
    <property name="placeholderPrefix" value="${" />
    <property name="placeholderSuffix" value="}" />
    <property name="locations">
        <list>
            <value>classpath:resourceservice.properties</value>
        </list>
    </property>
</bean>

Then add these changes to your properties file resourceservice.properties:

resource.service.authentication.name=usename
resource.service.authentication.authorities=AUTHORISED
resource.service.authentication.password=password

Add these changes in your resource that uses Jersey:

@PUT
@Path("{accountId}")
@Consumes("application/xml")
@PreAuthorize("hasRole('AUTHORISED')")
public Response methodName
answered 2014-06-12T10:42:56.060
0

This works for me for Spring Security authentication and authorization using a properties file:

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:mvc="http://www.springframework.org/schema/mvc" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"

    xsi:schemaLocation="
        http://www.springframework.org/schema/beans     
        http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
        http://www.springframework.org/schema/context 
        http://www.springframework.org/schema/context/spring-context-3.2.xsd
        http://www.springframework.org/schema/mvc
        http://www.springframework.org/schema/mvc/spring-mvc-3.2.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <mvc:annotation-driven />

    <bean id="webPropertyConfigurer"
        class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
        <property name="ignoreResourceNotFound" value="true" />
        <property name="ignoreUnresolvablePlaceholders" value="true" />
        <property name="locations">
            <list>
                <value>classpath:abc.properties</value>
            </list>
        </property>
    </bean>

    <bean
        class="org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor" />

    <security:http auto-config="true" use-expressions="true">
        <security:intercept-url pattern="/stat/login" access="permitAll"/>
        <security:intercept-url pattern="/stat/summary" access="hasRole('ROLE_ADMIN')" />

        <security:form-login login-page="/stat/login"
            default-target-url="/stat/summary" authentication-failure-url="/stat/loginError" /> 
    </security:http>
    <!-- Username and password used from xml -->
    <!-- <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="xyz" password="xyz" authorities="ROLE_ADMIN" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager> -->

    <security:authentication-manager>
        <security:authentication-provider>
            <security:user-service>
                <security:user name="${stat.user}" password="${stat.pwd}" authorities="ROLE_ADMIN" />
            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>

abc.properties file:

stat.user=xyz
stat.pwd=xyz

web.xml entry for the spring-security implementation:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
answered 2014-10-24T17:37:20.503
0

You can simply add a Bean in your Spring Security Configuration:

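@Bean
public UserDetailsService userDetailsService() throws IOException {
   // loadAllProperties reads every users.properties on the classpath and may throw IOException
   Properties users = PropertiesLoaderUtils.loadAllProperties("users.properties");
   return new InMemoryUserDetailsManager(users);
}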

users.properties looks like:

admin={noop}password,ROLE_USER,ROLE_ADMIN,enabled
bob={noop}password,ROLE_USER,enabled
123={noop}123,ROLE_USER,enabled
answered 2020-11-06T10:50:21.740
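
Every answer above keeps the passwords in clear text inside the properties file (the last one marks them with {noop}). The following is an added example, not part of any answer: it loads the same users.properties format but expects hashed entries and refuses to start on plaintext ones. It assumes Spring Security 5 or later; the class name PropertiesUserConfig and the command-line arguments are hypothetical.

```java
import java.io.IOException;
import java.util.Properties;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.support.PropertiesLoaderUtils;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
public class PropertiesUserConfig { // hypothetical class name

    // Delegating encoder: selects the algorithm from the {id} prefix stored with each hash.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    public UserDetailsService userDetailsService() throws IOException {
        Properties users = PropertiesLoaderUtils.loadAllProperties("users.properties");
        // Entry format: name=password,ROLE_A,ROLE_B,enabled ; the password is the first field.
        for (String name : users.stringPropertyNames()) {
            String stored = users.getProperty(name).split(",", 2)[0].trim();
            // Reject unprefixed values and {noop}: both mean the file holds the real password.
            if (!stored.startsWith("{") || stored.startsWith("{noop}")) {
                throw new IllegalStateException(
                        "plaintext password for user '" + name + "' in users.properties");
            }
        }
        return new InMemoryUserDetailsManager(users);
    }

    // Run offline, once per user, to print a line for users.properties.
    // Assumed arguments: <username> <role>, e.g. bob ROLE_USER
    public static void main(String[] args) {
        if (args.length != 2 || System.console() == null) {
            System.err.println("usage (interactive terminal): PropertiesUserConfig <username> <role>");
            return;
        }
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        char[] raw = System.console().readPassword("Password for %s: ", args[0]);
        // encode() returns a value of the form {bcrypt}$2a$10$... ; only the hash reaches the file.
        System.out.println(args[0] + "=" + encoder.encode(new String(raw)) + "," + args[1] + ",enabled");
    }
}
```

The properties file still needs restrictive file permissions and should stay out of version control, since the hashes remain usable for offline guessing.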