问题
I’m integrating Spring Security Auth0 into a Spring web app using the 1.3.2.RELEASE BOM. I had been using the provided auth0-security-context.xml file to configure authentication, which worked and looks like this:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<bean id="auth0EntryPoint" class="com.auth0.spring.security.auth0.Auth0AuthenticationEntryPoint" />
<!-- all urls starting with unsecured are -->
<security:http pattern="${auth0.securedRoute}" create-session="stateless" entry-point-ref="auth0EntryPoint">
<security:intercept-url pattern="${auth0.securedRoute}" access="ROLE_USER" />
<security:custom-filter ref="auth0Filter" after="SECURITY_CONTEXT_FILTER" ></security:custom-filter>
</security:http>
<!-- Otherwise by default everything is secured -->
<security:http auto-config="true" use-expressions="true" pattern="/**" create-session="stateless" entry-point-ref="auth0EntryPoint">
<security:intercept-url pattern="/**" access='permitAll' />
</security:http>
<bean id="auth0Filter" class="com.auth0.spring.security.auth0.Auth0AuthenticationFilter">
<property name="entryPoint" ref="auth0EntryPoint"></property>
</bean>
<bean id="auth0AuthenticationProvider" class="com.auth0.spring.security.auth0.Auth0AuthenticationProvider">
<property name="clientSecret" value="${auth0.clientSecret}" ></property>
<property name="clientId" value="${auth0.clientId}" ></property>
<property name="securedRoute" value="${auth0.securedRoute}" ></property>
</bean>
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="auth0AuthenticationProvider" />
</security:authentication-manager>
</beans>
I need to customize the configuration (I need to turn off CSRF protection), so I remove the annotation that imported the above XML file, and tried to translate the above into a Java Config, using the following classes:
Auth0Configuration.java
package co.masslab.shiba;
import com.auth0.spring.security.auth0.*;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.*;
@Configuration
@ComponentScan(basePackages={"com.auth0"})
@PropertySource("classpath:auth0.properties")
public class Auth0Configuration {
@Value("${auth0.clientSecret}")
private String clientSecret;
@Value("${auth0.clientId}")
private String clientId;
@Value("${auth0.securedRoute}")
private String securedRoute;
@Bean
public Auth0AuthenticationEntryPoint auth0EntryPoint() {
return new Auth0AuthenticationEntryPoint();
}
@Bean
@Autowired
public Auth0AuthenticationFilter auth0Filter(Auth0AuthenticationEntryPoint auth0EntryPoint) {
Auth0AuthenticationFilter authFilter = new Auth0AuthenticationFilter();
authFilter.setEntryPoint(auth0EntryPoint);
return authFilter;
}
@Bean
public Auth0AuthenticationProvider auth0AuthenticationProvider() {
Auth0AuthenticationProvider authProvider = new Auth0AuthenticationProvider();
authProvider.setClientSecret(clientSecret);
authProvider.setClientId(clientId);
authProvider.setSecuredRoute(securedRoute);
return authProvider;
}
}
WebSecurityConfig.java
package co.masslab.shiba;
import com.auth0.spring.security.auth0.*;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private final static Logger log = LoggerFactory.getLogger(WebSecurityConfig.class);
@Value("${auth0.securedRoute}")
private String securedRoute;
@Autowired
private Auth0AuthenticationEntryPoint auth0EntryPoint;
@Autowired
private Auth0AuthenticationFilter auth0Filter;
@Autowired
private Auth0AuthenticationProvider auth0AuthenticationProvider;
@Override
protected void configure(HttpSecurity http) throws Exception {
log.info("Configuring HttpSecurity");
http
.authorizeRequests().antMatchers(securedRoute).hasRole("USER")
.and()
.exceptionHandling().authenticationEntryPoint(auth0EntryPoint)
.and()
.addFilterAfter(auth0Filter, SecurityContextPersistenceFilter.class)
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
log.info("Configuring AuthenticationManagerBuilder");
auth.authenticationProvider(auth0AuthenticationProvider);
}
}
All of this compiles and runs without exception, and when I don’t provide any authentication it correctly tells me that I need to do so, but when I authenticate using a valid bearer token in the authorization header, I get the message No AuthenticationProvider found for com.auth0.spring.security.auth0.Auth0JWTToken. To be completely clear, I don’t have that problem when using the auth0-security-context.xml file given at the top of this question.
What did I miss when translating from XML config to Java config?
回答1:
The secret is that the method that configures the AuthenticationManagerBuilder needs to be marked with @Autowired.
来源:https://stackoverflow.com/questions/35304856/why-isn-t-this-spring-security-authenticationprovider-found-after-being-java-con