SPRING IN ACTION 第4版笔记-第九章Securing web applications-008-使用非关系型数据库时如何验证用户(自定义UserService)

一、

1.定义接口

Suppose that you need to authenticate against users in a non-relational database such
as Mongo or Neo4j. In that case, you’ll need to implement a custom implementation
of the UserDetailsService interface.

public interface UserDetailsService {
UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
}

2.实现接口

All you need to do is implement the loadUserByUsername() method to find a user
given the user’s username. loadUserByUsername() then returns a UserDetails object
representing the given user. The following listing shows an implementation of
UserDetailsService that looks up a user from a given implementation of Spitter-
Repository

package spittr.security;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.
SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.
UserDetailsService;
import org.springframework.security.core.userdetails.
UsernameNotFoundException;
import spittr.Spitter;
import spittr.data.SpitterRepository;

public class SpitterUserService implements UserDetailsService {

private final SpitterRepository spitterRepository;

public SpitterUserService(SpitterRepository spitterRepository) {
this.spitterRepository = spitterRepository;
}

@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
Spitter spitter = spitterRepository.findByUsername(username);
if (spitter != null) {
List < GrantedAuthority > authorities = new ArrayList < GrantedAuthority > ();
authorities.add(new SimpleGrantedAuthority("ROLE_SPITTER"));
return new User(
spitter.getUsername(),
spitter.getPassword(),
authorities);
}
throw new UsernameNotFoundException("User '" + username + "' not found.");
}
}

What’s interesting about SpitterUserService is that it has no idea how the user data
is persisted. The SpitterRepository it’s given could look up the Spitter from a rela-
tional database, from a document database, from a graph database, or it could just
make it up. SpitterUserService doesn’t know or care what underlying data storage is
used. It just fetches the Spitter object and uses it to create a User object. ( User is a
concrete implementation of UserDetails .)

3.配置service

To use SpitterUserService to authenticate users, you can configure it in your
security configuration with the userDetailsService() method:

@Autowired
SpitterRepository spitterRepository;
@Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth
.userDetailsService(new SpitterUserService(spitterRepository));
}

The userDetailsService() method (like jdbcAuthentication() , ldapAuthentication ,
and inMemoryAuthentication() ) configures a configuration store. But instead of using
one of Spring’s provided user stores, it takes any implementation of UserDetailsService .
Another option worth considering is that you could change Spitter so that it
implements UserDetailsService . By doing that, you could return the Spitter
directly from the loadUserByUsername() method without copying its values into a
User object.