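I need to supply my own custom RememberMeAuthenticationProvider, and I know how to do that. But the provider created by default is still present in the ProviderManager's list of providers.
Can I completely replace the default one with my custom one?
This is how I add my own: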

    @Bean
    public RememberMeAuthenticationProvider rememberMeAuthenticationProvider(MessageSource messageSource) {
        var authProvider = new MyRememberMeAuthenticationProvider(REMEMBER_ME_KEY);
        authProvider.setMessageSource(messageSource);
        return authProvider;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http,
                                           MvcRequestMatcher.Builder mvc,
                                           MessageSource messageSource) throws Exception {
        http
            .csrf(csrf -> csrf.csrfTokenRequestHandler(csrfRequestHandler)
                .ignoringRequestMatchers(LOGIN_URI + "**"))
            .authenticationProvider(authenticationProvider)
            .authenticationProvider(rememberMeAuthenticationProvider(messageSource))
            <cut>
        return http.build();
    }

But RememberMeConfigurer unconditionally adds the default one:

    @Override
    public void configure(H http) {
        RememberMeAuthenticationFilter rememberMeFilter = new RememberMeAuthenticationFilter(
                http.getSharedObject(AuthenticationManager.class), this.rememberMeServices);
        if (this.authenticationSuccessHandler != null) {
            rememberMeFilter.setAuthenticationSuccessHandler(this.authenticationSuccessHandler);
        }
        SecurityContextConfigurer<?> securityContextConfigurer = http.getConfigurer(SecurityContextConfigurer.class);
        if (securityContextConfigurer != null && securityContextConfigurer.isRequireExplicitSave()) {
            SecurityContextRepository securityContextRepository = securityContextConfigurer
                    .getSecurityContextRepository();
            rememberMeFilter.setSecurityContextRepository(securityContextRepository);
        }
        rememberMeFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
        rememberMeFilter = postProcess(rememberMeFilter);
        http.addFilter(rememberMeFilter);
    }

This results in the following list of configured providers:
0 = {MyAuthenticationProvider@17013}
1 = {MyRememberMeAuthenticationProvider@16992}
2 = {AnonymousAuthenticationProvider@26592}
3 = {RememberMeAuthenticationProvider@18312}
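This works for now, probably because of the ordering, but I would really like to remove the default one entirely.
Is that possible?
Many thanks, Mike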

I think you can use a BeanPostProcessor like this:
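
    import org.springframework.beans.BeansException;
    import org.springframework.beans.factory.config.BeanPostProcessor;
    import org.springframework.security.authentication.ProviderManager;
    import org.springframework.security.authentication.RememberMeAuthenticationProvider;

    public class MyBeanPostProcessor implements BeanPostProcessor {
        @Override
        public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
            if (bean instanceof ProviderManager providerManager) {
                // Exact class comparison: only the stock provider is removed, subclasses are kept.
                providerManager.getProviders().removeIf(provider -> provider.getClass() == RememberMeAuthenticationProvider.class);
            }
            return bean;
        }
    }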
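
The provider list in the question keeps the stock provider behind the custom one. As an added example (not code from the question or the answer), the program below shows why that fallback matters: ProviderManager moves on to the next provider when one throws an AuthenticationException, so a token the custom provider rejects can still be accepted by the default one. StrictRememberMeProvider, its "blocked-user" rule and the key are hypothetical, and spring-security-core is assumed to be on the classpath.

```java
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.authentication.RememberMeAuthenticationProvider;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;

public class RememberMeFallbackDemo {
    static final String KEY = "demo-remember-me-key"; // constructed sample key

    // Hypothetical stand-in for MyRememberMeAuthenticationProvider: applies one
    // extra rule on top of the stock key-hash check.
    static class StrictRememberMeProvider extends RememberMeAuthenticationProvider {
        StrictRememberMeProvider(String key) { super(key); }

        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            if ("blocked-user".equals(authentication.getName())) {
                throw new BadCredentialsException("rejected by custom rule");
            }
            return super.authenticate(authentication);
        }
    }

    // True when the manager ends up authenticating the token, false when every provider refuses.
    static boolean accepts(ProviderManager manager, Authentication token) {
        try {
            return manager.authenticate(token) != null;
        } catch (AuthenticationException ex) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed token for the principal the custom rule rejects.
        Authentication token = new RememberMeAuthenticationToken(
                KEY, "blocked-user", AuthorityUtils.createAuthorityList("ROLE_USER"));
        // Same shape as the list in the question: custom provider first, stock one later.
        ProviderManager both = new ProviderManager(
                new StrictRememberMeProvider(KEY), new RememberMeAuthenticationProvider(KEY));
        ProviderManager customOnly = new ProviderManager(new StrictRememberMeProvider(KEY));
        System.out.println("custom + default: " + accepts(both, token));
        System.out.println("custom only:      " + accepts(customOnly, token));
    }
}
```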