spring - 使用 EnableWebSecurity 时 AuthenticationPrincipal 为空

Question

截至Spring Security doc: 34.1 @EnableWebMvcSecurity状态，@EnableWebMvcSecurity已替换为 @EnableWebSecurity .

但是当我尝试获取 UserDetails在 Controller 中由 @AuthenticationPrincipal ，我得到一个空对象:用户名是"" .我也试过@EnableWebMvcSecurity , 但不幸的是 UserDetails是 null .

但我可以得到 UserDetails通过传统方式，像这样:

SecurityContextHolder.getContext().getAuthentication().getPrincipal();

我的问题是，获得我的自定义 UserDetails 的正确方法是什么？ ( Account ) 当我使用 @EnableWebSecurity ?

下面是相关的源代码:

Controller :

@RequestMapping(method = RequestMethod.POST)
@Secured("ROLE_USER")
public String postRoom(@Valid @ModelAttribute Room room, BindingResult result, Model model, @AuthenticationPrincipal Account principal) {
    if (result.hasErrors()) {
        return "room_form";
    }

    Account account = accountRepository.findByUsername(principal.getUsername());
    room.setAccountId(account.getId());
    room.setLastModified(new Date());
    roomRepository.save(room);
    return "room_list";
}

安全配置:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private DataSource dataSource;

    @Autowired
    private SecurityProperties security;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests().anyRequest().permitAll()
            .and().formLogin().loginPage("/login").failureUrl("/login?error").permitAll()
            .and().logout().permitAll()
            .and().rememberMe()
            .and().csrf().disable();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.jdbcAuthentication().dataSource(this.dataSource).passwordEncoder(new BCryptPasswordEncoder(8));
    }
}

和 Account.java :

@Entity
@Table(name = "users")
public class Account implements Serializable {
    @Id
    @GeneratedValue
    private Long id;

    private String username;
    private String password;
    private boolean enabled;

    @Lob
    private byte[] avatar;

// getter / setter ...
}

Answer 1

AuthenticationPrincipal is empty.
But I can get the UserDetails by the traditional way, like this:

SecurityContextHolder.getContext().getAuthentication().getPrincipal();

配置 argument-resolvers帮了我

<mvc:annotation-driven>
    <mvc:argument-resolvers>
        <bean class="org.springframework.security.web.method.annotation.AuthenticationPrincipalArgumentResolver"/>
    </mvc:argument-resolvers>
</mvc:annotation-driven>

你也可以看到 34.2 @AuthenticationPrincipal部分

Once AuthenticationPrincipalArgumentResolver is properly configured, you can be entirely decoupled from Spring Security in your Spring MVC layer.

我如何理解这意味着您应该手动添加参数解析器。或者

By using Section 34.1, “@EnableWebMvcSecurity” you will automatically have this added to your Spring MVC configuration

还有 related question