Spring Security loadUserByUsername传递多个参数

前言

• 我们使用Spring Security做登录，一般来说都要实现UserDetailsService接口，代码如下。

public interface UserDetailsService {
	UserDetails loadUserByUsername(String username) throws UsernameNotFoundException;
}

1
2
3
4

• 是的，loadUserByUsername方法仅有一个username参数，如果我们是做SaaS平台，多渠道登录，名称允许重复的话，这可怎么玩儿。
• 下面提供2种方法。

自定义一个DaoAuthenticationProvider

• 新建CustomerDaoAuthenticationProvider.java，其实是把DaoAuthenticationProvider代码抄下来，修改了userDetailsService和UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username, authentication.getDetails());。把UsernamePasswordAuthenticationToken的details属性作为扩展参数传入新的loadUserByUsername方法。

 
import com.works.framework.web.WebUserDetailsServiceImpl;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsPasswordService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.util.Assert;

/**
 * @author Zhou Zhongqing
 * @ClassName CustomerDaoAuthenticationProvider.java
 * @description: TODO
 * @date 2022-08-11 17:33
 */
public class CustomerDaoAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {

 
    private static final String USER_NOT_FOUND_PASSWORD = "userNotFoundPassword";

    private PasswordEncoder passwordEncoder;
 
    private volatile String userNotFoundEncodedPassword;

    private WebUserDetailsServiceImpl userDetailsService;

    private UserDetailsPasswordService userDetailsPasswordService;

    public CustomerDaoAuthenticationProvider() {
        setPasswordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());
    }

    @Override
    @SuppressWarnings("deprecation")
    protected void additionalAuthenticationChecks(UserDetails userDetails,
                                                  UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
        if (authentication.getCredentials() == null) {
            this.logger.debug("Failed to authenticate since no credentials provided");
            throw new BadCredentialsException(this.messages
                    .getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
        }
        String presentedPassword = authentication.getCredentials().toString();
        if (!this.passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {
            this.logger.debug("Failed to authenticate since password does not match stored value");
            throw new BadCredentialsException(this.messages
                    .getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
        }
    }

    @Override
    protected void doAfterPropertiesSet() {
        Assert.notNull(this.userDetailsService, "A UserDetailsService must be set");
    }

    @Override
    protected UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication)
            throws AuthenticationException {
        prepareTimingAttackProtection();
        try {
            UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username, authentication.getDetails());
            if (loadedUser == null) {
                throw new InternalAuthenticationServiceException(
                        "UserDetailsService returned null, which is an interface contract violation");
            }
            return loadedUser;
        } catch (UsernameNotFoundException ex) {
            mitigateAgainstTimingAttack(authentication);
            throw ex;
        } catch (InternalAuthenticationServiceException ex) {
            throw ex;
        } catch (Exception ex) {
            throw new InternalAuthenticationServiceException(ex.getMessage(), ex);
        }
    }

    @Override
    protected Authentication createSuccessAuthentication(Object principal, Authentication authentication,
                                                         UserDetails user) {
        boolean upgradeEncoding = this.userDetailsPasswordService != null
                && this.passwordEncoder.upgradeEncoding(user.getPassword());
        if (upgradeEncoding) {
            String presentedPassword = authentication.getCredentials().toString();
            String newPassword = this.passwordEncoder.encode(presentedPassword);
            user = this.userDetailsPasswordService.updatePassword(user, newPassword);
        }
        return super.createSuccessAuthentication(principal, authentication, user);
    }

    private void prepareTimingAttackProtection() {
        if (this.userNotFoundEncodedPassword == null) {
            this.userNotFoundEncodedPassword = this.passwordEncoder.encode(USER_NOT_FOUND_PASSWORD);
        }
    }

    private void mitigateAgainstTimingAttack(UsernamePasswordAuthenticationToken authentication) {
        if (authentication.getCredentials() != null) {
            String presentedPassword = authentication.getCredentials().toString();
            this.passwordEncoder.matches(presentedPassword, this.userNotFoundEncodedPassword);
        }
    }

    /**
     * Sets the PasswordEncoder instance to be used to encode and validate passwords. If
     * not set, the password will be compared using
     * {@link PasswordEncoderFactories#createDelegatingPasswordEncoder()}
     *
     * @param passwordEncoder must be an instance of one of the {@code PasswordEncoder}
     *                        types.
     */
    public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
        Assert.notNull(passwordEncoder, "passwordEncoder cannot be null");
        this.passwordEncoder = passwordEncoder;
        this.userNotFoundEncodedPassword = null;
    }

    protected PasswordEncoder getPasswordEncoder() {
        return this.passwordEncoder;
    }

    public void setUserDetailsService(WebUserDetailsServiceImpl userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    protected WebUserDetailsServiceImpl getUserDetailsService() {
        return this.userDetailsService;
    }

    public void setUserDetailsPasswordService(UserDetailsPasswordService userDetailsPasswordService) {
        this.userDetailsPasswordService = userDetailsPasswordService;
    }

}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139

• security 配置。

     /**
     * 身份认证接口
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(customerDaoAuthenticationProvider()).userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
    }
... 省略...
    @Bean
    public CustomerDaoAuthenticationProvider customerDaoAuthenticationProvider() {
        CustomerDaoAuthenticationProvider customerDaoAuthenticationProvider = new CustomerDaoAuthenticationProvider();
        customerDaoAuthenticationProvider.setUserDetailsService(userDetailsService);
        return customerDaoAuthenticationProvider;
    }

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

• 启动时会把我的CustomerDaoAuthenticationProvider注册进来。
  
• 登录时，进入parent的providers。
  
• 最后进入自定义的CustomerDaoAuthenticationProvider#retrieveUser方法。
  

参数都传入principal

• 我们调用authenticationManager.authenticate方法时传入UsernamePasswordAuthenticationToken。
• UsernamePasswordAuthenticationToken的第一个参数是principal，这个一般作为用户名，可以把全部参数传进去，在loadUserByUsername方法分割。就能拿到其他参数。
• 例如这样写。

  @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        String[] split = username.split(",");
        Users users = new Users();
        users.setName(split[0]);
         users.setXXX(split[1]);
        List usersList = usersService.selectUsersList(users);
        Assert.isEmpty(usersList, "没有这个用户");
        Users user = usersList.get(0);
        Assert.isTrue(Users.IS_LOCK_1.equals(user.getIsLock()), "用户已被锁定不能登录");
        return createLoginUser(user);
    }

    public WebLoginUserDetail createLoginUser(Users users) {
        WebLoginUserDetail webLoginUserDetail = mapperFacade.map(users,WebLoginUserDetail.class);
        return webLoginUserDetail;
    }
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

这个比较方便，不过用username字段做其他事情怪怪的。

参考

• https://segmentfault.com/q/1010000040956141
• https://blog.csdn.net/weixin_43909881/article/details/104925068