spring-attic / spring-security-oauth

Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications.
http://github.com/spring-projects/spring-security-oauth
Apache License 2.0

Why is the principal I get from authentication always a String? #1454

Open Yvan0329 opened 6 years ago

Yvan0329 commented 6 years ago

I get a token with the password grant, but I don't know why I always get the principal from authentication.getPrincipal() as a String, not as a UserDetails object.

```java
import javax.sql.DataSource;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;

// @Configuration / @EnableResourceServer were not shown in the issue; assumed so the class is picked up
@Configuration
@EnableResourceServer
public class ResourceServerConfigurer extends ResourceServerConfigurerAdapter {

    // TcsfAccessDeniedHandler, ResourceAuthExceptionEntryPoint and PcSecurityExpressionHandler
    // are the reporter's own classes (not shown in the issue)
    private final TcsfAccessDeniedHandler tcsfAccessDeniedHandler;
    private final ResourceAuthExceptionEntryPoint resourceAuthExceptionEntryPoint;
    private final DataSource dataSource; // declared but not used in the posted configuration
    private final PcSecurityExpressionHandler pcSecurityExpressionHandler;

    // constructor injection; the issue shows final fields without a constructor
    public ResourceServerConfigurer(TcsfAccessDeniedHandler tcsfAccessDeniedHandler,
                                    ResourceAuthExceptionEntryPoint resourceAuthExceptionEntryPoint,
                                    DataSource dataSource,
                                    PcSecurityExpressionHandler pcSecurityExpressionHandler) {
        this.tcsfAccessDeniedHandler = tcsfAccessDeniedHandler;
        this.resourceAuthExceptionEntryPoint = resourceAuthExceptionEntryPoint;
        this.dataSource = dataSource;
        this.pcSecurityExpressionHandler = pcSecurityExpressionHandler;
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            // public endpoints
            .antMatchers("/actuator/**", "/user/info/*", "/log/**", "/v2/api-docs", "/authentication/form").permitAll()
            // every other request is decided by the rbacService bean (SpEL bean reference)
            .anyRequest().access("@rbacService.hasPermission(request,authentication)")
            .and().csrf().disable();
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.authenticationEntryPoint(resourceAuthExceptionEntryPoint)
            .accessDeniedHandler(tcsfAccessDeniedHandler)
            .expressionHandler(pcSecurityExpressionHandler);
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }
}
```

```java
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
import org.springframework.util.AntPathMatcher;

// interface referenced by the posted class; its declaration is not shown in the issue
interface RbacService {
    boolean hasPermission(HttpServletRequest request, Authentication authentication);
}

@Component("rbacService")
public class RbacPermissionImpl implements RbacService {

    private final AntPathMatcher antPathMatcher = new AntPathMatcher();

    @Override
    public boolean hasPermission(HttpServletRequest request, Authentication authentication) {
        // debugging lookup from the posted code: the Authentication handed to the SpEL
        // expression is the one in the SecurityContextHolder, so principal1 == principal
        Authentication authentication1 = SecurityContextHolder.getContext().getAuthentication();
        Object principal1 = authentication1.getPrincipal();

        Object principal = authentication.getPrincipal();
        boolean hasPermission = false;
        // only a UserDetails principal can ever be granted access; a String principal
        // fails this check and every non-permitAll request is denied (instanceof handles null)
        if (principal instanceof UserDetails) {
            String userName = ((UserDetails) principal).getUsername(); // computed but unused here
            Set<String> url = new HashSet<>(); // hard-coded allowed URL patterns
            url.add("/open/test");
            url.add("/user/test");
            for (String s : url) {
                if (antPathMatcher.match(s, request.getRequestURI())) {
                    hasPermission = true;
                    break;
                }
            }
        }
        return hasPermission;
    }
}
```
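Editor's added example (not code from this issue or from spring-security-oauth itself). On a resource server the `Authentication` is not the one produced by the password grant; it is rebuilt from the token, either from the JWT claims or from the `/oauth/check_token` response, by `DefaultAccessTokenConverter`. Its `DefaultUserAuthenticationConverter` sets the principal to the `user_name` claim, a plain `String`, and takes authorities from the `authorities` claim, unless a `UserDetailsService` is set on it, in which case it loads the user and uses the `UserDetails` object (and its authorities) as the principal. The example wires that in for a JWT resource server and adds a helper that tolerates both principal shapes, so an access check does not deny everything when the converter is not configured. Assumed, because none of it is in the issue: the class and bean names, a `UserDetailsService` bean in the context, and the symmetric signing key `"jwt.key"` shared with the authorization server.

```java
// Added example; not the issue reporter's code and not spring-security-oauth's own code.
// Assumed: a JWT resource server, a UserDetailsService bean, and the signing key "jwt.key"
// shared with the authorization server. Class and bean names are illustrative.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.DefaultTokenServices;
import org.springframework.security.oauth2.provider.token.DefaultUserAuthenticationConverter;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

@Configuration
@EnableResourceServer
public class UserDetailsResourceServerConfig extends ResourceServerConfigurerAdapter {

    private final UserDetailsService userDetailsService; // assumed to exist in the context

    public UserDetailsResourceServerConfig(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    // Rebuilds the Authentication from the token claims. Without setUserDetailsService the
    // principal is the "user_name" claim as a String and the authorities come from the
    // "authorities" claim; with it, the principal is the loaded UserDetails object.
    @Bean
    public JwtAccessTokenConverter jwtAccessTokenConverter() {
        DefaultUserAuthenticationConverter userConverter = new DefaultUserAuthenticationConverter();
        userConverter.setUserDetailsService(userDetailsService);

        DefaultAccessTokenConverter tokenConverter = new DefaultAccessTokenConverter();
        tokenConverter.setUserTokenConverter(userConverter);

        JwtAccessTokenConverter jwt = new JwtAccessTokenConverter();
        jwt.setAccessTokenConverter(tokenConverter);
        jwt.setSigningKey("jwt.key"); // assumed symmetric key; signature is verified before claims are trusted
        return jwt;
    }

    @Bean
    public TokenStore tokenStore() {
        return new JwtTokenStore(jwtAccessTokenConverter());
    }

    @Bean
    public DefaultTokenServices tokenServices() {
        DefaultTokenServices services = new DefaultTokenServices();
        services.setTokenStore(tokenStore());
        return services;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.tokenServices(tokenServices());
    }

    // Helper for an access-check bean such as the issue's rbacService: returns the username
    // whether the principal is a UserDetails or a String, so a missing converter does not
    // silently turn into "deny every request".
    static String usernameOf(Authentication authentication) {
        Object principal = authentication == null ? null : authentication.getPrincipal();
        if (principal instanceof UserDetails) {
            return ((UserDetails) principal).getUsername();
        }
        if (principal instanceof String) {
            return (String) principal;
        }
        return null; // anonymous or unexpected principal type: caller should deny
    }
}
```

If the resource server validates tokens remotely instead, the same `DefaultAccessTokenConverter` goes on `RemoteTokenServices.setAccessTokenConverter(...)`; the `/oauth/check_token` response map is converted the same way. Two things to weigh: with the `UserDetailsService` wired, every request costs a user lookup, and the authorities used for authorization are the ones loaded at request time rather than the ones frozen into the token, which is usually what you want (a disabled or demoted account is caught immediately) but differs from the token's `authorities` claim. Either way, keep the check bean's default `false` for a principal it does not recognise; only make the `String` case explicit rather than relying on it never happening.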

Yvan0329 commented 6 years ago

I think someone can get UserDetails objects like this, but I can't get them out. I don't know why.

Alfishan commented 5 years ago

Hey @yankee42, any update on this? I also get a String instead of a custom object.