Authentication Services

This creates an instance of Spring Security's ProviderManager class, which needs to be configured with a list of one or more AuthenticationProvider instances. These can either be created using syntax elements provided by the namespace, or they can be standard bean definitions, marked for addition to the list using the authentication-provider element.

<authentication-manager>

Every Spring Security application which uses the namespace must include this element somewhere. It is responsible for registering the AuthenticationManager which provides authentication services to the application. All elements which create AuthenticationProvider instances should be children of this element.

<authentication-manager> Attributes

  • *alias* This attribute allows you to define an alias name for the internal instance for use in your own configuration.

  • *erase-credentials* If set to true, the AuthenticationManager will attempt to clear any credentials data in the returned Authentication object once the user has been authenticated. It maps directly to the eraseCredentialsAfterAuthentication property of the ProviderManager.

  • *observation-registry-ref* A reference to the ObservationRegistry used for the FilterChain and related components.

  • *id* This attribute allows you to define an id for the internal instance for use in your own configuration. It is the same as the alias attribute, but provides a more consistent experience with elements that use the id attribute.

Child Elements of <authentication-manager>

<authentication-provider>

Unless used with a ref attribute, this element is shorthand for configuring a DaoAuthenticationProvider. DaoAuthenticationProvider loads user information from a UserDetailsService and compares the username/password combination with the values supplied at login. The UserDetailsService instance can be defined either by using an available namespace element (jdbc-user-service) or by using the user-service-ref attribute to point to a bean defined elsewhere in the application context.

Parent Elements of <authentication-provider>

<authentication-provider> Attributes

  • *ref* Defines a reference to a Spring bean that implements AuthenticationProvider.

If you have written your own AuthenticationProvider implementation (or want to configure one of Spring Security's own implementations as a traditional bean for some reason), you can use the following syntax to add it to the internal list of ProviderManager:

<security:authentication-manager>
  <security:authentication-provider ref="myAuthenticationProvider" />
</security:authentication-manager>
<bean id="myAuthenticationProvider" class="com.something.MyAuthenticationProvider"/>

  • *user-service-ref* A reference to a bean that implements UserDetailsService. The bean may be created using the standard bean element or the custom user-service element.

<jdbc-user-service>

Causes creation of a JDBC-based UserDetailsService.

<jdbc-user-service> Attributes

  • *authorities-by-username-query* An SQL statement to query for a user's granted authorities given a username. The default is

select username, authority from authorities where username = ?

  • *cache-ref* Defines a reference to a cache for use with a UserDetailsService.

  • *data-source-ref* The bean ID of the DataSource which provides the required tables.

  • *group-authorities-by-username-query* An SQL statement to query a user's group authorities given a username. The default is

select
g.id, g.group_name, ga.authority
from
groups g, group_members gm, group_authorities ga
where
gm.username = ? and g.id = ga.group_id and g.id = gm.group_id

  • *id* A bean identifier, used for referring to the bean elsewhere in the context.

  • *role-prefix* A non-empty string prefix that will be added to role strings loaded from persistent storage (default is "ROLE_"). Use the value "none" for no prefix in cases where the default is non-empty.

  • *users-by-username-query* An SQL statement to query a username, password, and enabled status given a username. The default is

select username, password, enabled from users where username = ?

<password-encoder>

Authentication providers can optionally be configured to use a password encoder as described in Password Storage. This will result in the bean being injected with the appropriate PasswordEncoder instance.

Parent Elements of <password-encoder>

<password-encoder> Attributes

  • *hash* Defines the hashing algorithm used on user passwords. We strongly recommend against using MD4, as it is a very weak hashing algorithm.

  • *ref* Defines a reference to a Spring bean that implements PasswordEncoder.
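The following is an added example, not part of the reference page or of Spring Security's own documentation; it combines the jdbc-user-service and password-encoder elements described above into one complete authentication-manager definition. It assumes a DataSource bean with id "dataSource" is defined elsewhere in the context, and the table and column names in the overridden queries (app_users, app_authorities, login, password_hash) are assumed schema names chosen for illustration.

```xml
<!-- Added example; not from the reference page. Assumes a "dataSource" bean
     exists elsewhere and that the app_users / app_authorities tables are
     created by the application. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           https://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           https://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Encoder bean referenced by password-encoder ref=...; the password_hash
       column must therefore hold bcrypt hashes, never plaintext. -->
  <bean id="bcryptEncoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

  <!-- erase-credentials="true" clears the submitted password from the
       Authentication object once authentication has completed, so it is not
       retained in the SecurityContext. -->
  <security:authentication-manager id="authenticationManager" erase-credentials="true">
    <security:authentication-provider>
      <security:password-encoder ref="bcryptEncoder"/>

      <!-- Custom queries replacing the defaults shown above. The users query must
           return the columns in the order username, password, enabled; the
           authorities query must return username, authority. Each keeps a single
           '?' placeholder so the username is bound as a parameter rather than
           concatenated into the statement. role-prefix="none" is used because the
           assumed app_authorities table already stores values such as ROLE_USER. -->
      <security:jdbc-user-service
          data-source-ref="dataSource"
          role-prefix="none"
          users-by-username-query="select login, password_hash, enabled from app_users where login = ?"
          authorities-by-username-query="select login, authority from app_authorities where login = ?"/>
    </security:authentication-provider>
  </security:authentication-manager>
</beans>
```

If the authorities table stores bare names such as "USER" instead, drop role-prefix="none" so the default "ROLE_" prefix is applied at load time; mixing the two conventions is a common cause of silently failing authorization checks.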

<user-service>

Creates an in-memory UserDetailsService from a properties file or a list of "user" child elements. Usernames are converted to lower-case internally to allow for case-insensitive lookups, so this should not be used if case-sensitivity is required.

<user-service> Attributes

  • *id* A bean identifier, used for referring to the bean elsewhere in the context.

  • *properties* The location of a Properties file where each line is in the format of

username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]

Child Elements of <user-service>

<user>

Represents a user in the application.

Parent Elements of <user>

<user> Attributes

  • *authorities* One or more authorities granted to the user. Separate authorities with a comma (but no space). For example, "ROLE_USER,ROLE_ADMINISTRATOR".

  • *disabled* Can be set to "true" to mark an account as disabled and unusable.

  • *locked* Can be set to "true" to mark an account as locked and unusable.

  • *name* The username assigned to the user.

  • *password* The password assigned to the user. This may be hashed if the corresponding authentication provider supports hashing (remember to set the "hash" attribute of the "user-service" element). This attribute may be omitted in the case where the data will not be used for authentication, but only for accessing authorities. If omitted, the namespace will generate a random value, preventing its accidental use for authentication. Cannot be empty.
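The following is an added example, not part of the reference page or of Spring Security's own documentation; it shows the user-service element with user children exercising the authorities, locked, disabled and omitted-password attributes described above. The bean id "bcryptEncoder" is assumed to be defined elsewhere in the context, and the password values are placeholders to be replaced with real bcrypt hashes.

```xml
<!-- Added example; not from the reference page. Assumes a PasswordEncoder bean
     with id "bcryptEncoder" is defined elsewhere in the context. -->
<security:authentication-manager>
  <security:authentication-provider>
    <security:password-encoder ref="bcryptEncoder"/>

    <security:user-service id="inMemoryUsers">
      <!-- Normal account: PLACEHOLDER hash, replace with a real bcrypt value -->
      <security:user name="alice"
                     password="$2a$10$REPLACE_WITH_REAL_BCRYPT_HASH"
                     authorities="ROLE_USER,ROLE_ADMINISTRATOR"/>

      <!-- Locked account: the credentials are kept but login is refused -->
      <security:user name="bob"
                     password="$2a$10$REPLACE_WITH_REAL_BCRYPT_HASH"
                     authorities="ROLE_USER"
                     locked="true"/>

      <!-- Disabled account: also unusable for authentication -->
      <security:user name="carol"
                     password="$2a$10$REPLACE_WITH_REAL_BCRYPT_HASH"
                     authorities="ROLE_USER"
                     disabled="true"/>

      <!-- No password attribute: the namespace generates a random value, so this
           entry can only be used for authority lookups, never for login -->
      <security:user name="reporting-svc"
                     authorities="ROLE_REPORT_READER"/>
    </security:user-service>
  </security:authentication-provider>
</security:authentication-manager>

<!-- Equivalent alternative using the properties attribute. The referenced file
     (path assumed) holds one line per user in the format
     username=password,grantedAuthority[,grantedAuthority][,enabled|disabled] -->
<!--
<security:user-service id="fileUsers" properties="classpath:users.properties"/>
-->
```

Because usernames are lower-cased internally, "Alice" and "alice" in this list would refer to the same account; keep names unique after lower-casing to avoid one entry silently shadowing another.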