Defining & Managing Users

김가빈 · July 27, 2023

springsecurity


Creating users in memory

package com.eazybytes.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ProjectSecurityConfig {

	@Bean
	SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
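		http.authorizeHttpRequests((requests) -> requests
				// account pages require a logged-in user
				.requestMatchers("/myAccount", "/myBalance", "/myLoans", "/myCards").authenticated()
				// public pages are open to everyone
				.requestMatchers("/notices", "/contact").permitAll())
				// enable both form login and HTTP Basic with default settings
				.formLogin(Customizer.withDefaults())
				.httpBasic(Customizer.withDefaults());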
				
		return http.build();
	}
	
	@Bean
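	public InMemoryUserDetailsManager userDetailService() {
		
		// User.withDefaultPasswordEncoder() is deprecated and intended for demos only:
		// the plain-text passwords below live in the source code.
		UserDetails admin = User.withDefaultPasswordEncoder()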
								.username("admin")
								.password("12345")
								.authorities("admin")
								.build();
		
		UserDetails user = User.withDefaultPasswordEncoder()
				.username("user")
				.password("12345")
				.authorities("read")
				.build();
		
		return new InMemoryUserDetailsManager(admin, user);
		
	}
}
  • Then remove the username and password entries from application.properties

Understanding User Management Interfaces and Classes

  • When a user enters a username and password, the request is ultimately handled by a UserDetailsManager / UserDetailsService

1. UserDetailsService

  • UserDetailsService loads the user by username only (loadUserByUsername)
    • this is for security reasons
    • querying the DB with the password could be dangerous

2. UserDetailsManager

  • Helps manage user details
    • create, update, delete, change password, etc.
    • available through InMemoryUserDetailsManager, JdbcUserDetailsManager and LdapUserDetailsManager
    • if you only want to check whether a user exists (without authenticating), UserDetailsManager provides userExists

All of the above interfaces and classes use the UserDetails interface
and its implementation, which provides the core user information.



UserDetails has only getter methods (no setters),
because the Spring Security team does not want the username or password to be set from application code.
The only thing we can set is the boolean authenticated flag (setAuthenticated), which lives on the Authentication object and marks the authentication as done.


UserDetailsManager implementation classes

  • Add the dependencies to pom.xml
		<dependency>
			<groupId>org.springframework.ldap</groupId>
			<artifactId>spring-ldap-core</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-ldap</artifactId>
		</dependency>

InMemoryUserDetailsManager


  • The users field is a map, so when you call createUser, deleteUser or updateUser, the manager looks up the user in this map and changes it
  • We only use it for demo projects
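
The UserDetailsManager operations described above (createUser, userExists, loadUserByUsername, updateUser, deleteUser), run against an InMemoryUserDetailsManager. This is an added example, not code from the original post: the class name UserManagerDemo, the user alice and its password are constructed, and it assumes spring-security-core and spring-security-crypto are on the classpath. It uses an explicit PasswordEncoder instead of User.withDefaultPasswordEncoder(), so the map holds a hash rather than a plain-text password.

```java
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.provisioning.UserDetailsManager;

public class UserManagerDemo {

    public static void main(String[] args) {
        // Explicit encoder; stored values get an algorithm prefix such as {bcrypt}
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        UserDetailsManager manager = new InMemoryUserDetailsManager();

        // createUser: the user is put into the manager's internal map
        String rawPassword = "constructed-sample-pw"; // constructed sample value
        UserDetails alice = User.withUsername("alice") // constructed sample user
                .password(encoder.encode(rawPassword))
                .authorities("read")
                .build();
        manager.createUser(alice);

        // userExists: existence check only, no authentication involved
        System.out.println("exists: " + manager.userExists("alice"));

        // loadUserByUsername: lookup by username only; the password check happens
        // afterwards by comparing the submitted value against the stored hash
        UserDetails loaded = manager.loadUserByUsername("alice");
        System.out.println("stored: " + loaded.getPassword());
        System.out.println("matches: " + encoder.matches(rawPassword, loaded.getPassword()));

        // updateUser: UserDetails has no setters, so build a new object from the old one
        manager.updateUser(User.withUserDetails(loaded).authorities("read", "admin").build());
        System.out.println("authorities: " + manager.loadUserByUsername("alice").getAuthorities());

        // deleteUser: afterwards the lookup fails with UsernameNotFoundException
        manager.deleteUser("alice");
        try {
            manager.loadUserByUsername("alice");
        } catch (UsernameNotFoundException e) {
            System.out.println("after delete: user not found");
        }
    }
}
```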

JdbcUserDetailsManager

  • Supports performing authentication against a database
  • JdbcUserDetailsManager makes the table for handling users automatically
  • This class defines, as fields, all the SQL statements needed to authenticate users in the database
  • You need to create the user tables and match them to Spring Security's structure

GroupManager

  • Sometimes we need to handle group-level authorities
  • So JdbcUserDetailsManager also implements the GroupManager interface

LdapUserDetailsManager

  • It isn't commonly used
  • It stores user info in an LDAP server