Skip to content

Spring 中文文档社区
Spring 中文文档社区

Mao0512 / Spring 中文文档社区
与 Fork 源项目一致

Fork自 开发云 / Spring 中文文档社区

通知 1
Star 1
Fork 0
Spring 中文文档社区
Spring 中文文档社区

体验新版 GitCode,发现更多精彩内容 >>

切换分支/标签
查找文件 普通视图历史永久链接Permalink
servlet-appendix-namespace-authentication-manager.md 6.9 KB
Newer Older
茶陵後's avatar
#18 [skip ci] spring-security  
茶陵後 已提交
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 
# Authentication Services

This creates an instance of Spring Security’s `ProviderManager` class, which needs to be configured with a list of one or more `AuthenticationProvider` instances.
These can either be created using syntax elements provided by the namespace, or they can be standard bean definitions, marked for addition to the list using the `authentication-provider` element.

## \<authentication-manager\>

Every Spring Security application which uses the namespace must have include this element somewhere.
It is responsible for registering the `AuthenticationManager` which provides authentication services to the application.
All elements which create `AuthenticationProvider` instances should be children of this element.

### \<authentication-manager\> Attributes

* **alias**This attribute allows you to define an alias name for the internal instance for use in your own configuration.

* **erase-credentials**If set to true, the AuthenticationManager will attempt to clear any credentials data in the returned Authentication object, once the user has been authenticated.
  Literally it maps to the `eraseCredentialsAfterAuthentication` property of the [`ProviderManager`](../../authentication/architecture.html#servlet-authentication-providermanager).

* **id**This attribute allows you to define an id for the internal instance for use in your own configuration.
  It is the same as the alias element, but provides a more consistent experience with elements that use the id attribute.

### Child Elements of \<authentication-manager\>

* [authentication-provider](#nsa-authentication-provider)

* [ldap-authentication-provider](ldap.html#nsa-ldap-authentication-provider)

## \<authentication-provider\>

Unless used with a `ref` attribute, this element is shorthand for configuring a `DaoAuthenticationProvider`.`DaoAuthenticationProvider` loads user information from a `UserDetailsService` and compares the username/password combination with the values supplied at login.
The `UserDetailsService` instance can be defined either by using an available namespace element (`jdbc-user-service` or by using the `user-service-ref` attribute to point to a bean defined elsewhere in the application context).

### Parent Elements of \<authentication-provider\>

* [authentication-manager](#nsa-authentication-manager)

### \<authentication-provider\> Attributes

* **ref**Defines a reference to a Spring bean that implements `AuthenticationProvider`.

If you have written your own `AuthenticationProvider` implementation (or want to configure one of Spring Security’s own implementations as a traditional bean for some reason, then you can use the following syntax to add it to the internal list of `ProviderManager`:

```
<security:authentication-manager>
  <security:authentication-provider ref="myAuthenticationProvider" />
</security:authentication-manager>
<bean id="myAuthenticationProvider" class="com.something.MyAuthenticationProvider"/>
```

* **user-service-ref**A reference to a bean that implements UserDetailsService that may be created using the standard bean element or the custom user-service element.

### Child Elements of \<authentication-provider\>

* [jdbc-user-service](#nsa-jdbc-user-service)

* [ldap-user-service](ldap.html#nsa-ldap-user-service)

* [password-encoder](#nsa-password-encoder)

* [user-service](#nsa-user-service)

## \<jdbc-user-service\>

Causes creation of a JDBC-based UserDetailsService.

### \<jdbc-user-service\> Attributes

* **authorities-by-username-query**An SQL statement to query for a user’s granted authorities given a username.

The default is

```
select username, authority from authorities where username = ?
```

* **cache-ref**Defines a reference to a cache for use with a UserDetailsService.

* **data-source-ref**The bean ID of the DataSource which provides the required tables.

* **group-authorities-by-username-query**An SQL statement to query user’s group authorities given a username.
  The default is

  ```
  select
  g.id, g.group_name, ga.authority
  from
  groups g, group_members gm, group_authorities ga
  where
  gm.username = ? and g.id = ga.group_id and g.id = gm.group_id
  ```

* **id**A bean identifier, used for referring to the bean elsewhere in the context.

* **role-prefix**A non-empty string prefix that will be added to role strings loaded from persistent storage (default is "ROLE\_").
  Use the value "none" for no prefix in cases where the default is non-empty.

* **users-by-username-query**An SQL statement to query a username, password, and enabled status given a username.
  The default is

  ```
  select username, password, enabled from users where username = ?
  ```

## \<password-encoder\>

Authentication providers can optionally be configured to use a password encoder as described in the [Password Storage](../../../features/authentication/password-storage.html#authentication-password-storage).
This will result in the bean being injected with the appropriate `PasswordEncoder` instance.

### Parent Elements of \<password-encoder\>

* [authentication-provider](#nsa-authentication-provider)

* [password-compare](#nsa-password-compare)

### \<password-encoder\> Attributes

* **hash**Defines the hashing algorithm used on user passwords.
  We recommend strongly against using MD4, as it is a very weak hashing algorithm.

* **ref**Defines a reference to a Spring bean that implements `PasswordEncoder`.

## \<user-service\>

Creates an in-memory UserDetailsService from a properties file or a list of "user" child elements.
Usernames are converted to lower-case internally to allow for case-insensitive lookups, so this should not be used if case-sensitivity is required.

### \<user-service\> Attributes

* **id**A bean identifier, used for referring to the bean elsewhere in the context.

* **properties**The location of a Properties file where each line is in the format of

  ```
  username=password,grantedAuthority[,grantedAuthority][,enabled|disabled]
  ```

### Child Elements of \<user-service\>

* [user](#nsa-user)

## \<user\>

Represents a user in the application.

### Parent Elements of \<user\>

* [user-service](#nsa-user-service)

### \<user\> Attributes

* **authorities**One of more authorities granted to the user.
  Separate authorities with a comma (but no space).
  For example, "ROLE\_USER,ROLE\_ADMINISTRATOR"

* **disabled**Can be set to "true" to mark an account as disabled and unusable.

* **locked**Can be set to "true" to mark an account as locked and unusable.

* **name**The username assigned to the user.

* **password**The password assigned to the user.
  This may be hashed if the corresponding authentication provider supports hashing (remember to set the "hash" attribute of the "user-service" element).
  This attribute be omitted in the case where the data will not be used for authentication, but only for accessing authorities.
  If omitted, the namespace will generate a random value, preventing its accidental use for authentication.
  Cannot be empty.

[XML Namespace](index.html)[Web Security](http.html)