Spring Security 4 @AuthenticationPrincipal 为空，core.annotation.AuthenticationPrincipal 但不是 web.bind.a

Posted 2023-02-27

【中文标题】Spring Security 4 @AuthenticationPrincipal 为空，core.annotation.AuthenticationPrincipal 但不是 web.bind.annotation.AuthenticationPrincipal

【英文标题】：Spring Security 4 @AuthenticationPrincipal empty with core.annotation.AuthenticationPrincipal but not web.bind.annotation.AuthenticationPrincipal

【发布时间】：2016-07-12 20:27:52

【问题描述】：

我刚刚从 Spring Security 3 升级到 4，我在控制器中的 @AuthenticationPrincipal 注释输入参数现在是空的。我设法通过使用已弃用的org.springframework.security.web.bind.annotation.AuthenticationPrincipal 来解决它，但是当使用org.springframework.security.core.annotation 包中的那个时，它是空的。

如果我这样做也可以：User activeUser = (User) ((Authentication) principal).getPrincipal();

我尽可能地遵循了迁移指南。

这是我的spring-security.xml：

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
    http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-4.0.xsd">

<!-- enable use-expressions -->
<http auto-config="false" use-expressions="true">
    <intercept-url pattern="/secure/admin**" access="hasAnyRole('ROLE_ADMIN', 'ROLE_SUPER_ADMIN')" />
    <intercept-url pattern="/secure/admin/**" access="hasAnyRole('ROLE_ADMIN', 'ROLE_SUPER_ADMIN')" />
    <intercept-url pattern="/secure/user**" access="isAuthenticated()" />
    <intercept-url pattern="/secure/user/**" access="isAuthenticated()" />
    <intercept-url pattern="/**" access="permitAll" />

    <form-login login-page="/login"
        authentication-success-handler-ref="redirectRoleStrategy"
        authentication-failure-url="/login?error"
        username-parameter="username"
        password-parameter="password"
        login-processing-url="/auth/login_check" />

    <logout logout-success-url="/login?logout" delete-cookies="JSESSIONID" />
    <csrf disabled="true" />
</http>

<beans:bean id='userDetailsService' class='com.myproject.security.UserDetailsServiceImpl' />

<beans:bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <beans:property name="userDetailsService" ref="userDetailsService"/>
</beans:bean>

<beans:bean id='authenticationManager' class='org.springframework.security.authentication.ProviderManager'>
    <beans:constructor-arg>
        <beans:list>
            <beans:ref bean='authenticationProvider' />
        </beans:list>
    </beans:constructor-arg>
</beans:bean>

<!-- Select users and user_roles from database -->
<authentication-manager>
    <authentication-provider user-service-ref='userDetailsService'>
        <password-encoder ref="encoder" />
    </authentication-provider>
</authentication-manager>

<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
    <beans:constructor-arg name="strength" value="10" />
</beans:bean>

<beans:bean id="redirectRoleStrategy" class="com.myproject.security.RoleBasedAuthenticationSuccessHandler">
    <beans:property name="roleUrlMap">
        <beans:map>
            <beans:entry key="ROLE_ADMIN" value="/secure/admin"/>
            <beans:entry key="ROLE_SUPER_ADMIN" value="/secure/admin"/>
        </beans:map>
    </beans:property>
</beans:bean>

【问题讨论】：

你的 Spring MVC 配置是什么样的？

***.com/questions/36219009/…的可能重复

【参考方案1】：

我刚刚想通了。它确实是Spring Security deprecated @AuthenticationPrincipal 的副本。不幸的是，从来没有找到那个帖子。

我变了

<mvc:annotation-driven>
    <mvc:argument-resolvers>
        <bean class="org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver" />
    </mvc:argument-resolvers>
</mvc:annotation-driven>

到

<mvc:annotation-driven>
    <mvc:argument-resolvers>
        <bean class="org.springframework.security.web.method.annotation.AuthenticationPrincipalArgumentResolver" />
    </mvc:argument-resolvers>
</mvc:annotation-driven>

在我的 applicationContext.xml 中。