Caching UserDetails
Spring Security 提供使用 <<`CachingUserDetailsService`,servlet-authentication-caching-user-details-service>> 缓存 UserDetails
的支持。或者,你可以使用 Spring 框架的 <<`@Cacheable`,servlet-authentication-caching-user-details-cacheable>> 注解。在任何情况下,你都需要 disable credential erasure 以便验证从缓存中检索到的密码。
CachingUserDetailsService
Spring Security 的 CachingUserDetailsService
会实现 UserDetailsService,以提供缓存 UserDetails
的支持。CachingUserDetailsService
通过委托到提供的 UserDetailsService
来为 UserDetails
提供缓存支持。然后将结果存储在 UserCache
中,以减少后续调用中的计算。
以下示例简单地定义了一个 @Bean
,该 @Bean
封装了 UserDetailsService
和一个用于缓存 UserDetails
的 UserCache
的具体实现:
CachingUserDetailsService
@Bean
-
Java
-
Kotlin
@Bean
public CachingUserDetailsService cachingUserDetailsService(UserCache userCache) {
UserDetailsService delegate = ...;
CachingUserDetailsService service = new CachingUserDetailsService(delegate);
service.setUserCache(userCache);
return service;
}
@Bean
fun cachingUserDetailsService(userCache: UserCache): CachingUserDetailsService {
val delegate: UserDetailsService = ...
val service = CachingUserDetailsService(delegate)
service.userCache = userCache
return service
}
@Cacheable
另一种方法是使用 Spring Framework 的{spring-framework-reference-url}integration.html#cache-annotations-cacheable[@Cacheable
] 在您的`UserDetailsService`实现中按`username`缓存`UserDetails`。这种方法的好处是配置更简单,尤其是当您已经在应用程序中的其他位置使用缓存时。
以下示例假定已配置缓存,并通过 @Cacheable
为 loadUserByUsername
提供注释:
UserDetailsService
annotated with @Cacheable
-
Java
-
Kotlin
@Service
public class MyCustomUserDetailsImplementation implements UserDetailsService {
@Override
@Cacheable
public UserDetails loadUserByUsername(String username) {
// some logic here to get the actual user details
return userDetails;
}
}
@Service
class MyCustomUserDetailsImplementation : UserDetailsService {
@Cacheable
override fun loadUserByUsername(username: String): UserDetails {
// some logic here to get the actual user details
return userDetails
}
}
Disable Credential Erasure
无论您使用 <<`CachingUserDetailsService`,servlet-authentication-caching-user-details-service>> 或 <<`@Cacheable`,servlet-authentication-caching-user-details-cacheable>>, 您都需要禁用 credential erasure,以便 UserDetails
包含将从缓存中检索时验证的 password
。以下示例通过配置 Spring Security 提供的 AuthenticationManagerBuilder
,禁用全局 AuthenticationManager
的证书删除:
AuthenticationManager
-
Java
-
Kotlin
@Configuration
@EnableWebSecurity
public class SecurityConfig {
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
// ...
return http.build();
}
@Bean
public UserDetailsService userDetailsService() {
// Return a UserDetailsService that caches users
// ...
}
@Autowired
public void configure(AuthenticationManagerBuilder builder) {
builder.eraseCredentials(false);
}
}
import org.springframework.security.config.annotation.web.invoke
@Configuration
@EnableWebSecurity
class SecurityConfig {
@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
// ...
return http.build()
}
@Bean
fun userDetailsService(): UserDetailsService {
// Return a UserDetailsService that caches users
// ...
}
@Autowired
fun configure(builder: AuthenticationManagerBuilder) {
builder.eraseCredentials(false)
}
}