
Spring Security 5 authentication fails

  •  -1
  • sagar limbu  · Tech Community  · 6 years ago

    I am trying to authenticate with Spring Security 5.

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.ComponentScan;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.session.SessionRegistry;
    import org.springframework.security.core.session.SessionRegistryImpl;
    import org.springframework.security.web.authentication.AuthenticationFailureHandler;
    import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
    import org.springframework.security.web.authentication.RememberMeServices;
    import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
    import org.springframework.security.web.authentication.rememberme.InMemoryTokenRepositoryImpl;

    @Configuration
    @ComponentScan(basePackages = { "com.lashes.studio.security" })
    @EnableWebSecurity
    public class CustomSecurityService extends WebSecurityConfigurerAdapter {

        @Autowired
        private AuthenticationSuccessHandler myAuthenticationSuccessHandler;

        @Autowired
        private AuthenticationFailureHandler authenticationFailureHandler;

        @Autowired
        private LogoutSuccessHandler myLogoutSuccessHandler;

        @Autowired
        private MyUserDetailsService userDetailsService;

        // Registers the DaoAuthenticationProvider used by form login: it calls
        // userDetailsService.loadUserByUsername(username) and then
        // passwordEncoder.matches(submittedPassword, userDetails.getPassword()).
        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService).passwordEncoder(SecurityUtils.passwordEncoder());
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    // Public paths. Note that "/admin/**" is in this list, so the whole admin
                    // area is reachable without logging in; it should normally require a role.
                    .antMatchers("/", "/mail.js/**", "/font-awesome/**", "/css/**", "/js/**", "/img/**", "/fonts/**",
                            "/login*", "/logout*", "/signin/**", "/signup/**", "/customLogin",
                            "/user/registration*", "/registrationConfirm*", "/expiredAccount*", "/registration*",
                            "/badUser*", "/user/resendRegistrationToken*", "/forgetPassword*", "/user/resetPassword*",
                            "/user/changePassword*", "/adminlogin/**", "/emailError*",
                            "/admin/**", "/admin/js/**", "/resources/**", "/old/user/registration*", "/successRegister*")
                    .permitAll()
                    .antMatchers("/invalidSession").anonymous()
                    .antMatchers("/user/updatePassword*", "/user/savePassword*", "/updatePassword*")
                    .hasAuthority("CHANGE_PASSWORD_PRIVILEGE")
                    // Without a catch-all rule, every URL not matched above is left unprotected.
                    .anyRequest().authenticated()
                .and()
                    .formLogin()
                    .loginPage("/login")
                    .defaultSuccessUrl("/admin/homepage.html")
                    // failureUrl() redirects on every AuthenticationException regardless of its cause;
                    // the commented-out custom handlers are where the real exception could be logged.
                    .failureUrl("/login?error=true")
                    //.successHandler(myAuthenticationSuccessHandler).failureHandler(authenticationFailureHandler).permitAll()
                .and()
                    .sessionManagement()
                    .invalidSessionUrl("/invalidSession.html")
                    .maximumSessions(1).sessionRegistry(sessionRegistry())
                .and()
                    // none() keeps the pre-login session id after authentication, which switches off
                    // Spring Security's session-fixation protection; the default (migrateSession) is safer.
                    .sessionFixation().none()
                .and()
                    .logout()
                    .logoutSuccessHandler(myLogoutSuccessHandler)
                    // The server-side session survives logout; only the cookie is deleted.
                    .invalidateHttpSession(false)
                    .logoutSuccessUrl("/logout.html?logSucc=true")
                    .deleteCookies("JSESSIONID")
                    .permitAll()
                .and()
                    // The remember-me key signs the cookie. A literal in source is not a secret,
                    // and it must equal the key passed to CustomRememberMeServices below.
                    .rememberMe().rememberMeServices(rememberMeServices()).key("theKey");
        }

        @Bean
        public SessionRegistry sessionRegistry() {
            return new SessionRegistryImpl();
        }

        @Bean
        public RememberMeServices rememberMeServices() {
            // InMemoryTokenRepositoryImpl forgets all remember-me tokens on restart.
            CustomRememberMeServices rememberMeServices = new CustomRememberMeServices("theKey", userDetailsService,
                    new InMemoryTokenRepositoryImpl());
            return rememberMeServices;
        }
    }
    

    My user details service is

    import java.util.ArrayList;
    import java.util.Collection;
    import java.util.List;

    import javax.servlet.http.HttpServletRequest;

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.stereotype.Service;
    import org.springframework.transaction.annotation.Transactional;

    @Service("userDetailsService")
    @Transactional
    public class MyUserDetailsService implements UserDetailsService {

        @Autowired
        private UserRepository userRepository;

        @Autowired
        private LoginAttemptService loginAttemptService;

        @Autowired
        private HttpServletRequest request;

        public MyUserDetailsService() {
            super();
        }

        // API

        @Override
        public UserDetails loadUserByUsername(final String email) throws UsernameNotFoundException {
            final String ip = getClientIP();
            if (loginAttemptService.isBlocked(ip)) {
                // Not an AuthenticationException, so DaoAuthenticationProvider wraps it in
                // InternalAuthenticationServiceException; the form still ends up on failureUrl.
                throw new RuntimeException("blocked");
            }

            final User user = userRepository.findByEmail(email);
            if (user == null) {
                // Let this propagate unchanged: DaoAuthenticationProvider turns it into
                // BadCredentialsException (hideUserNotFoundExceptions). Wrapping it in a
                // RuntimeException would make it an InternalAuthenticationServiceException
                // and hide the real reason for the failure.
                throw new UsernameNotFoundException("No user found with username: " + email);
            }

            // The stored hash is handed to Spring Security verbatim; the comparison with the
            // submitted password is done by PasswordEncoder.matches(), not here.
            return new org.springframework.security.core.userdetails.User(user.getEmail(), user.getPassword(),
                    user.isEnabled(), true, true, true, getAuthorities(user.getRoles()));
        }

        // UTIL

        private final Collection<? extends GrantedAuthority> getAuthorities(final Collection<Role> roles) {
            return getGrantedAuthorities(getPrivileges(roles));
        }

        // Flattens the user's roles into the names of the privileges they grant.
        private final List<String> getPrivileges(final Collection<Role> roles) {
            final List<String> privileges = new ArrayList<String>();
            final List<Privilege> collection = new ArrayList<Privilege>();
            for (final Role role : roles) {
                collection.addAll(role.getPrivileges());
            }
            for (final Privilege item : collection) {
                privileges.add(item.getName());
            }

            return privileges;
        }

        // Each privilege name becomes a GrantedAuthority, e.g. "CHANGE_PASSWORD_PRIVILEGE"
        // as checked by hasAuthority() in the security config.
        private final List<GrantedAuthority> getGrantedAuthorities(final List<String> privileges) {
            final List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
            for (final String privilege : privileges) {
                authorities.add(new SimpleGrantedAuthority(privilege));
            }
            return authorities;
        }

        // X-Forwarded-For is supplied by the client unless a trusted reverse proxy overwrites it.
        // Taken at face value, as here, it lets an attacker choose which address gets blocked:
        // either to sidestep the lockout or to lock out somebody else's address.
        private final String getClientIP() {
            final String xfHeader = request.getHeader("X-Forwarded-For");
            if (xfHeader == null) {
                return request.getRemoteAddr();
            }
            return xfHeader.split(",")[0];
        }

    }
    

    My login form is

    <form class="login100-form validate-form" th:action="@{/login}" method="post">
                        <span class="login100-form-title p-b-26">
                            Welcome
                        </span>
                        <span class="login100-form-title p-b-48">
                            <i class="zmdi zmdi-font"></i>
                        </span>
    
                        <div class="wrap-input100 validate-input" data-validate = "Valid email is: a@b.c">
                            <input class="input100" type="text" name="username">
                            <span class="focus-input100" data-placeholder="Email"></span>
                        </div>
    
                        <div class="wrap-input100 validate-input" data-validate="Enter password">
                            <span class="btn-show-pass">
                                <i class="zmdi zmdi-eye"></i>
                            </span>
                            <input class="input100" type="password" name="password">
                            <span class="focus-input100" data-placeholder="Password"></span>
                        </div>
    
                        <div class="container-login100-form-btn">
                            <div class="wrap-login100-form-btn">
                                <div class="login100-form-bgbtn"></div>
                                <button class="login100-form-btn" type="submit">
                                    Login
                                </button>
                            </div>
                        </div>
                    </form>
    

    So whenever I try to log in by clicking the Login button, I am always redirected to the failure page, i.e.

    http://localhost:8080/login?error=true
    

    Edit:

    import org.springframework.context.annotation.Bean;
    import org.springframework.security.crypto.factory.PasswordEncoderFactories;
    import org.springframework.security.crypto.password.PasswordEncoder;

    public class SecurityUtils {

        // @Bean has no effect here: SecurityUtils is not a @Configuration class and the
        // security config calls this static method directly.
        @Bean
        public static PasswordEncoder passwordEncoder() {
            // The delegating encoder writes hashes as "{bcrypt}$2a$..." and reads the algorithm
            // from the "{id}" prefix when verifying. A hash stored by the plain BCryptPasswordEncoder
            // below ("$2a$..." with no prefix) has no id, so matches() throws
            // IllegalArgumentException: There is no PasswordEncoder mapped for the id "null",
            // which DaoAuthenticationProvider reports as a failed login (/login?error=true).
            return PasswordEncoderFactories.createDelegatingPasswordEncoder();
            // return new BCryptPasswordEncoder();
        }

    }
    

    I am not very sure about the authentication process. A brief explanation of the authentication flow would be good to read. Apart from that, I guess my password encoder may be the problem, so I am not sure whether I am using the right encoder.

    Where is the password from the input field checked against the encoded password in the database?
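The two things the question asks about, as an added example that is not part of the original post or of Spring Security's own sources: for form login, UsernamePasswordAuthenticationFilter reads `username` and `password` from the POST, hands them to the ProviderManager, and DaoAuthenticationProvider calls `loadUserByUsername()` and then `PasswordEncoder.matches(submittedPassword, userDetails.getPassword())` in `additionalAuthenticationChecks()`; any AuthenticationException ends in the failure handler (here `failureUrl("/login?error=true")`). The demo reproduces that `matches()` call with the encoder returned by `SecurityUtils.passwordEncoder()`, shows why a hash stored without the `{bcrypt}` prefix makes it throw rather than return false, and shows two ways to make such hashes verify. It also includes a failure handler that logs the real exception type before redirecting. The class names `DelegatingEncoderDemo` and `LoggingAuthenticationFailureHandler` and the sample password are assumptions of this example; the Spring classes, methods and error message are real.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;

// Added example (not from the question or from Spring Security).
public class DelegatingEncoderDemo {

    // The same comparison DaoAuthenticationProvider.additionalAuthenticationChecks() performs:
    // the raw password from the form against UserDetails.getPassword() as loaded from the DB.
    static boolean checkLikeDaoProvider(PasswordEncoder encoder, String presented, String stored) {
        return encoder.matches(presented, stored);
    }

    public static void main(String[] args) {
        PasswordEncoder delegating = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        PasswordEncoder plainBcrypt = new BCryptPasswordEncoder();
        String raw = "correct horse battery staple"; // constructed sample password

        // 1. A hash written by the delegating encoder carries the "{bcrypt}" id prefix,
        //    so the same encoder knows how to verify it.
        String prefixed = delegating.encode(raw);
        System.out.println("stored as: " + prefixed);
        System.out.println("prefixed hash verifies: " + checkLikeDaoProvider(delegating, raw, prefixed));

        // 2. A hash written by new BCryptPasswordEncoder() (the encoder commented out in
        //    SecurityUtils) has no prefix. The delegating encoder cannot tell which algorithm
        //    produced it and throws instead of returning false.
        String legacy = plainBcrypt.encode(raw);
        try {
            checkLikeDaoProvider(delegating, raw, legacy);
        } catch (IllegalArgumentException e) {
            // Message: There is no PasswordEncoder mapped for the id "null"
            // Inside DaoAuthenticationProvider this surfaces as InternalAuthenticationServiceException,
            // which form login reports as a failed login, i.e. the redirect to /login?error=true.
            System.out.println("unprefixed hash: matches() threw " + e.getMessage());
        }

        // 3a. Fix without touching the database: tell the encoder how to read unprefixed hashes.
        DelegatingPasswordEncoder tolerant =
                (DelegatingPasswordEncoder) PasswordEncoderFactories.createDelegatingPasswordEncoder();
        tolerant.setDefaultPasswordEncoderForMatches(plainBcrypt);
        System.out.println("legacy hash with default-for-matches: "
                + checkLikeDaoProvider(tolerant, raw, legacy));

        // 3b. Or migrate the stored rows once by prepending "{bcrypt}" to every existing hash.
        System.out.println("legacy hash after prefixing: "
                + checkLikeDaoProvider(delegating, raw, "{bcrypt}" + legacy));
    }

    // Hypothetical failure handler: logs the concrete exception and its root cause before
    // redirecting, so that BadCredentialsException (wrong password or unknown user) can be told
    // apart from InternalAuthenticationServiceException (encoder or UserDetailsService blew up).
    public static class LoggingAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
        public LoggingAuthenticationFailureHandler() {
            super("/login?error=true");
        }

        @Override
        public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response,
                                            AuthenticationException exception) throws IOException, ServletException {
            Throwable root = exception;
            while (root.getCause() != null) {
                root = root.getCause();
            }
            System.err.println("login failed: " + exception.getClass().getSimpleName()
                    + ", root cause: " + root);
            super.onAuthenticationFailure(request, response, exception);
        }
    }
}
```

To see which case applies in the posted configuration, replace `.failureUrl("/login?error=true")` with `.failureHandler(new DelegatingEncoderDemo.LoggingAuthenticationFailureHandler())` (or set `logging.level.org.springframework.security=DEBUG`) and log in once: a root cause of `IllegalArgumentException: There is no PasswordEncoder mapped for the id "null"` means the stored hashes lack the `{bcrypt}` prefix; a plain `BadCredentialsException` means the user was not found or the hash simply does not match.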

    1 answer  |  last activity 6 years ago
        1
  •  0
  •   Filip Hanik VMware    6 years ago

    I don't see a csrf token field on your login page, and I don't see http.csrf().disable() in your security configuration either, so I suspect Spring Security is rejecting the login POST because the token is missing.

    For example, a JSP can have

    <input type="hidden"
           name="${_csrf.parameterName}"
           value="${_csrf.token}"/>
    

    https://docs.spring.io/spring-security/site/docs/4.2.x/reference/html/csrf.html