java - Spring security - 具有多个身份验证提供者的记住我身份验证

标签 java spring authentication spring-security remember-me

我在我的 Web 应用程序中使用 Spring security 3.2.0。

我有两个安全角色:凭据存储在数据库中的用户和凭据存储在配置文件中的管理员。

在我打开记住我身份验证之前它工作正常。这是我的 security.xml 配置:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
   http://www.springframework.org/schema/security
   http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <security:global-method-security secured-annotations="enabled"/>

    <security:http auto-config="true">
        <security:remember-me key="myAppKey" user-service-ref="adminSrv"/>
        <security:remember-me key="myAppKey" user-service-ref="jdbcUserSrv"/>
        <security:form-login login-page="/login" default-target-url="/"
            authentication-failure-url="/loginfailed" />
        <security:logout logout-success-url="/logout"/>
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="dataSource" id="jdbcUserSrv"
                                        users-by-username-query="/* SQL query */"
                                        authorities-by-username-query="/* Another SQL query */"
                    />
        </security:authentication-provider>
        <security:authentication-provider>
            <security:user-service id="adminSrv">
                <security:user name="admin" authorities="ROLE_ADMIN" password="passwd"/>

            </security:user-service>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>

当我以管理员身份登录时一切正常。

当我尝试以用户身份登录时,它会在 j_spring_security_check 上抛出异常:

HTTP ERROR 500

Problem accessing /mercury/j_spring_security_check. Reason:

    user1
Caused by:

org.springframework.security.core.userdetails.UsernameNotFoundException: user1
    at org.springframework.security.provisioning.InMemoryUserDetailsManager.loadUserByUsername(InMemoryUserDetailsManager.java:113)
    at org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices.onLoginSuccess(TokenBasedRememberMeServices.java:178)
    at org.springframework.security.web.authentication.rememberme.AbstractRememberMeServices.loginSuccess(AbstractRememberMeServices.java:262)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.successfulAuthentication(AbstractAuthenticationProcessingFilter.java:324)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.successfulAuthentication(AbstractAuthenticationProcessingFilter.java:298)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:235)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
    at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
    at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.Server.handle(Server.java:326)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
    at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:943)
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:756)
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
    at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:410)
    at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)

但是,如果它已成功通过身份验证,并且如果我打开我的应用程序索引页面,它会显示为“user1”登录。

如果 jdbcUserSrv 的 remember-me 配置在 adminSrv 的配置之前进行,则“admin”用户会出现错误。

当前配置在没有 remember-me 选项的情况下工作正常,但我需要启用它们。

请告诉我如何避免这些错误。

最佳答案

拥有两个记住我的元素只是相互覆盖。拥有多个 UserDetailsS​​ervice 实例也会给您带来麻烦。例如,我假设您可能拥有与您的用户相关联的数据。如果在内存和jdbc UserDetailsS​​ervice实例中都存在一个名为admin的用户,那怎么知道数据属于哪个admin用户呢?因此,最好使用单个 UserDetailsS​​ervice。

或者,您可以创建一个委托(delegate)给多个 UserDetailsS​​ervice 实例的 UserDetailsS​​ervice。例如:

public class DelegatingUserDetailsService implements UserDetailsService {
    private final List<UserDetailsService> userDetailsServices;

    public DelegatingUserDetailsService(
            List<UserDetailsService> userDetailsServices) {
        this.userDetailsServices = userDetailsServices;
    }

    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException {
        RuntimeException last = null;
        for(UserDetailsService uds : userDetailsServices) {
            try {
                return uds.loadUserByUsername(username);
            } catch(RuntimeException error) {
                last = error;
            }
        }
        throw last;
    }
}

然后你可以让 remember-me 改用它:

<bean id="delegateUds" class="DelegatingUserDetailsService">
     <constructor-arg>
         <list>
             <ref bean="jdbcUserSrv"/>
             <ref bean="adminSrv"/>
         </list>
     </constructor-arg>
</bean>
<security:http auto-config="true">
    <security:remember-me key="myAppKey" user-service-ref="delegateUds"/>
    <security:form-login login-page="/login" default-target-url="/"
        authentication-failure-url="/loginfailed" />
    <security:logout logout-success-url="/logout"/>
</security:http>

关于java - Spring security - 具有多个身份验证提供者的记住我身份验证,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/22167784/

上一篇:java - 摆脱 Collections.unmodifyingList() 产生的警告

下一篇:java - 在 java 中创建 Base64 字符串时内存不足?

相关文章:

java - 使用 Java 从 MySQL 获取随机字符串

java - 从 XML 文件获取信息

spring - 调用init方法失败;嵌套异常是 java.lang.IllegalStateException : No query specified on getOne

database - 在 Hibernate 中将字符串数组添加到数据库

angularjs - 身份验证后不会调用卫星器

java - JPA:命名查询中的错误

java - log4j 和夏令时

java - Ehcache 与 Spring + Jersey

authentication - 无法使用 OAuth 2 查询 Google Analytics 报告 API

javascript - Passport-js 如何创建自定义策略

©2024 IT工具网  联系我们