我在我的应用程序中使用 Spring MVC,并且登录由 spring security 进行身份验证。我的 UserServiceImpl.java 类中有以下两个方法, public UserDetails loadUserByUsername(String userName) 抛出 UsernameNotFoundException、DataAccessException {
ApplicationTO applicationTO = null;
try
{
applicationTO = applicationService.getApplicationTO(adminDomainName);
}
catch (ApplicationPropertyException e)
{
// TODO Auto-generated catch block
e.printStackTrace();
}
UserTO userTO = getUserTO(applicationTO.getApplicationId(), userName);
if (userTO == null)
{
throw new UsernameNotFoundException("user not found");
}
httpSession.setAttribute("userTO", userTO);
return buildUserFromUserEntity(userTO);
}
User buildUserFromUserEntity(UserTO userTO)
{
String username = userTO.getUsername();
String password = userTO.getPassword();
int userId = userTO.getUserId();
int applicationId = userTO.getApplicationId();
boolean enabled = userTO.isEnabled();
boolean accountNonExpired = true;
boolean credentialsNonExpired = true;
boolean accountNonLocked = true;
User user = new User(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, getAuthority(applicationId, userId));
return user;
}
我对 Spring 比较陌生,对 Spring Security 部分没有太多了解。在我的 spring-security.xml 文件中,我有以下内容,
<form-login login-page="/login" default-target-url="/module/user-home/welcome"
authentication-failure-url="/login?error" username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/login?logout" />
<beans:bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService"/>
</beans:bean>
<beans:bean id="authenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<beans:property name="providers">
<beans:list>
<beans:ref local="daoAuthenticationProvider" />
</beans:list>
</beans:property>
</beans:bean>
我的登录表单的操作设置如下:
<form id="loginForm" class="form-horizontal" role="form" name='loginForm' action="${rc.getContextPath()}/j_spring_security_check" method='POST'>
现在我试图获取用户在登录表单中输入的password的值,无论是在loadUserByUsername方法中还是通过添加一个新方法来获取UserServiceImpl.java 类。
在保存密码之前,我使用以下方法对其进行加密。 What API and algorithm to be used to encrypt and decrypt a password using java
因此在登录过程中,spring security 会将用户输入的密码与数据库中的加密密码进行比较,然后登录失败。但根据上面链接中建议的实现,有一种方法可以比较密码和加密密码以检查它们是否相同。只有当我能够访问用户输入的密码时,才有可能实现这一点。这就是我试图获取用户输入密码的原因。
最佳答案
如果需要,您可以创建自己的 AuthenticationProvider
public class CustomAuthenticationProvider implements AuthenticationProvider{
private UserDetailsService service;
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) authentication;
String username = token.getName();
String password = token.getCredentials(); // retrieve the password
// do something here
// if ok then return the authentication
return new UsernamePasswordAuthenticationToken(username, password, authorities);
}
}
并将其插入您的安全配置
<beans:bean id="customAuthenticationProvider"
class="com.xxx.CustomAuthenticationProvider">
<beans:property name="userDetailsService" ref="userDetailsService"/>
</beans:bean>
<beans:bean id="authenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<beans:property name="providers">
<beans:list>
<beans:ref local="customAuthenticationProvider" />
</beans:list>
</beans:property>
</beans:bean>
关于java - 如何在Spring Security认证登录中获取用户输入的用户名和密码值,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/34931606/