spring - loadUserByUsername 未被调用

Question

我正在使用 spring security 3 当我输入错误的数据时，用户被重定向到登录失败链接 但是 spring security 不调用 loadUserByUsername 方法？ 那么身份验证是如何发生的并且 spring 知道凭据是错误的呢？ 或者我的配置有问题，请指导。

登录页面:

<form action="/myapp/j_spring_security_check">
                        <h:graphicImage id="graphicImage1" style="height: 322px; left: 0px; top: 0px; position: absolute" url="/resources/images/LoginImage.jpg" width="560"/>
                        <h:outputLabel for="j_username" id="outputLabel1" style="left: 48px; top: 120px; position: absolute" value="Username:"/>
                        <h:outputLabel for="j_password" id="outputLabel2" style="left: 48px; top: 168px; position: absolute" value="Password:"/>
                        <h:inputText binding="#{login.username}" id="j_username" required="true"
                            style="left: 142px; top: 118px; position: absolute; width: 237px" />
                        <h:inputSecret binding="#{login.password}" id="j_password" required="true" style="left: 142px; top: 166px; position: absolute; width: 237px"/>
                        <h:commandButton   id="loginBtn" style="left: 144px; top: 240px; position: absolute" value="Login"/>
                        <h:commandButton action="#{login.reset}" id="resetBtn" style="position: absolute; left: 360px; top: 240px" value="Reset"/>
                        <h:outputText id="errorMessage" style="left:0px;top:300px;position:absolute"/>
                        <h:message errorClass="errorMessage"  for="j_username" fatalClass="fatalMessage" id="messages1" infoClass="infoMessage" showSummary="false"
                            style="height: 43px; left: 24px; top: 288px; position: absolute; width: 523px;color:red;" warnClass="warnMessage"/>
                      </form>

安全.xml:

<beans:beans xmlns="http://www.springframework.org/schema/security"  
    xmlns:beans="http://www.springframework.org/schema/beans" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
          http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security-3.0.4.xsd">


        <global-method-security pre-post-annotations="enabled" />   

        <!--  key configuration here is an entry point to be used by security intercepts -->
        <http use-expressions="true"  auto-config="false">

        <session-management session-fixation-protection="none"/>

        <remember-me  token-validity-seconds="1209600"/>

        <!-- Exclude the login page from the security check -->
        <intercept-url pattern="/faces/login.xhtml" access="permitAll"/>

        <!-- All pages requires authentication (not anonymous user) -->
        <intercept-url pattern="/faces/**" access="isAuthenticated()" />

        <intercept-url pattern="/faces/javax.faces.resource/**" filters="none" />
        <intercept-url pattern="/faces/xmlhttp/**" filters="none" />
        <intercept-url pattern="/faces/resources/**" filters="none" />
        <intercept-url pattern="/faces/j_spring_security_check/**" filters="none" />
        <intercept-url pattern="/scripts/**" filters="none" />
        <intercept-url pattern="/images/**" filters="none" />
        <intercept-url pattern="/css/**" filters="none" />  

        <!-- Returns true if the user is not anonymous -->


        <access-denied-handler error-page="/error"/>

        <form-login default-target-url="/users"  
        always-use-default-target="true"            
            login-processing-url="/j_spring_security_check"         
            login-page="/faces/login.xhtml"
            authentication-failure-url="/faces/login.xhtml?login_error=1"                                                               
        />

        <logout logout-url="/logout" logout-success-url="/login" />     
    </http>

    <authentication-manager alias="authenticationManager">          
    <authentication-provider user-service-ref="userDetailsServiceImpl">
    </authentication-provider>
    </authentication-manager>


    </beans:beans>

3- UserDetailsS​​ervice:

@Service("userDetailsServiceImpl")
public class UserDetailsServiceImpl implements UserDetailsService {

    @Autowired
    private UserDao userDao;

    @Override
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {
        System.out.println("########## LOADING USER ##################");
        User user = userDao.findUserByEmail(username);
        return new org.springframework.security.core.userdetails.User(
                user.getEmail(), user.getPassword(), true, true, true, true,
                setUserAuthorities(user.getAuthorities()));
    }

    public Collection<GrantedAuthority> setUserAuthorities(List<Authority> auths) {

        List<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
        for (Authority auth : auths)
            grantedAuthorities.add(new GrantedAuthorityImpl(auth.getName()));
        return grantedAuthorities;
    }
}

Answer 1

You remember that I told that spring security adds a lot of filters ？其中一个过滤器负责检查是否将对 j_spring_security_check 的请求转发给身份验证管理器。

但你没有那个过滤器。

如果没有理由反对，则启用自动配置:

<http use-expressions="true"  auto-config="true">

并为/j_spring_security_check添加一个拦截器

<intercept-url pattern="/j_spring_security_check" access="permitAll"/>