我正在 Java EE 应用程序(Spring/Struts/Hibernate)中实现 spring Security。我的自定义 DaoAuthenticationProvider
有点问题。
@Override
public void configure(AuthenticationManagerBuilder pAuth) throws Exception {
pAuth.authenticationProvider(mAuthenticationProvider)
.userDetailsService(mUserDetailsService)
.passwordEncoder(new Md5PasswordEncoder());
}
这是在我的 SecurityConfig
(扩展 WebSecurityConfigurerAdapter
)类中。
当我调试应用程序时,我可以看到在我的自定义 DaoAuthenticationProvider
中未设置密码编码器(PlainTextPasswordEncoder
而不是 Md5),为什么?
之后我尝试在构造函数中手动设置这个值:
public LimitLoginAuthenticationProvider() {
setPasswordEncoder(new Md5PasswordEncoder());
setUserDetailsService(mUserDetailsService);
}
当我调试它时,我看到了正确的值。
但在这两种情况下,如果我这样做:
@Override
public Authentication authenticate(Authentication pAuthentication) {
Authentication lAuth = super.authenticate(pAuthentication);
return lAuth;
}
指示用户是否经过身份验证的 lAuth
属性为真,无论密码是什么...
有人知道答案吗?
编辑:LimitLoginAuthenticationProvider
实现
@Component("authenticationProvider")
public class LimitLoginAuthenticationProvider extends DaoAuthenticationProvider {
@Autowired
private IUserDao mUserDao;
@Autowired
@Qualifier("userDetailsService")
UserDetailsService mUserDetailsService;
public LimitLoginAuthenticationProvider() {
setPasswordEncoder(new Md5PasswordEncoder());
}
@Autowired
@Qualifier("userDetailsService")
@Override
public void setUserDetailsService(UserDetailsService userDetailsService) {
super.setUserDetailsService(userDetailsService);
}
@Override
public Authentication authenticate(Authentication pAuthentication) {
Authentication lAuth = super.authenticate(pAuthentication);
return lAuth;
}
@Override
@Transactional(readOnly = true)
protected void additionalAuthenticationChecks(UserDetails pUserDetails,
UsernamePasswordAuthenticationToken pAuthentication)
throws AuthenticationException {
try {
User lUser = mUserDao.findUserByLogin(pAuthentication.getName());
if (lUser.getStatus() >= 3) {
logger.debug("User account is locked");
throw new LockedException(messages.getMessage(
"AbstractUserDetailsAuthenticationProvider.locked",
"User account is locked"));
}
} catch (DaoException e) {
}
}
}
最佳答案
好吧,我想我误解了 DaoAuthenticationProvider
的目标。
我想我必须自己检查密码:
PasswordEncoder lPasswordEncoder = getPasswordEncoder();
if (!lPasswordEncoder.isPasswordValid(lUser.getPassword(),
pAuthentication.getCredentials().toString(), null)) {
throw new BadCredentialsException("Wrong password for user "
+ lUser.getLogin());
}
(我错了吗?)
关于java - 自定义 DaoAuthenticationProvider 不检查密码,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/31265287/