java - 自定义 DaoAuthenticationProvider 不检查密码

Question

我正在 Java EE 应用程序(Spring/Struts/Hibernate)中实现 spring Security。我的自定义 DaoAuthenticationProvider 有点问题。

@Override
public void configure(AuthenticationManagerBuilder pAuth) throws Exception {
    pAuth.authenticationProvider(mAuthenticationProvider)
            .userDetailsService(mUserDetailsService)
            .passwordEncoder(new Md5PasswordEncoder());
}

这是在我的 SecurityConfig(扩展 WebSecurityConfigurerAdapter)类中。 当我调试应用程序时，我可以看到在我的自定义 DaoAuthenticationProvider 中未设置密码编码器(PlainTextPasswordEncoder 而不是 Md5)，为什么？

之后我尝试在构造函数中手动设置这个值:

public LimitLoginAuthenticationProvider() {
    setPasswordEncoder(new Md5PasswordEncoder());
    setUserDetailsService(mUserDetailsService);
}

当我调试它时，我看到了正确的值。

但在这两种情况下，如果我这样做:

@Override
public Authentication authenticate(Authentication pAuthentication) {
    Authentication lAuth = super.authenticate(pAuthentication);
    return lAuth;
}

指示用户是否经过身份验证的 lAuth 属性为真，无论密码是什么... 有人知道答案吗？

---

编辑:LimitLoginAuthenticationProvider 实现

@Component("authenticationProvider")
public class LimitLoginAuthenticationProvider extends DaoAuthenticationProvider {
    @Autowired
    private IUserDao mUserDao;

    @Autowired
    @Qualifier("userDetailsService")
    UserDetailsService mUserDetailsService;

    public LimitLoginAuthenticationProvider() {
        setPasswordEncoder(new Md5PasswordEncoder());
    }

    @Autowired
    @Qualifier("userDetailsService")
    @Override
    public void setUserDetailsService(UserDetailsService userDetailsService) {
        super.setUserDetailsService(userDetailsService);
    }

    @Override
    public Authentication authenticate(Authentication pAuthentication) {
        Authentication lAuth = super.authenticate(pAuthentication);
        return lAuth;
    }

    @Override
    @Transactional(readOnly = true)
    protected void additionalAuthenticationChecks(UserDetails pUserDetails,
            UsernamePasswordAuthenticationToken pAuthentication)
            throws AuthenticationException {
        try {
            User lUser = mUserDao.findUserByLogin(pAuthentication.getName());
            if (lUser.getStatus() >= 3) {
                logger.debug("User account is locked");
                throw new LockedException(messages.getMessage(
                        "AbstractUserDetailsAuthenticationProvider.locked",
                        "User account is locked"));
            }
        } catch (DaoException e) {
        }
    }
}

Answer 1

好吧，我想我误解了 DaoAuthenticationProvider 的目标。 我想我必须自己检查密码:

PasswordEncoder lPasswordEncoder = getPasswordEncoder();
if (!lPasswordEncoder.isPasswordValid(lUser.getPassword(),
        pAuthentication.getCredentials().toString(), null)) {
    throw new BadCredentialsException("Wrong password for user "
            + lUser.getLogin());
}

(我错了吗？)