Java 从Spring 3.0.x迁移到3.1.x时出现BadCredentialsException
我们已经从3.0.7 spring security迁移到3.1.2,我们的一个测试使用内存配置,但在错误的凭证上失败Java 从Spring 3.0.x迁移到3.1.x时出现BadCredentialsException,java,spring,spring-security,Java,Spring,Spring Security,我们已经从3.0.7 spring security迁移到3.1.2,我们的一个测试使用内存配置,但在错误的凭证上失败 <bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"> <property name="userDetailsService" ref="daoUserDeta
<bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="daoUserDetailsService" />
</bean>
<bean id="daoUserDetailsService" class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value>
Edward = koala, READ_ONLY
</value>
</property>
</bean>
<bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="daoUserDetailsService" />
</bean>
<bean id="daoUserDetailsService" class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value>
Edward = koala, READ_ONLY
</value>
</property>
</bean>
<bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="daoUserDetailsService" />
</bean>
<bean id="daoUserDetailsService" class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value>
Edward = koala, READ_ONLY
</value>
</property>
</bean>
您知道如何解决此问题,或者是否有一个修补程序挂起此问题吗?查看您的配置,这可能是一个空白解析问题,但通过在
DaoAuthenticationProvider中设置断点进行调试应该很容易。additionalAuthenticationChecks<bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="daoUserDetailsService" />
</bean>
<bean id="daoUserDetailsService" class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value>
Edward = koala, READ_ONLY
</value>
</property>
</bean>
<bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="daoUserDetailsService" />
</bean>
<bean id="daoUserDetailsService" class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value>
Edward = koala, READ_ONLY
</value>
</property>
</bean>
<security:user-service id="daoUserDetailsService">
<security:user name="Edward" password="koala" authorities="READ_ONLY" />
</security:user-service>
得到同样的结果。当然,您还必须访问应用程序上下文文件。以下答案基于Guy Korland的评论(2012年8月16日20:40),他在评论中进行了进一步调试:
<bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="daoUserDetailsService" />
</bean>
<bean id="daoUserDetailsService" class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value>
Edward = koala, READ_ONLY
</value>
</property>
</bean>
从Spring 3.1开始,擦除凭据的默认值从“false”更改为“true”,这就是为什么从缓存中取出密码时密码会被清空。它还解释了为什么您的测试用例在Spring3.1之前通过。从缓存中检索的类是UserDetails,一旦Spring验证了未加密的密码,它就不再使用它,所以它会将其作为安全措施删除。对于简单的测试场景,您可以将擦除凭据值重写为“false”,但如果您确实依赖于验证后未加密的值,那么可以考虑找到更安全的解决方案。谢谢,但似乎不是问题。按照建议进行调试时,我看到以下内容:AbstractUserDetailsAuthenticationProvider 126:UserDetails user=this.userCache.getUserFromCache(用户名);返回密码设置为null的UserDetails…是否使用命名空间进行了尝试?如果不是,那么听起来你可能看到了。你所说的“类似结果”是什么意思?正如Jira问题所解释的那样,如果您使用的是名称空间,您不应该看到空密码问题,因为当它返回
UserDetails<bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="daoUserDetailsService" />
</bean>
<bean id="daoUserDetailsService" class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
<property name="userMap">
<value>
Edward = koala, READ_ONLY
</value>
</property>
</bean>