Java 身份验证失败:密码与存储值不匹配(请参阅更新2)
在我当前的spring项目中,我有以下安全配置:Java 身份验证失败:密码与存储值不匹配(请参阅更新2),java,spring,spring-mvc,spring-security,Java,Spring,Spring Mvc,Spring Security,在我当前的spring项目中,我有以下安全配置: @Configuration @ComponentScan(value="com.spring.loja") @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private UserDetailsService userDetailsService; @Autowired
@Configuration
@ComponentScan(value="com.spring.loja")
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private SocialUserDetailsService socialUserDetailsService;
@Autowired
private PasswordEncoder passwordEncoder;
@Override
public void configure(WebSecurity web) throws Exception {
DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
handler.setPermissionEvaluator(new CustomPermissionEvaluator());
web.expressionHandler(handler);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.disable()
.authorizeRequests()
.antMatchers("/resources/**", "/erro/**", "/categoria/**", "/produto/**", "/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/entrar").permitAll()
.loginProcessingUrl("/login").permitAll()
.usernameParameter("login")
.passwordParameter("senha")
.defaultSuccessUrl("/admin")
.failureUrl("/entrar?erro=login").permitAll()
.and()
.exceptionHandling()
.accessDeniedPage("/erro/403")
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/").permitAll()
.and()
.apply(new SpringSocialConfigurer());
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService)
.passwordEncoder(passwordEncoder);
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return super.authenticationManagerBean();
}
}
当我运行应用程序并尝试登录时,系统返回到登录页面,即使使用了正确的登录密码(我确信)
有人能看出这里出了什么问题吗
更新
我也试过这个,有同样的问题。在我看来,此配置无法访问我的userDetailsService类,应通过此类中的autowired属性检索该类:
@Configuration
@ComponentScan(value="com.spring.loja")
@EnableGlobalMethodSecurity(prePostEnabled=true)
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private SocialUserDetailsService socialUserDetailsService;
@Autowired
private PasswordEncoder passwordEncoder;
@Autowired
private AuthenticationManagerBuilder auth;
@Override
public void configure(WebSecurity web) throws Exception {
DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
handler.setPermissionEvaluator(new CustomPermissionEvaluator());
web.expressionHandler(handler);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf()
.disable()
.authorizeRequests()
.antMatchers("/resources/**", "/erro/**", "/categoria/**", "/produto/**", "/**").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/entrar").permitAll()
.loginProcessingUrl("/login").permitAll()
.usernameParameter("login")
.passwordParameter("senha")
.defaultSuccessUrl("/admin")
.failureUrl("/entrar?erro=login").permitAll()
.and()
.exceptionHandling()
.accessDeniedPage("/erro/403")
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/").permitAll()
.and()
.apply(new SpringSocialConfigurer());
}
@Autowired
protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService)
.passwordEncoder(passwordEncoder);
}
@Bean
@Override
public AuthenticationManager authenticationManagerBean() throws Exception {
return auth.getOrBuild();
}
}
更新2
配置log4j后,我发现错误是密码与存储值不匹配。问题是,我确保数据库中存储的密码编码为MD5,我的PasswordEncoder bean如下:
@Component
public class BCryptPasswordEncoder implements PasswordEncoder {
@Override
public String encode(CharSequence arg0) {
try {
return getMD5Hex((String) arg0);
} catch (NoSuchAlgorithmException e) {
return "NoSuchAlgorithmException";
}
}
@Override
public boolean matches(CharSequence arg0, String arg1) {
return arg0.equals(encode(arg1));
}
public static String getMD5Hex(final String inputString) throws NoSuchAlgorithmException {
MessageDigest md = MessageDigest.getInstance("MD5");
md.update(inputString.getBytes());
byte[] digest = md.digest();
return convertByteToHex(digest);
}
private static String convertByteToHex(byte[] byteData) {
StringBuilder sb = new StringBuilder();
for (int i = 0; i < byteData.length; i++) {
sb.append(Integer.toString((byteData[i] & 0xff) + 0x100, 16).substring(1));
}
return sb.toString();
}
}
@组件
公共类BCryptPasswordEncoder实现PasswordEncoder{
@凌驾
公共字符串编码(字符序列arg0){
试一试{
返回getMD5Hex((字符串)arg0);
}捕获(无算法异常){
返回“nosuchalgorithexception”;
}
}
@凌驾
公共布尔匹配(字符序列arg0,字符串arg1){
返回arg0.equals(encode(arg1));
}
公共静态字符串getMD5Hex(最终字符串inputString)引发NoSuchAlgorithmException{
MessageDigest md=MessageDigest.getInstance(“MD5”);
md.update(inputString.getBytes());
字节[]摘要=md.digest();
返回转换为tetohex(摘要);
}
专用静态字符串convertByteToHex(字节[]byteData){
StringBuilder sb=新的StringBuilder();
for(int i=0;i
我明确告诉你我想使用MD5。这里怎么了
注:我也注意到应用程序没有使用SEcurityConfig类(问题中的第二个列表)中定义的authenticationManager bean,org.springframework.security.crypto.password.PasswordEncoder匹配方法have signature
boolean matches(CharSequence rawPassword, String encodedPassword);
这意味着arg0是用户输入的密码,arg1是您保存在DB中的编码密码。
因此,实施应该是合理的
public boolean matches(CharSequence rawPassword, String encodedPassword) {
return encodedPassword.equals(encode(rawPassword));
}
您正在matches方法中再次编码编码的密码,因为您使用的参数序列不正确。
使用有意义的名称而不是arg0、arg1是一种很好的做法,以避免混淆。您可以为spring security提供调试日志吗?@coder您建议如何获取它们?目前您的应用程序中配置了日志记录?@coder否,我尝试过log4j一次,但无法将其设置为我的系统。@coder在配置log4j之后,我发现我的问题是密码与存储值不匹配。我的问题是,我确信存储的值是用MD5编码的。我只是更新了问题以包含我的密码编码器。你知道这里出了什么问题吗?