Java Spring身份验证,如何为坏凭证定制responeText
Mu身份验证服务是Java Spring身份验证,如何为坏凭证定制responeText,java,spring,authentication,Java,Spring,Authentication,Mu身份验证服务是 @Service public class UserDetailsServiceImpl implements UserDetailsService { @Autowired UserRepository userRepository; @Override public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException, ResourceNot
@Service
public class UserDetailsServiceImpl implements UserDetailsService {
@Autowired
UserRepository userRepository;
@Override
public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException, ResourceNotFoundException {
Optional<User> optionalUser = userRepository.findByUsername(s);
if (optionalUser.isPresent()) {
User user = optionalUser.get();
if (!user.isActive()) {
throw new UsernameNotFoundException("User is not active.");
}
List<SimpleGrantedAuthority> grantedAuthorities = new ArrayList<>();
grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_USER"));
if (user.isKeyUser()) grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_KEYUSER"));
if (user.isAdmin()) grantedAuthorities.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
UserDetails userDetails = new org.springframework.security.core.userdetails.User(user.getUsername(), user.getPassword(), grantedAuthorities);
return userDetails;
}
else {
throw new UsernameNotFoundException("User not found");
}
}
}
如何实现这个结果?您可以覆盖spring security core.jar的message属性。为此, 创建消息属性文件并添加此属性的密钥和值对 AbstractUserDetailsAuthenticationProvider.badCredentials=无效的用户名或密码 及 然后 只需将以下代码添加到xml配置中
<bean id="messageSource"
class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basenames">
<list>
<value>mymessages</value>
</list>
</property>
</bean>
我的信息
如本文所示,您必须配置MessageSourcebean。这个bean可以配置为提供您喜欢的消息。常用的方法是使用包含消息的属性文件
@Bean
public MessageSource messageSource() {
ReloadableResourceBundleMessageSource messageSource = new ReloadableResourceBundleMessageSource();
messageSource.addBasenames("classpath:org/springframework/security/messages");
return messageSource;
}
请跟随博文深入了解主题只是一个意见:您应该返回“错误的凭据”或更好的“用户和密码的错误组合”。不要公开用户未找到或未激活的信息。您可以将其用于日志记录,但是最终用户应该不知道他是否为现有用户尝试组合。。。
@Bean
public MessageSource messageSource() {
ReloadableResourceBundleMessageSource messageSource = new ReloadableResourceBundleMessageSource();
messageSource.addBasenames("classpath:org/springframework/security/messages");
return messageSource;
}