Java Spring Security 5身份验证失败
我正在尝试使用SpringSecurity5进行身份验证Java Spring Security 5身份验证失败,java,spring-boot,spring-security,Java,Spring Boot,Spring Security,我正在尝试使用SpringSecurity5进行身份验证 @Configuration @ComponentScan(basePackages = { "com.lashes.studio.security" }) @EnableWebSecurity public class CustomSecurityService extends WebSecurityConfigurerAdapter { @Autowired private AuthenticationSuccess
@Configuration
@ComponentScan(basePackages = { "com.lashes.studio.security" })
@EnableWebSecurity
public class CustomSecurityService extends WebSecurityConfigurerAdapter {
@Autowired
private AuthenticationSuccessHandler myAuthenticationSuccessHandler;
@Autowired
private AuthenticationFailureHandler authenticationFailureHandler;
@Autowired
private LogoutSuccessHandler myLogoutSuccessHandler;
@Autowired
private MyUserDetailsService userDetailsService;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService).passwordEncoder(SecurityUtils.passwordEncoder());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/", "/mail.js/**", "/font-awesome/**", "/css/**", "/js/**", "/img/**", "/fonts/**",
"/login*", "/login*", "/logout*", "/signin/**", "/signup/**", "/customLogin",
"/user/registration*", "/registrationConfirm*", "/expiredAccount*", "/registration*",
"/badUser*", "/user/resendRegistrationToken*", "/forgetPassword*", "/user/resetPassword*",
"/user/changePassword*", "/adminlogin/**", "/eauthenticationmanagerbuildermailError*",
"/admin/**", "/admin/js/**", "/resources/**", "/old/user/registration*", "/successRegister*")
.permitAll()
.antMatchers("/invalidSession").anonymous()
.antMatchers("/user/updatePassword*", "/user/savePassword*", "/updatePassword*")
.hasAuthority("CHANGE_PASSWORD_PRIVILEGE").and().formLogin().loginPage("/login")
.defaultSuccessUrl("/admin/homepage.html").failureUrl("/login?error=true")
//.successHandler(myAuthenticationSuccessHandler).failureHandler(authenticationFailureHandler).permitAll()
.and().sessionManagement().invalidSessionUrl("/invalidSession.html").maximumSessions(1)
.sessionRegistry(sessionRegistry()).and().sessionFixation().none().and().logout()
.logoutSuccessHandler(myLogoutSuccessHandler).invalidateHttpSession(false)
.logoutSuccessUrl("/logout.html?logSucc=true").deleteCookies("JSESSIONID").permitAll().and()
.rememberMe().rememberMeServices(rememberMeServices()).key("theKey");
}
@Bean
public SessionRegistry sessionRegistry() {
return new SessionRegistryImpl();
}
@Bean
public RememberMeServices rememberMeServices() {
CustomRememberMeServices rememberMeServices = new
CustomRememberMeServices("theKey", userDetailsService,
new InMemoryTokenRepositoryImpl());
return rememberMeServices;
}
}
我的userdetails服务是
@Service("userDetailsService")
@Transactional
public class MyUserDetailsService implements UserDetailsService {
@Autowired
private UserRepository userRepository;
@Autowired
private LoginAttemptService loginAttemptService;
@Autowired
private HttpServletRequest request;
public MyUserDetailsService() {
super();
}
// API
@Override
public UserDetails loadUserByUsername(final String email) throws UsernameNotFoundException {
final String ip = getClientIP();
if (loginAttemptService.isBlocked(ip)) {
throw new RuntimeException("blocked");
}
try {
final User user = userRepository.findByEmail(email);
if (user == null) {
throw new UsernameNotFoundException("No user found with username: " + email);
}
org.springframework.security.core.userdetails.User u = new org.springframework.security.core.userdetails.User(user.getEmail(), user.getPassword(), user.isEnabled(), true, true, true, getAuthorities(user.getRoles()));
return u;
} catch (final Exception e) {
throw new RuntimeException(e);
}
}
// UTIL
private final Collection<? extends GrantedAuthority> getAuthorities(final Collection<Role> roles) {
return getGrantedAuthorities(getPrivileges(roles));
}
private final List<String> getPrivileges(final Collection<Role> roles) {
final List<String> privileges = new ArrayList<String>();
final List<Privilege> collection = new ArrayList<Privilege>();
for (final Role role : roles) {
collection.addAll(role.getPrivileges());
}
for (final Privilege item : collection) {
privileges.add(item.getName());
}
return privileges;
}
private final List<GrantedAuthority> getGrantedAuthorities(final List<String> privileges) {
final List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
for (final String privilege : privileges) {
authorities.add(new SimpleGrantedAuthority(privilege));
}
return authorities;
}
private final String getClientIP() {
final String xfHeader = request.getHeader("X-Forwarded-For");
if (xfHeader == null) {
return request.getRemoteAddr();
}
return xfHeader.split(",")[0];
}
}
编辑::添加
public class SecurityUtils {
@Bean
public static PasswordEncoder passwordEncoder() {
return PasswordEncoderFactories.createDelegatingPasswordEncoder();
// return new BCryptPasswordEncoder();
}
}
我不太清楚认证过程。请阅读有关身份验证流的简要说明。
除此之外,我猜我的密码编码器可能有问题。因此,我不确定是否使用了正确的编码器
在哪里检查输入字段中的密码和数据库中的编码密码 在您的登录页面中,我没有看到
csrf令牌
字段。我在您的安全配置中没有看到http.csrf().disable()
,因此我怀疑Spring security会因为缺少令牌而拒绝登录帖子
例如,JSP可以有标记
<input type="hidden"
name="${_csrf.parameterName}"
value="${_csrf.token}"/>
/admin/**
和许可证
-这是一个有趣的选择。目前这不是一个问题。请阅读有关身份验证流程的简要说明-呃,您是否希望有人能为您撰写这篇文章?我建议您阅读一篇教程,Spring提供了非常全面的文档,您不需要编写它。仅仅帮助发现问题已经是一个很大的帮助。
public class SecurityUtils {
@Bean
public static PasswordEncoder passwordEncoder() {
return PasswordEncoderFactories.createDelegatingPasswordEncoder();
// return new BCryptPasswordEncoder();
}
}
<input type="hidden"
name="${_csrf.parameterName}"
value="${_csrf.token}"/>