I had successfully integrated Spring Security 3.0 into a web application and it was running fine. Now I am upgrading Spring Security 3.0 to 3.1 and I am having a problem with CustomAuthenticationManager: whenever I try to log in, CustomAuthenticationManager is invoked twice. So the first time the user is successfully authenticated and a usernamePasswordAuthenticationToken is returned, but this class is invoked again; at that point the principal returns the correct value but the credentials return null, so the user gets an authentication failure and is redirected to the login page again. That is why I cannot log in.
CustomAuthenticationManger:
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.authentication.AuthenticationProvider;
    import org.springframework.security.authentication.BadCredentialsException;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.AuthenticationException;

    public class CustomAuthenticationProvider implements AuthenticationProvider {

        @Autowired
        private ILoginService loginService;

        public Authentication authenticate(Authentication authentication)
                throws AuthenticationException {
            // Two-argument constructor: the new token starts out with authenticated == false
            UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken =
                    new UsernamePasswordAuthenticationToken(
                            authentication.getPrincipal(), authentication.getCredentials());
            if (loginService.authenticateUser((String) authentication.getPrincipal())) {
                if (loginService.validateUserIdAndPass((String) authentication.getPrincipal(),
                        (String) authentication.getCredentials())) {
                    usernamePasswordAuthenticationToken.setAuthenticated(false);
                } else {
                    throw new BadCredentialsException("Username/Password does not match");
                }
            } else {
                throw new BadCredentialsException("Username/Password does not match");
            }
            return usernamePasswordAuthenticationToken;
        }

        public boolean supports(Class<?> authentication) {
            return authentication.equals(UsernamePasswordAuthenticationToken.class);
        }
    }
My ApplicationContextSecurity.xml:
    <global-method-security pre-post-annotations="enabled">
    </global-method-security>

    <beans:bean id="myAccessDecisionManager"
        class="com.app.common.security.repository.MyAccessDecisionManager">
    </beans:bean>

    <http auto-config="true" once-per-request="true"
        access-decision-manager-ref="myAccessDecisionManager"
        access-denied-page="/jsp/errorPage.jsp">
        <intercept-url pattern="/*.app" access="ROLE_ANONYMOUS"/>
        <form-login login-page="/login.app"
            login-processing-url="/j_spring_security_check"
            default-target-url="/login/validate.app"
            authentication-failure-url="/login.app?login_error=1" />
        <logout logout-url="/j_spring_security_logout"
            logout-success-url="/login.app" invalidate-session="true" />
        <session-management invalid-session-url="/login.app"
            session-fixation-protection="newSession">
            <concurrency-control max-sessions="100"
                error-if-maximum-exceeded="false" />
        </session-management>
    </http>

    <authentication-manager>
        <authentication-provider ref="customAuthenticationProvider"></authentication-provider>
    </authentication-manager>

    <beans:bean id="customAuthenticationProvider"
        class="com.app.common.security.repository.CustomAuthenticationProvider">
    </beans:bean>
Please tell me where I am going wrong.

1 Answer
Since Spring 3.0.3 (and later), the default AuthenticationManager, ProviderManager, erases the credentials after an authentication attempt (SEC-1493). You must have been on an older version (before Spring Security 3.0.3). Your CustomAuthenticationProvider is also flawed, because you should set the authentication to authenticated (true) after a successful authentication; otherwise the AbstractSecurityInterceptor further down the chain will re-attempt authentication.

Links:
SEC-1493
ProviderManager source
AbstractSecurityInterceptor javadoc
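A corrected provider along the lines the answer describes, as an added example (not the asker's or answerer's code). It assumes the asker's ILoginService with the two methods shown in the question, and, since that service exposes no authority lookup, assigns a fixed ROLE_USER authority. The point it demonstrates is that the token returned from a successful authenticate() must already be authenticated, so that the security interceptor does not send it back through the AuthenticationManager after ProviderManager has erased the credentials.

```java
import java.util.Collection;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Autowired
    private ILoginService loginService; // the asker's service; its interface is assumed here

    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        String username = (String) authentication.getPrincipal();
        String password = (String) authentication.getCredentials();

        // Reject missing credentials explicitly. Since 3.0.3 ProviderManager erases the
        // credentials after the first attempt, so a repeated pass with null credentials
        // must fail cleanly rather than reach the service with a null password.
        if (username == null || password == null
                || !loginService.authenticateUser(username)
                || !loginService.validateUserIdAndPass(username, password)) {
            throw new BadCredentialsException("Username/Password does not match");
        }

        // Assumption: no authority lookup on ILoginService, so a fixed role is granted.
        Collection<? extends GrantedAuthority> authorities =
                AuthorityUtils.createAuthorityList("ROLE_USER");

        // The three-argument constructor creates a token with isAuthenticated() == true.
        // AbstractSecurityInterceptor only re-authenticates tokens that are not yet
        // authenticated, so this token is accepted as-is on the later request.
        return new UsernamePasswordAuthenticationToken(username, password, authorities);
    }

    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Because ProviderManager erases the credentials from the returned token anyway, the password does not stay in the SecurityContext after login completes.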