
Spring Security stops working when upgrading from Spring Security 3.0 to Spring Security 3.1


I had successfully integrated Spring Security 3.0 into a web application and it ran fine. Now I am upgrading Spring Security 3.0 to 3.1 and I am running into a problem with my CustomAuthenticationManager: whenever I try to log in, the CustomAuthenticationManager is called twice. The first time the user is authenticated successfully and a UsernamePasswordAuthenticationToken is returned, but then the class is called again; this time the principal still has the correct value but the credentials come back as null, so the user gets an authentication failure and is redirected to the login page again. That is why I cannot log in.

CustomAuthenticationManager:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

public class CustomAuthenticationProvider implements AuthenticationProvider {
    @Autowired
    private ILoginService loginService;

    public Authentication authenticate(Authentication authentication)
            throws AuthenticationException {
        // Two-argument constructor: the new token starts out NOT authenticated
        UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(
                authentication.getPrincipal(), authentication.getCredentials());
        if (loginService.authenticateUser((String) authentication.getPrincipal())) {
            if (loginService.validateUserIdAndPass((String) authentication.getPrincipal(), (String) authentication.getCredentials())) {
                // The token is returned still marked unauthenticated (the behaviour the question reports)
                usernamePasswordAuthenticationToken.setAuthenticated(false);
            } else
                throw new BadCredentialsException(
                        "Username/Password does not match");
        } else
            throw new BadCredentialsException(
                    "Username/Password does not match");
        return usernamePasswordAuthenticationToken;
    }

    public boolean supports(Class<? extends Object> authentication) {
        return authentication.equals(UsernamePasswordAuthenticationToken.class);
    }
}

My ApplicationContextSecurity.xml:

<global-method-security pre-post-annotations="enabled">
</global-method-security>
<beans:bean id="myAccessDecisionManager"
    class="com.app.common.security.repository.MyAccessDecisionManager">
</beans:bean>

<http auto-config="true" once-per-request="true"
    access-decision-manager-ref="myAccessDecisionManager" access-denied-page="/jsp/errorPage.jsp">

    <intercept-url pattern="/*.app" access="ROLE_ANONYMOUS"/>

    <form-login login-page="/login.app" login-processing-url="/j_spring_security_check"
        default-target-url="/login/validate.app"
        authentication-failure-url="/login.app?login_error=1" />
    <logout logout-url="/j_spring_security_logout"
        logout-success-url="/login.app" invalidate-session="true" />
    <session-management invalid-session-url="/login.app"
        session-fixation-protection="newSession">
        <concurrency-control max-sessions="100"
            error-if-maximum-exceeded="false" />
    </session-management>
</http>

<authentication-manager>
    <authentication-provider ref="customAuthenticationProvider"></authentication-provider>
</authentication-manager>

<beans:bean id="customAuthenticationProvider"
    class="com.app.common.security.repository.CustomAuthenticationProvider">
</beans:bean>

Please tell me where I went wrong.

1 Answer


Since Spring 3.0.3 (and later), the default AuthenticationManager, ProviderManager, clears the credentials after an authentication attempt (SEC-1493). You must have been on an older version (before Spring Security 3.0.3).

Your CustomAuthenticationProvider is also flawed, because you should set the authentication to true after a successful authentication (otherwise the later AbstractSecurityInterceptor interceptors will re-try authentication).
