Spring 4.1和Spring Security 3.2:我们实现了一个自定义身份验证提供程序,如果用户输入的密码不正确,则会抛出BadCredentialsException。抛出BadCredentialsException时,将调用ProviderManager.authenticate方法,该方法再次调用自定义身份验证中的authenticate方法。抛出LockedException时,不会再次调用自定义身份验证提供程序中的authenicate方法。我们计划保留登录尝试次数,因此我们不希望将authenticate方法调用两次。有谁知道为什么自定义身份验证类中的authenticate方法将被调用两次?
WebConfig:
@Configuration
@EnableWebMvcSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private CustomAuthenticationProvider customAuthenticationProvider;
@Autowired
private AMCiUserDetailsService userDetailsService;
@Autowired
private CustomImpersonateFailureHandler impersonateFailureHandler;
@Autowired
private LoginFailureHandler loginFailureHandler;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.antMatchers("/jsp/*.css","/jsp/*.js","/images/**").permitAll()
.antMatchers("/login/impersonate*").access("hasRole('ADMIN') or hasRole('ROLE_PREVIOUS_ADMINISTRATOR')")
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login.jsp")
.defaultSuccessUrl("/jsp/Home.jsp",true)
.loginProcessingUrl("/login.jsp")
.failureHandler(loginFailureHandler)
.permitAll()
.and()
.logout()
.logoutSuccessUrl("/login.jsp?msg=1")
.permitAll()
.and()
.addFilter(switchUserFilter())
.authenticationProvider(customAuthenticationProvider);
http.exceptionHandling().accessDeniedPage("/jsp/SecurityViolation.jsp"); //if user not authorized to a page, automatically forward them to this page.
http.headers().addHeaderWriter(new XFrameOptionsHeaderWriter(XFrameOptionsMode.SAMEORIGIN));
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthenticationProvider);
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
//Used for the impersonate functionality
@Bean CustomSwitchUserFilter switchUserFilter() {
CustomSwitchUserFilter filter = new CustomSwitchUserFilter();
filter.setUserDetailsService(userDetailsService);
filter.setTargetUrl("/jsp/Impersonate.jsp?msg=0");
filter.setSwitchUserUrl("/login/impersonate");
filter.setExitUserUrl("/logout/impersonate");
filter.setFailureHandler(impersonateFailureHandler);
return filter;
}
}
定制认证提供商:
@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {
@Autowired(required = true)
private HttpServletRequest request;
@Autowired
private AMCiUserDetailsService userService;
@Autowired
private PasswordEncoder encoder;
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String username = authentication.getName().trim();
String password = ((String) authentication.getCredentials()).trim();
if (StringUtils.isEmpty(username) || StringUtils.isEmpty(password)) {
throw new BadCredentialsException("Login failed! Please try again.");
}
UserDetails user;
try {
user = userService.loadUserByUsername(username);
//log successful attempt
auditLoginBean.setComment("Login Successful");
auditLoginBean.insert();
} catch (Exception e) {
try {
//log unsuccessful attempt
auditLoginBean.setComment("Login Unsuccessful");
auditLoginBean.insert();
} catch (Exception e1) {
// TODO Auto-generated catch block
}
throw new BadCredentialsException("Please enter a valid username and password.");
}
if (!encoder.matches(password, user.getPassword().trim())) {
throw new BadCredentialsException("Please enter a valid username and password.");
}
if (!user.isEnabled()) {
throw new DisabledException("Please enter a valid username and password.");
}
if (!user.isAccountNonLocked()) {
throw new LockedException("Account locked. ");
}
Collection<? extends GrantedAuthority> authorities = user.getAuthorities();
List<GrantedAuthority> permlist = new ArrayList<GrantedAuthority>(authorities);
return new UsernamePasswordAuthenticationToken(user, password, permlist);
}
public boolean supports(Class<? extends Object> authentication) {
return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));
}
原因是您添加了两次身份验证提供程序,一次在configure(HttpSecurity)中,一次在configure(AuthenticationManagerBuilder)中。这将创建一个ProviderManager有两个项目,都是你的提供者。
处理身份验证时,将按顺序询问提供程序,直到成功为止,除非抛出LockedException或类似状态异常,否则循环将中断。
可能有一个你不会覆盖configure(AuthenticationManagerBuilder)的情况,但仍然有同样的AuthenticationProver的authenticate方法被调用两次,就像Phil在他接受的答案中的评论中提到的那样。
这是为什么?
原因是当你没有覆盖configure(AuthenticationManagerBuilder)并拥有一个AuthenticationProvider bean时,它将由Spring Security注册,你不需要做任何其他事情。
但是,当configure(AuthenticationManagerBuilder)覆盖时,Spring Security将调用它,并且不会尝试单独注册任何提供程序。如果你很好奇,你可以看看related method。如果你覆盖disableLocalConfigureAuthenticationBldr,configure(AuthenticationManagerBuilder)是真的。
所以,简单地说,如果你只想注册一个自定义AuthenticationProvider然后不要覆盖configure(AuthenticationManagerBuilder),不要在authenticationProvider(AuthenticationProvider)中调用configure(HttpSecurity),只需通过注释AuthenticationProviver来制作你的@Component实现bean,你就可以了。