用户名和密码未与Spring中的身份验证映射
我正在使用Spring 4.3.1.RELEASE版本,它是自定义身份验证登录应用程序。但我面临问题
首先看看代码
CustomAuthenticationProvider.java
@Component
@Qualifier(value = "customAuthenticationProvider")
public class CustomAuthenticationProvider implements AuthenticationProvider{
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String username = authentication.getName();
String password = (String) authentication.getCredentials();
User user = new User();
user.setUsername(username);
user.setPassword(password);
Role r = new Role();
r.setName("ROLE_ADMIN");
List<Role> roles = new ArrayList<Role>();
roles.add(r);
Collection<? extends GrantedAuthority> authorities = roles;
return new UsernamePasswordAuthenticationToken(user, password, authorities);
}
public boolean supports(Class<?> arg0) {
return true;
}
}
SecurityConfiguration.java
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private CustomAuthenticationProvider customAuthenticationProvider;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(customAuthenticationProvider);
}
//.csrf() is optional, enabled by default, if using WebSecurityConfigurerAdapter constructor
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/admin/**").access("hasRole('ROLE_USER')")
.and()
.formLogin()
.loginPage("/login").failureUrl("/login?error")
.usernameParameter("username").passwordParameter("password")
.and()
.logout().logoutSuccessUrl("/login?logout")
.and()
.csrf();
}
}
的login.jsp 这是我的登录页面
<form name="loginForm" novalidate ng-submit="ctrl.login(user)">
<div class="form-group" ng-class="{'has-error': loginForm.username.$invalid}">
<input class="form-control" name="username" id="username" type="text"
placeholder="Username" required ng-model="user.username" />
<span class="help-block"
ng-show="loginForm.username.$error.required">Required</span>
</div>
<div class="form-group" ng-class="{'has-error': loginForm.password.$invalid}">
<input class="form-control" name="password" id="password" type="password"
placeholder="Password" required ng-model="user.password" />
<span class="help-block"
ng-show="loginForm.password.$error.required">Required</span>
</div>
<div class="form-group">
<button type="submit" class="btn btn-primary pull-right"
value="Login" title="Login" ng-disabled="!loginForm.$valid">
<span>Login</span>
</button>
</div>
</form>
在CustomAuhtenticationProvider类中的authenticate()
- authentication.getCredentials();
- authentication.getName();
两者都给出空字符串,但我需要用户名和密码。
这是我的AngularJS服务
Service.js
function loginUser(user) {
var config = {
headers: {
'csrf_token': csrfToken
}
}
var deferred = $q.defer();
$http.post("/login", user,config)
.then(
function (response) {
deferred.resolve(response.data);
},
function(errResponse){
console.error('Error while creating User');
deferred.reject(errResponse);
}
);
return deferred.promise;
}
1 个答案:
答案 0 :(得分:0)
您正在将身份验证凭据作为JSON发送,并且您正在使用尝试从HttpServletRequest参数检索身份验证凭据的默认UsernamePasswordAuthenticationFilter。
它们将始终为null。您必须构建自己的自定义过滤器,该过滤器从请求正文中收到的json而不是http params中获取身份验证凭据。
查看this
编辑:事实是您没有获得从Angular控制器发送的登录凭据。原因可能是,如果您在请求正文中将它们作为json发送,则不能依赖于默认的UsernamePasswordAuthenticationFilter,因为它尝试构建读取HttpServletRequest参数的Authentication对象。
public class UsernamePasswordAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
public Authentication attemptAuthentication(HttpServletRequest request,
HttpServletResponse response) throws AuthenticationException {
if (postOnly && !request.getMethod().equals("POST")) {
throw new AuthenticationServiceException(
"Authentication method not supported: " + request.getMethod());
}
String username = obtainUsername(request);
String password = obtainPassword(request);
...
}
/**
* Enables subclasses to override the composition of the password, such as by
* including additional values and a separator.
* <p>
* This might be used for example if a postcode/zipcode was required in addition to
* the password. A delimiter such as a pipe (|) should be used to separate the
* password and extended value(s). The <code>AuthenticationDao</code> will need to
* generate the expected password in a corresponding manner.
* </p>
*
* @param request so that request attributes can be retrieved
*
* @return the password that will be presented in the <code>Authentication</code>
* request token to the <code>AuthenticationManager</code>
*/
protected String obtainPassword(HttpServletRequest request) {
return request.getParameter(passwordParameter);
}
/**
* Enables subclasses to override the composition of the username, such as by
* including additional values and a separator.
*
* @param request so that request attributes can be retrieved
*
* @return the username that will be presented in the <code>Authentication</code>
* request token to the <code>AuthenticationManager</code>
*/
protected String obtainUsername(HttpServletRequest request) {
return request.getParameter(usernameParameter);
}
您应该扩展此过滤器,覆盖attemptAuthentication()方法,以避免在恢复此凭据时调用obtainUsername和obtainPassword。相反,编写一个自定义方法,您将在其中读取ServletRequest's InputStream并使用您以前使用的json库解析对象。我通常使用jackson this way
相关问题
最新问题
- 我写了这段代码,但我无法理解我的错误
- 我无法从一个代码实例的列表中删除 None 值,但我可以在另一个实例中。为什么它适用于一个细分市场而不适用于另一个细分市场?
- 是否有可能使 loadstring 不可能等于打印?卢阿
- java中的random.expovariate()
- Appscript 通过会议在 Google 日历中发送电子邮件和创建活动
- 为什么我的 Onclick 箭头功能在 React 中不起作用?
- 在此代码中是否有使用“this”的替代方法?
- 在 SQL Server 和 PostgreSQL 上查询,我如何从第一个表获得第二个表的可视化
- 每千个数字得到
- 更新了城市边界 KML 文件的来源?