java - 使用 Spring Security 针对数据库验证测试用户

Question

我正在使用 Spring Security 创建简单的应用程序。现在我登录有问题。在第一步中，我想接受带有密码测试的用户测试，所以我创建了这样的东西：

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security" xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p" xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security 
        http://www.springframework.org/schema/security/spring-security-3.1.xsd
        http://www.springframework.org/schema/util 
        http://www.springframework.org/schema/util/spring-util-3.1.xsd">

    <http pattern="/resources/**" security="none" />

    <http auto-config="false" use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
        <intercept-url pattern="/login.jsp" access="permitAll" />
        <intercept-url pattern="/logout.jsp" access="permitAll" />
        <intercept-url pattern="/**" access="isAuthenticated()" />

        <access-denied-handler error-page="/denied.jsp" />
        <logout invalidate-session="true" logout-success-url="/logout/success" logout-url="/logout" />

        <custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER" />
    </http>

    <beans:bean id="loginUrlAuthenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <beans:property name="loginFormUrl" value="/login.jsp" />
    </beans:bean>

    <beans:bean id="authenticationFilter" class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
        <beans:property name="authenticationManager" ref="authenticationManager" />
        <beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
        <beans:property name="authenticationFailureHandler" ref="securityLoginFailureHandler" />
        <beans:property name="authenticationSuccessHandler" ref="securityLoginSuccessHandler" />
    </beans:bean>

    <beans:bean id="securityLoginSuccessHandler" class="org.sample.web.security.SecurityLoginSuccessHandler">
        <beans:property name="defaultTargetUrl" value="/login.jsp" />
    </beans:bean>

    <beans:bean id="securityLoginFailureHandler" class="org.sample.web.security.SecurityLoginFailureHandler">
        <beans:property name="defaultFailureUrl" value="/login/failure" />
    </beans:bean>

    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="customUserDetailsService">
            <password-encoder hash="md5" />
        </authentication-provider>
    </authentication-manager>
</beans:beans> 

和 customUserDeteialsService：

package org.sample.web.service;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Service;

    @Service
    public class CustomUserDetailsService implements UserDetailsService {

        protected final Logger logger = LoggerFactory.getLogger(getClass());

        public UserDetails loadUserByUsername(String username) {
            logger.error("niceeeeeeeeeeeee");
            return new User("test", "test", getAuthorities(1));
        }

        /**
         * Retrieves a collection of {@link GrantedAuthority} based on a numerical role
         * 
         * @param role
         *            the numerical role
         * @return a collection of {@link GrantedAuthority

         */
        public Collection<? extends GrantedAuthority> getAuthorities(Integer role) {
            List<GrantedAuthority> authList = getGrantedAuthorities(getRoles(role));
            return authList;
        }

        /**
         * Converts a numerical role to an equivalent list of roles
         * 
         * @param role
         *            the numerical role
         * @return list of roles as as a list of {@link String}
         */
        public List<String> getRoles(Integer role) {
            List<String> roles = new ArrayList<String>();

            if (role.intValue() == 1) {
                roles.add("ROLE_USER");
                roles.add("ROLE_ADMIN");

            } else if (role.intValue() == 2) {
                roles.add("ROLE_USER");
            }

            return roles;
        }

        /**
         * Wraps {@link String} roles to {@link SimpleGrantedAuthority} objects
         * 
         * @param roles
         *            {@link String} of roles
         * @return list of granted authorities
         */
        public static List<GrantedAuthority> getGrantedAuthorities(List<String> roles) {
            List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
            for (String role : roles) {
                authorities.add(new SimpleGrantedAuthority(role));
            }
            return authorities;
        }

    }

问题是授权仍然失败。当我调试这个时，我可以看到：

ERROR - CustomUserDetailsService   - niceeeeeeeeeeeee
DEBUG - DaoAuthenticationProvider  - Authentication failed: password does not match stored value

我做错了什么？

Answer 1

我<password-encoder hash="md5" />在你的配置中看到了。这意味着您正在使用md5在 Authentication-Provider 中对密码进行编码。因此，您也必须使用 md5 对“测试”进行编码CustomUserDetailsService：

new User("test", "encoded_password", getAuthorities(1));