2

我创建了一个使用 spring security 进行身份验证的 spring MVC 应用程序,这里是 spring-security.xml

<http use-expressions="true">
    <form-login login-page="/homepage.jsp" default-target-url="/homepage.jsp" authentication-failure-url="/homepage.jsp?login-success=false" />
    <logout logout-success-url="/homepage.jsp" />
</http>
<authentication-manager alias="authenticationManager" > 
   <authentication-provider>
    <password-encoder hash="sha" />
    <jdbc-user-service data-source-ref="marketDataSource" 

       users-by-username-query="
          select email_address, password, '1' 
          from user where email_address=?" 

        authorities-by-username-query="
          select email_address, 'ROLE_USER' from user 
          where email_address=?" 
      />
   </authentication-provider>
</authentication-manager>

当一个新用户尝试注册时,他填写注册并按提交,这将创建一个新用户,如果注册成功完成,我尝试使用此方法对注册用户进行身份验证:

private void authenticateUserAndSetSession(User user, HttpServletRequest request) {

List<GrantedAuthority> grantedAuthorities = new ArrayList<GrantedAuthority>();
grantedAuthorities.add(new GrantedAuthorityImpl("ROLE_USER"));
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(
    user.getEmailAddress(), user.getPasswordSha(), grantedAuthorities);

request.getSession();

token.setDetails(new WebAuthenticationDetails(request));
try {
  Authentication authenticatedUser = authenticationManager
      .authenticate(token);
  SecurityContextHolder.getContext().setAuthentication(authenticatedUser);
} catch (Exception e) {
  e.printStackTrace();
}

}

我检查了这个帖子Auto login after successful registration做以前的方法,但是当我尝试使用它时,它会抛出 Bad Credential Exception,这个解决方案有什么问题?

4

1 回答 1

0

我曾经遇到过类似的问题。在遗留代码中,密码是手动散列的。

更好的选择是使用纯密码存储 User 类的对象(可能是纯表单绑定)并在以后清除它。清除凭证也是 spring-security 的责任(接口org.springframework.security.core.CredentialsContainer)。如果不可能删除编码器的标签或使用纯文本编码器<password-encoder hash="plaintext"/>

于 2014-01-29T06:31:10.177 回答