【发布时间】:2015-03-18 18:31:13
【问题描述】:
我在 Spring Security 3.1 中有一个 Web 应用程序登录表单。登录表单调用 j_spring_security_check onsubmit 并且我有一个自定义身份验证管理器,它使用 github rest api 来验证登录。这样做的问题是,当登录信息被记录在服务器上时,它们是以纯文本形式记录的。
发布我的 security-context.xml 文件
<!-- Custom bean: Auth Manager -->
<beans:bean id="customAuthmanager" class="com.RRCenter.securityMisc.AuthManager">
</beans:bean>
<!-- Failed login bean -->
<beans:bean id="failedLogin" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler" p:defaultFailureUrl="/reuiweb/login?fail=true"></beans:bean>
<!-- Successful login bean -->
<beans:bean id="successLogin" class="org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler" p:defaultTargetUrl="/reuiweb/certifybundles?login=true"></beans:bean>
<!-- <beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="passwordEncoder" ref="passwordEncoder"/>
</beans:bean> -->
<!-- <beans:bean id="passwordEncoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<beans:constructor-arg name="strength" value="11" />
</beans:bean> -->
<!-- Actual auth manager -->
<beans:bean id="customAuthFilter"
class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
p:authenticationManager-ref="customAuthmanager"
p:authenticationFailureHandler-ref="failedLogin"
p:authenticationSuccessHandler-ref="successLogin"
p:authenticationDetailsSource-ref="myAuthDetailsSource"
></beans:bean>
<!-- p:authenticationProvider-ref="daoAuthenticationProvider" -->
<!-- Auth Details Bean -->
<beans:bean id="myAuthDetailsSource" class="com.RRCenter.securityMisc.MyAuthDetailsSource"/>
<!-- Successful login bean -->
<beans:bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"
p:loginFormUrl="/reuiweb/login" />
<security:authentication-manager />
<!-- Test users -->
<security:http auto-config="false" request-matcher="ant" disable-url-rewriting="true" entry-point-ref="authenticationEntryPoint">
<!-- Enables the 9xxx ports -->
<security:port-mappings>
<security:port-mapping http="80" https="443"/>
<security:port-mapping http="8080" https="8443"/>
<security:port-mapping http="9080" https="9443"/>
</security:port-mappings>
<security:http-basic authentication-details-source-ref="myAuthDetailsSource" />
<!-- Session management -->
<security:session-management invalid-session-url="/reuiweb/login">
<security:concurrency-control max-sessions="99" expired-url="/reuiweb/login" />
</security:session-management>
<!-- Security schema -->
ty:intercept-url pattern="/j_spring_security_check" requires-channel="https"/>
<security:intercept-url pattern="/reuiweb/certifyProvider" access="ROLE_USER,ROLE_ADMIN"/>
<security:intercept-url pattern="/**" access="ROLE_ANONYMOUS, ROLE_USER, ROLE_ADMIN"/>
<security:logout invalidate-session="true" logout-success-url="/reuiweb/allJobs" logout-url="/reuiweb/logout"/>
<security:custom-filter ref="customAuthFilter" position="FORM_LOGIN_FILTER"/>
</security:http>
我在堆栈溢出中阅读了几个答案,其中提到我必须使用用户详细信息服务以及密码编码器 bean
<bean id="authProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="customUserService" />
<property name="passwordEncoder" ref="encoder" />
</bean>
但是 daoAuthentication 提供程序适用于登录密码存储在数据库中的情况。您能否告诉我在 REST API 服务提供身份验证时如何实现 userdetailsservice?
【问题讨论】:
-
@holmis83 服务器记录它处理的每个页面。检查页面 j_spring_security_check 的日志时,正在记录以下信息-------> /reuiweb/j_spring_security_check?j_OTP=******(提交的表单值)&submit=Submit&j_password={password in plain text }&j_username={用户名的提交表单值}
-
谁将这些行写入日志?你的应用程序?还是服务器本身,比如 apache 日志?
-
那好像是登录页面有问题。看起来怎么样?
-
@IgorArtamonov 服务器自己记录它。就像 apache 日志一样!但是,如果我们对密码进行 cud 编码并将其传递给服务器,那么服务器会记录编码后的密码,对吗?
-
@holmis83 登录页面是一个带有 3 个文本框和一个提交按钮的表单,该按钮调用 j_spring_security_check 按钮作为表单操作
标签: java spring spring-mvc spring-security spring-3