【问题标题】:return bad credentials with return getAuthenticationManager().authenticate()使用 return getAuthenticationManager().authenticate() 返回错误的凭据
【发布时间】:2020-02-24 08:41:14
【问题描述】:

我是 Spring Security 的新手,我完成了这个教程:https://windoctor7.github.io/spring-jwt.html

但是我在数据库中修改了一些搜索用户的代码,所以我创建了一个@bean:

1º部分,拦截通话。

@Configuration
@EnableWebSecurity
@ComponentScan(basePackages = "es.....service")
public class ServiciosConfig extends WebSecurityConfigurerAdapter {

    @Bean
    public LoginFilter createLogin() throws Exception {
        return new LoginFilter("/login", authenticationManager());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests()
            .antMatchers("/login").permitAll() //permitimos el acceso a /login a cualquiera
            .anyRequest().authenticated() //cualquier otra peticion requiere autenticacion
            .and()
            // Las peticiones /login pasaran previamente por este filtro
           .addFilterBefore(createLogin(),  UsernamePasswordAuthenticationFilter.class)
            // Las demás peticiones pasarán por este filtro para validar el token
            .addFilterBefore(new JwtFilter(),
                    UsernamePasswordAuthenticationFilter.class);
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
        return source;
    }

我拦截“登录”,如果用户存在,我会在数据库中搜索:

public class LoginFilter extends AbstractAuthenticationProcessingFilter {

    private static final Logger LOGGER = LoggerFactory.getLogger(LoginFilter.class);

    @Autowired
    private RolesUserRepository rolRepository;

    @Value("${ldap.base}")
    private String base;

    public LoginFilter(String url, AuthenticationManager authManager) {
        super(new AntPathRequestMatcher(url));
        setAuthenticationManager(authManager);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
            throws AuthenticationException, IOException, ServletException {

        // obtenemos el body de la peticion que asumimos viene en formato JSON
        InputStream body = req.getInputStream();

        // Realizamos un mapeo a nuestra clase User para tener ahi los datos
        User user = new ObjectMapper().readValue(body, User.class);

        // Finalmente autenticamos
        LOGGER.info("Buscando al usuario: " + user.getUsername() + " en la BD.");
        RolesUser rol = this.rolRepository.findByUser(user.getUsername());

        if (rol.getRol() != null) {
            LOGGER.info("El usuario: " + user.getUsername() + " es correcto.");

            List<GrantedAuthority> grantedAuths = AuthorityUtils.commaSeparatedStringToAuthorityList(rol.getRol());
            return getAuthenticationManager().authenticate(new UsernamePasswordAuthenticationToken(user.getUsername(),
                    user.getPassword(), grantedAuths));
        } else {
            throw new javax.security.sasl.AuthenticationException("Credenciales inválidas.");
        }

    }

    @Override
    protected void successfulAuthentication(HttpServletRequest req, HttpServletResponse res, FilterChain chain,
            Authentication auth) throws IOException, ServletException {
        // Si la autenticacion fue exitosa, agregamos el token a la respuesta
        JwtUtil.addAuthentication(res, auth.getName());
    }

}

用户无误,终于上线了:

return getAuthenticationManager().authenticate(new UsernamePasswordAuthenticationToken(user.getUsername(),
                        user.getPassword(), grantedAuths));

AbstractAuthenticationProcessingFilter.class 出现错误

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {

HttpServletRequest request = (HttpServletRequest) req;
HttpServletResponse response = (HttpServletResponse) res;

if (!requiresAuthentication(request, response)) {
    chain.doFilter(request, response);

    return;
}

if (logger.isDebugEnabled()) {
    logger.debug("Request is to process authentication");
}

Authentication authResult;

try {
    authResult = attemptAuthentication(request, response);
    if (authResult == null) {
        // return immediately as subclass has indicated that it hasn't completed
        // authentication
        return;
    }
    sessionStrategy.onAuthentication(authResult, request, response);
}
catch (InternalAuthenticationServiceException failed) {
    logger.error(
            "An internal error occurred while trying to authenticate the user.",
            failed);
    unsuccessfulAuthentication(request, response, failed);

    return;
}
catch (AuthenticationException failed) {
    // Authentication failed
    unsuccessfulAuthentication(request, response, failed);

    return;
}

// Authentication success
if (continueChainBeforeSuccessfulAuthentication) {
    chain.doFilter(request, response);
}

successfulAuthentication(request, response, chain, authResult);

}

unsuccessfulAuthentication(request, response, failed);

代码错误是org.springframework.security.authentication.BadCredentialsException: Bad credentials 没看懂,什么证件???我的用户是正确的,存在于数据库中,为什么会出现错误???我只修改 el @bean 因为我可以使用 @autowired ...谢谢...

修改为 Saad Surya 的答案:

@Configuration
@EnableWebSecurity
@ComponentScan(basePackages = "es.....service")
public class ServiciosConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserServiceImpl userDetailService;

    @Bean
    public LoginFilter createLogin() throws Exception {
        return new LoginFilter("/login", authenticationManager());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests().antMatchers("/login").permitAll() // permitimos el acceso a /login a
                                                                                    // cualquiera
                .anyRequest().authenticated() // cualquier otra peticion requiere autenticacion
                .and()
                // Las peticiones /login pasaran previamente por este filtro
                .addFilterBefore(createLogin(), UsernamePasswordAuthenticationFilter.class)
                // Las demás peticiones pasarán por este filtro para validar el token
                .addFilterBefore(new JwtFilter(), UsernamePasswordAuthenticationFilter.class);
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());
        return source;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
        .userDetailsService(userDetailService);
    }

所以,我删除了 LoginFilter 的逻辑:

public class LoginFilter extends AbstractAuthenticationProcessingFilter {

    public LoginFilter(String url, AuthenticationManager authManager) {
        super(new AntPathRequestMatcher(url));
        setAuthenticationManager(authManager);
    }

    @Override
    public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res)
            throws AuthenticationException, IOException, ServletException {

        // obtenemos el body de la peticion que asumimos viene en formato JSON
        InputStream body = req.getInputStream();

        // Realizamos un mapeo a nuestra clase User para tener ahi los datos
        User user = new ObjectMapper().readValue(body, User.class);

        return getAuthenticationManager().authenticate(
                    new UsernamePasswordAuthenticationToken(
                            user.getUser(),
                            user.getPwd(),
                            Collections.emptyList()
                    )
            );

    }

现在我直接返回 getAuthenticationManager...

我使用 userDetailsS​​ervice 接口检查凭据并返回 obj userDetails 和 el user 和 rol 以创建令牌 jwt。

@Service
public class UserServiceImpl implements UserDetailsService {
    private static final Logger LOGGER = LoggerFactory.getLogger(UserServiceImpl.class);
    @Autowired 
    private RolesUserRepository repository;

    public void UserService(RolesUserRepository repository) {
            this.repository = repository;
        }

    @Override
    public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {
        RolesUser rolUser = repository.findByUser(userName);
        if(rolUser.getRol() != null) {
          LOGGER.info("El usuario: " + userName + " es: " + rolUser.getRol());
          List<GrantedAuthority> grantedAuths = AuthorityUtils.commaSeparatedStringToAuthorityList(rolUser.getRol());
          return new MyUserPrincipal(grantedAuths,"",userName);
        }else {
            throw new AuthenticationException("Las credenciales son incorrectas.") {
            };
        }
    }

}

我的类在存储库中签入用户并创建 MyUserPrincipal()

public class MyUserPrincipal implements UserDetails {

    /**
     * 
     */
    private static final long serialVersionUID = 1L;

    private List<GrantedAuthority> grantedAuths;
    private String password;
    private String userName;

    public MyUserPrincipal(List<GrantedAuthority> grantedAuths, String password, String userName) {
        this.grantedAuths = grantedAuths;
        this.password = password;
        this.userName = userName;
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return this.grantedAuths;
    }

    @Override
    public String getPassword() {
        return this.password;
    }

    @Override
    public String getUsername() {
        return this.userName;
    }

    @Override
    public boolean isAccountNonExpired() {
        // TODO Auto-generated method stub
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        // TODO Auto-generated method stub
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        // TODO Auto-generated method stub
        return true;
    }

    @Override
    public boolean isEnabled() {
        // TODO Auto-generated method stub
        return true;
    }

}

具有实现 UserDetails 的类。注意因为我修改了 isEnabled,isCredentialsNonExpired,isAccountNonLocked,isAccountNonExpired 为真。

Okkk,通过这一切,我启动了我的应用程序,但我得到了同样的错误: “身份验证失败:凭据错误”,

不同的是,现在我得到了类中的错误

AbstractUserDetailsAuthenticationProvider, Line 171.
        catch (AuthenticationException exception) {
            if (cacheWasUsed) {
                // There was a problem, so try again after checking
                // we're using latest data (i.e. not from the cache)
                cacheWasUsed = false;
                user = retrieveUser(username,
                        (UsernamePasswordAuthenticationToken) authentication);
                preAuthenticationChecks.check(user);
                additionalAuthenticationChecks(user,
                        (UsernamePasswordAuthenticationToken) authentication);
            }

【问题讨论】:

    标签: java spring spring-security


    【解决方案1】:

    您可以实现UserDetailsService 并通过覆盖WebSecurityConfigurerAdapterconfigure(AuthenticationManagerBuilder) 方法来配置它,而不是为LoginFilter 创建一个bean

    public class UserService implements UserDetailsService {
        private UserRepository repository;
        public UserService(UserRepository repository) {
            this.repository = repository;
        }
    
        @Override
        public UserDetails loadUserByUsername(String username) {
            // you call to repository to get user
        }
    
    }
    

    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        @Autowired
        private UserService userDetailService;
    
        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth
                    .userDetailsService(userDetailService);
        }
    }
    

    【讨论】:

    • 最后我用 String password = "123"; 解决了这个问题PasswordEncoder passwordEncoder = (PasswordEncoder) new BCryptPasswordEncoder(); String encodedPassword = ((BCryptPasswordEncoder) passwordEncoder).encode(password);返回新的 MyUserPrincipal(grantedAuths,encodedPassword,userName);现在我需要解决如何获取密码。谢谢。
    猜你喜欢
    • 1970-01-01
    • 2015-02-19
    • 2020-05-11
    • 1970-01-01
    • 1970-01-01
    • 2018-06-02
    • 2012-10-20
    • 1970-01-01
    • 2020-05-19
    相关资源
    最近更新 更多