【Title】: Spring Rest API User Authentication for One Time
【Posted】: 2015-10-14 22:27:47
【Question】:

I'm building a REST API. I have to do user authentication once. After logging in to the API they won't make any other requests. I'm using Spring Security for MVC authentication.

    } else if (!customerWithEmail.getPassword().equals(passwordEncoder.encode(password))) {
        map.put("ERROR CODE", "04 - Wrong Password");
        // Doesn't work, for sure.
        // TODO email password auth.
        return map;
    }

I have a problem with my username and password validation. I use BCrypt and UserDetails in other modules.

Our customers have static IP addresses; they cannot log in, only their IP address is recorded in the database. But the email/password check will be good for the future.

import java.util.HashMap;
import java.util.Map;

import javax.servlet.http.HttpServletRequest;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping(value = "/api")
public class ApiController {

    @Autowired
    private CustomerDao customerDao;

    @Autowired
    private PasswordEncoder passwordEncoder;   // BCrypt, as in the other modules

    @RequestMapping(value = "/login", method = RequestMethod.GET)
    public @ResponseBody Map<String, String> customerLogin(@RequestParam(value = "email") String email,
                                                           @RequestParam(value = "password") String password,
                                                           HttpServletRequest request) {

        Map<String, String> map = new HashMap<>();
        try {
            // Look the caller up twice: by the e-mail they sent and by the IP they came from.
            String customerIpAddress = request.getRemoteAddr();
            Customer customerWithEmail = customerDao.getUserByEmail(email);
            Customer customerWithIpAddress = customerDao.getUserByIpAddress(customerIpAddress);

            if (customerWithEmail == null) {
                map.put("ERROR CODE", "01 - User Not Found");
                return map;
            } else if (customerWithIpAddress == null) {
                map.put("ERROR CODE", "02 - IP Address Not Found");
                return map;
            } else if (!customerWithEmail.equals(customerWithIpAddress)) {
                map.put("ERROR CODE", "03 - User and IP Address Does Not Match");
                return map;
            } else if (!customerWithEmail.getPassword().equals(passwordEncoder.encode(password))) {
                // The branch the question is about: compares the stored hash
                // against a fresh encode() of the submitted password.
                map.put("ERROR CODE", "04 - Wrong Password");
                // Doesn't work, for sure.
                // TODO email password auth.
                return map;
            } else {
                // All checks passed: return the customer's profile.
                map.put("Email", customerWithEmail.getEmail());
                map.put("Name", customerWithEmail.getName());
                map.put("Surname", customerWithEmail.getSurname());
                map.put("Company", customerWithEmail.getCompanyName());
                return map;
            }
        } catch (Exception e) {
            map.put("ERROR CODE", "05 - See Details");
            map.put("Error", e.toString());
            return map;
        }
    }
}

Is my business logic right? Mine isn't.

【Comments】:

  • Why can't you check whether the username and password match?
  • I use the password parameter, but customerWithEmail.getPassword().equals(passwordEncoder.encode(password)) doesn't work properly.

Tags: spring rest spring-security


【Solution 1】:

You can't use encode + equals, because BCrypt uses a random salt. Instead:

if (!passwordEncoder.matches(password, customerWithEmail.getPassword()))

【Discussion】:
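An added, runnable illustration of the answer's point; it is not code from the question, the answer or the Spring project. It shows that two encode() calls on the same password yield different strings (the salt is random and stored inside the hash), that matches() re-hashes the input with that stored salt, and it rewrites the question's four-branch check so that one yes/no comes back instead of error codes that tell a caller whether the e-mail exists and which IP it is tied to. It assumes spring-security-crypto on the classpath; the Customer class, the HashMap standing in for CustomerDao, the dummy hash, and the e-mail, IP and password values are all constructed for this example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Added example, not the question's or the answer's code.
 * Assumes spring-security-crypto on the classpath. Customer and the
 * in-memory map are stand-ins for the question's Customer / CustomerDao.
 */
public class BcryptLoginDemo {

    /** Stand-in for the question's Customer entity (assumption). */
    static final class Customer {
        final String email;
        final String ipAddress;
        final String passwordHash; // the stored BCrypt hash, never the clear text

        Customer(String email, String ipAddress, String passwordHash) {
            this.email = email;
            this.ipAddress = ipAddress;
            this.passwordHash = passwordHash;
        }
    }

    private final PasswordEncoder encoder = new BCryptPasswordEncoder();
    private final Map<String, Customer> customersByEmail = new HashMap<>(); // stands in for CustomerDao
    /** Hash checked when the e-mail is unknown, so an unknown user costs the same time as a known one. */
    private final String dummyHash;

    BcryptLoginDemo() {
        dummyHash = encoder.encode("placeholder-not-a-real-password");
    }

    /** What the registration path must do: store encode(clearText), never clearText. */
    void register(String email, String ipAddress, String clearTextPassword) {
        customersByEmail.put(email, new Customer(email, ipAddress, encoder.encode(clearTextPassword)));
    }

    /**
     * Replacement for the question's chain of error codes. Every factor is
     * evaluated and a single result is returned, so the caller cannot learn
     * whether it was the e-mail, the IP or the password that was wrong.
     */
    Optional<Customer> login(String email, String presentedPassword, String remoteIp) {
        Customer candidate = customersByEmail.get(email);
        String hashToCheck = candidate != null ? candidate.passwordHash : dummyHash;

        // matches() extracts the salt from hashToCheck, re-hashes presentedPassword with it
        // and compares; encode() would draw a fresh salt and so never reproduce the stored hash.
        boolean passwordOk = encoder.matches(presentedPassword, hashToCheck);
        boolean ipOk = candidate != null && remoteIp.equals(candidate.ipAddress);

        return (candidate != null && passwordOk && ipOk) ? Optional.of(candidate) : Optional.empty();
    }

    public static void main(String[] args) {
        BcryptLoginDemo demo = new BcryptLoginDemo();
        PasswordEncoder enc = demo.encoder;

        // 1. Same password, two encode() calls: the salt differs, so the strings differ,
        //    while matches() accepts the password against either hash.
        String h1 = enc.encode("correct horse");
        String h2 = enc.encode("correct horse");
        System.out.println("h1 = " + h1);
        System.out.println("h2 = " + h2);
        System.out.println("h1.equals(h2)            : " + h1.equals(h2));
        System.out.println("matches(password, h1)    : " + enc.matches("correct horse", h1));
        System.out.println("matches(password, h2)    : " + enc.matches("correct horse", h2));

        // 2. The login check with a constructed customer record (values are made up).
        demo.register("alice@example.com", "203.0.113.10", "correct horse");
        System.out.println("right pw, right IP       : "
                + demo.login("alice@example.com", "correct horse", "203.0.113.10").isPresent());
        System.out.println("right pw, other IP       : "
                + demo.login("alice@example.com", "correct horse", "198.51.100.7").isPresent());
        System.out.println("wrong pw, right IP       : "
                + demo.login("alice@example.com", "wrong", "203.0.113.10").isPresent());
        System.out.println("unknown e-mail           : "
                + demo.login("nobody@example.com", "correct horse", "203.0.113.10").isPresent());
    }
}
```

Two further points a reviewer would raise on the question's controller: the endpoint takes the password as a GET query parameter, so it lands in access logs, proxy logs and browser history; make it a POST with the credentials in the body. And request.getRemoteAddr() returns the address of whatever connected to the servlet container, so behind a load balancer or reverse proxy the IP check compares against the proxy's address unless the forwarded-for header from that trusted proxy is handled deliberately.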
