原因：没有为 org.springframework.security.authentication.UsernamePasswordAuthenticationToken 找到 Authentica

Posted 2023-02-27

技术标签:

【中文标题】原因：没有为 org.springframework.security.authentication.UsernamePasswordAuthenticationToken 找到 AuthenticationProvider【英文标题】：Reason: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken 【发布时间】：2017-05-10 21:12:08 【问题描述】：

我已配置 spring 安全命名空间以使用我的自定义身份验证管理器进行身份验证：

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">

  <display-name>Application</display-name>

   <welcome-file-list>
        <welcome-file>index.html</welcome-file>
   </welcome-file-list>

   <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring-security.xml
        </param-value>
    </context-param>

   <servlet>
        <servlet-name>app</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextClass</param-name>
            <param-value>
                org.springframework.web.context.support.AnnotationConfigWebApplicationContext
            </param-value>
        </init-param>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
               com.me.web.controllers.controller
            </param-value>
        </init-param> 
   </servlet>

    <listener>
        <listener-class>
            com.me.web.controllers.listener
        </listener-class>
    </listener>

    <servlet-mapping>
        <servlet-name>app</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>



    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <login-config>
    <auth-method>BASIC</auth-method>
    </login-config>

</web-app>

spring-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
     xmlns:context="http://www.springframework.org/schema/context"
     xmlns:security="http://www.springframework.org/schema/security"
     xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:p="http://www.springframework.org/schema/p"
     xsi:schemaLocation="
            http://www.springframework.org/schema/beans    
            http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
            http://www.springframework.org/schema/context
            http://www.springframework.org/schema/context/spring-context-4.0.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-4.0.xsd
            http://www.springframework.org/schema/mvc
            http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd">

    <context:component-scan base-package="com.me.web.controllers"/>
    <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix" value="/WEB-INF/" />
        <property name="suffix" value=".jsp" />
    </bean>

    <bean id="myProvider" class="com.me.web.controllers.CustomAuthenticationProvider"> </bean>

    <security:http auto-config="true">
        <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    </security:http>

    <security:authentication-manager erase-credentials="false" alias="authenticationManager">
        <security:authentication-provider ref='myProvider'/>
    </security:authentication-manager>

    <mvc:annotation-driven />
</beans>

CustomAuthenticationProvider.java

package com.me.web.controllers;

import java.util.jar.JarEntry;
import java.util.jar.JarFile;

import java.io.InputStream;
import java.util.Hashtable;
import java.util.ArrayList;
import java.util.Arrays;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider 

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException 
        String name = authentication.getPrincipal().toString();
        String password = authentication.getCredentials().toString();

        System.out.println("Username: " + name + ", password: " + password + "\n");

        if (name.equals("user") && password.equals("pass")) 
            return new UsernamePasswordAuthenticationToken(name, password, new ArrayList<GrantedAuthority>(Arrays.asList(new SimpleGrantedAuthority("ROLE_USER"))));
         else 
            return null;
        
    

    @Override
    public boolean supports(Class<?> authentication) 
        System.out.println("supports method called\n");
        return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));

日志文件

INFO: Loading XML bean definitions from ServletContext resource [/WEB-INF/omdwebapp-servlet.xml]
дек 27, 2016 11:28:50 AM org.springframework.security.core.SpringSecurityCoreVersion performVersionChecks
INFO: You are running with Spring Security Core 4.0.4.RELEASE
дек 27, 2016 11:28:50 AM org.springframework.security.core.SpringSecurityCoreVersion performVersionChecks
WARNING: **** You are advised to use Spring 4.2.5.RELEASE or later with this version. You are running: 4.1.5.RELEASE
дек 27, 2016 11:28:50 AM org.springframework.security.config.SecurityNamespaceHandler <init>
INFO: Spring Security 'config' module version is 4.0.4.RELEASE
дек 27, 2016 11:28:50 AM org.springframework.security.config.http.FilterInvocationSecurityMetadataSourceParser parseInterceptUrlsForFilterInvocationRequestMap
INFO: Creating access control expression attribute 'hasRole('ROLE_USER')' for /**
дек 27, 2016 11:28:50 AM org.springframework.security.config.http.AuthenticationConfigBuilder createLoginPageFilterIfNeeded
INFO: No login page configured. The default internal one will be used. Use the 'login-page' attribute to set the URL of the login page.
дек 27, 2016 11:28:50 AM org.springframework.security.config.http.HttpSecurityBeanDefinitionParser checkFilterChainOrder
INFO: Checking sorted filter chain: [Root bean: class [org.springframework.security.web.context.SecurityContextPersistenceFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 200, Root bean: class [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 400, Root bean: class [org.springframework.security.web.header.HeaderWriterFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 500, Root bean: class [org.springframework.security.web.csrf.CsrfFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 600, Root bean: class [org.springframework.security.web.authentication.logout.LogoutFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 700, <org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0>, order = 1100, Root bean: class [org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1300, Root bean: class [org.springframework.security.web.authentication.www.BasicAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1500, Root bean: class [org.springframework.security.web.savedrequest.RequestCacheAwareFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1600, Root bean: class [org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1700, Root bean: class [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 2000, Root bean: class [org.springframework.security.web.session.SessionManagementFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 2100, Root bean: class [org.springframework.security.web.access.ExceptionTranslationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 2200, <org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0>, order = 2300]
дек 27, 2016 11:28:51 AM org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor <init>
INFO: JSR-330 'javax.inject.Inject' annotation found and supported for autowiring
дек 27, 2016 11:28:51 AM org.springframework.security.web.DefaultSecurityFilterChain <init>
INFO: Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.SecurityContextPersistenceFilter@5ebfb059, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7ad2d3a7, org.springframework.security.web.header.HeaderWriterFilter@2745b7f0, org.springframework.security.web.csrf.CsrfFilter@522f01b4, org.springframework.security.web.authentication.logout.LogoutFilter@c18fa93, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@3beacf19, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@34c2910a, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@51c04295, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@25536e21, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@8634bac, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@2efd0d81, org.springframework.security.web.session.SessionManagementFilter@6781a840, org.springframework.security.web.access.ExceptionTranslationFilter@714d36d6, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@44b55b7]
дек 27, 2016 11:28:51 AM org.springframework.security.config.http.DefaultFilterChainValidator checkLoginPageIsntProtected
INFO: Checking whether login URL '/login' is accessible with your configuration
дек 27, 2016 11:28:51 AM org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping registerHandlerMethod
INFO: Mapped "[/rest],methods=[POST],params=[],headers=[],consumes=[],produces=[application/json],custom=[]" onto public static void com.omd.web.controllers.OmdRestController.processPostRequest(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse) throws javax.servlet.ServletException
дек 27, 2016 11:28:51 AM org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping registerHandlerMethod
INFO: Mapped "[/rest],methods=[GET],params=[],headers=[],consumes=[],produces=[application/json],custom=[]" onto public static void com.omd.web.controllers.OmdRestController.processGetRequest(java.lang.String,javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse) throws javax.servlet.ServletException
дек 27, 2016 11:28:51 AM org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter initControllerAdviceCache

但是当我向服务器（apache-tomcat）发送请求时，无论我输入什么登录名和密码，都会在无限循环中请求登录名和密码。我在做什么？如果不清楚，我该如何调试？

这是我尝试登录时的错误消息：

Your login attempt was not successful, try again.

Reason: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken

我没有找到我在课堂上添加的日志，所以我认为 authenticate 函数没有被调用。

【问题讨论】：

【参考方案1】：

我遇到了同样的问题，我通过使用这个名称添加这个类来解决它

IMP：我正在处理纯 Java 配置

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;


public class SecurityWebApplicationInitializer 
                        extends AbstractSecurityWebApplicationInitializer

【讨论】：

【参考方案2】：

<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />

但是在您的 authenticate 方法中没有返回任何角色。

如果要进行基本身份验证，则应发送带头的请求。

Authorization -- Basic base64Encode(username:password)

到服务器，并在您的 authenticate 方法中，您应该返回

return new UsernamePasswordAuthenticationToken(name, password, new ArrayList<GrantedAuthority>(Arrays.asList(new SimpleGrantedAuthority("ROLE_USER"))));

顺便说一句：如果你设置auto-config = true，它会自动添加以下配置。

<form-login />
<http-basic />
<logout />

我想你只是想设置所有的请求都应该被认证。所以你只需要将配置更改为

<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />

那么您无需更改 authenticate 方法即可返回角色。

编辑

authentication.equals(UsernamePasswordAuthenticationToken.class);

这将返回false，将其更改为

(UsernamePasswordAuthenticationToken.class
                .isAssignableFrom(authentication));

【讨论】：

类似

&lt;context-param&gt;         &lt;param-name&gt;contextConfigLocation&lt;/param-name&gt;         &lt;param-value&gt;             classpath:spring-security.xml         &lt;/param-value&gt;     &lt;/context-param&gt;

让我们continue this discussion in chat。

以上是关于原因：没有为 org.springframework.security.authentication.UsernamePasswordAuthenticationToken 找到 Authentica的主要内容，如果未能解决你的问题，请参考以下文章

有没有办法引用规格（Spring）的审计表？

启用了 ssl 的 spring mvc - 没有可用的会话属性

Spring Boot 2.0 新特性和发展方向

SpringBoot项目部署到tomcat

SpringMvc文件上传下载和拦截器

Spring-boot OAuth2 实现：NoSuchBeanDefinitionException：没有 AuthenticationManager 类型的合格 bean