在 Bootstrap 期间 Spring 安全返回 null SecurityContext

Posted 2023-02-27

【中文标题】在 Bootstrap 期间 Spring 安全返回 null SecurityContext

【英文标题】：Spring security returning null SecurityContext during Bootstrap

【发布时间】：2012-02-23 18:26:42

【问题描述】：

我在我的 Grails 应用程序中成功使用 Spring Security 时遇到问题。我安装了 spring-security-core 插件，然后运行命令来执行初始设置：

s2-quickstart my.package ReUser ReRole

其中 ReUser 和 ReRole 分别是我的用户和角色域类。然后，我继续按照 Peter Led*** 的 Simplified Spring Security 屏幕中的设置说明进行操作，但是当我真正尝试运行应用程序并验证用户身份时，我遇到了麻烦。我在 Bootstrap 中创建的用户名从未被识别（带有 BadCredentialsException），如果我从未存储这些用户、角色和连接类值。但是它们被存储起来，并在 Bootstrap 中声明了已保存值的计数。同样，相关类在 Config.groovy 中被正确识别为：

grails.plugins.springsecurity.userLookup.userDomainClassName = 're.sec.ReUser'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 're.sec.ReUserReRole'
grails.plugins.springsecurity.authority.className = 're.sec.ReRole'

这些结果让我一头雾水，直到我在日志中注意到以下序列：

web.FilterChainProxy Converted URL to lowercase, from: '/index.gsp'; to: '/index.gsp'
web.FilterChainProxy Candidate is: '/index.gsp'; pattern is /**; matched=true
web.FilterChainProxy /index.gsp at position 1 of 8 in additional filter chain; firing                    Filter: 'SecurityContextPersistenceFilter'
context.HttpSessionSecurityContextRepository No HttpSession currently exists
context.HttpSessionSecurityContextRepository No SecurityContext was available from the HttpSession: null. A new one will be created.
web.FilterChainProxy /index.gsp at position 2 of 8 in additional filter chain; firing Filter: 'MutableLogoutFilter'
web.FilterChainProxy /index.gsp at position 3 of 8 in additional filter chain; firing Filter: 'RequestHolderAuthenticationFilter'
web.FilterChainProxy /index.gsp at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
web.FilterChainProxy /index.gsp at position 5 of 8 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
web.FilterChainProxy /index.gsp at position 6 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
authentication.AnonymousAuthenticationFilter Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
web.FilterChainProxy /index.gsp at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
web.FilterChainProxy /index.gsp at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
intercept.FilterSecurityInterceptor Public object - authentication not attempted
web.FilterChainProxy /index.gsp reached end of additional filter chain; proceeding with original chain
access.ExceptionTranslationFilter Chain processed normally
context.HttpSessionSecurityContextRepository SecurityContext is empty or anonymous - context will not be stored in HttpSession. 
context.SecurityContextPersistenceFilter SecurityContextHolder now cleared, as request processing completed

这些实体（特别是“SecurityContext 为空或匿名 - 上下文不会存储在 HttpSession 中”，所有这些都在引导过程中显示），解释为什么我的应用程序无法识别我尝试的用户名/密码在引导期间存储？我做错了什么？

【参考方案1】：

您是否在您引用的博客文章中看到了有关对密码进行双重编码的说明？从 1.2 版开始，用户域类对密码进行编码。如果您在创建用户时（例如在 BootStrap 中）再次执行此操作，那么它们将被双重编码。

【讨论】：

不，我想我错过了那张纸条。你的建议为我解决了问题。谢谢。