Spring Security - UserDetailsS​​ervice 实现 - 登录失败

Posted 2023-02-27

【中文标题】Spring Security - UserDetailsS​​ervice 实现 - 登录失败

【英文标题】：Spring Security - UserDetailsService implementation - Login Fails

【发布时间】：2012-12-25 11:05:08

【问题描述】：

我对 Spring 还很陌生，我遇到了 Spring Security 的问题。 实际上它只有在没有我的自定义 UserDetailsS​​ervice 实现的情况下才有效。

帐户和角色对象

@Entity
@Table(name="ACCOUNT", uniqueConstraints = @UniqueConstraint (columnNames = "USERNAME"),      @UniqueConstraint (columnNames = "EMAIL"))
public class Account implements Serializable 
private static final long serialVersionUID = 2872791921224905344L;

@Id
@GeneratedValue(strategy = GenerationType.AUTO)
@Column(name="ID")
private Integer id;

@Column(name="USERNAME")
@NotNull
private String username;

@Column(name="PASSWORD")
@NotNull
private String password;

@Column(name="EMAIL")
@NotNull
@Email
private String email;

@Column(name="ENABLED")
private boolean enabled;

@ManyToMany(cascade= CascadeType.ALL)
@JoinTable(name="ACCOUNT_ROLE", joinColumns = @JoinColumn (name="ID_ACCOUNT"), inverseJoinColumns = @JoinColumn (name="ID_ROLE"))
private Set<Role> roles = new HashSet<Role>(0);

角色

@Entity
@Table(name="ROLE", uniqueConstraints=@UniqueConstraint (columnNames="NAME"))
public class Role implements Serializable

private static final long serialVersionUID = -9162292216387180496L;

@Id
@GeneratedValue(strategy = GenerationType.AUTO)
private Integer id;

@Column(name = "NAME")
@NotNull
private String name;

@ManyToMany(mappedBy = "roles")
private Set<Account> accounts = new HashSet<Account>(0);

UserDetails 的适配器

@SuppressWarnings( "serial", "deprecation" )
public class UserDetailsAdapter implements UserDetails 

private Account account;

public UserDetailsAdapter(Account account) this.account = account;

public Account getAccount() return account;

public Integer getId()return account.getId();

public String getEmail () return account.getEmail();

@Override
public Collection<? extends GrantedAuthority> getAuthorities() 
    Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>();
    for (Role r :account.getRoles()) 
        authorities.add(new GrantedAuthorityImpl(r.getName()));
    
    return authorities;

自定义 UserDetailsS​​ervice

@Service("customUserDetailsService")
public class CustomUserDetailsService implements UserDetailsService 
@Inject AccountDao accountDao;
@Inject RoleDao roleDao;


@Override
public UserDetails loadUserByUsername(String username)
        throws UsernameNotFoundException 
    Account account= accountDao.findByUsername(username);



    if(account==null) throw new UsernameNotFoundException("No such user: " + username);
     else if (account.getRoles().isEmpty()) 
        throw new UsernameNotFoundException("User " + username + " has no authorities");
                
    UserDetailsAdapter user = new UserDetailsAdapter(account);
    return user;
    

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee  http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

<filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/spring/root-context.xml
                    /WEB-INF/spring/appServlet/security-  context.xml</param-value>
</context-param>

<!-- Creates the Spring Container shared by all Servlets and Filters -->
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<!-- Creates the Filters to handle hibernate lazyload exception -->

<filter>
    <filter-name>OpenSessionInViewFilter</filter-name>
    <filter-class>org.springframework.orm.hibernate3.support.OpenSessionInViewFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>OpenSessionInViewFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>


<!-- Processes application requests -->
<servlet>
    <servlet-name>appServlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/spring/appServlet/servlet-context.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>appServlet</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

</web-app>

根上下文

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:mvc="http://www.springframework.org/schema/mvc"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:context="http://www.springframework.org/schema/context"
xsi:schemaLocation="http://www.springframework.org/schema/mvc  http://www.springframework.org/schema/mvc/spring-mvc-3.1.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">

<!-- Root Context: defines shared resources visible to all other web components -->
<context:property-placeholder properties-ref="deployProperties"/> 
<!-- Remember to correctly locate the right file for properties configuration(example DB connection parameters) -->
<bean id="deployProperties" class="org.springframework.beans.factory.config.PropertiesFactoryBean"
    p:location="/WEB-INF/spring/appServlet/spring.properties" />

    <context:annotation-config/>
    <context:component-scan base-package="org.treci">
    <context:exclude-filter type="annotation" expression="org.springframework.stereotype.Controller"/>
    </context:component-scan>

    <import resource="/appServlet/data-context.xml"/>

安全上下文

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
    http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
    http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.1.xsd
    http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">

<http pattern="/resources" security="none" />


<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/" access="permitAll"/>
    <intercept-url pattern="/login" access="permitAll"/>
    <intercept-url pattern="/login-success" access="hasRole('ROLE_ADMIN')"/>

    <form-login login-page="/login" 
    default-target-url="/login-success"
    authentication-failure-url="/login-failed"/>
    <logout logout-success-url="/logout"/>
</http>

<beans:bean id="customUserDetailsService" class="org.treci.app.service.CustomUserDetailsService"></beans:bean>


<authentication-manager>
    <authentication-provider user-service-ref="customUserDetailsService">
    </authentication-provider>
</authentication-manager>

</beans:beans>

希望你们中的一些人能帮忙，救救我:)

【问题讨论】：

你有日志吗？当我的 UserDetailsS​​ervice 不是 @Transactional 时，我遇到了类似的问题。

它到底是怎么不工作的？

在提供用户名和密码后，它总是让我进入 authentication-failure-url="/login-failed"/ 对数据库的数据访问正在工作，因为我正在网页上打印DAO 的工作

@madhead - 所以你认为我应该用 "@Transactional" 注释服务；我要试试；对于这个解决方案，我认为我应该将 也放在安全上下文中。这是正确的吗？

@madhead 我用“@Transactional”测试过，但它总是让我进入 authentication-failure-url="/login-failed" 。

【参考方案1】：

这是我解决问题的方法：

如您所见，在 CustomDetailsS​​ervice 中，我使用适配器返回了一个 UserDetails 对象。

看了一些教程，我意识到我应该返回一个 org.springframework.security.core.userdetails.User 对象。

这是我的新 CustomDetailsS​​ervice 实现：

@Transactional(readOnly=true)
@Service("customUserDetailsService")
public class CustomUserDetailsService implements UserDetailsService 
@Inject AccountDao accountDao;

@Override
public UserDetails loadUserByUsername(String username)
        throws UsernameNotFoundException 
    Account account= accountDao.findByUsername(username);

    if(account==null) throw new UsernameNotFoundException("No such user: " + username);
     else if (account.getRoles().isEmpty()) 
        throw new UsernameNotFoundException("User " + username + " has no authorities");
                

    boolean accountNonExpired = true;
    boolean credentialsNonExpired = true;
    boolean accountNonLocked = true;

    return new User(
            account.getUsername(),
            account.getPassword().toLowerCase(),
            account.isEnabled(),
            accountNonExpired,
            credentialsNonExpired,
            accountNonLocked,
            getAuthorities(account.getRoles()));
    

public List<String> getRolesAsList(Set<Role> roles) 
    List <String> rolesAsList = new ArrayList<String>();
    for(Role role : roles)
        rolesAsList.add(role.getName());
    
    return rolesAsList;


public static List<GrantedAuthority> getGrantedAuthorities(List<String> roles) 
    List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
    for (String role : roles) 
        authorities.add(new SimpleGrantedAuthority(role));
    
    return authorities;


public Collection<? extends GrantedAuthority> getAuthorities(Set<Role> roles) 
    List<GrantedAuthority> authList = getGrantedAuthorities(getRolesAsList(roles));
    return authList;

【讨论】：

如果您使用 LDAP 进行身份验证，一个用于角色授权的数据库，并且不想将密码传递给 UserDetailsS​​ervice，您可以传递一个字符串（即“LDAP”）。它不会接受空值。

那么你没有使用你的 UserDetailsAdapter 类吗？