
java - Spring-Security: MySQL JDBC authentication fails

Reposted. Author: 行者123. Updated: 2023-12-02 11:02:03

I am working on an open-source project in this repo. The file bank.sql is the schema of the database in MySQL. Here is the pom.xml:

 <dependencies>

<!-- https://mvnrepository.com/artifact/org.apache.tomcat/juli -->
<dependency>
<groupId>org.apache.tomcat</groupId>
<artifactId>juli</artifactId>
<version>6.0.26</version>
</dependency>

<dependency>
<groupId>javax.servlet</groupId>
<artifactId>jsp-api</artifactId>
<version>2.0</version>
<scope>provided</scope>
</dependency>


<dependency>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
<version>2.5</version>
<scope>provided</scope>
</dependency>

<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.11</version>
<scope>test</scope>
</dependency>

<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
<version>3.2.3.RELEASE</version>
</dependency>

<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>3.2.3.RELEASE</version>
</dependency>

<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-webmvc</artifactId>
<version>3.2.3.RELEASE</version>
</dependency>

<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-core</artifactId>
<version>3.2.3.RELEASE</version>
</dependency>

<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-config</artifactId>
<version>3.2.3.RELEASE</version>
</dependency>

<dependency>
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-web</artifactId>
<version>3.2.3.RELEASE</version>
</dependency>

<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
<version>3.2.3.RELEASE</version>
</dependency>

<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>5.1.6</version>
</dependency>

<dependency>
<groupId>jstl</groupId>
<artifactId>jstl</artifactId>
<version>1.2</version>
</dependency>

<dependency>
<groupId>opensymphony</groupId>
<artifactId>sitemesh</artifactId>
<version>2.4.2</version>
</dependency>
</dependencies>

I have a login form, as follows:

    <form name="loginForm" class="form-login"
action="<c:url value="/j_spring_security_check" />" method="POST">
<h2>Please sign in</h2>

<c:if test="${not empty error}">
<div class="alert alert-danger">${error}</div>
</c:if>
<c:if test="${not empty msg}">
<div class="alert alert-info">${msg}</div>
</c:if>

<input type="text" class="form-control" placeholder="Username" name="username">
<input type="password" class="form-control" placeholder="Password" name="password" />
<button type="submit" class="btn btn-lg btn-primary btn-block" name="submit">Login</button>
<input type="hidden" name="${_csrf.parameterName}"
value="${_csrf.token}" />

</form>

The file Spring-Security.xml is as follows:

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">

<http auto-config="true" use-expressions="true">
<intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />
<intercept-url pattern="/user**" access="hasAnyRole('ROLE_USER', 'ROLE_ADMIN')" />
<intercept-url pattern="/change**" access="hasRole('ROLE_NEWUSER')" />

<access-denied-handler error-page="/403" />

<form-login
login-page="/login"
authentication-success-handler-ref="bankCustomAuthenticationSuccessHandler"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/login?logout" />
<!-- enable csrf protection -->
<csrf/>
</http>

<beans:bean id="bankCustomAuthenticationSuccessHandler"
class="ee.mikkelsaar.bank.security.MyUrlAuthenticationSuccessHandler" />

<authentication-manager>
<authentication-provider>
<password-encoder hash="sha" />
<jdbc-user-service data-source-ref="dataSource" users-by-username-query="select username,password, enabled from users where username=?" authorities-by-username-query="select u.username, a.authority from users u, authorities a where u.username = a.username and u.username =?" />
</authentication-provider>
</authentication-manager>

<beans:import resource="spring-datasource.xml" />

<beans:bean id="passwordEncoder" class="org.springframework.security.authentication.encoding.MessageDigestPasswordEncoder">
<beans:constructor-arg value="sha" />
</beans:bean>


</beans:beans>

And there is a bean that obtains the data source and supplies it to the authentication-manager, like this:

<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">

<bean id="dataSource"
class="org.springframework.jdbc.datasource.DriverManagerDataSource">

<property name="driverClassName" value="com.mysql.jdbc.Driver" />
<property name="url" value="jdbc:mysql://localhost:3306/bank" />
<property name="username" value="root" />
<property name="password" value="" />
</bean>

</beans>

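I am sure the MySQL server is running fine on port 3306.

The correct credentials are username: Tom, password: Tom, but every time I try to log in with them it fails. I would like to know what is wrong with my authentication process?

How can I fix it?

I thought maybe the dataSource bean is not created correctly, but I don't know how to check that?

Update:

When I add <http security="none" pattern="/login"/> to my Spring-Security.xml, it gives me

HTTP Status 405 - Request method 'POST' not supported for (username, password) `(Tom, tom)`, which is not a valid credential. But for a valid credential like `(Tom,Tom)` it still navigates to the login page again.

But it does happen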

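Best answer

First, in versions before Spring Security 4, the default parameter names are j_username and j_password (as in the post you mentioned), not username/password.

In Spring Security 4, the default names are username and password, but the default URL that UsernamePasswordAuthenticationFilter is bound to is /login rather than /j_spring_security_check.

So, in every Spring Security version, your combination of URL and parameter names does not match the defaults.

Here is an example of how to configure username/password authentication against a database: http://www.mkyong.com/spring-security/spring-security-form-login-using-database/ (for Spring Security 3.x)

Another example (shorter and simpler), for Spring Security 4: https://spring.io/guides/gs/securing-web/

How the parameters are passed

Basically, if you have form-based authentication, it works as follows:

  1. The user tries to access some URL that requires authentication; the user is not authenticated
  2. Spring Security redirects the user to the login page
  3. The user enters a login name and password on that page and submits it; in the default configuration of versions before Spring Security 4, the username is submitted as j_username and the password as j_password to /j_spring_security_check
  4. The UsernamePasswordAuthenticationFilter provided by Spring Security handles submissions to the /j_spring_security_check URL. Once it receives the request (from the login form), it extracts the parameters (username/password), packs them into a UsernamePasswordAuthenticationToken and hands it to the AuthenticationManager for authentication.
  5. The AuthenticationManager checks access (for example, JDBC can be used to check the database)
  6. If authentication succeeds (the user exists and the supplied name and password match), the resulting Authentication (which contains information about roles) is constructed and saved, and the AuthenticationSuccessHandler is called; it receives the authentication result
  7. After successful authentication, the user is redirected back to the URL he tried to access in step 1, and only then is the business-logic controller executed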
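
A runnable model of steps 3 to 6 above, using the values from the question's form and Spring-Security.xml (added here as an example; it is not code from the question, the answer or Spring Security). The class FormLoginTrace, its methods and the two users tables are hypothetical, and it assumes the unsalted `<password-encoder hash="sha" />` compares the stored column with the lowercase hex SHA-1 of the submitted password.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

// Added illustration: models steps 3-6 of the form-login flow with JDK classes only.
// Not Spring Security code; all names here are hypothetical. Paths are context-relative.
public class FormLoginTrace {
    // Lowercase hex SHA-1 of the raw password (assumed stored format for hash="sha", no salt).
    static String shaHex(String raw) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-1").digest(raw.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Returns the stage at which a login POST stops, or "AUTHENTICATED".
    static String trace(String postUrl, Map<String, String> form, String processingUrl,
                        String userParam, String passParam, Map<String, String> users) throws Exception {
        if (!postUrl.equals(processingUrl)) return "NOT_HANDLED: filter listens on " + processingUrl;
        String user = form.get(userParam), pass = form.get(passParam);
        if (user == null || pass == null) return "BAD_CREDENTIALS: no " + userParam + "/" + passParam + " in POST";
        String stored = users.get(user);          // stands in for users-by-username-query
        if (stored == null) return "BAD_CREDENTIALS: no such user";
        boolean ok = MessageDigest.isEqual(stored.getBytes(StandardCharsets.UTF_8),
                                           shaHex(pass).getBytes(StandardCharsets.UTF_8));
        return ok ? "AUTHENTICATED" : "BAD_CREDENTIALS: stored value is not the SHA hex of the password";
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> form = new HashMap<>();    // field names as in the question's JSP
        form.put("username", "Tom");
        form.put("password", "Tom");
        Map<String, String> hashed = new HashMap<>();  // constructed users table, hashed column
        hashed.put("Tom", shaHex("Tom"));
        Map<String, String> plain = new HashMap<>();   // constructed users table, plain-text column
        plain.put("Tom", "Tom");
        String url = "/j_spring_security_check";       // form action in the question
        // Question's configuration: 3.x processing URL, username/password parameters.
        System.out.println(trace(url, form, url, "username", "password", hashed));
        // Same form against the pre-4 default parameter names.
        System.out.println(trace(url, form, url, "j_username", "j_password", hashed));
        // Same form against the Spring Security 4 default processing URL.
        System.out.println(trace(url, form, "/login", "username", "password", hashed));
        // URL and parameters agree, but the password column holds plain text.
        System.out.println(trace(url, form, url, "username", "password", plain));
    }
}
```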

Regarding java - Spring-Security: MySQL JDBC authentication fails, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/44882667/
