java - Spring Boot / Spring Security, login form, password check
I am probably running into an easy problem, but I don't understand it.
I'm not very familiar with Spring Boot; a lot of things happen automatically here. I want to check whether the person who typed a username and password into the form exists in the database [and his account is activated]. The user data is stored in a MySQL database configured in application.properties. I want to check whether a person with the provided username exists in the "users" table, and check that the provided password equals the user's password in the database. Currently I can type any username from the database and the password can be random (which is obvious to me, because I don't do the check anywhere, and it's strange because I feel that everything around it suggests it should work). This sounds simple to me, but I couldn't find any suitable solution on StackOverflow or in tutorials.
My general question is - where and how should I check the password from the login form? Is it done automatically (but somehow not working), or should I write my own custom controller/service/method to do it? If a custom controller is needed, in what direction should I look to solve the problem?
At the moment I don't know where to go. I hope all the remaining code related to my problem is pasted here. Thanks in advance for all tips and comments.
Code:
ApplicationSecurityAdapter class:
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.boot.autoconfigure.security.SecurityProperties;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.core.annotation.Order;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

    @Configuration
    @Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
    public class ApplicationSecurityAdapter extends WebSecurityConfigurerAdapter {
        @Autowired
        private UserService userService;

        @Value("${app.secret}") // remember-me key; this field was missing from the posted class (it was only declared in UserService)
        private String applicationSecret;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                .antMatchers("/user/register").permitAll()
                .antMatchers("/user/activate").permitAll()
                .antMatchers("/user/activation-send").permitAll()
                .antMatchers("/user/reset-password").permitAll()
                .antMatchers("/user/reset-password-change").permitAll()
                .antMatchers("/user/autologin").access("hasRole('ROLE_ADMIN')")
                .antMatchers("/user/delete").access("hasRole('ROLE_ADMIN')")
                .antMatchers("/img/**").permitAll()
                .antMatchers("/images/**").permitAll()
                .antMatchers("/fonts/**").permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin().loginPage("/login").failureUrl("/login?error").permitAll()
                .and()
                .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login").permitAll() // added permitAll()
                .and()
                .rememberMe().key(applicationSecret)
                .tokenValiditySeconds(31536000);
        }

        @Override
        public void configure(AuthenticationManagerBuilder auth) throws Exception {
            // The DaoAuthenticationProvider built here calls encoder.matches(submittedPassword, storedPassword) on login
            auth.userDetailsService(userService).passwordEncoder(new BCryptPasswordEncoder());
        }
    }
UserService class:
    import java.util.List;
    import javax.servlet.http.HttpSession;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.AuthorityUtils;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.stereotype.Service;

    @Service
    public class UserService implements UserDetailsService {
        @Value("${app.user.verification}") // set to YES
        private Boolean requireActivation;
        @Value("${app.secret}") // some random stuff
        private String applicationSecret;
        @Autowired
        private UserRepository repo;
        @Autowired
        private HttpSession httpSession;
        public final String CURRENT_USER_KEY = "CURRENT_USER";

        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            User user = repo.findOneByUserName(username);
            if (user == null) {
                throw new UsernameNotFoundException(username);
            }
            if (requireActivation && !user.getToken().equals("1")) {
                Application.log.error("User [" + username + "] tried to log in, but his account is not activated.");
                throw new UsernameNotFoundException(username + " did not activate his account.");
            }
            httpSession.setAttribute(CURRENT_USER_KEY, user);
            List<GrantedAuthority> auth = AuthorityUtils.commaSeparatedStringToAuthorityList(user.getRole());
            return new org.springframework.security.core.userdetails.User(user.getUserName(), user.getPassword(), auth);
        }
    }
UserController:
    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.stereotype.Controller;
    import org.springframework.web.bind.annotation.RequestMapping;

    @Controller
    // @RequestMapping("/user/*")
    public class UserController {
        private Logger log = LoggerFactory.getLogger(UserController.class);
        @Value("${app.user.verification}") // YES
        private Boolean requireActivation;
        @Value("users/")
        private String userRoot;
        @Autowired
        private UserRepository userRepository;
        @Autowired
        protected AuthenticationManager authenticationManager;
        @Autowired
        private UserService userService;

        @RequestMapping("/login")
        public String login(User user) {
            // Only renders the login page; the POST to /login is consumed by Spring Security's form-login filter, not by this controller
            return "user/login";
        }
    }
Login form:
    <div layout:fragment="content">
        <form class="form-signin" th:action="@{/login}" th:object="${user}" method="post">
            <h2 class="form-signin-heading">LOGIN PANEL</h2>
            <div class="alert alert-danger" th:if="${param.error}">
                Incorrect credentials or account not activated.
            </div>
            <input type="text" id="inputUsername" name="username" class="form-control top" placeholder="username goes here..." required="required" autofocus="autofocus"/>
            <input type="password" id="inputPassword" name="password" class="form-control bottom" placeholder="password goes here..."
                   required="required"/>
            <div class="checkbox">
                <label>
                    <input type="checkbox" name="remember-me"/> Remember me
                </label>
            </div>
            <button class="btn btn-lg btn-primary btn-block" type="submit">Log in</button>
        </form>
    </div>
Solution:
The problem is in your loadUserByUsername:
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = repo.findOneByUserName(username);
        if (user == null) {
            throw new UsernameNotFoundException(username);
        }
        if (requireActivation && !user.getToken().equals("1")) {
            Application.log.error("User [" + username + "] tried to log in, but his account is not activated.");
            throw new UsernameNotFoundException(username + " did not activate his account.");
        }
        httpSession.setAttribute(CURRENT_USER_KEY, user);
        List<GrantedAuthority> auth = AuthorityUtils.commaSeparatedStringToAuthorityList(user.getRole());
        return new org.springframework.security.core.userdetails.User(user.getUserName(), user.getPassword(), auth);
    }
You put the user into the session. Don't do that! Just load the user and return it.
The user is stored in the session automatically and can be looked up as shown in this answer.
I think the reason the password check does not work is that you configured BCryptPasswordEncoder as the password encoder.
Make sure the passwords you store in your users are encoded by this encoder.
Otherwise the password check will fail.
To avoid the custom activation check, have your User class implement UserDetails. If you check the documentation, there are 4 flags you can set that will be checked by Spring Boot:
    boolean isAccountNonExpired()     // Indicates whether the user's account has expired.
    boolean isAccountNonLocked()      // Indicates whether the user is locked or unlocked.
    boolean isCredentialsNonExpired() // Indicates whether the user's credentials (password) have expired.
    boolean isEnabled()               // Indicates whether the user is enabled or disabled.
Your implementation of loadUserByUsername should look like this. It really should only do what the method name suggests: look up the user, and throw a UsernameNotFoundException if no user with the given username is found.
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = repo.findOneByUserName(username);
        if (user == null) {
            throw new UsernameNotFoundException(username);
        }
        return user; // requires User to implement UserDetails
    }
If you don't want User to implement UserDetails (e.g. to keep framework and business logic separate), use this constructor to return a Spring User, in which you can set those flags.
Your implementation could look like this:
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = repo.findOneByUserName(username);
        if (user == null) {
            throw new UsernameNotFoundException(username);
        }
        List<GrantedAuthority> auth = AuthorityUtils.commaSeparatedStringToAuthorityList(user.getRole());
        return new org.springframework.security.core.userdetails.User(
            user.getUserName(),
            user.getPassword(),
            !requireActivation || "1".equals(user.getToken()), // enabled: activated, or activation not required. Use whatever condition you like
            true, // accountNonExpired. Use whatever condition you like
            true, // credentialsNonExpired. Use whatever condition you like
            true, // accountNonLocked. Use whatever condition you like
            auth);
    }
Spring will then check the password, the authorities, the activation status and so on automatically.
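Putting the answer together, here is an added example (my own code, not the asker's or the answerer's) of a UserService that hashes the password at registration with the same PasswordEncoder the authentication manager verifies against, and reports activation through the enabled flag instead of throwing. It assumes a BCryptPasswordEncoder registered as a PasswordEncoder bean and passed to passwordEncoder(...) in the security config, a UserRepository with findOneByUserName/save, and User setters mirroring the getters used above; the UUID activation token is also an assumption.

```java
import java.util.List;
import java.util.UUID;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Service
public class UserService implements UserDetailsService {
    private final UserRepository repo;       // assumed: the asker's repository (findOneByUserName, save)
    private final PasswordEncoder encoder;   // assumed: the BCryptPasswordEncoder bean also given to passwordEncoder(...)
    private final boolean requireActivation;

    public UserService(UserRepository repo, PasswordEncoder encoder,
                       @Value("${app.user.verification}") boolean requireActivation) {
        this.repo = repo;
        this.encoder = encoder;
        this.requireActivation = requireActivation;
    }

    // Registration: persist the BCrypt hash ("$2a$10$..."), never the raw password.
    // At login DaoAuthenticationProvider calls encoder.matches(submitted, stored); a raw
    // password in the column is not a valid BCrypt hash, so matches() is always false.
    public User register(String username, String rawPassword, String role) {
        User u = new User();                 // assumed setters mirror the getters on the page
        u.setUserName(username);
        u.setPassword(encoder.encode(rawPassword));
        u.setRole(role);
        u.setToken(requireActivation ? UUID.randomUUID().toString() : "1"); // "1" means activated, as on the page
        return repo.save(u);
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = repo.findOneByUserName(username);
        if (user == null) {
            throw new UsernameNotFoundException(username);
        }
        // Report activation via the enabled flag; Spring raises DisabledException itself when it is false.
        boolean enabled = !requireActivation || "1".equals(user.getToken());
        List<GrantedAuthority> auth = AuthorityUtils.commaSeparatedStringToAuthorityList(user.getRole());
        return new org.springframework.security.core.userdetails.User(
                user.getUserName(), user.getPassword(), enabled, true, true, true, auth);
    }
}
```

Rows that already hold raw passwords will still fail matches(); they have to be re-hashed, for example on the user's next password reset.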