Spring Security/Hibernate: bad credentials even though they are right?

Time: 2013-02-20 18:48:07

Tags: spring hibernate spring-security hql

Hey, I'm having some trouble with a Spring Security based login.

I keep getting a "Bad credentials" error.

This is my user table:

![user table][1]

This is my dataSource from applicationContext:

```xml
<!-- database driver/location -->
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
    <property name="driverClassName" value="com.mysql.jdbc.Driver" />
    <property name="url" value="jdbc:mysql://localhost:3306/ams" />
    <property name="username" value="root" />
    <property name="password" value="root" />
</bean>
```

And my securityContext:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:security="http://www.springframework.org/schema/security"
    xmlns:tx="http://www.springframework.org/schema/tx"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
              http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
              http://www.springframework.org/schema/security
              http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- <security:http auto-config="true" access-decision-manager-ref="accessDecisionManager"> -->
    <security:http auto-config="true">
        <security:intercept-url pattern="/login/login.do" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/login/doLogin.do" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/lib/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/css/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/images/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_REMEMBERED" />
        <security:form-login login-page="/login/login.do" authentication-failure-url="/login/login.do?login_error=true" default-target-url="/test/showTest.do"/>
        <security:logout logout-success-url="/login/login.do" invalidate-session="true" />
        <security:remember-me key="rememberMe"/>
    </security:http>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:jdbc-user-service data-source-ref="dataSource"
                users-by-username-query="select USERNAME as username, PASSWORD as password, DELETED as deleted from ams.user where USERNAME=?"
                authorities-by-username-query="
                    select distinct user.USERNAME as username, permission.NAME as authority
                    from scu.user, scu.user_role, scu.role, scu.role_permission, scu.permission
                    where user.ID=user_role.USER_ID AND user_role.ROLE_ID=role_permission.ROLE_ID AND role_permission.PERMISSION_ID=permission.ID AND user.USERNAME=?"/>
            <!-- security:password-encoder ref="passwordEncoder" / -->
        </security:authentication-provider>
    </security:authentication-manager>

    <bean id="passwordEncoder"
        class="org.springframework.security.authentication.encoding.ShaPasswordEncoder">
        <constructor-arg value="256" />
    </bean>
</beans>
```

When I try to log in with: admin and init01

it gives me the bad credentials error... =(

Any advice appreciated!!!

2 answers:

Answer 0 (score: 4)

The password-encoder reference in your authentication-provider is commented out. If you are using hashed passwords (as you show), you need a password encoder. Also check this answer, in particular point 2 about writing a test, to make sure the password encoder you use matches the one used for the passwords stored in your database.

You may also want to check this answer on using bcrypt as a more secure alternative to plain SHA hashes.
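The "write a test" advice above boils down to one check: does the value in the `PASSWORD` column equal what the configured encoder produces for the submitted password? The following is an added example (not part of the answer or the original post) that models both provider behaviours seen in the question: with `<security:password-encoder ref="passwordEncoder" />` left commented out, the provider compares the submitted password to the stored column as plain text; with `ShaPasswordEncoder(256)` wired in, it hashes the submitted password first. It assumes, as I understand the encoder, that `ShaPasswordEncoder(256)` with no salt stores the lowercase hex SHA-256 digest of the UTF-8 password; the real column value from the screenshot is not on the page, so the sample rows are constructed.

```python
import hashlib
import hmac

# Outcomes that diagnose() can report for a (stored value, submitted password) pair.
PLAINTEXT_STORED = "stored value is the plaintext password (login works only with the encoder off)"
SHA256_MATCH = "stored value is the unsalted SHA-256 hex digest (login works only with the encoder on)"
MISMATCH = "stored value matches neither the plaintext nor its SHA-256 digest (bad credentials either way)"


def sha256_hex(raw_password: str) -> str:
    """Assumed equivalent of ShaPasswordEncoder(256).encodePassword(raw, null):
    lowercase hex of SHA-256 over the UTF-8 bytes of the raw password, no salt."""
    return hashlib.sha256(raw_password.encode("utf-8")).hexdigest()


def plaintext_provider_accepts(stored: str, raw_password: str) -> bool:
    """Encoder element commented out: the provider compares the submitted
    password to the stored column character for character."""
    return hmac.compare_digest(stored.encode("utf-8"), raw_password.encode("utf-8"))


def sha256_provider_accepts(stored: str, raw_password: str) -> bool:
    """ShaPasswordEncoder(256) wired in: the provider hashes the submitted
    password and compares the hex digest to the stored column."""
    return hmac.compare_digest(stored.strip().lower().encode("ascii", "replace"),
                               sha256_hex(raw_password).encode("ascii"))


def diagnose(stored: str, raw_password: str) -> str:
    """Report which encoder configuration (if any) the stored value was written for."""
    if plaintext_provider_accepts(stored, raw_password):
        return PLAINTEXT_STORED
    if sha256_provider_accepts(stored, raw_password):
        return SHA256_MATCH
    return MISMATCH


if __name__ == "__main__":
    submitted = "init01"  # the password typed into the login form in the question
    # Constructed sample rows: three things the PASSWORD column for "admin" might hold.
    rows = {
        "plaintext": "init01",
        "sha256": sha256_hex("init01"),
        "other": "not-the-right-digest",  # constructed placeholder, deliberately wrong
    }
    for label, stored in rows.items():
        print(f"{label:>9}: encoder off -> {plaintext_provider_accepts(stored, submitted)}, "
              f"SHA-256 encoder -> {sha256_provider_accepts(stored, submitted)}; "
              f"{diagnose(stored, submitted)}")
```

Run it once against the real column value (read it out of `ams.user` rather than retyping it from a screenshot): if `diagnose` reports `SHA256_MATCH`, uncommenting the `password-encoder` line is the whole fix; if it reports `MISMATCH`, the row was written with a different encoder or salt than the one configured, and the stored value needs to be regenerated with the encoder you actually deploy.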

Answer 1 (score: 0)

Your password is being hashed. If you add the password 'init01', it effectively means the hash of the original password is 'init01', because Spring hashes the supplied password and matches it against what you entered. So SHA('init01') is not 'init01'.