Custom DaoAuthenticationProvider does not check the password

Time: 2015-07-07 09:52:20

Tags: java spring spring-security

I am implementing Spring Security in a Java EE application (Spring / Struts / Hibernate). I have some confusion with my custom DaoAuthenticationProvider.

@Override
public void configure(AuthenticationManagerBuilder pAuth) throws Exception {
    pAuth.authenticationProvider(mAuthenticationProvider)
            .userDetailsService(mUserDetailsService)
            .passwordEncoder(new Md5PasswordEncoder());
}

This is in my SecurityConfig class (which extends WebSecurityConfigurerAdapter). When I debug the application, I can see that the password encoder is not set in my custom DaoAuthenticationProvider (PlainTextPasswordEncoder instead of Md5). Why?

After that, I tried to set this value manually in the constructor:

public LimitLoginAuthenticationProvider() {
    setPasswordEncoder(new Md5PasswordEncoder());
    setUserDetailsService(mUserDetailsService);
}

When I debug it, I see the correct values.

But in both cases, if I do this:

@Override
public Authentication authenticate(Authentication pAuthentication) {
    Authentication lAuth = super.authenticate(pAuthentication);
    return lAuth;
}

The property of lAuth that indicates whether the user is authenticated is true, whatever the password is... Does anyone have an answer?

Edit: LimitLoginAuthenticationProvider implementation

@Component("authenticationProvider")
public class LimitLoginAuthenticationProvider extends DaoAuthenticationProvider {
    @Autowired
    private IUserDao mUserDao;

    @Autowired
    @Qualifier("userDetailsService")
    UserDetailsService mUserDetailsService;

    public LimitLoginAuthenticationProvider() {
        setPasswordEncoder(new Md5PasswordEncoder());
    }

    @Autowired
    @Qualifier("userDetailsService")
    @Override
    public void setUserDetailsService(UserDetailsService userDetailsService) {
        super.setUserDetailsService(userDetailsService);
    }

    @Override
    public Authentication authenticate(Authentication pAuthentication) {
        Authentication lAuth = super.authenticate(pAuthentication);
        return lAuth;
    }

    @Override
    @Transactional(readOnly = true)
    protected void additionalAuthenticationChecks(UserDetails pUserDetails,
            UsernamePasswordAuthenticationToken pAuthentication)
            throws AuthenticationException {
        try {
            User lUser = mUserDao.findUserByLogin(pAuthentication.getName());
            if (lUser.getStatus() >= 3) {
                logger.debug("User account is locked");
                throw new LockedException(messages.getMessage(
                        "AbstractUserDetailsAuthenticationProvider.locked",
                        "User account is locked"));
            }
        } catch (DaoException e) {
        }
    }
}

1 answer:

Answer 0: (score: 0)

OK, I think I missed the purpose of . I think I have to check the password myself:

DaoAuthenticationProvider

(Am I wrong?)
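
An added example (not part of the original question or answer): in DaoAuthenticationProvider the password comparison is done inside additionalAuthenticationChecks, so the override in the question, which never calls super, replaces that comparison with the lock check alone. This version calls super first and fails closed on a DAO error; IUserDao, User and DaoException are the asker's own types, and throwing AuthenticationServiceException is an assumption about the desired behaviour.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.stereotype.Component;

// IUserDao, User and DaoException are the asker's own types; import them from the application.
@Component("authenticationProvider")
public class LimitLoginAuthenticationProvider extends DaoAuthenticationProvider {
    @Autowired
    private IUserDao mUserDao;

    public LimitLoginAuthenticationProvider() {
        setPasswordEncoder(new Md5PasswordEncoder()); // encoder as in the question
    }

    @Autowired
    @Qualifier("userDetailsService")
    @Override
    public void setUserDetailsService(UserDetailsService userDetailsService) {
        super.setUserDetailsService(userDetailsService);
    }

    @Override
    protected void additionalAuthenticationChecks(UserDetails pUserDetails,
            UsernamePasswordAuthenticationToken pAuthentication)
            throws AuthenticationException {
        // The parent compares the submitted password with the stored hash here
        // and throws BadCredentialsException on a mismatch.
        super.additionalAuthenticationChecks(pUserDetails, pAuthentication);
        try {
            User lUser = mUserDao.findUserByLogin(pAuthentication.getName());
            if (lUser.getStatus() >= 3) {
                throw new LockedException(messages.getMessage(
                        "AbstractUserDetailsAuthenticationProvider.locked",
                        "User account is locked"));
            }
        } catch (DaoException e) {
            // Fail closed: a lookup error must not let the login through.
            throw new AuthenticationServiceException("User lookup failed", e);
        }
    }
}
```

In configure(), registering only pAuth.authenticationProvider(mAuthenticationProvider) is enough: the chained userDetailsService(...).passwordEncoder(...) call configures a second DaoAuthenticationProvider created by the builder, not the custom one, which is why the custom provider still showed PlainTextPasswordEncoder.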