I created a Spring Security UserService that checks whether the user who is logging in (from the login page) exists in the database (JDBC).
If the record exists, it redirects to the home page, otherwise to the access denied page.
I tested it and it works well, but when I deleted the record from the database and tried the check again, I found that it still works as if the record were still in the database: logging in with the deleted username and password works!
Can someone tell me why?
Here is my code:
    import java.sql.Connection;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;
    import java.sql.SQLException;

    import javax.inject.Inject;
    import javax.inject.Named;
    import javax.sql.DataSource;

    import org.springframework.security.authentication.AuthenticationProvider;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.stereotype.Component;

    @Component(value = "userService")
    public class UserService implements AuthenticationProvider {

        @Inject
        @Named(value = "dataSource")
        private DataSource dataSource1;

        String name;
        String password;
        int countRow = 0;

        public Authentication authenticate(Authentication auth) throws AuthenticationException {
            ResultSet resultSet = null;
            PreparedStatement preparedStatement = null;
            Connection connection = null;
            name = auth.getName();
            password = auth.getCredentials().toString();
            // The submitted username and password are concatenated straight into the SQL text
            final String select = "select username,password from users where username='" + name + "'and password='" + password + "'";
            try {
                connection = dataSource1.getConnection();
                preparedStatement = connection.prepareStatement(select);
                resultSet = preparedStatement.executeQuery();
                if (resultSet.next()) {
                    countRow++;
                    if (countRow != 0) {
                        return new UsernamePasswordAuthenticationToken(name, null);
                    }
                }
                return null;
            } catch (SQLException e) {
                // catch block was not shown in the original post; added so the try compiles
                e.printStackTrace();
            }
            return new UsernamePasswordAuthenticationToken("", "");
        }

        // required by AuthenticationProvider; not shown in the original post
        public boolean supports(Class<?> authentication) {
            return true;
        }
    }
Answer 0 (score: 0)
Instead of this code
    if (resultSet.next()) {
        countRow++;
        if (countRow != 0) {
            return new UsernamePasswordAuthenticationToken(name, null);
        }
    }
    return null;
use
    String select = "select username,password from users where username=? and password=?"; // to avoid SQL injection
    preparedStatement = connection.prepareStatement(select);
    preparedStatement.setString(1, name);
    preparedStatement.setString(2, password);
    ............
    if (resultSet.next()) // condition is true, means the record exists in the database
    {
        // stuff to redirect to success
    }
    else
    {
        // stuff for access denied
    }
But I don't know Spring. Please check it.
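A complete version of the provider, written here as an added example rather than code from the question or the answer. It keeps the question's `dataSource` bean name and its `users` table with `username` and `password` columns, and assumes (not stated on the page) that the `password` column holds a hash produced by a Spring Security `PasswordEncoder` bean, so the password is compared in Java with `matches()` instead of inside the WHERE clause. The username is bound with a `?` placeholder, which is what stops a submitted value such as `' or '1'='1` from rewriting the query. A missing row or a wrong password throws `BadCredentialsException` instead of returning `null` or an empty token, a database failure throws `AuthenticationServiceException` instead of falling through to either outcome, and the success path uses the three-argument token constructor, which is the one that marks the token as authenticated. The `supports` method, absent from the question's class, is required by the interface.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;

import javax.inject.Inject;
import javax.inject.Named;
import javax.sql.DataSource;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Component;

@Component("userService")
public class JdbcUserAuthenticationProvider implements AuthenticationProvider {

    // Only the username is sent to the database, and only as a bound parameter.
    private static final String SELECT_PASSWORD =
            "select password from users where username = ?";

    private final DataSource dataSource;
    private final PasswordEncoder passwordEncoder;

    // Assumption: a PasswordEncoder bean (e.g. BCryptPasswordEncoder) is configured elsewhere.
    @Inject
    public JdbcUserAuthenticationProvider(@Named("dataSource") DataSource dataSource,
                                          PasswordEncoder passwordEncoder) {
        this.dataSource = dataSource;
        this.passwordEncoder = passwordEncoder;
    }

    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        String username = auth.getName();
        String presented = auth.getCredentials() == null ? "" : auth.getCredentials().toString();

        String storedHash = findStoredHash(username); // null when the row does not exist

        // Unknown user and wrong password fail identically, so the response
        // does not reveal which usernames exist.
        if (storedHash == null || !passwordEncoder.matches(presented, storedHash)) {
            throw new BadCredentialsException("Bad credentials");
        }

        // The three-argument constructor sets authenticated = true; the two-argument
        // constructor used in the question produces an unauthenticated token.
        return new UsernamePasswordAuthenticationToken(
                username, null, AuthorityUtils.createAuthorityList("ROLE_USER"));
    }

    private String findStoredHash(String username) {
        // try-with-resources closes the connection, statement and result set on every path
        try (Connection connection = dataSource.getConnection();
             PreparedStatement statement = connection.prepareStatement(SELECT_PASSWORD)) {
            statement.setString(1, username); // bound by the driver, never spliced into SQL text
            try (ResultSet rs = statement.executeQuery()) {
                return rs.next() ? rs.getString("password") : null;
            }
        } catch (SQLException e) {
            // An infrastructure failure must not be reported as either success or bad credentials.
            throw new AuthenticationServiceException("Could not query users table", e);
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

With this shape the decision is made by the exception or the returned token, not by a redirect inside the provider: Spring Security's filter sends a `BadCredentialsException` to the failure URL and an authenticated token to the success URL, so no row in `users` can ever produce a successful login.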