SpringWebSecurity：错误原因的错误凭证

Question

我有一个非常简单的基于SpringSecurity的身份验证系统，与here发现的https://www.google.com/webmasters/tools/home?hl=en非常相似（稍微复杂一些）。

然而，当我执行登录过程时，SpringSecurity会根据其配置抛出Bad Credentials错误。

查看代码，我无法找到原因，因为在运行时用户名，密码，启用和角色都是根据存储在DB中的内容。因此，我认为它可能来自错误的配置或逻辑问题。

根据日志，唯一可能失败的是：WARNING: Encoded password does not look like BCrypt，但我读到每次认证都是正常的。

有人可以帮我检查配置吗？谢谢！

package com.company.config;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class AppSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    @Qualifier("userDetailsService")
    UserDetailsService userDetailsService;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception{
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}

@Bean
public PasswordEncoder passwordEncoder() {
    PasswordEncoder encoder = new BCryptPasswordEncoder();
    return encoder;
}


@Override
protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests()
            .antMatchers("**/admin/**").access("hasAnyRole('ROLE_ADMIN','ROLE_SUPERADMIN')")
            .antMatchers("/superadmin/**").access("hasRole('ROLE_SUPERADMIN')")
            .antMatchers("**/user/**").access("hasAnyRole('ROLE_USER','ROLE_ADMIN','ROLE_SUPERADMIN')")
            .antMatchers("/resources/**").permitAll()
            .antMatchers("/messages/**").permitAll() 
            .and()
            .formLogin()
                .loginPage("/login")
                .usernameParameter("username")
                .passwordParameter("password")
                .defaultSuccessUrl("/user/home")
                .failureUrl("/403")
                .permitAll()
            .and()
                .exceptionHandling().accessDeniedPage("/403")
            .and()
                .logout().logoutUrl("/logout")
            .and()
                .csrf().disable();
    }
}

package com.company.service.impl;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

import com.company.dao.UsuarioDao;
import com.company.model.UserRole;
import com.company.model.Usuario;

@Service("userDetailsService")
public class MyUserDetailsService implements UserDetailsService{

    @Autowired
    private UsuarioDao usuarioDao;


    @Transactional(readOnly=true)
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException {

        Usuario usuario = usuarioDao.findByChave(username);
        List<GrantedAuthority> authorities = buildUserAuthority(usuario.getUserRole());

        return buildUserForAuthentication(usuario, authorities);

    }

    private User buildUserForAuthentication(Usuario user, 
        List<GrantedAuthority> authorities) {

        User usr= new User(user.getUsername(), user.getPassword(), 
            user.isEnabled(), true, true, true, authorities);

        System.out.println(usr.toString());
/*
* Prints: org.springframework.security.core.userdetails.User@ae6e27ef: 
* Username: SMITH; Password: [PROTECTED]; Enabled: true; 
* AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: 
* true; Not granted any authorities
*/

        return usr;

    }

    private List<GrantedAuthority> buildUserAuthority(Set<UserRole> userRoles){

        Set<GrantedAuthority> setAuths = new HashSet<GrantedAuthority>();

        // Build user's authorities
        for (UserRole userRole : userRoles) {
            setAuths.add(new SimpleGrantedAuthority(userRole.getRole()));
        }

        List<GrantedAuthority> Result = new ArrayList<GrantedAuthority>(setAuths);

        return Result;  
    }

}

Answer 1

经过一番研究，我发现了这个问题。我正在处理第三方提供的已经输入的密码。因此，我将它直接存储在DB中，而SpringSecurity正在使用自己的加密（BCrypt）。因此，SpringSecurity与两个不同的编写字符串相比，产生了问题（在问题中提到的警告消息中给出了一个很好的提示）。

这样，我在AppSecurityConfig中禁用了@Bean PasswordEncoder，因为没有必要保留它（请记住我已经在处理预先输入的密码）。在那之后，事情很好。

有关更多信息，请查看以下问题和答案：

• Spring security/hibernate: Bad credentials even if they're right?
• Authentication in Spring Security whith encoded password
• Spring Security:password encoding in DB and in applicationContext
• How to change password hashing algorithm when using spring security?