用户名和密码未与Spring中的身份验证映射

Question

我正在使用Spring 4.3.1.RELEASE版本，它是自定义身份验证登录应用程序。但我面临问题

首先看看代码

CustomAuthenticationProvider.java

@Component
@Qualifier(value = "customAuthenticationProvider")
public class CustomAuthenticationProvider implements AuthenticationProvider{


public Authentication authenticate(Authentication authentication) throws     AuthenticationException {
    String username = authentication.getName();
    String password = (String) authentication.getCredentials();
    User user = new User();
    user.setUsername(username);
    user.setPassword(password);


    Role r = new Role();
    r.setName("ROLE_ADMIN");
    List<Role> roles = new ArrayList<Role>();
    roles.add(r);


    Collection<? extends GrantedAuthority> authorities = roles;
    return new UsernamePasswordAuthenticationToken(user, password, authorities);
}

public boolean supports(Class<?> arg0) {
    return true;
}

}

SecurityConfiguration.java

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

@Autowired
private CustomAuthenticationProvider customAuthenticationProvider;

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.authenticationProvider(customAuthenticationProvider);
}

//.csrf() is optional, enabled by default, if using     WebSecurityConfigurerAdapter constructor
@Override
protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests()
            .antMatchers("/admin/**").access("hasRole('ROLE_USER')")
            .and()
            .formLogin()
            .loginPage("/login").failureUrl("/login?error")
            .usernameParameter("username").passwordParameter("password")
            .and()
            .logout().logoutSuccessUrl("/login?logout")
            .and()
            .csrf();
}
}

的login.jsp 这是我的登录页面

  <form name="loginForm" novalidate ng-submit="ctrl.login(user)">
        <div class="form-group" ng-class="{'has-error': loginForm.username.$invalid}">
            <input class="form-control" name="username" id="username"  type="text"
                   placeholder="Username" required ng-model="user.username" />
            <span class="help-block"
                  ng-show="loginForm.username.$error.required">Required</span>
        </div>
        <div class="form-group" ng-class="{'has-error': loginForm.password.$invalid}">
            <input class="form-control" name="password" id="password" type="password"
                   placeholder="Password" required ng-model="user.password" />
            <span class="help-block"
                  ng-show="loginForm.password.$error.required">Required</span>
        </div>
        <div class="form-group">
            <button type="submit" class="btn btn-primary pull-right"
                    value="Login" title="Login" ng-disabled="!loginForm.$valid">
                <span>Login</span>
            </button>
        </div>
    </form>

在CustomAuhtenticationProvider类中的authenticate（）

1. authentication.getCredentials（）;
2. authentication.getName（）;

两者都给出空字符串，但我需要用户名和密码。



这是我的AngularJS服务

Service.js

  function loginUser(user) {
    var config = {
        headers: {
            'csrf_token': csrfToken
        }
    }


    var deferred = $q.defer();
    $http.post("/login", user,config)
        .then(
            function (response) {
                deferred.resolve(response.data);
            },
            function(errResponse){
                console.error('Error while creating User');
                deferred.reject(errResponse);
            }
        );
    return deferred.promise;
}

Answer 1

您正在将身份验证凭据作为JSON发送，并且您正在使用尝试从HttpServletRequest参数检索身份验证凭据的默认UsernamePasswordAuthenticationFilter。

它们将始终为null。您必须构建自己的自定义过滤器，该过滤器从请求正文中收到的json而不是http params中获取身份验证凭据。

查看this

编辑：事实是您没有获得从Angular控制器发送的登录凭据。原因可能是，如果您在请求正文中将它们作为json发送，则不能依赖于默认的UsernamePasswordAuthenticationFilter，因为它尝试构建读取HttpServletRequest参数的Authentication对象。

public class UsernamePasswordAuthenticationFilter extends         AbstractAuthenticationProcessingFilter {

public Authentication attemptAuthentication(HttpServletRequest request,
            HttpServletResponse response) throws AuthenticationException {
        if (postOnly && !request.getMethod().equals("POST")) {
            throw new AuthenticationServiceException(
                    "Authentication method not supported: " + request.getMethod());
        }

        String username = obtainUsername(request);
        String password = obtainPassword(request);
        ...
}

/**
     * Enables subclasses to override the composition of the password, such as by
     * including additional values and a separator.
     * <p>
     * This might be used for example if a postcode/zipcode was required in addition to
     * the password. A delimiter such as a pipe (|) should be used to separate the
     * password and extended value(s). The <code>AuthenticationDao</code> will need to
     * generate the expected password in a corresponding manner.
     * </p>
     *
     * @param request so that request attributes can be retrieved
     *
     * @return the password that will be presented in the <code>Authentication</code>
     * request token to the <code>AuthenticationManager</code>
     */
    protected String obtainPassword(HttpServletRequest request) {
        return request.getParameter(passwordParameter);
    }

    /**
     * Enables subclasses to override the composition of the username, such as by
     * including additional values and a separator.
     *
     * @param request so that request attributes can be retrieved
     *
     * @return the username that will be presented in the <code>Authentication</code>
     * request token to the <code>AuthenticationManager</code>
     */
    protected String obtainUsername(HttpServletRequest request) {
        return request.getParameter(usernameParameter);
    }

您应该扩展此过滤器，覆盖attemptAuthentication（）方法，以避免在恢复此凭据时调用obtainUsername和obtainPassword。相反，编写一个自定义方法，您将在其中读取ServletRequest's InputStream并使用您以前使用的json库解析对象。我通常使用jackson this way