原因:未找到org.springframework.security.authentication.UsernamePasswordAuthenticationToken的AuthenticationProvider

时间:2016-12-26 11:36:16

标签: spring tomcat authentication spring-security

我已配置spring security命名空间以使用我的自定义身份验证管理器进行身份验证:

的web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">

  <display-name>Application</display-name>

   <welcome-file-list>
        <welcome-file>index.html</welcome-file>
   </welcome-file-list>

   <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/spring-security.xml
        </param-value>
    </context-param>

   <servlet>
        <servlet-name>app</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextClass</param-name>
            <param-value>
                org.springframework.web.context.support.AnnotationConfigWebApplicationContext
            </param-value>
        </init-param>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>
               com.me.web.controllers.controller
            </param-value>
        </init-param> 
   </servlet>

    <listener>
        <listener-class>
            com.me.web.controllers.listener
        </listener-class>
    </listener>

    <servlet-mapping>
        <servlet-name>app</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>



    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <login-config>
    <auth-method>BASIC</auth-method>
    </login-config>

</web-app>

弹簧security.xml文件

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
     xmlns:context="http://www.springframework.org/schema/context"
     xmlns:security="http://www.springframework.org/schema/security"
     xmlns:mvc="http://www.springframework.org/schema/mvc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:p="http://www.springframework.org/schema/p"
     xsi:schemaLocation="
            http://www.springframework.org/schema/beans    
            http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
            http://www.springframework.org/schema/context
            http://www.springframework.org/schema/context/spring-context-4.0.xsd
            http://www.springframework.org/schema/security
            http://www.springframework.org/schema/security/spring-security-4.0.xsd
            http://www.springframework.org/schema/mvc
            http://www.springframework.org/schema/mvc/spring-mvc-4.0.xsd">

    <context:component-scan base-package="com.me.web.controllers"/>
    <bean class="org.springframework.web.servlet.view.InternalResourceViewResolver">
        <property name="prefix" value="/WEB-INF/" />
        <property name="suffix" value=".jsp" />
    </bean>

    <bean id="myProvider" class="com.me.web.controllers.CustomAuthenticationProvider"> </bean>

    <security:http auto-config="true">
        <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
    </security:http>

    <security:authentication-manager erase-credentials="false" alias="authenticationManager">
        <security:authentication-provider ref='myProvider'/>
    </security:authentication-manager>

    <mvc:annotation-driven />
</beans>

CustomAuthenticationProvider.java

package com.me.web.controllers;

import java.util.jar.JarEntry;
import java.util.jar.JarFile;

import java.io.InputStream;
import java.util.Hashtable;
import java.util.ArrayList;
import java.util.Arrays;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String name = authentication.getPrincipal().toString();
        String password = authentication.getCredentials().toString();

        System.out.println("Username: " + name + ", password: " + password + "\n");

        if (name.equals("user") && password.equals("pass")) {
            return new UsernamePasswordAuthenticationToken(name, password, new ArrayList<GrantedAuthority>(Arrays.asList(new SimpleGrantedAuthority("ROLE_USER"))));
        } else {
            return null;
        }
    }

    @Override
    public boolean supports(Class<?> authentication) {
        System.out.println("supports method called\n");
        return (UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication));
    }
}

日志文件

INFO: Loading XML bean definitions from ServletContext resource [/WEB-INF/omdwebapp-servlet.xml]
дек 27, 2016 11:28:50 AM org.springframework.security.core.SpringSecurityCoreVersion performVersionChecks
INFO: You are running with Spring Security Core 4.0.4.RELEASE
дек 27, 2016 11:28:50 AM org.springframework.security.core.SpringSecurityCoreVersion performVersionChecks
WARNING: **** You are advised to use Spring 4.2.5.RELEASE or later with this version. You are running: 4.1.5.RELEASE
дек 27, 2016 11:28:50 AM org.springframework.security.config.SecurityNamespaceHandler <init>
INFO: Spring Security 'config' module version is 4.0.4.RELEASE
дек 27, 2016 11:28:50 AM org.springframework.security.config.http.FilterInvocationSecurityMetadataSourceParser parseInterceptUrlsForFilterInvocationRequestMap
INFO: Creating access control expression attribute 'hasRole('ROLE_USER')' for /**
дек 27, 2016 11:28:50 AM org.springframework.security.config.http.AuthenticationConfigBuilder createLoginPageFilterIfNeeded
INFO: No login page configured. The default internal one will be used. Use the 'login-page' attribute to set the URL of the login page.
дек 27, 2016 11:28:50 AM org.springframework.security.config.http.HttpSecurityBeanDefinitionParser checkFilterChainOrder
INFO: Checking sorted filter chain: [Root bean: class [org.springframework.security.web.context.SecurityContextPersistenceFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 200, Root bean: class [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 400, Root bean: class [org.springframework.security.web.header.HeaderWriterFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 500, Root bean: class [org.springframework.security.web.csrf.CsrfFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 600, Root bean: class [org.springframework.security.web.authentication.logout.LogoutFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 700, <org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter#0>, order = 1100, Root bean: class [org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1300, Root bean: class [org.springframework.security.web.authentication.www.BasicAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1500, Root bean: class [org.springframework.security.web.savedrequest.RequestCacheAwareFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1600, Root bean: class [org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 1700, Root bean: class [org.springframework.security.web.authentication.AnonymousAuthenticationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 2000, Root bean: class [org.springframework.security.web.session.SessionManagementFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 2100, Root bean: class [org.springframework.security.web.access.ExceptionTranslationFilter]; scope=; abstract=false; lazyInit=false; autowireMode=0; dependencyCheck=0; autowireCandidate=true; primary=false; factoryBeanName=null; factoryMethodName=null; initMethodName=null; destroyMethodName=null, order = 2200, <org.springframework.security.web.access.intercept.FilterSecurityInterceptor#0>, order = 2300]
дек 27, 2016 11:28:51 AM org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor <init>
INFO: JSR-330 'javax.inject.Inject' annotation found and supported for autowiring
дек 27, 2016 11:28:51 AM org.springframework.security.web.DefaultSecurityFilterChain <init>
INFO: Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.SecurityContextPersistenceFilter@5ebfb059, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@7ad2d3a7, org.springframework.security.web.header.HeaderWriterFilter@2745b7f0, org.springframework.security.web.csrf.CsrfFilter@522f01b4, org.springframework.security.web.authentication.logout.LogoutFilter@c18fa93, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@3beacf19, org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter@34c2910a, org.springframework.security.web.authentication.www.BasicAuthenticationFilter@51c04295, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@25536e21, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@8634bac, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@2efd0d81, org.springframework.security.web.session.SessionManagementFilter@6781a840, org.springframework.security.web.access.ExceptionTranslationFilter@714d36d6, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@44b55b7]
дек 27, 2016 11:28:51 AM org.springframework.security.config.http.DefaultFilterChainValidator checkLoginPageIsntProtected
INFO: Checking whether login URL '/login' is accessible with your configuration
дек 27, 2016 11:28:51 AM org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping registerHandlerMethod
INFO: Mapped "{[/rest],methods=[POST],params=[],headers=[],consumes=[],produces=[application/json],custom=[]}" onto public static void com.omd.web.controllers.OmdRestController.processPostRequest(javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse) throws javax.servlet.ServletException
дек 27, 2016 11:28:51 AM org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping registerHandlerMethod
INFO: Mapped "{[/rest],methods=[GET],params=[],headers=[],consumes=[],produces=[application/json],custom=[]}" onto public static void com.omd.web.controllers.OmdRestController.processGetRequest(java.lang.String,javax.servlet.http.HttpServletRequest,javax.servlet.http.HttpServletResponse) throws javax.servlet.ServletException
дек 27, 2016 11:28:51 AM org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter initControllerAdviceCache

但是当我向服务器发送请求(apache-tomcat)时,spring无限循环请求登录和密码,无论登录名是什么:密码我输入。 我在做什么?如果不清楚,我该如何调试呢?

尝试登录时出现以下错误消息:

Your login attempt was not successful, try again.

Reason: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken

我没有找到我在课堂上添加的日志,所以我认为authenticate函数不会被调用。

2 个答案:

答案 0 :(得分:1)

<security:intercept-url pattern="/**" access="hasRole('ROLE_USER')" />

但您的authenticate方法中没有返回任何角色。

如果您想进行基本身份验证,则应首先发送请求。

Authorization -- Basic base64Encode(username:password)

到服务器,在authenticate方法中,您应该返回

return new UsernamePasswordAuthenticationToken(name, password, new ArrayList<GrantedAuthority>(Arrays.asList(new SimpleGrantedAuthority("ROLE_USER"))));

顺便说一句:如果你设置auto-config = true,它会自动添加以下配置。

<form-login />
<http-basic />
<logout />

我认为你只想设置所有应该进行身份验证的请求。所以你只需要将配置更改为

<security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY" />

然后您无需更改authenticate方法即可返回角色。

修改

authentication.equals(UsernamePasswordAuthenticationToken.class);

这将返回false,将其更改为

(UsernamePasswordAuthenticationToken.class
                .isAssignableFrom(authentication));

答案 1 :(得分:1)

我遇到了同样的问题,并通过添加具有该名称的此类

解决了该问题。

IMP:我正在研究纯Java配置

import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;


public class SecurityWebApplicationInitializer 
                        extends AbstractSecurityWebApplicationInitializer {

}