我在我的应用程序中使用Spring安全性并使用AccessDecisionManager。在判断方法中,我需要将数据库名称传递给控制器,以便在SecurityContextHolder中设置db name。我在decision方法中的代码如下:
UsernamePasswordAuthenticationToken token = new
UsernamePasswordAuthenticationToken( authentication.getPrincipal(), authentication.getCredentials());
token.setDetails("databaseNAme");
SecurityContextHolder.getContext().setAuthentication(token);
在spring-security.xml中的url为:'
intercept-url pattern =“/ hello”access =“ROLE_ADMIN”>
在web.xml中:
<filter>
<filter-name>springSecurityFilterChain"<"filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
但是在某些网址上我收到了这个错误:
HTTP Status 500 - Null password was supplied in authentication token
type Exception report
message Null password was supplied in authentication token
description The server encountered an internal error that prevented it from fulfilling this request.
exception
java.lang.IllegalArgumentException: Null password was supplied in authentication token
org.springframework.util.Assert.notNull(Assert.java:112)
org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:59)
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
org.springframework.security.access.intercept.AbstractSecurityInterceptor.authenticateIfRequired(AbstractSecurityInterceptor.java:316)
org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:202)
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115)
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
所以请帮助我如何解决这个问题。在一些网址中,我得到了此异常,并且我的应用程序的98%网址成功运行。
答案 0 :(得分:0)
UsernamePasswordAuthenticationToken token = new
UsernamePasswordAuthenticationToken( authentication.getPrincipal(), authentication.getCredentials());
此Authentication未经过身份验证,经过身份验证的身份验证(authentication.getCredentials())不包含凭据。
protected Authentication createNewAuthentication(Authentication currentAuth,
String newPassword) {
UserDetails user = loadUserByUsername(currentAuth.getName());
UsernamePasswordAuthenticationToken newAuthentication = new UsernamePasswordAuthenticationToken(
user, null, user.getAuthorities());
newAuthentication.setDetails(currentAuth.getDetails());
return newAuthentication;
}
当您第一次使用正确的凭据请求您的资源时,它会成功,但Authentication中的SecurityContentHolder将由您的代码在决定方法中更改,而unauthenticated authentication without credentials将设置为会话,然后您尝试在同一会话中访问您的资源,unauthenticated authentication without credentials将从会话加载,FilterSecurityInterceptor将检查身份验证,并且它未经身份验证,因此它将进行身份验证再次。然后它将抛出Null password exception。
我认为你可以在你决定方法中将authentication转换为UsernamePasswordAuthenticationToken,然后将详细信息设置到其中。