我在使用Spring Security的应用程序中对jdbc身份验证有问题。有时我能够进行登录而没有任何复杂性(传递正确的凭据),但是有时应用程序在登录页面上显示“错误的凭据”(我确定凭据正确)。
我正在使用Spring Boot,Spring Security,MySQL,BCryptEncoder来存储密码,试图进行很多修改,但结果仍然相同...
JDBC验证码:
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
private DataSource dataSource;
@Autowired
protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.jdbcAuthentication()
.dataSource(dataSource)
.usersByUsernameQuery("SELECT username, password, 'true' as enabled"
+ " FROM user WHERE username=?")
.authoritiesByUsernameQuery("SELECT username, authority"
+ " FROM authorities WHERE username=?")
.passwordEncoder(new BCryptPasswordEncoder());
}
Spring安全配置:
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/login")
.permitAll()
.antMatchers("/registration")
.permitAll()
.antMatchers("/forgot-password", "/reset**")
.permitAll()
.antMatchers("/**")
.access("hasRole('ROLE_USER')")
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/")
.usernameParameter("username")
.passwordParameter("password")
.and()
.rememberMe()
.rememberMeCookieName("home-budget-login-cookie")
.tokenValiditySeconds(365 * 24 * 60 * 60)
.rememberMeParameter("remember-me")
.tokenRepository(persistentTokenRepository())
.and()
.logout()
.permitAll()
.deleteCookies("auth_code", "home-budget-login-cookie");
}
保存新的用户方法(注册过程):
@Service("userService")
public class UserService {
public void saveUser(User user, boolean updateMode) {
user.setPassword(new BCryptPasswordEncoder().encode(user.getPassword()));
user.setPasswordConfirm(new BCryptPasswordEncoder().encode(user.getPasswordConfirm()));
user.setEnable(1);
User userReturned = userRepository.save(user);
if (!updateMode) {
Authorities role = new Authorities();
role.setUsername(userReturned.getUsername());
role.setAuthority("ROLE_USER");
roleRepository.save(role);
}
}
}
用户实体:
@Entity
@Table(name = "user")
public class User {
@Id
@GeneratedValue(strategy = GenerationType.AUTO)
@Column(name = "user_id")
private int id;
@Column(name = "username")
@NotNull
private String username;
@Column(name = "email")
@Email(message = "Please provide a valid e-mail")
@NotNull
private String email;
@Column(name = "password")
@NotNull
private String password;
@Column(name = "password_confirm")
@NotNull
private String passwordConfirm;
@Column(name = "enabled")
private int enable;
@Column(name = "reset_token")
private String resetToken;
我希望应用程序在传递正确的凭据期间不会出现任何问题地登录我。有没有比jdbc身份验证更好的方法?