
AngularJS and Spring backend - Obtaining password from database as user.password in AngularJS

So I am calling the Login function when the user logs in. This function calls UserService.GetByEmail, which does a GET HTTP request that fetches the User from the database and returns the User as a response if there's a User with the email typed in at login. After that, I do the authentication with the if (user !== null && user.password === password) { part. However, when I look at the console output, I do have an Object for the user variable, but I have nothing for user.password to compare with password. How do I put the User password from the response into user.password?

(function () {
    'use strict';

    angular
        .module('app')
        .factory('AuthenticationService', AuthenticationService);

    AuthenticationService.$inject = ['$http', '$cookieStore', '$rootScope', '$timeout', 'UserService'];
    function AuthenticationService($http, $cookieStore, $rootScope, $timeout, UserService) {
        var service = {};

        service.Login = Login;
        service.SetCredentials = SetCredentials;
        service.ClearCredentials = ClearCredentials;

        return service;

        function Login(email, password, callback) {
            // The post used `username`, which is never defined in this function;
            // the parameter is `email`, so that is what gets sent.
            $http.post('/user/authenticate', { username: email, password: password })
                .then(function (response) {
                    // Same effect as the deprecated .success(): hand the body to the caller.
                    callback(response.data);
                });
        }

        // SetCredentials and ClearCredentials are wired up above but were cut
        // from the post; minimal versions are supplied so the factory loads.
        function SetCredentials(email) {
            $rootScope.globals = { currentUser: { email: email } };
            $cookieStore.put('globals', $rootScope.globals);
        }

        function ClearCredentials() {
            $rootScope.globals = {};
            $cookieStore.remove('globals');
        }
    }
})();

Then here is part of my UserController in the backend.

@RequestMapping(value = "/user/authenticate", method = RequestMethod.POST)
public ResponseEntity<Void> authenticateUser(@RequestBody User user, UriComponentsBuilder ucBuilder) {

}

I'm not sure how I should authenticate in the backend. What are the steps needed to do this?

There are a few things:

  1. This cannot be all the code involved: it's not clear what the UserService object or the AuthenticationService factory function are.
  2. Moreover, one expects that you would not have a password to compare with anyway (that would be a bit of a security hole).

Instead, authentication should be considered successful if the HTTP status code is 200 (or other 2xx codes depending on the backend). Ordinarily, this means that if you enter the then() clause of the promise the login must have been successful, because 4xx codes would have been mapped to failures and reported through catch() instead.

You shouldn't be sending the password in any form to the client. If you're using Spring Security, you need to call the login handler on the server.

You should look into using something like JWT instead (read more here: https://www.toptal.com/java/rest-security-with-jwt-spring-security-and-java ) or, if you really need to be using form-based security for some reason, you can log in to the server by using this block of code.

// Assumes jQuery ($.param), lodash/underscore (_.bind) and Angular's $http and $q
// are available in the enclosing service, as in the original snippet.
this.login = function (username, password, rememberMe) {
    if (rememberMe === undefined) rememberMe = false;
    return $http.post(
        '/j_spring_security_check',
        $.param({
            j_username: username,
            j_password: password,
            j_remember: rememberMe
        }),
        {
            headers: {
                // Spring's form login expects a URL-encoded body, not JSON.
                'Content-Type': 'application/x-www-form-urlencoded',
                // Marks the request as AJAX so the server can answer with a
                // status code instead of redirecting to the login page.
                'X-Requested-With': 'XMLHttpRequest'
            }
        }
    ).then(_.bind(function (response) {
        if (response.data.success === true) {
            //something to happen on login
            return response; // resolve the promise on success
        }
        // Anything else is a failed login; the original fell through to
        // this rejection even on success.
        return $q.reject(response);
    }, this));
};

this.logout = function () {
    $http.get('/j_spring_security_logout').then(_.bind(function () {
        //something to happen on logout
    }, this));
};
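One way to fill in the backend method from the question along the lines both answers describe, as an added example that is not code from the question or either answer: the server looks the user up, checks the submitted password against the stored hash with Spring Security's PasswordEncoder, and answers with a bare 200 or 401, so the AngularJS side decides on the status code alone and no password or hash ever goes to the client. The UserRepository, its findByEmail method and the User getters are assumed.

```java
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class UserController {

    // Assumed collaborators, not shown on the page: a repository with
    // findByEmail(String) returning a User (or null), and a PasswordEncoder
    // bean such as BCryptPasswordEncoder. User.getPassword() is assumed to
    // return the stored hash, never a plaintext password.
    private final UserRepository userRepository;
    private final PasswordEncoder passwordEncoder;
    private final String dummyHash;

    public UserController(UserRepository userRepository, PasswordEncoder passwordEncoder) {
        this.userRepository = userRepository;
        this.passwordEncoder = passwordEncoder;
        // Computed once so that an unknown e-mail still costs one full password
        // check; otherwise the response time reveals which accounts exist.
        this.dummyHash = passwordEncoder.encode("placeholder-not-a-real-password");
    }

    @RequestMapping(value = "/user/authenticate", method = RequestMethod.POST)
    public ResponseEntity<Void> authenticateUser(@RequestBody User credentials) {
        User stored = userRepository.findByEmail(credentials.getEmail());
        String hash = stored != null ? stored.getPassword() : dummyHash;

        // matches() performs the salted hash comparison; the raw password is
        // never compared with ==, logged, or stored.
        boolean matches = passwordEncoder.matches(credentials.getPassword(), hash);
        if (stored == null || !matches) {
            // Same status and empty body for "no such user" and "wrong
            // password", so the client learns nothing beyond "login failed".
            return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
        }

        // 2xx with no body: the AngularJS then() branch is the success path,
        // and nothing about the account (least of all the hash) is returned.
        return ResponseEntity.ok().build();
    }
}
```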
