为什么这个 Spring Security 实现只检查密码而不检查用户名?
[英]Why this Spring Security implementation is checking only for the password and not for the username?
问题描述
I'm working on a simple Spring Boot app using Spring Security.
我正在使用 Spring Security 开发一个简单的 Spring Boot 应用程序。 And I hardcoded an username and password, but the problem is that I can login with any username, only the password is checked by Spring Security.我对用户名和密码进行了硬编码,但问题是我可以使用任何用户名登录,Spring Security 只检查密码。
This is the code:这是代码:
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfig extends WebSecurityConfigurerAdapter {
public final MyUserDetailsService userDetailsService;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(userDetailsService);
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
MyUserDetailsService class: MyUserDetailsService 类:
@Service
public class MyUserDetailsService implements UserDetailsService {
private static final String USERNAME = "john";
private static final String PASSWORD = "$2a$10$5yPLXyd0J2TEHhsbD3Azjumpn6OePKsiV1XPpFaZfytT33mRAn3N6";
@Override
public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
return new org.springframework.security.core.userdetails
.User(USERNAME, PASSWORD, new ArrayList<>());
}
}
Rest Controller class:休息控制器类:
@RestController
public class ApiController {
@GetMapping("/hello")
public String sendMoney() {
return "Hello World!";
}
}
I hardcoded the username "john" and password "test" encrypted with BCrypt.我硬编码了用 BCrypt 加密的用户名“john”和密码“test”。 But the problem is that I can login with any username, only the password should be "test".但问题是我可以用任何用户名登录,只有密码应该是“test”。 Can somebody explain me why?有人可以解释我为什么吗? Why Spring Security is checking only the password to be "test", but it doesn't check for the username to be "john"?为什么 Spring Security 只检查密码为“test”,但不检查用户名是否为“john”? Any feedback will be apreciated.任何反馈都将受到赞赏。 Thank you!谢谢!
2 个解决方案
解决方案1
2 已采纳 2020-10-23 09:17:40
This is by design .这是设计使然。 UserDetailsService.loadUserByUsername(String user) is expected to provide the record corresponding to user . UserDetailsService.loadUserByUsername(String user)应提供与user对应的记录。 It is acceptable to use a hardcoded record, but then you are responsable to control that the user name is correct.使用硬编码记录是可以接受的,但您有责任控制用户名是否正确。
But in fact, if you want SpringSecurity to test both the user name and the password, you should not implement a custom UserDetailService , but directly use a InMemoryUserDetailsManager that provides it out of the box.但实际上,如果您希望 SpringSecurity 同时测试用户名和密码,则不应实现自定义UserDetailService ,而是直接使用开箱即用的InMemoryUserDetailsManager 。
解决方案2
1 2020-10-23 09:06:46
You seem to ignore the argument s to:你似乎忽略了论证s到:
public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
so in other words - for whatever user details the code is asked to retrieve, it retrieves the hard-coded ones.所以换句话说 - 对于要求代码检索的任何用户详细信息,它都会检索硬编码的内容。 User "notjohn"?用户“notjohn”? Sure we have it.我们当然有。 User "notexisting"?用户“不存在”? We also have it, etc.我们也有,等等。
I guess your intention is to have a check if s equals to "john" and only return the hard-coded user details if the requested username is "john" .我猜您的目的是检查s等于"john"并且仅在请求的用户名是"john"时才返回硬编码的用户详细信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.