堆栈内存溢出
  简体   繁体   English

从Spring 3.0.x迁移到3.1.x时出现BadCredentialsException

[英]BadCredentialsException when migrating from Spring 3.0.x to 3.1.x

 原文  2012-08-16 12:59:51       java/ spring/ spring-security

问题描述

We have migrated from 3.0.7 spring security to 3.1.2, and one of our tests that uses in-memory-config fails on bad credentials. 我们已经从3.0.7 spring security迁移到3.1.2,并且我们使用in-memory-config的一个测试在错误的凭据上失败。

We don't do anything special, just authenticate one of the users with plain text username and password. 我们没有做任何特别的事情,只需用纯文本用户名和密码验证其中一个用户。 once authenticated, we populate our authorities. 一旦通过认证,我们就会填补我们的权力。

Code: 码: 

public Authentication authenticate(UserDetails userDetails)
        throws AuthenticationException {
    try {
        org.springframework.security.core.Authentication authenticate = authenticationManager.authenticate(createAuthenticationRequest(userDetails));
        if (!authenticate.isAuthenticated()) {
            throw new AuthenticationException("Authentication failed for user ["+userDetails.getUsername()+"]");
        }

        Collection<? extends GrantedAuthority> grantedAuthorities = authenticate.getAuthorities();
                    ...
             } catch(Exception exception) {
        throw new AuthenticationException(exception);
    }

Code: 码: 

<bean id="daoAuthenticationProvider" 
    class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="daoUserDetailsService" />
</bean>

<bean id="daoUserDetailsService" class="org.springframework.security.core.userdetails.memory.InMemoryDaoImpl">
    <property name="userMap">
        <value>
            Edward = koala, READ_ONLY
        </value>
    </property>
</bean>

We get the following exception on a call to authenticate: 我们在调用身份验证时遇到以下异常: 

Caused by: org.springframework.security.authentication.BadCre dentialsException: Bad credentials
at org.springframework.security.authentication.dao.Da oAuthenticationProvider.additionalAuthenticationCh ecks(DaoAuthenticationProvider.java:67)
at org.springframework.security.authentication.dao.Ab stractUserDetailsAuthenticationProvider.authentica te(AbstractUserDetailsAuthenticationProvider.java: 149)
at org.springframework.security.authentication.Provid erManager.authenticate(ProviderManager.java:156)
at org.openspaces.security.spring.SpringSecurityManag er.authenticate(SpringSecurityManager.java:117)
... 11 more

Any ideas how to workaround it or if there is a patch pending this issue? 任何想法如何解决它或是否有一个补丁等待这个问题?

2 个解决方案

解决方案1
 2 已采纳  2012-08-16 13:35:40

Looking at your config, it might be a whitespace parsing issue, but it should be easy enough to debug by putting a breakpoint in DaoAuthenticationProvider.additionalAuthenticationChecks to see why the authentication fails. 查看您的配置,它可能是一个空白解析问题,但它应该很容易通过在DaoAuthenticationProvider.additionalAuthenticationChecks放置一个断点来查看验证失败的原因。

In any case, the property editor approach for configuring in-memory users is deprecated in favour of namespace configuration. 在任何情况下,不推荐使用用于配置内存用户的属性编辑器方法来支持命名空间配置。 You can use something like 你可以使用类似的东西 

<security:user-service id="daoUserDetailsService">
    <security:user name="Edward" password="koala" authorities="READ_ONLY" />
</security:user-service>

to get the same result. 得到相同的结果。 And of course you have to add the security namespace to your application context file. 当然,您必须将安全命名空间添加到应用程序上下文文件中。

解决方案2
 0  2014-06-19 03:21:02

The following answer is based on Guy Korland's comment (Aug 16 '12 at 20:40) where he did further debugging: 以下答案基于Guy Korland的评论(2012年8月16日20:40),他做了进一步的调试:

The default value for erase-credentials changed from 'false' to 'true' with Spring 3.1 onward, and this is why your password is null'ed out when it is pulled from the cache. 在使用Spring 3.1之后,erase-credentials的默认值从'false'更改为'true',这就是为什么从缓存中提取密码时无效的密码。 It also explains why your test case passed prior to Spring 3.1. 它还解释了为什么您的测试用例在Spring 3.1之前通过。 The class you are retrieving from the cache is UserDetails, and once Spring has authenticated the unencrypted password, it no longer has use for it so it erases it as a security measure. 您从缓存中检索的类是UserDetails,一旦Spring验证了未加密的密码,它就不再使用它,因此它将其作为安全措施擦除。 For your simple test scenario, you can override the erase-credentials value to 'false', but consider finding a more secure solution for the long term if you are indeed relying on that value unencrypted after authentication has been established. 对于简单的测试场景,您可以将erase-credentials值覆盖为“false”,但如果确实在建立身份验证后依赖未加密的值,请考虑长期寻找更安全的解决方案。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Spring 3.1.x里程碑存储库 - Spring 3.1.x milestone repository spring 安全 (3.0.x) 和用户模拟 - spring security (3.0.x) and user impersonation 找不到当前线程的会话(Spring 3.1.X和Hibernate 4) - No Session found for current thread (Spring 3.1.X and Hibernate 4) 使用Spring 3.1.x和MockMvc模拟/自动装配bean - Mocking/autowiring beans with Spring 3.1.x and MockMvc 带有HTMLUnitDriver的Selenium 3.0.x. - Selenium 3.0.x with HTMLUnitDriver 使用POSTMAN将文件上传到Spring MVC 3.0.x - upload file using POSTMAN to Spring MVC 3.0.x 将Spring从3.0.x更新到3.1.2会导致表单选择框不显示列表字符串 - Updating Spring from 3.0.x to 3.1.2 causes form select box to not display list tostring 将大型应用程序从spring 3.0.x升级到4.1.x - 我应该遵循哪些最佳实践/程序? - Upgrading large application from spring 3.0.x to 4.1.x - What best practices / procedures should I follow? 在Mac上使用Resin 3.1.x配置JRebel 5 - Configuring JRebel 5 with Resin 3.1.x on mac Cassandra 3.0.x 是否支持 JDK 11? - Is JDK 11 supported in Cassandra 3.0.x?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM