[英]Spring security - custom userDetailsService implemenation not getting called
尝试使用自定义userDetailsService学习Spring安全性并面临以下问题
当访问受限制的页面(/ admin或/ user)时,spring security会启动并显示登录页面。
但是,在使用正确的用户名和密码提交登录页面后,将在调用我的自定义userDetailsService实现中的loadUserByUsername方法之前直接显示拒绝访问页面。
在日志中,只有org.springframework.security.access.AccessDeniedException异常-访问受限页面时,没有其他异常。
码
@Controller
public class TestController {
@RequestMapping("/home")
public String getHomePage() {
return "home";
}
@RequestMapping(value="/user")
public String getUserPage() {
return "user";
}
@RequestMapping(value="/admin")
public String getAdminPage() {
return "admin";
}
}
安全配置:
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/" access="permitAll"/>
<intercept-url pattern="/login" access="permitAll"/>
<intercept-url pattern="/logout" access="permitAll"/>
<intercept-url pattern="/denied" access="hasRole('ROLE_USER')"/>
<intercept-url pattern="/user" access="hasRole('ROLE_USER')"/>
<intercept-url pattern="/admin" access="hasRole('ROLE_ADMIN')"/>
<form-login login-page="/login"
username-parameter="tmp_usrnm"
password-parameter="tmp_pwd"
authentication-failure-url="/login/failure"
default-target-url="/abcd"/>
<access-denied-handler error-page="/denied"/>
<logout invalidate-session="true"
logout-success-url="/logout/success"
logout-url="/logout"/>
</http>
<authentication-manager>
<authentication-provider user-service-ref="customUserDetailsService">
<password-encoder hash="md5"/>
</authentication-provider>
</authentication-manager>
<beans:bean id="customUserDetailsService" class="com.krishnan.balaji.mc.service.CustomUserDetailsService">
<beans:property name="userRepository">
<beans:bean class="com.krishnan.balaji.mc.repos.UserRepositoryImpl"></beans:bean>
</beans:property>
</beans:bean>
登录表单:
<!--<form class="login-form" action=<c:url value="j_spring_security_check"/> method="post" >-->
<form action=<c:url value="/login"/> method="post" >
<input id="j_username" name="tmp_usrnm" size="20" maxlength="50" type="text"/>
<input id="j_password" name="tmp_pwd" size="20" maxlength="50" type="password"/>
<p><input type="submit" value="Login"/></p>
</form>
提供登录/注销/拒绝访问页面的控制器
@Controller
public class UserAccessController {
@RequestMapping("/login")
public String login(Model model, @RequestParam(required=false) String message) {
model.addAttribute("message", message);
System.out.println("serving login page");
return "access/login";
}
@RequestMapping(value = "/denied")
public String denied() {
System.out.println("serving access denied page");
return "access/denied";
}
@RequestMapping(value = "/login/failure")
public String loginFailure() {
System.out.println("serving failed login page");
String message = "Login Failure!";
return "redirect:/login?message="+message;
}
@RequestMapping(value = "/logout/success")
public String logoutSuccess() {
System.out.println("serving logout page");
String message = "Logout Success!";
return "redirect:/login?message="+message;
}
}
CustomUserDetailsService
@Service
public class CustomUserDetailsService implements UserDetailsService {
private UserRepository userRepository;;
@Transactional(readOnly = true)
@Override
public UserDetails loadUserByUsername(String username)
throws UsernameNotFoundException {
System.out.println("loadUserByUsername called");
try {
com.krishnan.balaji.mc.model.User domainUser = userRepository
.getUserByUserName(username);
boolean enabled = true;
boolean accountNonExpired = true;
boolean credentialsNonExpired = true;
boolean accountNonLocked = true;
return new User(domainUser.getUsername(), domainUser.getPassword()
.toLowerCase(), enabled, accountNonExpired,
credentialsNonExpired, accountNonLocked,
getAuthorities(domainUser.getRole().getRole()));
} catch (Exception e) {
throw new RuntimeException(e);
}
}
public Collection<? extends GrantedAuthority> getAuthorities(Integer role) {
List<GrantedAuthority> authList = getGrantedAuthorities(getRoles(role));
return authList;
}
public List<String> getRoles(Integer role) {
List<String> roles = new ArrayList<String>();
if (role.intValue() == 1) {
roles.add("ROLE_USER");
roles.add("ROLE_ADMIN");
} else if (role.intValue() == 2) {
roles.add("ROLE_USER");
}
return roles;
}
public static List<GrantedAuthority> getGrantedAuthorities(
List<String> roles) {
List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
for (String role : roles) {
authorities.add(new SimpleGrantedAuthority(role));
}
return authorities;
}
public UserRepository getUserRepository() {
return userRepository;
}
public void setUserRepository(UserRepository userRepository) {
this.userRepository = userRepository;
}
}
在http Spring Security配置中,您应该更改以下内容:
default-target-url="/abcd"
像
default-target-url="/"
或您定义的其他任何内容。
default-target-url定义登录过程成功时默认转到的位置。 intercept-url从最具体到最通用
Spring Security Oauth - 永远不会调用自定义UserDetailsService
[英]Spring Security Oauth - Custom UserDetailsService is never getting called
Spring 安全 5 - 我的自定义 UserDetailsService 未被调用
[英]Spring Security 5 - My custom UserDetailsService is not called
Spring Security:未调用自定义 UserDetailsService(使用 Auth0 身份验证)
[英]Spring Security: Custom UserDetailsService not being called (using Auth0 authentication)
Spring Security自定义UserDetailsService和自定义User类
[英]Spring Security custom UserDetailsService and custom User class
@EJB注入到Custom UserdetailsService中(实现Spring Security UserDetailsService)
[英]@EJB injection in a Custom UserdetailsService (implementing Spring Security UserDetailsService)
Spring Security自定义身份验证 - AuthenticationProvider与UserDetailsService
[英]Spring Security Custom Authentication - AuthenticationProvider vs UserDetailsService
Spring Security 2 userDetailsService问题上的自定义身份验证提供程序
[英]Custom Authentication Provider on Spring Security 2 userDetailsService issue
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.