[英]Spring Boot: How to auto login after user registration?
这是用于用户注册的控制器方法:
@PostMapping("register_user")
public void registerUser(@RequestParam String email, @RequestParam String password, @RequestParam String name,
@RequestParam String info, HttpServletResponse response) throws EmailExistsException, IOException {
userRepository.save(new User(email, new BCryptPasswordEncoder().encode(password), name, info));
try {
UserDetails userDetails = customUserDetailsService.loadUserByUsername(email);
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken = new UsernamePasswordAuthenticationToken(userDetails, password, userDetails.getAuthorities());
authenticationManager.authenticate(usernamePasswordAuthenticationToken);
if (usernamePasswordAuthenticationToken.isAuthenticated()) {
SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
log.debug(String.format("Auto login %s successfully!", email));
}
} catch (Exception e) {
log.error(e.getMessage(), e);
}
response.sendRedirect("/");
}
这是来自 SecurityConfig 的配置方法:
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(customUserDetailsService).passwordEncoder(new BCryptPasswordEncoder());
}
在用户注册期间,出现“错误凭据”错误:
org.springframework.security.authentication.BadCredentialsException: Bad credentials
at org.springframework.security.authentication.dao.DaoAuthenticationProvider.additionalAuthenticationChecks(DaoAuthenticationProvider.java:98) ~[spring-security-core-4.1.3.RELEASE.jar:4.1.3.RELEASE]
at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:166) ~[spring-security-core-4.1.3.RELEASE.jar:4.1.3.RELEASE]
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174) ~[spring-security-core-4.1.3.RELEASE.jar:4.1.3.RELEASE]
at s7.controller.ActionController.registerUser(ActionController.java:45) ~[main/:na]
注册后用户可以登录,没有任何错误。 我究竟做错了什么?
PS我也尝试过像这个主题的自动登录: 成功注册后自动登录但我有相同的BadCredentialsException。
如果我评论authenticationManager.authenticate(usernamePasswordAuthenticationToken);
, 用户将使用正确的 authentication.getPrincipal() 在没有任何 BadCredentialsException 的情况下自动登录。
向 registerUser 方法添加 'HttpServletRequest request' 参数。
在这一行之后: SecurityContextHolder.getContext().setAuthentication(usernamePasswordAuthenticationToken);
添加这行代码: request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, SecurityContextHolder.getContext());
否则用户将不会处于 Spring Security 要求的会话中。
希望这有帮助!
我能够使用以下代码(SpringBoot 2.0.5)解决这个问题:
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Lazy;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;
@Service
public class SecurityService {
@Autowired
@Lazy
AuthenticationManager authManager;
private Logger logger = LoggerFactory.getLogger(SecurityService.class);
public void doLogin(String username, String password) {
if (username == null) {
username = "";
}
if (password == null) {
password = "";
}
username = username.trim();
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(
username, password);
Authentication authentication = authManager.authenticate(authRequest);
if (authentication.isAuthenticated()) {
SecurityContextHolder.getContext().setAuthentication(authentication);
logger.debug(String.format("Auto login successfully!", username));
}
}
}
为了让它工作,我最难弄清楚的是 AuthenticationManager。 您必须自动装配您在 spring 安全配置中设置的相同 AuthenticationManager ,如下所示,不要忘记在服务上自动装配懒惰。
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
UsuarioService usuarioService;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/registration*").permitAll()
.anyRequest().hasAnyAuthority("MASTER")
.and()
.formLogin().loginPage("/login").permitAll()
.and()
.csrf().disable()
.logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/login");
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/js/**", "/css/**", "/img/**", "/files/**", "/forgot-password"");
}
@Autowired
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(usuarioService);
}
@Bean
public AuthenticationManager authManager() throws Exception {
return this.authenticationManager();
}
@Bean
public BCryptPasswordEncoder passwordEncoder() {
BCryptPasswordEncoder bCryptPasswordEncoder = new BCryptPasswordEncoder();
return bCryptPasswordEncoder;
}
}
最后一个问题花了我一段时间才弄明白。 如果您使用“web.ignoring()”添加注册端点,则安全上下文将不存在,您将无法登录用户。 所以一定要把它添加为 .antMatchers("/registration*").permitAll()
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.