在Spring Security 3.1中，UserDetails getPassword返回null.如何获取当前登录用户的密码? [英] UserDetails getPassword returns null in spring security 3.1. How to get password of currently logged in user?

问题描述

我已经使用Spring Security实现了更改密码功能，但是[[UserDetails)主体).getPassword())为登录用户返回null.

I have implemented change password functionality using spring security but ((UserDetails) principal).getPassword()) is returning null for logged in user.

如果我没记错的话，这在3.0以前就可以使用.在3.1中是否进行了更改，以便无法获取已登录用户的当前密码?

If I remember correctly, this used to work earlier in 3.0. Was this changed in 3.1 so that the current password of the logged in user cannot be retrieved?

在下面的代码中，我正在检查从网页输入的用户密码中的当前密码.然后，我正在检查登录用户的密码是否与键入的密码匹配.如果是这样，那么我想将oldPasswordMatchNewPassword设置为true.

In the below code I am checking the current password typed in user password from the web page. I am then checking if the logged in user's password matches the typed in password. If it does then I want to set oldPasswordMatchNewPassword = true.

如何实现此功能?

@RequestMapping(value = "/account/changePassword.do", method = RequestMethod.POST)
    public String submitChangePasswordPage(
            @RequestParam("oldpassword") String oldPassword,
            @RequestParam("password") String newPassword) {
        Object principal = SecurityContextHolder.getContext()
                .getAuthentication().getPrincipal();
        String username = principal.toString();
        if (principal instanceof UserDetails) {
            username = ((UserDetails) principal).getUsername();
            System.out.println("username: " + username);
            System.out.println("password: "
                    + ((UserDetails) principal).getPassword());
            if (((UserDetails) principal).getPassword() != null) {
                if (((UserDetails) principal).getPassword().equals(oldPassword)) {
                    oldPasswordMatchNewPassword = true;
                }
            }
        }
    if (oldPasswordMatchNewPassword == true) {
        logger.info("Old password matches new password. Password will be updated.");
        changePasswordDao.changePassword(username, newPassword);
        SecurityContextHolder.clearContext();
        return "redirect:home.do";
    } else {
        logger.info("Old password did not match new password. Password will be not be updated.");
        return null;
    }
}

我放了几个sysout()，以便可以看到返回的值. 对于((UserDetails)主体).getUsername()我可以看到正确的登录用户. ((UserDetails)主体).getPassword()返回空值.

I put a couple of sysout()s so that I can see the values returned. For ((UserDetails) principal).getUsername() I can see the correct logged in user. ((UserDetails) principal).getPassword() it is returning null.

如何获取((UserDetails)主体).getPassword()此值?

How do I get ((UserDetails) principal).getPassword() this value?

提前谢谢！

推荐答案

我使用了这段代码(erase-credentials ="false")来解决此问题.我不知道这是否是一种优雅的解决方案，但它解决了我的问题:

I used this block of code (erase-credentials="false") to fix this. I do not know if this is an elegant solution but it fixed my problem:

<authentication-manager alias="authenticationManager" erase-credentials="false">
    <!-- authentication-provider user-service-ref="userService" -->
    <authentication-provider>
        <jdbc-user-service data-source-ref="dataSource" />
    </authentication-provider>
</authentication-manager>

这篇关于在Spring Security 3.1中，UserDetails getPassword返回null.如何获取当前登录用户的密码?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！