春季BadCredentials事件未触发 [英] Spring BadCredentials Event not firing
问题描述
我想记录用户是否尝试使用错误的凭据进行身份验证.因此,我已将此事件侦听器类添加到我的项目中:
I want to log if a user tries to authenticate with wrong credentials. Therefore i have added this event listener class to my project:
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.stereotype.Component;
@Component
public class AuthenticationFailureListener
implements ApplicationListener<AuthenticationFailureBadCredentialsEvent>{
private final Logger logger = LoggerFactory.getLogger(getClass());
@Override
public void onApplicationEvent(AuthenticationFailureBadCredentialsEvent event) {
System.out.println("test");
logger.info("test2");
}
}
问题是它根本不起作用.我使用Spring Security的默认登录页面.使用错误的凭据时,页面显示错误的凭据"错误,但是我的上述方法没有被调用.对于成功事件侦听器,我有非常相似的代码,效果非常好:
Problem is it does not work at all. I use Spring Security default login page. The page shows "bad credentials" error when using wrong credentials, but my method above does not get called. I have very similar code for a success event listener, which works wonderfully:
@Component
public class AuthenticationSuccessListener implements
ApplicationListener<InteractiveAuthenticationSuccessEvent> {
private final Logger logger = LoggerFactory.getLogger(getClass());
@Autowired private UserService users;
@Override
public void onApplicationEvent(InteractiveAuthenticationSuccessEvent event) {
User user = users.get(event.getAuthentication().getName());
boolean isAdmin = user.getRole().equals(User.ROLE_ADMIN);
logger.info((isAdmin ? "Admin" : "User") + " with id " + user.getIdLink()
+ " has successfully logged in!");
}
}
这是我的Spring Security Java配置:
Here is my Spring Security Java Configuration:
@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter{
@Autowired
private CustomUserDetailsService userDetailsService;
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
}
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.formLogin()
.and()
.httpBasic();
}
}
我不知道这是怎么回事,非常感谢您的帮助!
I have no clue whats going on here, help appreciated a lot!
春季版:4.0.9
Spring Security版本:3.2.5(也尝试过4.0.1)
Spring version: 4.0.9
Spring Security version: 3.2.5 (also tried 4.0.1)
好的,我将Spring的日志级别设置为DEBUG,但是什么也没有.我搜索了监听器"的所有出现,并且日志显示AuthenticationFailureListener以及AuthenticationSuccessListeners的实例已创建,没有任何错误.
Okay, i set log level to DEBUG for Spring, but nothing. I searched for every occurance of "Listener" and the log states that instances of AuthenticationFailureListener as well as AuthenticationSuccessListeners have been created without any error.
我什至将日志放入diff工具中(在替换所有时间&审查之后),并与注释掉FailureListener代码但未找到内容的代码版本进行比较.您可以根据需要自己搜索:
https://www.diffchecker.com/cwdn4sp4
在页面底部,您会在左侧找到普通的日志文本.
I even put the log into diff tool (after replacing all times & censoring) and compared with a code version where FailureListener code is commented out, but didn't find something. You can search it yourself if you want to:
https://www.diffchecker.com/cwdn4sp4
On the bottom of the page you will find the plain log text on the left side.
Edit2:部分解决
Serges解决方案有所帮助,这是我对onAuthenticationFailure方法的完整实现:
Serges solution helped, here is my complete implementation of the onAuthenticationFailure method:
@Override
public void onAuthenticationFailure(
HttpServletRequest request, HttpServletResponse response,
AuthenticationException exception) throws IOException, ServletException {
if (exception instanceof BadCredentialsException) {
String name = request.getParameter("username");
String password = request.getParameter("password");
Authentication auth =
new UsernamePasswordAuthenticationToken(name, password);
eventPublisher.publishEvent(
new AuthenticationFailureBadCredentialsEvent(auth, exception));
}
super.onAuthenticationFailure(request, response, exception);
}
推荐答案
这是设计的.
用于 AbstractAuthenticationProcessingFilter
的Javadoc很清楚:
Javadoc for AbstractAuthenticationProcessingFilter
is clear on that :
事件发布:
如果身份验证成功,则将通过应用程序上下文发布InteractiveAuthenticationSuccessEvent.如果身份验证失败,则不会发布任何事件,因为通常会通过特定于AuthenticationManager的应用程序事件来记录该事件.
If authentication is successful, an InteractiveAuthenticationSuccessEvent will be published via the application context. No events will be published if authentication was unsuccessful, because this would generally be recorded via an AuthenticationManager-specific application event.
(强调我的)
如果要显式发送验证失败事件,可以使用扩展了 SimpleUrlAuthenticationFailureHandler
的自定义 AuthenticationFailureHandler
来发送事件并调用基类 onAuthenticationFailure
方法.
If you want to send explicitely an event for authentication failures, you could use a custom AuthenticationFailureHandler
extending SimpleUrlAuthenticationFailureHandler
that would send the event and call base class onAuthenticationFailure
method.
public class EventSendingAuthenticationFailureHandler
extends SimpleUrlAuthenticationFailureHandler,
implements ApplicationEventPublisherAware {
protected ApplicationEventPublisher eventPublisher;
public void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher) {
this.eventPublisher = eventPublisher;
}
@Override
void onAuthenticationFailure(javax.servlet.http.HttpServletRequest request,
javax.servlet.http.HttpServletResponse response,
AuthenticationException exception)
throws IOException,
javax.servlet.ServletException {
// use eventPublisher to publish the event according to exception
super.onAuthenticationFailure(request, response, exception);
}
}
您应该可以通过以下方式进行配置:
You should be able to configure it that way :
@Bean
AuthenticationFailureHandler eventAuthenticationFailureHandler() {
return new EventSendingAuthenticationFailureHandler();
}
@Autowired
AuthenticationFailureHandler eventAuthenticationFailureHandler;
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.formLogin().failureHandler(eventAuthenticationFailureHandler)
.and()
.httpBasic();
}
这篇关于春季BadCredentials事件未触发的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!