春季BadCredentials事件未触发 [英] Spring BadCredentials Event not firing

问题描述

我想记录用户是否尝试使用错误的凭据进行身份验证.因此，我已将此事件侦听器类添加到我的项目中:

I want to log if a user tries to authenticate with wrong credentials. Therefore i have added this event listener class to my project:

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.stereotype.Component;

@Component
public class AuthenticationFailureListener
        implements ApplicationListener<AuthenticationFailureBadCredentialsEvent>{

    private final Logger logger = LoggerFactory.getLogger(getClass());

    @Override
    public void onApplicationEvent(AuthenticationFailureBadCredentialsEvent event) {
        System.out.println("test");
        logger.info("test2");
    }
}

问题是它根本不起作用.我使用Spring Security的默认登录页面.使用错误的凭据时，页面显示错误的凭据"错误，但是我的上述方法没有被调用.对于成功事件侦听器，我有非常相似的代码，效果非常好:

Problem is it does not work at all. I use Spring Security default login page. The page shows "bad credentials" error when using wrong credentials, but my method above does not get called. I have very similar code for a success event listener, which works wonderfully:

@Component
public class AuthenticationSuccessListener implements
        ApplicationListener<InteractiveAuthenticationSuccessEvent> {

    private final Logger logger = LoggerFactory.getLogger(getClass());

    @Autowired private UserService users;

    @Override
    public void onApplicationEvent(InteractiveAuthenticationSuccessEvent event) {
        User user = users.get(event.getAuthentication().getName());
        boolean isAdmin = user.getRole().equals(User.ROLE_ADMIN);
        logger.info((isAdmin ? "Admin" : "User") + " with id " + user.getIdLink()
                + " has successfully logged in!");
    }
}

这是我的Spring Security Java配置:

Here is my Spring Security Java Configuration:

@Configuration
@EnableWebMvcSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter{

    @Autowired
    private CustomUserDetailsService userDetailsService;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .formLogin()
                .and()
            .httpBasic();
    }
}

我不知道这是怎么回事，非常感谢您的帮助！

I have no clue whats going on here, help appreciated a lot!

春季版:4.0.9
Spring Security版本:3.2.5(也尝试过4.0.1)

Spring version: 4.0.9
Spring Security version: 3.2.5 (also tried 4.0.1)

好的，我将Spring的日志级别设置为DEBUG，但是什么也没有.我搜索了监听器"的所有出现，并且日志显示AuthenticationFailureListener以及AuthenticationSuccessListeners的实例已创建，没有任何错误.

Okay, i set log level to DEBUG for Spring, but nothing. I searched for every occurance of "Listener" and the log states that instances of AuthenticationFailureListener as well as AuthenticationSuccessListeners have been created without any error.

我什至将日志放入diff工具中(在替换所有时间&审查之后)，并与注释掉FailureListener代码但未找到内容的代码版本进行比较.您可以根据需要自己搜索:
https://www.diffchecker.com/cwdn4sp4
在页面底部，您会在左侧找到普通的日志文本.

I even put the log into diff tool (after replacing all times & censoring) and compared with a code version where FailureListener code is commented out, but didn't find something. You can search it yourself if you want to:
https://www.diffchecker.com/cwdn4sp4
On the bottom of the page you will find the plain log text on the left side.

Edit2:部分解决

Serges解决方案有所帮助，这是我对onAuthenticationFailure方法的完整实现:​​

Serges solution helped, here is my complete implementation of the onAuthenticationFailure method:

@Override
public void onAuthenticationFailure(
        HttpServletRequest request, HttpServletResponse response,
        AuthenticationException exception) throws IOException, ServletException {

    if (exception instanceof BadCredentialsException) {
        String name = request.getParameter("username");
        String password = request.getParameter("password");
        Authentication auth =
                new UsernamePasswordAuthenticationToken(name, password);
        eventPublisher.publishEvent(
                new AuthenticationFailureBadCredentialsEvent(auth, exception));
    }
    super.onAuthenticationFailure(request, response, exception);
}

推荐答案

这是设计的.

用于 AbstractAuthenticationProcessingFilter 的Javadoc很清楚:

Javadoc for AbstractAuthenticationProcessingFilter is clear on that :

事件发布:

如果身份验证成功，则将通过应用程序上下文发布InteractiveAuthenticationSuccessEvent.如果身份验证失败，则不会发布任何事件，因为通常会通过特定于AuthenticationManager的应用程序事件来记录该事件.

If authentication is successful, an InteractiveAuthenticationSuccessEvent will be published via the application context. No events will be published if authentication was unsuccessful, because this would generally be recorded via an AuthenticationManager-specific application event.

(强调我的)

如果要显式发送验证失败事件，可以使用扩展了 SimpleUrlAuthenticationFailureHandler 的自定义 AuthenticationFailureHandler 来发送事件并调用基类 onAuthenticationFailure方法.

If you want to send explicitely an event for authentication failures, you could use a custom AuthenticationFailureHandler extending SimpleUrlAuthenticationFailureHandler that would send the event and call base class onAuthenticationFailure method.

public class EventSendingAuthenticationFailureHandler
        extends SimpleUrlAuthenticationFailureHandler,
        implements ApplicationEventPublisherAware {

    protected ApplicationEventPublisher eventPublisher;

    public void setApplicationEventPublisher(ApplicationEventPublisher eventPublisher) {
        this.eventPublisher = eventPublisher;
    }

    @Override
    void onAuthenticationFailure(javax.servlet.http.HttpServletRequest request,
                       javax.servlet.http.HttpServletResponse response,
                       AuthenticationException exception)
                         throws IOException,
                                javax.servlet.ServletException {
        // use eventPublisher to publish the event according to exception
        super.onAuthenticationFailure(request, response, exception);
    }
}

您应该可以通过以下方式进行配置:

You should be able to configure it that way :

@Bean
AuthenticationFailureHandler eventAuthenticationFailureHandler() {
    return new EventSendingAuthenticationFailureHandler();
}

@Autowired
AuthenticationFailureHandler eventAuthenticationFailureHandler;

protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf().disable()
        .formLogin().failureHandler(eventAuthenticationFailureHandler)
            .and()
        .httpBasic();
}

这篇关于春季BadCredentials事件未触发的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！