Spring security blocks user after failed login


Problem description

I'm using spring-security 3.

I tried to login to the application and filled with the wrong user/pass combination. After 3 wrong attempts, I filled with the right user/pass combination, but it still returns:

Your login attempt was not successful, try again.
Reason: Bad credentials

On develop that's (kind of) OK because I just restart the server and can login fine, but on production I can't restart the server every time somebody forgets his/her password.

I thought that maybe waiting after the timeout I could still login, but that doesn't work either.

app-security-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:beans="http://www.springframework.org/schema/beans"
         xmlns:context="http://www.springframework.org/schema/context"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans
                       http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
                       http://www.springframework.org/schema/security
                       http://www.springframework.org/schema/security/spring-security-3.0.xsd
                       http://www.springframework.org/schema/context
                       http://www.springframework.org/schema/context/spring-context-3.0.xsd">

    <context:property-placeholder location="file:${PROPERTIES_HOME}/app.properties" ignore-unresolvable="true"/>

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
        <session-management>
            <concurrency-control max-sessions="3" error-if-maximum-exceeded="false"/>                   
        </session-management>
    </http>

    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="userService" />
    </authentication-manager>

    <user-service id="userService">
         <user name="foo" password="bar" authorities="ROLE_USER"/>
    </user-service>
</beans:beans>

web.xml

<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                            http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <display-name>PM app</display-name>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            classpath:app-service-context.xml
            classpath:app-dao-context.xml            
            /WEB-INF/app-web-security.xml    
        </param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>

    <servlet>
        <servlet-name>pmapp-web</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <!-- servlet-name must match the <servlet> declaration above -->
        <servlet-name>pmapp-web</servlet-name>
        <url-pattern>/app/*</url-pattern>
    </servlet-mapping>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <servlet>
        <servlet-name>CXFServlet</servlet-name>
        <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
        <load-on-startup>3</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>CXFServlet</servlet-name>
        <url-pattern>/services/*</url-pattern>
    </servlet-mapping>

    <mime-mapping>
        <extension>js</extension>
        <mime-type>text/javascript</mime-type>
    </mime-mapping>

    <filter>
        <filter-name>urlRewriteFilter</filter-name>
        <filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>urlRewriteFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <resource-ref>
        <res-ref-name>jdbc/App</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
        <mapped-name>App</mapped-name>
    </resource-ref>
</web-app>

I want the user to be able to either login after n minutes (unblock) or set the number of attempts before blocking the user. Any other idea is welcome.

I'm using spring 3.0.6.RELEASE and spring-security 3.0.6.RELEASE

Thanks!

Recommended answer

Try Spring Security 3.0.7.RELEASE. That fixed the exact same problem for me.
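
The behaviour the question asks for (block after a set number of failed attempts, unblock after n minutes) can be sketched as follows. This is an added example, not code from the question, the answer or Spring Security; the class LoginAttemptTracker and its methods are hypothetical names, and Java 8 or later is assumed. The wiring described in the comments (a listener for AuthenticationFailureBadCredentialsEvent and a UserDetails whose isAccountNonLocked() consults the tracker) is an assumption about how it would be connected.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

// Hypothetical helper: blocks a username after maxAttempts bad-credential
// failures and unblocks it automatically once lockMillis has elapsed.
// Assumed wiring: call recordFailure() from an ApplicationListener for
// AuthenticationFailureBadCredentialsEvent, recordSuccess() on
// AuthenticationSuccessEvent, and return !isBlocked(...) from
// UserDetails.isAccountNonLocked().
public class LoginAttemptTracker {
    private static final class State {
        int failures;
        long lockedUntil; // epoch millis; 0 means not locked
    }

    private final int maxAttempts;
    private final long lockMillis;
    private final ConcurrentMap<String, State> states = new ConcurrentHashMap<>();

    public LoginAttemptTracker(int maxAttempts, long lockMillis) {
        this.maxAttempts = maxAttempts;
        this.lockMillis = lockMillis;
    }

    public void recordFailure(String user, long now) {
        // Track only usernames that exist, or the map grows with junk names.
        State s = states.computeIfAbsent(user, k -> new State());
        synchronized (s) {
            if (now < s.lockedUntil) return; // failures during a lock do not extend it
            if (++s.failures >= maxAttempts) {
                s.lockedUntil = now + lockMillis; // timed lock, no restart needed
                s.failures = 0;
            }
        }
    }

    public void recordSuccess(String user) { states.remove(user); }

    public boolean isBlocked(String user, long now) {
        State s = states.get(user);
        if (s == null) return false;
        synchronized (s) { return now < s.lockedUntil; }
    }

    public static void main(String[] args) {
        LoginAttemptTracker t = new LoginAttemptTracker(3, 5 * 60_000L);
        long t0 = 0L; // constructed timestamps, not real clock values
        for (int i = 0; i < 3; i++) t.recordFailure("foo", t0 + i);
        System.out.println("blocked after 3 failures: " + t.isBlocked("foo", t0 + 1000));
        System.out.println("blocked after 5 minutes: " + t.isBlocked("foo", t0 + 2 + 5 * 60_000L));
    }
}
```

Because the lock expires on its own, repeated failures against one username delay its owner for at most lockMillis, and a wrong password does not require an administrator or a restart to clear.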
