如何在spring security authenticated登录中获取用户输入的用户名和密码值 [英] How to get the user entered values of username and password in a spring security authenticated login

问题描述

我在我的应用程序中使用Spring MVC，登录通过spring security进行身份验证。我在 UserServiceImpl.java 类中有以下两种方法，
public UserDetails loadUserByUsername（String userName）throws UsernameNotFoundException，DataAccessException
{

I use Spring MVC in my application and the login is authenticated by spring security. I have the following two methods in my UserServiceImpl.java class, public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException, DataAccessException {

        ApplicationTO applicationTO = null;
        try
            {
                applicationTO = applicationService.getApplicationTO(adminDomainName);
            }
        catch (ApplicationPropertyException e)
            {
                // TODO Auto-generated catch block
                e.printStackTrace();
            }
        UserTO userTO = getUserTO(applicationTO.getApplicationId(), userName);
        if (userTO == null)
            {
                throw new UsernameNotFoundException("user not found");
            }
        httpSession.setAttribute("userTO", userTO);
        return buildUserFromUserEntity(userTO);
    }


User buildUserFromUserEntity(UserTO userTO)
            {
                String username = userTO.getUsername();
                String password = userTO.getPassword();
                int userId = userTO.getUserId();
                int applicationId = userTO.getApplicationId();
                boolean enabled = userTO.isEnabled();
                boolean accountNonExpired = true;
                boolean credentialsNonExpired = true;
                boolean accountNonLocked = true;
                User user = new User(username, password, enabled, accountNonExpired, credentialsNonExpired, accountNonLocked, getAuthority(applicationId, userId));
                return user;
            }

我对Spring相对较新，对弹簧安全性不太了解部分。在我的 spring-security.xml 文件中，我有以下内容，

I am relatively new to Spring and do not have much idea about the spring security part. In my spring-security.xml file, I have the following,

<form-login login-page="/login" default-target-url="/module/user-home/welcome"
    authentication-failure-url="/login?error" username-parameter="username"
    password-parameter="password" />
<logout logout-success-url="/login?logout" />

<beans:bean id="daoAuthenticationProvider"
 class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
  <beans:property name="userDetailsService" ref="userDetailsService"/>
</beans:bean>

<beans:bean id="authenticationManager"
    class="org.springframework.security.authentication.ProviderManager">
  <beans:property name="providers">
    <beans:list>
      <beans:ref local="daoAuthenticationProvider" />
    </beans:list>
  </beans:property>
</beans:bean>

我的登录表单的操作设置如下：

And my login form has the action set as follows:

<form id="loginForm" class="form-horizontal" role="form" name='loginForm' action="${rc.getContextPath()}/j_spring_security_check" method='POST'>

现在我想获取密码的值用户已在 loadUserByUsername 方法内的登录表单中输入，或者通过向 UserServiceImpl.java添加新方法 class。

Now I am trying to get the value of the password that the user has entered in the login form, either inside the loadUserByUsername method or by adding a new method to the UserServiceImpl.java class.

在保存密码之前，我使用以下内容加密密码。
使用java加密和解密密码的API和算法是什么

I use the following to encrypt my passwords before saving them. What API and algorithm to be used to encrypt and decrypt a password using java

因此，在登录期间，spring security将用户输入的密码与加密密码进行比较从数据库和登录失败。但是根据上面链接中建议的实现，有一种方法可以比较密码和加密密码以检查它们是否相同。只有当我可以访问用户输入的密码时才可以这样做。这就是我试图让用户输入密码的原因。

So during login, spring security compares the user entered password with encrypted password from the database and the login fails. But as per the implementation suggested in the above link, there is a method to compare the password and the encrypted password to check if they are same. That is possible only if I get access to the user entered password. This is the reason I am trying to get the user entered password.

推荐答案

正如MangEngkus在回答中建议的那样，你可以实现你的拥有自定义 AuthenticationProvider ，但根据您的说明，我认为您不需要这样做。

As was suggested in answer by MangEngkus you can implement your own custom AuthenticationProvider but based on your description I don't think you need to do that.

您无需实施自己的密码散列机制进入spring-security。您只需要定义 BCryptPasswordEncoder 。

You don't need to implement your own password hashing mechanism into spring-security. You just need to define BCryptPasswordEncoder from spring itself.

要么这样使用默认值：

<authentication-manager>
  <authentication-provider>
    <password-encoder hash="bcrypt" />
  </authentication-provider>
</authentication-manager>

或创建自己的bean并将其提供给默认提供者：

Or create your own bean and supply it to default provider:

<authentication-manager>
  <authentication-provider>
    <password-encoder ref="encoder" />
  </authentication-provider>
</authentication-manager>

<beans:bean id="encoder" 
  class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
    <beans:constructor-arg name="strength" value="15" />
</beans:bean>

但对你而言，这就是：:)

But for you, this is the way: :)

<beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
  <beans:property name="userDetailsService" ref="userDetailsService"/>
  <beans:property name="passwordEncoder" ref="encoder" />
</beans:bean>

<bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

这篇关于如何在spring security authenticated登录中获取用户输入的用户名和密码值的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！