By default, whether the username does not exist or the password is wrong, Spring Security (SS) reports the same "Bad credentials" exception message instead of showing the specific error. Digging into the source, org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider contains the following code:
    try {
        user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
    } catch (UsernameNotFoundException notFound) {
        logger.debug("User '" + username + "' not found");
        if (hideUserNotFoundExceptions) {
            throw new BadCredentialsException(messages.getMessage(
                    "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
        } else {
            throw notFound;
        }
    }
The abstract class's hideUserNotFoundExceptions property defaults to false, so by default the "user does not exist" error is hidden.
Some people online suggest editing the source and rebuilding the jar, which is far too heavy-handed; the property is easy to change through Spring Security's applicationContext configuration.
For the Spring Security authentication manager, your original configuration probably looked like this:
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider user-service-ref="customUserDetailsService">
        </security:authentication-provider>
    </security:authentication-manager>
One implementation of that abstract class, org.springframework.security.authentication.dao.DaoAuthenticationProvider, is the class that authentication-provider uses by default. Change that section as follows:
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="authenticationProvider">
        </security:authentication-provider>
    </security:authentication-manager>

    <bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <property name="userDetailsService" ref="customUserDetailsService"/>
        <property name="hideUserNotFoundExceptions" value="false"/>
    </bean>
Password policy (the same provider bean with a passwordEncoder attached):
    <authentication-manager alias="MyAuthenticationManager">
        <authentication-provider ref="authenticationProvider">
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="authenticationProvider"
        class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="userDetailService"/>
        <!-- show the specific user error message -->
        <beans:property name="hideUserNotFoundExceptions" value="false"/>
        <beans:property name="passwordEncoder" ref="UTPasswordEncoder"/>
    </beans:bean>