customAuthenticationProvider authenticate 调用两次
customAuthenticationProvider authenticate called twice
我已经对此进行了研究,我认为评论(在该线程中的实际答案下方:)将是我的解决方案......但我仍然得到双倍 submission/calls 进行认证。第二个每次都有一个空密码。第一个调用有凭据。
下面是 Java 配置 class 和 CustomAuthProvider class ..
@Configuration
@EnableWebSecurity
public class UserWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
//@formatter:off
http.antMatcher("/**")
.authorizeRequests()
.antMatchers("/", "/home**", "/login**","/create_user")
.permitAll().anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login")
.failureUrl("/login?error")
.and()
.logout()
.logoutSuccessUrl("/login?logout")
.permitAll()
.and()
.exceptionHandling().accessDeniedPage("/login?denied") //in this simple case usually due to a InvalidCsrfTokenException after session timeout
.and()
.csrf()
.ignoringAntMatchers("/rest/**")
.and()
.sessionManagement().enableSessionUrlRewriting(false)
.and()
.headers().frameOptions().deny();
}
... 然后是 customAuthProvider ...
@Component
public class CustomAuthProvider implements AuthenticationProvider {
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
if (authentication.getName() == null) {
logger.warn("empty userName");
return null;
}
if (authentication.getCredentials() == null) {
logger.warn("empty password");
return null;
}
// code to check credentials etc ...
if (!(user != null && userHash.equals(storedHash))) {
System.out.println("fail");
return null;
}
return new UsernamePasswordAuthenticationToken(user,password);
}
修改了身份验证提供程序代码以以空授权列表和 return authenticationToken 结束......现在它可以工作了。
// ...
UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(user,password, new ArrayList<>());
return authenticationToken;
我已经对此进行了研究,我认为评论(在该线程中的实际答案下方:
下面是 Java 配置 class 和 CustomAuthProvider class ..
@Configuration
@EnableWebSecurity
public class UserWebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
//@formatter:off
http.antMatcher("/**")
.authorizeRequests()
.antMatchers("/", "/home**", "/login**","/create_user")
.permitAll().anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/login")
.failureUrl("/login?error")
.and()
.logout()
.logoutSuccessUrl("/login?logout")
.permitAll()
.and()
.exceptionHandling().accessDeniedPage("/login?denied") //in this simple case usually due to a InvalidCsrfTokenException after session timeout
.and()
.csrf()
.ignoringAntMatchers("/rest/**")
.and()
.sessionManagement().enableSessionUrlRewriting(false)
.and()
.headers().frameOptions().deny();
}
... 然后是 customAuthProvider ...
@Component
public class CustomAuthProvider implements AuthenticationProvider {
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
if (authentication.getName() == null) {
logger.warn("empty userName");
return null;
}
if (authentication.getCredentials() == null) {
logger.warn("empty password");
return null;
}
// code to check credentials etc ...
if (!(user != null && userHash.equals(storedHash))) {
System.out.println("fail");
return null;
}
return new UsernamePasswordAuthenticationToken(user,password);
}
修改了身份验证提供程序代码以以空授权列表和 return authenticationToken 结束......现在它可以工作了。
// ...
UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(user,password, new ArrayList<>());
return authenticationToken;