By default, whether the username does not exist or the password is wrong, Spring Security (SS) reports a "Bad credentials" exception and does not show the specific error. Digging into the source, org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider contains the following code.
    try {
        // Look up the account via the configured UserDetailsService
        user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
    } catch (UsernameNotFoundException notFound) {
        logger.debug("User '" + username + "' not found");
        if (hideUserNotFoundExceptions) {
            // Collapse "user not found" into the generic "Bad credentials" error
            throw new BadCredentialsException(messages.getMessage(
                    "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
        } else {
            // Let the specific UsernameNotFoundException propagate to the caller
            throw notFound;
        }
    }
The hideUserNotFoundExceptions property of this abstract class defaults to false, so by default the "username does not exist" error is hidden.
Some people online suggest modifying the source and rebuilding the jar, which is far too heavy-handed; the property is easy to change through the SS applicationContext configuration.
For the SS authentication manager, your original configuration probably looked like this:
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider user-service-ref="customUserDetailsService">
        </security:authentication-provider>
    </security:authentication-manager>
One implementation of that abstract class, org.springframework.security.authentication.dao.DaoAuthenticationProvider, is the class that authentication-provider uses by default. Change that section as follows:
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="authenticationProvider">
        </security:authentication-provider>
    </security:authentication-manager>

    <bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <property name="userDetailsService" ref="customUserDetailsService" />
        <property name="hideUserNotFoundExceptions" value="false" />
    </bean>
Password policy (the same provider with a password encoder attached):
    <authentication-manager alias="MyAuthenticationManager">
        <authentication-provider ref="authenticationProvider">
        </authentication-provider>
    </authentication-manager>

    <beans:bean id="authenticationProvider"
                class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="userDetailService" />
        <!-- show the user-not-found error -->
        <beans:property name="hideUserNotFoundExceptions" value="false" />
        <beans:property name="passwordEncoder" ref="UTPasswordEncoder" />
    </beans:bean>