How to make Spring Security show the username-not-found error (a non-existent username shows "Bad credentials")

Date: 2022-12-31 11:31:50


By default, whether the username does not exist or the password is wrong, Spring Security (SS) reports the "Bad credentials" exception message and does not reveal the specific error. Digging through the source, org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider contains the following code.


try {
    user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
}
catch (UsernameNotFoundException notFound) {
    logger.debug("User '" + username + "' not found");

    if (hideUserNotFoundExceptions) {
        // the unknown-user case is collapsed into the same "Bad credentials" error as a wrong password
        throw new BadCredentialsException(messages.getMessage(
                "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
    } else {
        throw notFound;
    }
}


The abstract class's hideUserNotFoundExceptions property defaults to true (as the code above shows, that is the branch that throws BadCredentialsException), so by default the username-not-found error is hidden.

Some people online suggest modifying the source and rebuilding the jar, which is far too heavy-handed; the property is easy to change through the Spring Security applicationContext configuration.

For the SS authentication manager, your original configuration probably looked like this:

<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider user-service-ref="customUserDetailsService">
    </security:authentication-provider>
</security:authentication-manager>


org.springframework.security.authentication.dao.DaoAuthenticationProvider, an implementation of that abstract class, is the class authentication-provider uses by default. Change this part as follows:


<security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="authenticationProvider">
    </security:authentication-provider>
</security:authentication-manager>

<bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="customUserDetailsService" />
    <property name="hideUserNotFoundExceptions" value="false" />
</bean>


Password policy (the same provider, with a passwordEncoder wired in as well):

<authentication-manager alias="MyAuthenticationManager">
    <authentication-provider ref="authenticationProvider">
    </authentication-provider>
</authentication-manager>

<beans:bean id="authenticationProvider"
    class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <beans:property name="userDetailsService" ref="userDetailService" />
    <!-- show the user-not-found error -->
    <beans:property name="hideUserNotFoundExceptions" value="false" />
    <beans:property name="passwordEncoder" ref="UTPasswordEncoder" />
</beans:bean>
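The same switch in Java configuration, as an added example that is not part of the original post: it builds a DaoAuthenticationProvider twice, once with the default and once with hideUserNotFoundExceptions set to false, and shows which exception an unknown username and a wrong password produce in each case (the Javadoc notes that false is the less secure setting, because the response then tells unknown users apart from wrong passwords). It assumes Spring Security 5.x/6.x on the classpath; the in-memory user store, the user "alice" and the class name are constructed for the demo.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;

public class HideUserNotFoundDemo {

    // Constructed in-memory store standing in for customUserDetailsService.
    static UserDetailsService users() {
        return username -> {
            if ("alice".equals(username)) {
                // "{noop}" prefix: stored in clear for the demo only
                return User.withUsername("alice").password("{noop}secret").roles("USER").build();
            }
            throw new UsernameNotFoundException("no such user: " + username);
        };
    }

    // Equivalent of the <bean id="authenticationProvider"> above, with the flag as a parameter.
    static DaoAuthenticationProvider provider(boolean hideUserNotFound) {
        DaoAuthenticationProvider p = new DaoAuthenticationProvider();
        p.setUserDetailsService(users());
        p.setPasswordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());
        p.setHideUserNotFoundExceptions(hideUserNotFound); // default is true
        return p;
    }

    // Returns the exception type and message the caller (and thus the login page) would see.
    static String attempt(DaoAuthenticationProvider p, String user, String password) {
        try {
            p.authenticate(new UsernamePasswordAuthenticationToken(user, password));
            return "OK";
        } catch (AuthenticationException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Default (true): unknown user and wrong password both give "Bad credentials".
        System.out.println(attempt(provider(true), "bob", "x"));
        System.out.println(attempt(provider(true), "alice", "x"));
        // false: the unknown user surfaces as UsernameNotFoundException instead.
        System.out.println(attempt(provider(false), "bob", "x"));
        System.out.println(attempt(provider(false), "alice", "x"));
        System.out.println(attempt(provider(false), "alice", "secret"));
    }
}
```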