By default, whether the username does not exist or the password is wrong, Spring Security (SS) reports a Bad credentials exception and does not show the specific error. Digging through the source, org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider contains the following code (inside authenticate()):
    try {
        user = retrieveUser(username, (UsernamePasswordAuthenticationToken) authentication);
    } catch (UsernameNotFoundException notFound) {
        logger.debug("User '" + username + "' not found");
        if (hideUserNotFoundExceptions) {
            // the specific cause is replaced by the generic "Bad credentials"
            throw new BadCredentialsException(messages.getMessage(
                    "AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
        } else {
            throw notFound;
        }
    }
The abstract class's hideUserNotFoundExceptions property defaults to true (as the branch above shows), so by default the "username does not exist" error is hidden.
Some people online suggest patching the source and rebuilding the jar, which is far too heavy-handed; the property is easy to change through the SS applicationContext configuration.
You probably configured the SS authentication manager like this originally:
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider
            user-service-ref="customUserDetailsService" >
        </security:authentication-provider>
    </security:authentication-manager>
One implementation of that abstract class, org.springframework.security.authentication.dao.DaoAuthenticationProvider, is the class authentication-provider uses by default. Change that part of the configuration as follows:
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider
            ref="authenticationProvider" >
        </security:authentication-provider>
    </security:authentication-manager>
    <bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <property name="userDetailsService" ref="customUserDetailsService" />
        <property name="hideUserNotFoundExceptions" value="false" />
    </bean>
Password policy (the same wiring with a passwordEncoder added):
    <authentication-manager alias="MyAuthenticationManager">
        <authentication-provider ref="authenticationProvider" >
        </authentication-provider>
    </authentication-manager>
    <beans:bean id="authenticationProvider"
        class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
        <beans:property name="userDetailsService" ref="userDetailService" />
        <!-- show the user-not-found error -->
        <beans:property name="hideUserNotFoundExceptions" value="false" />
        <beans:property name="passwordEncoder" ref="UTPasswordEncoder" />
    </beans:bean>
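The following is an added example, not code from the original post: it wires the same DaoAuthenticationProvider in plain Java (userDetailsService, passwordEncoder and hideUserNotFoundExceptions, covering both XML variants above) and authenticates three times against it, so you can observe which exception reaches the caller with the flag true and with it false. It assumes spring-security-core and spring-security-crypto are on the classpath; the in-memory user "alice", her password and the class name HideUserNotFoundDemo are constructed for the example and stand in for the post's customUserDetailsService.

```java
// Added example (not from the original post). Assumes spring-security-core and
// spring-security-crypto on the classpath; "alice"/"correct-horse" are constructed sample data.
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

public class HideUserNotFoundDemo {

    /** Java equivalent of the <bean id="authenticationProvider" ...> definition in the post. */
    static DaoAuthenticationProvider buildProvider(boolean hideUserNotFound) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        // In-memory stand-in for the post's customUserDetailsService (constructed sample user).
        InMemoryUserDetailsManager users = new InMemoryUserDetailsManager(
                User.withUsername("alice")
                    .password(encoder.encode("correct-horse"))
                    .roles("USER")
                    .build());

        DaoAuthenticationProvider provider = new DaoAuthenticationProvider();
        provider.setUserDetailsService(users);                     // userDetailsService property
        provider.setPasswordEncoder(encoder);                       // passwordEncoder property
        provider.setHideUserNotFoundExceptions(hideUserNotFound);   // hideUserNotFoundExceptions property
        return provider;
    }

    /** Runs one authentication attempt and reports which exception the provider threw, or "OK". */
    static String attempt(DaoAuthenticationProvider provider, String username, String password) {
        try {
            // Unauthenticated token, exactly what the login filter hands to the AuthenticationManager.
            provider.authenticate(new UsernamePasswordAuthenticationToken(username, password));
            return "OK";
        } catch (UsernameNotFoundException e) {
            return "UsernameNotFoundException";   // only reachable when the flag is false
        } catch (BadCredentialsException e) {
            return "BadCredentialsException";     // wrong password, or unknown user with the flag true
        } catch (AuthenticationException e) {
            return e.getClass().getSimpleName();  // locked/disabled/expired accounts etc.
        }
    }

    public static void main(String[] args) {
        for (boolean hide : new boolean[] { true, false }) {
            DaoAuthenticationProvider provider = buildProvider(hide);
            System.out.println("hideUserNotFoundExceptions=" + hide);
            System.out.println("  unknown user     -> " + attempt(provider, "bob", "whatever"));
            System.out.println("  wrong password   -> " + attempt(provider, "alice", "wrong"));
            System.out.println("  correct password -> " + attempt(provider, "alice", "correct-horse"));
        }
    }
}
```

With the flag true, the unknown-user and wrong-password attempts are indistinguishable to the caller; with it false, the first one surfaces as UsernameNotFoundException while the second stays BadCredentialsException. That distinction is precisely what lets a login form be used to enumerate valid usernames, which is why the framework defaults to true; if you set it to false, a reasonable compromise is to let the specific exception reach your AuthenticationFailureHandler or the server log while the message shown on the login page stays generic.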