Spring Security userCache 失效
使用Spring Security我有一个DaoAuthenticationProvider,如下所示:
http://static.springsource.org/spring-security/site/docs/2.0.x/reference/dao-provider.html
我也有缓存(也喜欢它在那篇文章中描述过)。
问题是,当请求带有好的用户名(已经在缓存中)但密码错误时,它会从缓存中返回用户,就好像它是一个好的用户名/密码一样。因为它使用用户名作为密钥,所以根本不涉及密码。
从缓存返回用户的确切代码:
UserDetails user = this.userCache.getUserFromCache(username);
以前有人处理过这个问题吗?我还可以检查密码是否相同,但这将是自定义的事情。
谢谢。
Using Spring Security I have a DaoAuthenticationProvider described like here:
http://static.springsource.org/spring-security/site/docs/2.0.x/reference/dao-provider.html
I also have caching (also like it's described in that article).
The problem is that when a request comes in with a good username (that is already in the cache), but a bad password - it returns the user from the cache as if it is a good username/password. Because it uses the username as the key, the password is not involved at all.
The exact code that returns the user from the cache:
UserDetails user = this.userCache.getUserFromCache(username);
Did anybody ever dealt with this problem before? I can also check if the password is the same, but it would be a custom thing.
Thank you.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
如果您使用标准组件配置应用程序,则场景应如下所示:
在用户请求到达时,将创建
Authentication对象并使用用户提供的用户名和密码进行填充。检索用户详细信息:如果可能,
UserCache用于检索以前缓存的用户详细信息(即通过UserDetailsService的实现调用getUserFromCachecode> 或AuthenticationProvider在执行对AuthenticationManager的调用之前)。缓存中的用户详细信息与正确的密码一起出现是 100% 正确的。在基本的预身份验证检查(凭据过期等)之后,将进行实际的身份验证。此时,将缓存的用户详细信息中的密码与存储在提供的 Authentication 对象中的密码(当前包含错误的密码)进行比较。此时身份验证尝试失败。
但是,如果您实现您自己的
AuthenticationProvider或AuthenticationManager,则您负责密码检查。If you configured your application with the standard components, the scenario should be as follows:
At user request arrival the
Authenticationobject is created and populated with username and password supplied by user.User details are retrieved: if it's possible,
UserCacheis used to retrieve previously cached user details (i.e.getUserFromCacheis called either by implementations ofUserDetailsServiceorAuthenticationProviderbefore the call toAuthenticationManageris performed). And it is 100% OK that the user details from cache will come with the good password.After basic pre-authentication checks (credentials expiration etc.) the actual authentication occurs. At this point the password from cached user details is compared to the password stored in
Authenticationobject supplied (which currently contains the wrong password). At this point authentication attempt fails.However, if you implement your own
AuthenticationProviderorAuthenticationManager, you are responsible for password checking.最初从数据库获取用户并缓存它的代码是什么?它会检查密码吗?听起来你有一个抽象问题 - Spring Security 不应该知道用户来自哪里(数据库或缓存),并且应该使用相同的逻辑。
What's the code that originally gets the user from the DB and caches it? Does it check the password? Sounds like you have an abstraction issue - Spring Security should not know where the user is coming from (DB or Cache) and should use the same logic either way.