Spring Security userCache 失效

发布于 2024-10-10 16:04:17 字数 581 浏览 6 评论 0原文

使用Spring Security我有一个DaoAuthenticationProvider,如下所示:

http://static.springsource.org/spring-security/site/docs/2.0.x/reference/dao-provider.html

我也有缓存(也喜欢它在那篇文章中描述过)。

问题是,当请求带有好的用户名(已经在缓存中)但密码错误时,它会从缓存中返回用户,就好像它是一个好的用户名/密码一样。因为它使用用户名作为密钥,所以根本不涉及密码。

从缓存返回用户的确切代码:

UserDetails user = this.userCache.getUserFromCache(username);

以前有人处理过这个问题吗?我还可以检查密码是否相同,但这将是自定义的事情。

谢谢。

Using Spring Security I have a DaoAuthenticationProvider described like here:

http://static.springsource.org/spring-security/site/docs/2.0.x/reference/dao-provider.html

I also have caching (also like it's described in that article).

The problem is that when a request comes in with a good username (that is already in the cache), but a bad password - it returns the user from the cache as if it is a good username/password. Because it uses the username as the key, the password is not involved at all.

The exact code that returns the user from the cache:

UserDetails user = this.userCache.getUserFromCache(username);

Did anybody ever dealt with this problem before? I can also check if the password is the same, but it would be a custom thing.

Thank you.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

一个人的夜不怕黑 2024-10-17 16:04:17

如果您使用标准组件配置应用程序,则场景应如下所示:

  1. 在用户请求到达时,将创建Authentication 对象并使用用户提供的用户名和密码进行填充。

  2. 检索用户详细信息:如果可能,UserCache 用于检索以前缓存的用户详细信息(即通过 UserDetailsS​​ervice 的实现调用 getUserFromCache code> 或 AuthenticationProvider 执行对 AuthenticationManager 的调用之前)。缓存中的用户详细信息与正确的密码一起出现是 100% 正确的。

  3. 在基本的预身份验证检查(凭据过期等)之后,将进行实际的身份验证。此时,将缓存的用户详细信息中的密码与存储在提供的 Authentication 对象中的密码(当前包含错误的密码)进行比较。此时身份验证尝试失败。

但是,如果您实现您自己的 AuthenticationProviderAuthenticationManager,则您负责密码检查。

If you configured your application with the standard components, the scenario should be as follows:

  1. At user request arrival the Authentication object is created and populated with username and password supplied by user.

  2. User details are retrieved: if it's possible, UserCache is used to retrieve previously cached user details (i.e. getUserFromCache is called either by implementations of UserDetailsService or AuthenticationProvider before the call to AuthenticationManager is performed). And it is 100% OK that the user details from cache will come with the good password.

  3. After basic pre-authentication checks (credentials expiration etc.) the actual authentication occurs. At this point the password from cached user details is compared to the password stored in Authentication object supplied (which currently contains the wrong password). At this point authentication attempt fails.

However, if you implement your own AuthenticationProvider or AuthenticationManager, you are responsible for password checking.

一身骄傲 2024-10-17 16:04:17

最初从数据库获取用户并缓存它的代码是什么?它会检查密码吗?听起来你有一个抽象问题 - Spring Security 不应该知道用户来自哪里(数据库或缓存),并且应该使用相同的逻辑。

What's the code that originally gets the user from the DB and caches it? Does it check the password? Sounds like you have an abstraction issue - Spring Security should not know where the user is coming from (DB or Cache) and should use the same logic either way.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文