blocks|key|3131026|text|相反，您可以提供自己版本的DefaultAuthenticationEventPublisher并覆盖publishAuthenticationFailure方法。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|3131027|entityMap|0|LINK|mutability|MUTABLE|url|http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/authentication/DefaultAuthenticationEventPublisher.html^0|D|Z|0|0^^$0|@$1|2|3|4|5|6|7|L|8|@]|9|@$A|M|B|N|1|O]]|C|$]]|$1|D|3|-4|5|6|7|P|8|@]|9|@]|C|$]]]|E|$F|$5|G|H|I|C|$J|K]]]]

You could instead supply your own version of <a href="http://static.springsource.org/spring-security/site/docs/3.0.x/apidocs/org/springframework/security/authentication/DefaultAuthenticationEventPublisher.html" rel="noreferrer">DefaultAuthenticationEventPublisher</a> and override the publishAuthenticationFailure method.

blocks|key|2916814|text|好的，据我所知，答案是非常简单的，没有过多的讨论或记录。|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2916815|这是我要做的(没有任何配置，只是创建了这个类)……|2916816|import+org.apache.log4j.Logger;
import+org.springframework.context.ApplicationListener;
import+org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import+org.springframework.stereotype.Component;

@Component
public+class+MyApplicationListener+implements+ApplicationListener<AuthenticationFailureBadCredentialsEvent>+{
++++private+static+final+Logger+LOG+=+Logger.getLogger(MyApplicationListener.class);

++++@Override
++++public+void+onApplicationEvent(AuthenticationFailureBadCredentialsEvent+event)+{
++++++++Object+userName+=+event.getAuthentication().getPrincipal();
++++++++Object+credentials+=+event.getAuthentication().getCredentials();
++++++++LOG.debug("Failed+login+using+USERNAME+["+%2B+userName+%2B+"]");
++++++++LOG.debug("Failed+login+using+PASSWORD+["+%2B+credentials+%2B+"]");
++++}
}|code-block|syntax|javascript|2916817|我不是一个spring安全专家，所以如果有人读了这篇文章，知道我们不应该这样做的原因，或者知道更好的方法，我很乐意听到。|2916818|entityMap^0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|M|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|N|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|O|8|@]|9|@]|A|$G|H]]|$1|I|3|J|5|6|7|P|8|@]|9|@]|A|$]]|$1|K|3|-4|5|6|7|Q|8|@]|9|@]|A|$]]]|L|$]]

Okay so the answer turned out to be something extremely simple yet as far as I can tell, not greatly discussed or documented.

Here's all I had to do (no configurations anywhere just created this class)...

<pre><code>import org.apache.log4j.Logger;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.stereotype.Component;

@Component
public class MyApplicationListener implements ApplicationListener&lt;AuthenticationFailureBadCredentialsEvent&gt; {
 private static final Logger LOG = Logger.getLogger(MyApplicationListener.class);

 @Override
 public void onApplicationEvent(AuthenticationFailureBadCredentialsEvent event) {
 Object userName = event.getAuthentication().getPrincipal();
 Object credentials = event.getAuthentication().getCredentials();
 LOG.debug("Failed login using USERNAME [" + userName + "]");
 LOG.debug("Failed login using PASSWORD [" + credentials + "]");
 }
}
</code></pre>

I'm far from a spring security expert so if anyone reads this and knows of a reason we shouldn't do it like this or knows a better way I'd love to hear about it.

blocks|key|2916836|text|我发现这对我很有效。不幸的是，我仍然没有在SpringSecurity文档中找到它的确切位置：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2916837|在任何操作中，您都可以检查上次使用的用户名(无论登录是否失败)：|2916838|++++String++username+=+(String)+request.getSession().getAttribute("SPRING_SECURITY_LAST_USERNAME");|code-block|syntax|javascript|2916839|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|K|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|L|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|M|8|@]|9|@]|A|$G|H]]|$1|I|3|-4|5|6|7|N|8|@]|9|@]|A|$]]]|J|$]]

I have found this works for me. Unfortunately, I still not found the exact location of this in SpringSecurity documents:

In any action, you can check the last-used username (no matter what the login was failed or not):

<pre><code> String username = (String) request.getSession().getAttribute("SPRING_SECURITY_LAST_USERNAME");
</code></pre>

blocks|key|246341|text|我是这样做的：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|246342|246343|创建了一个扩展onAuthenticationFailure方法的类，该方法以HttpServletRequest形式接收一个"username"，其中|ordered-list-item|offset|length|style|CODE|246344|是我在onAuthenticationFailure表单中输入的名称。|246345|entityMap^0|0|0|7|N|13|I|1R|A|0|3|N|0^^$0|@$1|2|3|4|5|6|7|N|8|@]|9|@]|A|$]]|$1|B|3|-4|5|6|7|O|8|@]|9|@]|A|$]]|$1|C|3|D|5|E|7|P|8|@$F|Q|G|R|H|I]|$F|S|G|T|H|I]|$F|U|G|V|H|I]]|9|@]|A|$]]|$1|J|3|K|5|6|7|W|8|@$F|X|G|Y|H|I]]|9|@]|A|$]]|$1|L|3|-4|5|6|7|Z|8|@]|9|@]|A|$]]]|M|$]]

I did it this way:

<ol>
<li>Created a class that extends <code>SimpleUrlAuthenticationFailureHandler</code></li>
<li>Overrid the <code>onAuthenticationFailure</code> method, which receives an <code>HttpServletRequest</code> as a parameter.</li>
<li><code>request.getParameter("username")</code>, where <code>"username"</code> is the name of my input in my HTML form.</li>
</ol>

blocks|key|3131125|text|关于这个解决方案的信息似乎不多，但是如果您在Spring+Security配置中设置了failureForwardUrl，您将被转发到错误页面，而不是重定向。然后，您可以轻松地检索用户名和密码。例如，在您的配置中添加：.and().formLogin().failureForwardUrl("/login/failed")+(*+url必须与登录页面的url不同)|type|unstyled|depth|inlineStyleRanges|offset|length|style|CODE|entityRanges|data|3131126|在您的登录控制器中，执行以下操作：|3131127|@RequestMapping(value+=+"/login/failed")
public+String+loginfailed(@ModelAttribute(UsernamePasswordAuthenticationFilter.SPRING_SECURITY_FORM_USERNAME_KEY)+String+user,+@ModelAttribute(UsernamePasswordAuthenticationFilter.SPRING_SECURITY_FORM_PASSWORD_KEY)+String+password)+{
+++++//+Your+code+here
}|code-block|syntax|javascript|3131128|SPRING_SECURITY_FORM_USERNAME_KEY、SPRING_SECURITY_FORM_PASSWORD_KEY是默认名称，但您也可以在FormLoginConfigurer中设置它们：|3131129|.and().formLogin().usernameParameter("email").passwordParameter("password").failureForwardUrl("/login/failed")|3131130|entityMap|0|LINK|mutability|MUTABLE|url|https://docs.spring.io/autorepo/docs/spring-security/4.1.2.RELEASE/apidocs/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.html#failureForwardUrl-java.lang.String-^0|31|1H|17|H|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|Y|8|@$9|Z|A|10|B|C]]|D|@$9|11|A|12|1|13]]|E|$]]|$1|F|3|G|5|6|7|14|8|@]|D|@]|E|$]]|$1|H|3|I|5|J|7|15|8|@]|D|@]|E|$K|L]]|$1|M|3|N|5|6|7|16|8|@]|D|@]|E|$]]|$1|O|3|P|5|J|7|17|8|@]|D|@]|E|$K|L]]|$1|Q|3|-4|5|6|7|18|8|@]|D|@]|E|$]]]|R|$S|$5|T|U|V|E|$W|X]]]]

There doesn't seem to be much information on this solution, but if you set <a href="https://docs.spring.io/autorepo/docs/spring-security/4.1.2.RELEASE/apidocs/org/springframework/security/config/annotation/web/configurers/FormLoginConfigurer.html#failureForwardUrl-java.lang.String-" rel="nofollow noreferrer">failureForwardUrl</a> in your Spring Security configuration, you will be forwarded to the error page instead of redirected. You can then easily retrieve the username and password.
For example, in your config add:
<code>.and().formLogin().failureForwardUrl("/login/failed")</code> (* url must be different from the login page url)

And in your login controller, the following:

<pre><code>@RequestMapping(value = "/login/failed")
public String loginfailed(@ModelAttribute(UsernamePasswordAuthenticationFilter.SPRING_SECURITY_FORM_USERNAME_KEY) String user, @ModelAttribute(UsernamePasswordAuthenticationFilter.SPRING_SECURITY_FORM_PASSWORD_KEY) String password) {
 // Your code here
}
</code></pre>

SPRING_SECURITY_FORM_USERNAME_KEY, SPRING_SECURITY_FORM_PASSWORD_KEY are the default names, but you can set these in the FormLoginConfigurer as well:

<pre><code>.and().formLogin().usernameParameter("email").passwordParameter("password").failureForwardUrl("/login/failed")
</code></pre>

blocks|key|2916951|text|这是一个相当老的线程，但如果您使用的是相对较新的"spring-boot-starter-security“包，下面是我是如何做到的：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|2916952|我这样设置我的AuthenticationFailureHandler：|2916953|SimpleUrlAuthenticationFailureHandler+handler+=+new+SimpleUrlAuthenticationFailureHandler("/my-error-url");
handler.setUseForward(true);|code-block|syntax|javascript|2916954|这将在请求中设置最后一个异常：|2916955|//from+SimpleUrlAuthenticationFailureHandler+source
request.setAttribute("SPRING_SECURITY_LAST_EXCEPTION",+exception);|2916956|然后，我可以从我的控制器中获得错误的用户名：|2916957|RequestMapping("/impersonate-error")
public+String+impersonateErrorPage(Map<String,+Object>+model,+HttpServletRequest+request)+{

++++AuthenticationException+ex+=+(AuthenticationException)request.getAttribute("SPRING_SECURITY_LAST_EXCEPTION");
++++if(ex+!=+null)+{
++++++++logger.debug("Impersonate+message:+"+%2B+ex.getMessage());
++++++++model.put("badName",+ex.getMessage());
++++}
++++return+"impersonate-error";
}|2916958|entityMap^0|0|0|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|S|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|T|8|@]|9|@]|A|$]]|$1|D|3|E|5|F|7|U|8|@]|9|@]|A|$G|H]]|$1|I|3|J|5|6|7|V|8|@]|9|@]|A|$]]|$1|K|3|L|5|F|7|W|8|@]|9|@]|A|$G|H]]|$1|M|3|N|5|6|7|X|8|@]|9|@]|A|$]]|$1|O|3|P|5|F|7|Y|8|@]|9|@]|A|$G|H]]|$1|Q|3|-4|5|6|7|Z|8|@]|9|@]|A|$]]]|R|$]]

This is a pretty old thread, but if you are using a relatively current "spring-boot-starter-security" package, here's how I did it:

I set my AuthenticationFailureHandler like so:

<pre><code>SimpleUrlAuthenticationFailureHandler handler = new SimpleUrlAuthenticationFailureHandler("/my-error-url");
handler.setUseForward(true);
</code></pre>

This will set the last exception into the request:

<pre><code>//from SimpleUrlAuthenticationFailureHandler source
request.setAttribute("SPRING_SECURITY_LAST_EXCEPTION", exception);
</code></pre>

Then from my controller I can get the bad username:

<pre><code>RequestMapping("/impersonate-error")
public String impersonateErrorPage(Map&lt;String, Object&gt; model, HttpServletRequest request) {

 AuthenticationException ex = (AuthenticationException)request.getAttribute("SPRING_SECURITY_LAST_EXCEPTION");
 if(ex != null) {
 logger.debug("Impersonate message: " + ex.getMessage());
 model.put("badName", ex.getMessage());
 }
 return "impersonate-error";
}
</code></pre>

blocks|key|243931|text|如果你想使用Spring+AOP，你可以将下面的代码添加到你的方面类中：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|243932|private+String+usernameParameter+=+"username";+

@Before("execution(*+org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler.onAuthenticationFailure(..))")
public+void+beforeLoginFailure(JoinPoint+joinPoint)+throws+Throwable+{
++++++++HttpServletRequest+request+=+(HttpServletRequest)+joinPoint.getArgs()[0];
++++++++AuthenticationException+exceptionObj+=+(AuthenticationException)+joinPoint.getArgs()[2];

++++++++String+username+=+request.getParameter(usernameParameter);

++++++++System.out.println(">>>+Aspect+check:+AuthenticationException:++"%2BexceptionObj.getMessage());
++++++++System.out.println(">>>+Aspect+check:+user:+"%2B+username+%2B+"+failed+to+log+in.");
}|code-block|syntax|javascript|243933|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|I|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|J|8|@]|9|@]|A|$E|F]]|$1|G|3|-4|5|6|7|K|8|@]|9|@]|A|$]]]|H|$]]

If you want to use Spring AOP, you can add the below code to your Aspect class:

<pre><code>private String usernameParameter = "username"; 

@Before("execution(* org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler.onAuthenticationFailure(..))")
public void beforeLoginFailure(JoinPoint joinPoint) throws Throwable {
 HttpServletRequest request = (HttpServletRequest) joinPoint.getArgs()[0];
 AuthenticationException exceptionObj = (AuthenticationException) joinPoint.getArgs()[2];

 String username = request.getParameter(usernameParameter);

 System.out.println("&gt;&gt;&gt; Aspect check: AuthenticationException: "+exceptionObj.getMessage());
 System.out.println("&gt;&gt;&gt; Aspect check: user: "+ username + " failed to log in.");
}
</code></pre>

We're using spring security 3.0.5, Java 1.6 and Tomcat 6.0.32. In our .xml config file we've got:

<pre><code>&lt;form-login login-page="/index.html" default-target-url="/postSignin.html" always-use-default-target="true"
 authentication-failure-handler-ref="authenticationFailureHandler"/&gt;
</code></pre>

and our <code>authenticationFailureHandler</code> defined as:

<pre><code>&lt;beans:bean id="authenticationFailureHandler" class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler"&gt;
 &lt;beans:property name="exceptionMappings"&gt;
 &lt;beans:props&gt;
 &lt;beans:prop key="org.springframework.security.authentication.BadCredentialsException"&gt;/index.html?authenticationFailure=true&lt;/beans:prop&gt;
 &lt;/beans:props&gt;
 &lt;/beans:property&gt;
&lt;/beans:bean&gt;
</code></pre>

Java

<pre><code> @RequestMapping(params={"authenticationFailure=true"}, value ="/index.html")
 public String handleInvalidLogin(HttpServletRequest request) {
 //... How can I get the username that was used???
 // I've tried:
 Object username = request.getAttribute("SPRING_SECURITY_LAST_USERNAME_KEY");
 Object username = request.getAttribute("SPRING_SECURITY_LAST_USERNAME"); // deprecated
 }
</code></pre>

So we're directing all <code>BadCredentialsExceptions</code> to the <code>index.html</code> and <code>IndexController</code>. In the <code>IndexController</code> I'd like to get the <code>username</code> that was used for the failed login attempt. How can I do this?

How can I get the username from a failed login using spring security?

Java

我们使用的是spring security 3.0.5，Java 1.6和Tomcat 6.0.32。在我们的.xml配置文件中，我们有：<form-login login-page="/index.html" default-target-url="/postSignin.html" always-use-defau...

问如何使用spring security从失败的登录中获取用户名？
EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问如何使用spring security从失败的登录中获取用户名？EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问如何使用spring security从失败的登录中获取用户名？
EN