我刚开始使用Apache Shiro,因为我;继承的";有些代码有以下错误,请耐心等待。
当管理员更改用户的密码时,该用户将无法登录
输入新更改的密码会返回错误的CredentialsException。正在检查数据库,密码已更改。
奇怪的是,如果你输入旧密码,你就可以登录。注销后,您可以使用新密码。
- 应用程序是Java,构建在Vaadin8框架上
- Persistence用于连接MySQL数据库
没有shiro.ini文件,我只能找到一个security.xml文件:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-4.0.xsd">
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
<property name="securityManager" ref="securityManager"/>
<property name="loginUrl" value="/#!login"/>
<property name="successUrl" value="/"/>
<property name="filterChainDefinitions">
<value>
/favicon.ico = noSessionCreation, anon
/login/ = authc
/logout/ = logout
/** = anon
</value>
</property>
</bean>
<bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
<property name="realm" ref="myRealm"/>
</bean>
<bean id="myRealm" class="com.example.project.ui.view.panels.login.MyAuthRealm">
</bean>
<bean id="lifecycleBeanPostProcessor" class="org.apache.shiro.spring.LifecycleBeanPostProcessor"/>
<!-- Enable Shiro Annotations for Spring-configured beans. Only run after -->
<!-- the lifecycleBeanProcessor has run: -->
<bean class="org.springframework.aop.framework.autoproxy.DefaultAdvisorAutoProxyCreator"
depends-on="lifecycleBeanPostProcessor"/>
<bean class="org.apache.shiro.spring.security.interceptor.AuthorizationAttributeSourceAdvisor">
<property name="securityManager" ref="securityManager"/>
</bean>
</beans>
和一个带有一些滤波器的web.xml:
...
<!-- Apache Shiro -->
<filter>
<filter-name>shiroFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
<init-param>
<param-name>targetFilterLifecycle</param-name>
<param-value>true</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>shiroFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
...
据我所知,已经使用了Shiro的默认实现,并且没有扩展任何自定义,例如会话或缓存。
这是登录按钮监听器
loginButton.addClickListener(new Button.ClickListener() {
public void buttonClick(Button.ClickEvent event) {
boolean isFormValid = true;
if (isFormValid) {
UsernamePasswordToken token = new UsernamePasswordToken((String) usernameField.getValue(), (String) passField.getValue());
Subject currentUser = SecurityUtils.getSubject();
try {
currentUser.login(token);
Page.getCurrent().reload();
} catch (UnknownAccountException uae) {
errorLabel.setValue("Unknown Account. Please try again");
} catch (IncorrectCredentialsException ice) {
errorLabel.setValue("Incorrect Credentials. Please try again");
} catch (LockedAccountException lae) {
errorLabel.setValue("This account is locked");
} catch (ExcessiveAttemptsException eae) {
errorLabel.setValue("Too many login attempts. Please try again later");
} catch (AuthenticationException ae) {
errorLabel.setValue("Something went wrong. Please try again later");
}
}
}
});
这是来自自定义领域MyAuthRealm的doGetAuthenticationInfo
protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authcToken)
throws AuthenticationException {
UsernamePasswordToken token = (UsernamePasswordToken) authcToken;
// Problem is located here.
// For some reason this query returns the old password
List<AdminUser> results = this.em.createQuery("SELECT u FROM AdminUser u WHERE u.username ='" + token.getPrincipal() + "' AND u.isActive = TRUE").getResultList();
if (results.size() == 1) {
SimpleAuthenticationInfo info = new SimpleAuthenticationInfo(((AdminUser) results.get(0)).getUsername(), ((AdminUser) results.get(0)).getPassword(), getName());
return info;
}
return null;
}
正如我在results变量上面的注释中提到的,出于某种原因,查询在管理员更改密码之前返回了密码,这就是为什么我会得到IncorrectCredentialsException。
这是AdminUser型号类别:
@Entity
@Table(name = "admin_user")
@Cacheable(false)
@XmlRootElement
@NamedQueries({
@NamedQuery(name = "AdminUser.findAll", query = "SELECT a FROM AdminUser a"),
@NamedQuery(name = "AdminUser.findById", query = "SELECT a FROM AdminUser a WHERE a.id = :id"),
@NamedQuery(name = "AdminUser.findByEmail", query = "SELECT a FROM AdminUser a WHERE a.email = :email"),
@NamedQuery(name = "AdminUser.findByFistName", query = "SELECT a FROM AdminUser a WHERE a.fistName = :fistName"),
@NamedQuery(name = "AdminUser.findByLastName", query = "SELECT a FROM AdminUser a WHERE a.lastName = :lastName"),
@NamedQuery(name = "AdminUser.findByLoginAttempts", query = "SELECT a FROM AdminUser a WHERE a.loginAttempts = :loginAttempts"),
@NamedQuery(name = "AdminUser.findByPassword", query = "SELECT a FROM AdminUser a WHERE a.password = :password"),
@NamedQuery(name = "AdminUser.findByUsername", query = "SELECT a FROM AdminUser a WHERE a.username = :username"),
@NamedQuery(name = "AdminUser.findByRoles", query = "SELECT a FROM AdminUser a WHERE a.roles = :roles")})
public class AdminUser implements Serializable {
private static final long serialVersionUID = 1L;
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
@Basic(optional = false)
@Column(name = "id")
private Integer id;
// @Pattern(regexp="[a-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_`{|}~-]+)*@(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?", message="Invalid email")//if the field contains email address consider using this annotation to enforce field validation
@Basic(optional = false)
@NotNull
@Size(min = 1, max = 255)
@Column(name = "email")
private String email;
@Size(max = 100)
@Column(name = "fist_name")
private String fistName;
@Size(max = 100)
@Column(name = "last_name")
private String lastName;
@Basic(optional = false)
@NotNull
@Column(name = "login_attempts")
private int loginAttempts;
@Basic(optional = false)
@NotNull
@Size(min = 1, max = 255)
@Column(name = "password")
private String password;
@Size(max = 100)
@Column(name = "username")
private String username;
@Size(max = 255)
@Column(name = "roles")
private String roles;
@Lob
@Size(max = 65535)
@Column(name = "settings")
private String settings;
@Basic(optional = false)
@NotNull
@Column(name = "isActive")
private boolean isActive;
@OneToMany(mappedBy = "adminUserId")
private Collection<Staff> staffCollection;
public AdminUser() {
}
public AdminUser(Integer id) {
this.id = id;
}
public AdminUser(Integer id, String email, int loginAttempts, String password) {
this.id = id;
this.email = email;
this.loginAttempts = loginAttempts;
this.password = password;
}
public Integer getId() {
return id;
}
public void setId(Integer id) {
this.id = id;
}
public String getEmail() {
return email;
}
public void setEmail(String email) {
this.email = email;
}
public String getFistName() {
return fistName;
}
public void setFistName(String fistName) {
this.fistName = fistName;
}
public String getLastName() {
return lastName;
}
public void setLastName(String lastName) {
this.lastName = lastName;
}
public int getLoginAttempts() {
return loginAttempts;
}
public void setLoginAttempts(int loginAttempts) {
this.loginAttempts = loginAttempts;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getRoles() {
return roles;
}
public void setRoles(String roles) {
this.roles = roles;
}
public String getSettings() {
return settings;
}
public void setSettings(String settings) {
this.settings = settings;
}
public boolean isIsActive() {
return isActive;
}
public void setIsActive(boolean isActive) {
this.isActive = isActive;
}
@XmlTransient
public Collection<Staff> getStaffCollection() {
return staffCollection;
}
public void setStaffCollection(Collection<Staff> staffCollection) {
this.staffCollection = staffCollection;
}
@Override
public int hashCode() {
int hash = 0;
hash += (id != null ? id.hashCode() : 0);
return hash;
}
@Override
public boolean equals(Object object) {
// TODO: Warning - this method won't work in the case the id fields are not set
if (!(object instanceof AdminUser)) {
return false;
}
AdminUser other = (AdminUser) object;
if ((this.id == null && other.id != null) || (this.id != null && !this.id.equals(other.id))) {
return false;
}
return true;
}
@Override
public String toString() {
return "com.model.AdminUser[ id=" + id + " ]";
}
}
你知道接下来会发生什么吗?这样你就可以引导我朝着正确的方向前进?
可能涉及缓存,当您更新用户的密码(或禁用缓存(时,您需要使给定领域的缓存无效