这个是发送的请求: ### 密码模式 POST {{auth_host}}/auth/oauth/token?client_id=XcWebApp&client_secret=XcWebApp&grant_type=password&username=stu1&password=
可以看到password是空白没填写任何内容,但是结果依旧拿的到token
下面是UserDetailsaService的实现类:
@Component
public class UserDetailImpl implements UserDetailsService {
@Resource
private XcUserMapper xcUserMapper;
@Override
public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException {
// 根据username查询数据库
String username = s;
LambdaQueryWrapper<XcUser> queryWrapper = new LambdaQueryWrapper<>();
XcUser xcUser = xcUserMapper.selectOne(queryWrapper.eq(XcUser::getUsername, username));
// 查询用户不存在,返回null,spring security抛出异常用户不存在
if (xcUser == null) {
return null;
}
// 如果用户拿到了正确的密码,最终封装成一个UserDetails对象给spring security框架返回,有框架进行密码比对
String password = xcUser.getPassword();
// 权限
String[] authorities = {"test"};
UserDetails userDetails = User.withUsername(username).password(password).authorities(authorities).build(); // 问题就在这里
return userDetails;
}
}
下面是WebSecurityConfig中代码
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
// 该类中还有其他代码没写。以下仅为导致错误的代码
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(daoAuthenticationProviderCustom);
}
}
下面是DaoAuthenticationProviderCustom
@Component
public class DaoAuthenticationProviderCustom extends DaoAuthenticationProvider {
@Resource
public void setUserDetailsService(UserDetailsService userDetailsService) {
super.setUserDetailsService(userDetailsService);
}
@Override
protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
}
}
我暂时还不需要重写校验密码的方法,直接把DaoAuthenticationProviderCustom删除即可,问题解决