Java Spring Security-不推荐使用User.withDefaultPasswordEncoder()? [英] Java Spring Security - User.withDefaultPasswordEncoder() is deprecated?
问题描述
我对Java Spring Security还是很陌生,并且一直遵循Spring.io 教程指南.
作为其中的一部分,我根据需要编辑了WebSecurityConfig类:
I am very new to java spring security, and was following the Spring.io tutorial guide.
As part of this, I edited the WebSecurityConfig class as required:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/", "/home").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.permitAll()
.and()
.logout()
.permitAll();
}
@Bean
@Override
public UserDetailsService userDetailsService() {
UserDetails user =
User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.roles("USER")
.build();
return new InMemoryUserDetailsManager(user);
}
}
在userDetailService()方法中,它使用的withDefaultPasswordEncoder()现在已弃用,如docs中所示:
Within the userDetailService() method, it uses withDefaultPasswordEncoder() which is now deprecated as seen in the docs: withDefaultPasswordEncoder()
不幸的是,如果不使用不推荐使用的方法,则无法找到替代方法来完成本教程. 如果可能的话,有人可以提供替代方法吗?
Unfortunately, I have not been able to find an alternative to this, to complete this tutorial without using the deprecated method. Would somebody be able to provide an alternative for this if possible?
谢谢!
注意: :我已经附上了我的错误以及gradle文件的几个屏幕截图
note: I have attached a couple of screen shots of my error, as well as my gradle file
推荐答案
删除了旧答案,误解了这个问题.这是新的:
User.withDefaultPasswordEncoder()仍然可以用于演示,您不必担心这就是您正在执行的操作-即使已弃用它-但在生产中,您的源代码中不应包含纯文本密码
User.withDefaultPasswordEncoder() can still be used for demos, you don't have to worry if that's what you're doing - even if it's deprecated - but in production, you shouldn't have a plain text password in your source code.
以下操作是您应该做的,而不是使用当前的userDetailsService()方法:
What you should be doing instead of using your current userDetailsService() method is the following:
private static final String ENCODED_PASSWORD = "$2a$10$AIUufK8g6EFhBcumRRV2L.AQNz3Bjp7oDQVFiO5JJMBFZQ6x2/R/2";
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.passwordEncoder(passwordEncoder())
.withUser("user").password(ENCODED_PASSWORD).roles("USER");
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
其中ENCODED_PASSWORD用BCrypt编码的secret123.您还可以像下面这样以编程方式对其进行编码:passwordEncoder().encode("secret123").
Where ENCODED_PASSWORD is secret123 encoded with BCrypt. You can also encode it programmatically like so: passwordEncoder().encode("secret123").
这样,即使将代码推送到公共存储库,人们也不会知道密码,因为ENCODED_PASSWORD仅显示密码的编码版本,而不是纯文本版本,而是因为您知道secret123的编码密码,而其他人则不是,密码为user:secret123的内存中用户不会受到损害.
That way, even if you push your code to a public repository, people won't know the password because ENCODED_PASSWORD only shows the encoded version of the password and not the plain text version, but because you know that $2a$10$AIUufK8g6EFhBcumRRV2L.AQNz3Bjp7oDQVFiO5JJMBFZQ6x2/R/2 is actually the encoded password of the string secret123 whereas others don't, your in-memory user with the credentials user:secret123 won't be compromised.
请注意,出于示例的目的,我将其保留在静态变量中.
Note that I'm using leaving it in a static variable for the sake of the example.
这篇关于Java Spring Security-不推荐使用User.withDefaultPasswordEncoder()?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
