Encrypting InMemoryAuthentication passwords with Bcrypt

Question

Before I use Bcrypt on a custom implementation of UserDetailsService, I first want to see if I can use it in an in-memory database.

package com.patrick.Security;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.NoOpPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@EnableWebSecurity
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    private UserDetailsService userDetailsService;


    @Autowired
    public WebSecurityConfig(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers(HttpMethod.POST, "/login").permitAll()
                .antMatchers(HttpMethod.POST, "/users").hasAuthority("ADMIN")
                .antMatchers(HttpMethod.POST, "/shifts").hasAnyAuthority("ADMIN", "SUPERVISOR")
                .anyRequest().authenticated()
                .and()
                .addFilter(new AuthenticationFilter(authenticationManager()))
                .addFilter(new AuthorizationFilter(authenticationManager()));
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication().passwordEncoder(passwordEncoder())
                .withUser("admin").password("password").roles("ADMIN");
    }

    @Bean
    public PasswordEncoder passwordEncoder(){
        return new BCryptPasswordEncoder();
    }
}

With creating/exposing the PasswordEncoder bean this warning pops up which ultimately prevents me from accessing the login path:

o.s.s.c.bcrypt.BCryptPasswordEncoder     : Encoded password does not look like BCrypt

Adding the deprecated NoOpPasswordEncoder will temporarily solve the issue, but obviously won't encode the passwords:

@SuppressWarnings("deprecation")
@Bean
public static NoOpPasswordEncoder passwordEncoder() {
    return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
}

What's the correct way to add Bcrypt?

Recommended answer

With creating/exposing the PasswordEncoder bean this warning pops up which ultimately prevents me from accessing the login path:

o.s.s.c.bcrypt.BCryptPasswordEncoder     : Encoded password does not look like BCrypt

This is because the password you're providing is not encoded with BCrypt. Instead of passing "password" directly as the password it needs to be encoded first.

For testing purposes, an easy way of doing this would be to just get a hold of your password encoder and encode it in your configure method like this

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    String password = passwordEncoder().encode("password");
    auth.inMemoryAuthentication().withUser("admin").password(password).roles("ADMIN");
}

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}
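
Added example, not part of the original question or answer: a standalone check of why BCryptPasswordEncoder rejects a stored plain-text value and accepts the output of encode(). The class name BcryptMatchDemo and the sample password are assumptions; it needs spring-security-crypto (Spring Security 5 or later) on the classpath.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example (hypothetical class name); requires spring-security-crypto.
public class BcryptMatchDemo {

    public static void main(String[] args) {
        PasswordEncoder bcrypt = new BCryptPasswordEncoder();
        String raw = "password"; // constructed sample credential, as in the question

        // Case 1: the question's setup. The stored value is the raw string, so
        // matches() logs "Encoded password does not look like BCrypt" and rejects it.
        boolean rawStored = bcrypt.matches(raw, raw);

        // Case 2: the answer's fix. Store the output of encode() instead.
        String hash = bcrypt.encode(raw);
        boolean hashStored = bcrypt.matches(raw, hash);

        // encode() draws a fresh random salt on every call, so two hashes of the
        // same password differ as strings. Verify with matches(), never equals().
        String second = bcrypt.encode(raw);
        boolean identicalStrings = hash.equals(second);
        boolean secondMatches = bcrypt.matches(raw, second);

        // The delegating encoder picks the algorithm from an "{id}" prefix on the
        // stored value; "{bcrypt}" routes verification to BCrypt.
        PasswordEncoder delegating =
                PasswordEncoderFactories.createDelegatingPasswordEncoder();
        boolean prefixedMatches = delegating.matches(raw, "{bcrypt}" + hash);

        System.out.println("raw value stored, matches():    " + rawStored);
        System.out.println("bcrypt hash stored, matches():  " + hashStored);
        System.out.println("hash prefix and length:         "
                + hash.substring(0, 7) + " / " + hash.length());
        System.out.println("two encode() results identical: " + identicalStrings);
        System.out.println("second hash still matches:      " + secondMatches);
        System.out.println("{bcrypt}-prefixed hash matches: " + prefixedMatches);
    }
}
```

Because the stored value only has to be a valid BCrypt string, a hash produced once by a run like this can be placed in the configuration instead of calling encode("password") at startup, which keeps the plain-text password out of the source.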
