Spring Security Authentication issue: HTTP 401


Problem description


I've encountered a bizarre situation using spring security. Having used:

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.0.3.RELEASE</version>
    </parent>

and the following simple security configuration:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {

        UserDetails user = User.builder().username("1").password("1").roles("USER").build();
        auth.inMemoryAuthentication().withUser(user).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.csrf().disable().authorizeRequests().antMatchers("/inquiry").authenticated().anyRequest().permitAll().and()
                .httpBasic();
    }
}


I constantly get the 401 HTTP status code. But I dug deeper into the code and I've realized that in the Spring Security core there is a minor issue. The class DaoAuthenticationProvider tries to check if the provided password matches the actual credential with the password encoder (in my case BCrypt) in hand. So

if (!passwordEncoder.matches(presentedPassword, userDetails.getPassword()))


But in the encoder, the method signature of matches is:

public boolean matches(CharSequence rawPassword, String encodedPassword)

So the authentication fails.

Recommended answer


When you use in-memory authentication with BCrypt in your security configuration, you need to encrypt the password string first.

So you can try

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {

    // First encrypt the password string
    String encodedPassword = passwordEncoder().encode("1");

    // Set the password
    UserDetails user = User.builder()
                           .username("1")
                           .password(encodedPassword)
                           .roles("USER")
                           .build();

    // Use in-memory authentication with BCryptEncoder
    auth.inMemoryAuthentication()
        .withUser(user)
        .passwordEncoder(passwordEncoder());
}

// Requires import org.springframework.security.crypto.password.PasswordEncoder; in SecurityConfig
@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}
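As an added example (not part of the question or the accepted answer), the stand-alone Java program below shows the behaviour both posts describe: BCryptPasswordEncoder.matches(rawPassword, encodedPassword) compares a raw password against a stored BCrypt hash, so storing the raw string "1" as the credential can never match, while a value produced by encode() does. It also shows the related Spring Security 5 pitfall: when no encoder is set explicitly, the DelegatingPasswordEncoder is used and expects an "{id}" prefix on stored values. It assumes spring-security-crypto (pulled in by spring-boot-starter-security 2.0.x) is on the classpath; the class and method names are my own.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added demonstration; names are my own, not from the question or answer.
public class BcryptMatchDemo {

    // What the original configuration effectively does: the "stored" credential
    // is the raw string "1", and matches() is asked to treat it as a BCrypt hash.
    // BCryptPasswordEncoder checks the stored value against the BCrypt pattern
    // first, so a non-hash never matches (it also logs a warning).
    static boolean storedAsPlaintext(PasswordEncoder encoder, String rawPassword) {
        return encoder.matches(rawPassword, rawPassword);
    }

    // What the accepted answer does: hash at configuration time, compare at login.
    static boolean storedAsBcryptHash(PasswordEncoder encoder, String rawPassword, String attempt) {
        // encode() salts, so the hash differs on every call, but matches() still verifies it
        String storedHash = encoder.encode(rawPassword);
        return encoder.matches(attempt, storedHash);
    }

    // Spring Security 5 default when no encoder is configured: DelegatingPasswordEncoder
    // routes on the "{id}" prefix of the stored value and rejects values without one.
    static String delegatingEncoderOutcome(String storedValue, String attempt) {
        PasswordEncoder delegating = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        try {
            return delegating.matches(attempt, storedValue) ? "match" : "no match";
        } catch (IllegalArgumentException e) {
            // thrown when the stored value carries no "{bcrypt}"-style id prefix
            return "error: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        PasswordEncoder bcrypt = new BCryptPasswordEncoder();
        System.out.println("plaintext stored : " + storedAsPlaintext(bcrypt, "1"));
        System.out.println("hash stored      : " + storedAsBcryptHash(bcrypt, "1", "1"));
        System.out.println("wrong attempt    : " + storedAsBcryptHash(bcrypt, "1", "2"));

        PasswordEncoder delegating = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        String prefixed = delegating.encode("1");        // carries a "{bcrypt}" prefix
        String unprefixed = bcrypt.encode("1");          // bare "$2a$..." hash, no id prefix
        System.out.println("delegating, prefixed : " + delegatingEncoderOutcome(prefixed, "1"));
        System.out.println("delegating, no prefix: " + delegatingEncoderOutcome(unprefixed, "1"));
    }
}
```

Run it with spring-security-crypto on the classpath. The first line prints false (and BCrypt logs "Encoded password does not look like BCrypt"), which is exactly the condition in DaoAuthenticationProvider that produces the 401; the second prints true and the third false. The delegating encoder matches the prefixed value but throws for the bare hash with "There is no PasswordEncoder mapped for the id "null"", which is why the answer's approach of passing the same BCryptPasswordEncoder bean to inMemoryAuthentication() and encoding with it is consistent: stored format and configured encoder agree.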
