如何在没有密码编码的情况下使用 Spring security? [英] How to use Spring security without password encoding?

问题描述

我目前正在尝试学习 Spring 安全性.我使用 BCryptPasswordEncoder 在持久化到数据库之前对用户密码进行编码

代码:

I'm trying to learn Spring security currently. I used BCryptPasswordEncoder to encode user password before persisting into a database

Code:

@Override
    public void saveUser(User user) {
        user.setPassword(bCryptPasswordEncoder.encode(user.getPassword()));
        user.setActive(1);
        Role userRole = roleRepository.findByRole("ADMIN");
        user.setRoles(new HashSet<Role>(Arrays.asList(userRole)));
        userRepository.save(user);
    }

然后在身份验证期间也使用它，并且用户按预期进行了身份验证.

Then used it during authentication as well and User was getting authenticated as expected.

@Override
    protected void configure(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.
            jdbcAuthentication()
                .usersByUsernameQuery(usersQuery)
                .authoritiesByUsernameQuery(rolesQuery)
                .dataSource(dataSource).passwordEncoder(bCryptPasswordEncoder);
    }

然后我从 configure() 方法中删除了 .passwordEncoder(bCryptPasswordEncoder);，仍然使用编码密码的用户成功通过身份验证.

Then I removed .passwordEncoder(bCryptPasswordEncoder); from configure() method, still users with encoded password is getting authenticated successfully.

然后我从 saveUser() 和 configure() 方法中删除了密码编码器，并将 User 持久化到数据库中(即没有密码编码)并试图访问一个经过身份验证的页面，但我得到了 AccessedDeniedException，

但是即使我删除了 passwordEncoder() 来自 configure() 方法.为什么会这样?

Spring Security 在认证过程中是否默认使用密码编码器?

如果是这样如何在没有密码编码的情况下使用spring security?

Then I removed password encoder from both the saveUser() and the configure() method, and persisted a User into the database(i.e without password encoding) and tried to access an authenticated page but I got AccessedDeniedException,

But users with encoded password still gets authenticated even though i removed passwordEncoder() from configure() method. Why is this happening?

Does spring security by default use password encoder during authentication?

If so how to use spring security without password encoding?

推荐答案

始终启用 Spring Security 5 密码加密.默认使用的加密是 bcrypt.Spring Security 5 的巧妙之处在于它实际上允许您在密码中指定用于创建密码的加密.

With Spring Security 5 encryption on passwords is always enabled. The encryption used by default is bcrypt. What is neat about Spring Security 5 is that it actually allows you to specify, in your password, which encryption was used to create the has.

为此，请参阅 密码存储格式 在 Spring 安全参考指南中.简而言之，它允许您为算法的众所周知的密钥添加密码前缀.存储格式为{}.

For this see the Password Storage Format in the Spring Security Reference Guide. In short it allows you to prefix your password for a well known key to an algorithm. The storage format is {<encryption>}<your-password-hash>.

当什么都不使用时，它会变成 {noop}your-password(这将使用 NoOpPasswordEncoder 和 {bcrypt}$a2...... 将使用 BcryptPasswordEncoder.有多种现成支持的算法，但您也可以定义自己的算法.

When using nothing it would become {noop}your-password (which would use the NoOpPasswordEncoder and {bcrypt}$a2...... would use the BcryptPasswordEncoder. There are several algorithms supported out-of-the-box, but you can also define your own.

要定义您自己的，请创建您自己的 PasswordEncoder 并将其注册到 DelegatingPasswordEncoder 的密钥下.

To define your own create your own PasswordEncoder and register it under a key with the DelegatingPasswordEncoder.

这篇关于如何在没有密码编码的情况下使用 Spring security?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！