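I am using the new BCryptPasswordEncoder to hash user passwords into the database (MongoDB in my case). When I was just testing login, I set the password encoder in the security configuration to BCryptPasswordEncoder, but when I try to log in (with the correct credentials, of course), I get bad credentials. What am I missing?

Security configuration: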

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    @Configuration
    @EnableWebMvcSecurity
    public class VZWebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        VZUserDetailsService userDetailsService;

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService).passwordEncoder(encoder());
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/", "/home").permitAll()
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .permitAll()
                    .and()
                .logout()
                    .permitAll();
        }

        @Bean
        public PasswordEncoder encoder() {
            return new BCryptPasswordEncoder();
        }
    }

To start with some valid users, I initialize the database with some users:

    import java.util.ArrayList;
    import java.util.List;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.boot.CommandLineRunner;
    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
    import org.springframework.context.annotation.ComponentScan;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;
    import vertyze.platform.data.constants.VZUserRoles;

    @Configuration
    @ComponentScan("it.vertyze.platform")
    @EnableAutoConfiguration
    public class Application implements CommandLineRunner {

        @Autowired
        VZUserRepository userRepository;

        public static void main(String[] args) {
            SpringApplication.run(Application.class, args);
        }

        @Override
        public void run(String... args) throws Exception {
            userRepository.deleteAll();
            PasswordEncoder encoder = new BCryptPasswordEncoder();
            List<VZUserRoles> siteAdmin = new ArrayList<VZUserRoles>();
            siteAdmin.add(VZUserRoles.SITE_ADMIN);
            List<VZUserRoles> siteUser = new ArrayList<VZUserRoles>();
            siteUser.add(VZUserRoles.SITE_VIEWER);
            VZUser user1 = new VZUser();
            VZUser user2 = new VZUser();
            user1.setUsername("user1");
            user1.setPassword(encoder.encode("password1"));
            user1.setRoles(siteAdmin);
            user2.setUsername("user2");
            user2.setPassword(encoder.encode("password2"));
            user2.setRoles(siteUser);
            userRepository.save(user1);
            userRepository.save(user2);
        }
    }

Can anyone help me? Thanks!

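Do you by any chance have

    WARN o.s.s.c.bcrypt.BCryptPasswordEncoder - Encoded password does not look like BCrypt

in your debug log? If so, you should check whether the length of the password row in your user table is large enough. The bcrypt algorithm generates hashes of length 60, so if you happen to have a row with, for example, type varchar(45), your hash may get truncated.
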
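Make sure that the password you save in the database is not the plain password but the encoded one:

    PasswordEncoder encoder = new BCryptPasswordEncoder();
    User entity = new User("name", encoder.encode("password"));

The encoder is your implementation of the PasswordEncoder interface.
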
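Here you can see that the first two users, which I inserted into the table manually, have plaintext passwords, and that was the root of the problem for me.

    id  username     password
    1   "Alexander"  "1234"
    2   "John"       "Doe"
    3   "test"       "$2a$10$9mG1Ik1hRCdTdA9/RqSrUehDbkVqGhF.mbx4QE4nfe9Bnx6cLJj7."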
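
The two failure modes the answers above describe (a hash cut short by a narrow column, and plaintext stored in place of a hash) can be told apart by the shape of the stored value. The following is an added example, not code from the original posts: the class name, the sample rows and the placeholder hash are constructed, and `String.repeat` assumes Java 11 or later.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added example: classify stored password values before blaming the encoder.
public class StoredPasswordAudit {

    // Complete bcrypt string: version, two-digit cost, 53 chars of salt + hash (60 total).
    private static final Pattern BCRYPT =
            Pattern.compile("\\$2[aby]?\\$\\d\\d\\$[./0-9A-Za-z]{53}");

    // Same prefix but fewer than 53 trailing characters: the value was cut off when stored.
    private static final Pattern BCRYPT_PREFIX =
            Pattern.compile("\\$2[aby]?\\$\\d\\d\\$[./0-9A-Za-z]{0,52}");

    enum Verdict { OK, TRUNCATED, NOT_BCRYPT }

    static Verdict classify(String stored) {
        if (stored == null) return Verdict.NOT_BCRYPT;
        // matches() requires the whole string to fit the pattern.
        if (BCRYPT.matcher(stored).matches()) return Verdict.OK;
        if (BCRYPT_PREFIX.matcher(stored).matches()) return Verdict.TRUNCATED;
        return Verdict.NOT_BCRYPT; // plaintext or some other encoding
    }

    public static void main(String[] args) {
        // Placeholder with the right shape, not a real hash.
        String full = "$2a$10$" + "A".repeat(53);

        // Constructed sample rows: username -> stored password value.
        Map<String, String> rows = new LinkedHashMap<>();
        rows.put("alice", "1234");               // plaintext inserted by hand
        rows.put("bob", full.substring(0, 45));  // what a varchar(45) column would keep
        rows.put("carol", full);                 // complete 60-character value

        for (Map.Entry<String, String> row : rows.entrySet()) {
            String value = row.getValue();
            System.out.printf("%-6s length=%2d %s%n",
                    row.getKey(), value.length(), classify(value));
        }
    }
}
```

Rows reported as `TRUNCATED` point to the column length, and rows reported as `NOT_BCRYPT` point to values that were written without going through the encoder.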