
Spring Security does not recognize its own encryption


I am having problems with Spring Security and encrypting passwords in MS SQL. In my REST application I use Spring 4, Hibernate and Spring Data JPA. I am trying to implement password encryption with BCrypt, but all I get is

WARN 4780 --- [io-8080-exec-61] o.s.s.c.bcrypt.BCryptPasswordEncoder : Encoded password does not look like BCrypt

when trying to log in with correct credentials. Access is then obviously denied.

What I have tried or what I know:

  • The password in MS SQL is stored correctly as a BCrypt-encrypted string

  • The password column in the DB is long enough (64 characters)

  • Adding auth.jdbcAuthentication().dataSource(dataSource) to the AuthenticationManagerBuilder did not change anything.

  • When the DB is queried for the password, it returns what is stored - the BCrypt-encoded password.

The whole thing is a bit strange, because I use the same PasswordEncoder instance to encode everything. And then it does not recognize its own encryption. Here is what I have:

Configuration:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private RESTAuthenticationEntryPoint authenticationEntryPoint;

    @Autowired
    private RESTAuthenticationFailureHandler authenticationFailureHandler;

    @Autowired
    private RESTAuthenticationSuccessHandler authenticationSuccessHandler;

    @Autowired
    private UserDetailsService userAuthService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF protection is switched off here, as in the original post
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/home", "/").permitAll()
                .antMatchers("/login").permitAll()
                .antMatchers("/addGame").hasRole("USER")
            .and()
            .exceptionHandling()
                .authenticationEntryPoint(authenticationEntryPoint)
            .and()
            .formLogin()
                .successHandler(authenticationSuccessHandler)
                .failureHandler(authenticationFailureHandler);
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider());
    }

    // DaoAuthenticationProvider loads the user via userAuthService and compares
    // the submitted password against the stored hash with the same encoder bean
    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
        authProvider.setUserDetailsService(userAuthService);
        authProvider.setPasswordEncoder(encoder());
        return authProvider;
    }

    // Single PasswordEncoder bean, used both for registration and for login checks
    @Bean
    public PasswordEncoder encoder() {
        return new BCryptPasswordEncoder();
    }

}

The UserDetailsService:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;

@Service
public class UserAuthService implements UserDetailsService {
    @Autowired
    UserDatabaseService userDatabaseService;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        UserDto user = userDatabaseService.getUserByUsername(username);
        if (user == null) {
            throw new UsernameNotFoundException(username);
        } else {
            // The stored password hash is handed to Spring Security via MyUserPrincipal.getPassword()
            return new MyUserPrincipal(user);
        }
    }

}

UserDatabaseService (implemented with Spring Data):

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Service
public class UserDatabaseService {

    @Autowired
    UserDatabaseRepository userDatabaseRepository;

    @Autowired
    UserToUserDtoConverter userToUserDtoConverter;

    @Autowired
    UserDtoToUserEntityConverter userDtoToUserEntityConverter;

    @Autowired
    PasswordEncoder passwordEncoder;

    public UserDto getUserByUsername(String username) {
        return userToUserDtoConverter.convert(userDatabaseRepository.findByUsername(username));
    }

    public boolean saveUser(UserDto user) {
        // Hash the plaintext password with the shared encoder before persisting
        user.setPassword(passwordEncoder.encode(user.getPassword()));
        return userDatabaseRepository.save(userDtoToUserEntityConverter.convert(user)) != null;
    }

}

Honestly, I really do not know what is wrong. I have been following these two tutorials: http://www.baeldung.com/spring-security-authentication-with-a-database http://www.baeldung.com/spring-security-registration-password-encoding-bcrypt

Any help would be appreciated.

Edit: the converters used to convert the DTO class to the entity (and vice versa)

import java.util.Collection;
import java.util.stream.Collectors;

import org.springframework.stereotype.Service;

@Service
public class UserDtoToUserEntityConverter {
    public UserEntity convert(UserDto user) {
        // The password is copied as-is; it is already hashed by UserDatabaseService.saveUser
        return new UserEntity(user.getFirstName(), user.getLastName(), user.getUsername(), user.getPassword(), user.getEmail());
    }

    public Collection<UserEntity> convertAll(Collection<UserDto> fElements) {
        return fElements.stream()
                .map(this::convert)
                .collect(Collectors.toList());
    }

}

import org.springframework.stereotype.Service;

@Service
public class UserToUserDtoConverter implements UserDtoConverter {

    @Override
    public UserDto convert(UserEntity from) {
        // The password read from the DB is passed through unchanged
        return new BaseUserDto(from.getFirstName(), from.getLastName(),
                               from.getUsername(), from.getPassword(),
                               from.getEmail());
    }

}

MyUserPrincipal:

import java.util.Collection;
import java.util.Collections;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;

public class MyUserPrincipal implements UserDetails {
    private UserDto user;

    public MyUserPrincipal(UserDto user) {
        this.user = user;
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        // The original stub threw UnsupportedOperationException here, which would fail
        // every login after the password check. Granting ROLE_USER is an assumption
        // that matches the .hasRole("USER") rule in SecurityConfig.
        return Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER"));
    }

    @Override
    public String getPassword() {
        // Returned verbatim from the DTO, i.e. exactly what the DB query returned
        return user.getPassword();
    }

    @Override
    public String getUsername() {
        return user.getUsername();
    }

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }

}

1 Answer


    In case anyone is wondering what the problem was - the database returned the password with whitespace at the end... That is why it could never validate; the supplied password was always "different" from the one stored in the DB... damn.
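The failure mode in the answer, reproduced as an added example that is not part of the original post or the poster's project: a BCrypt hash is exactly 60 characters, so a fixed-width CHAR(64) column (an assumption about the poster's schema, consistent with the 64-character column mentioned in the question) hands it back right-padded with four spaces, and BCryptPasswordEncoder.matches() then rejects it with the warning from the question. The code assumes spring-security-crypto on the classpath; simulateCharColumn, looksLikeBcrypt and normalizeHash are illustrative names introduced here.

```java
import java.util.regex.Pattern;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example, not code from the original post. Requires spring-security-crypto.
public class PaddedBcryptDemo {

    // The shape Spring's encoder checks before verifying: "$2a$" (or $2b$/$2y$),
    // two-digit cost, "$", then 22 chars of salt + 31 chars of hash = 53 chars.
    // Anchored at both ends, so trailing whitespace makes the check fail.
    private static final Pattern BCRYPT_SHAPE =
            Pattern.compile("\\A\\$2(a|y|b)?\\$\\d\\d\\$[./0-9A-Za-z]{53}\\z");

    // Simulates what a CHAR(width) column does on SELECT: the stored value
    // comes back right-padded with spaces to the declared width. (Assumed schema.)
    static String simulateCharColumn(String stored, int width) {
        return String.format("%-" + width + "s", stored);
    }

    // Practitioner check: is this value a canonical BCrypt hash, byte for byte?
    static boolean looksLikeBcrypt(String value) {
        return value != null && BCRYPT_SHAPE.matcher(value).matches();
    }

    // Defensive read: strip trailing whitespace before handing the hash to the encoder.
    // Java 8 compatible (String.stripTrailing() needs Java 11).
    static String normalizeHash(String fromDb) {
        return fromDb == null ? null : fromDb.replaceAll("\\s+$", "");
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        String raw = "correct horse battery staple";   // constructed sample password
        String hash = encoder.encode(raw);
        System.out.println("hash length        : " + hash.length());
        System.out.println("canonical hash     : " + looksLikeBcrypt(hash));

        // What the poster's DB returned: the 60-char hash padded out to 64 chars.
        String fromCharColumn = simulateCharColumn(hash, 64);
        System.out.println("padded length      : " + fromCharColumn.length());
        System.out.println("padded looks bcrypt: " + looksLikeBcrypt(fromCharColumn));
        // This call logs "Encoded password does not look like BCrypt" and rejects the login.
        System.out.println("matches padded     : " + encoder.matches(raw, fromCharColumn));

        // Fix 1: trim on the way out of the database (e.g. in UserToUserDtoConverter).
        System.out.println("matches trimmed    : " + encoder.matches(raw, normalizeHash(fromCharColumn)));

        // Fix 2 (preferred): a VARCHAR column does not pad, so the hash round-trips intact.
        String fromVarcharColumn = hash;
        System.out.println("matches varchar    : " + encoder.matches(raw, fromVarcharColumn));
    }
}
```

Run it with spring-security-crypto (and its commons-logging dependency) on the classpath. The padded value fails both looksLikeBcrypt and matches(), and the encoder emits the same warning the question shows; the trimmed value and the VARCHAR round-trip both verify. Trimming is a stop-gap: the real fix is the column type, since with Hibernate generating the schema a String field annotated @Column(length = 60) maps to VARCHAR(60), while a hand-written CHAR(64) column is what produces the padding. To confirm the padding from the database side in MS SQL, compare LEN(password), which ignores trailing spaces, with DATALENGTH(password), which counts the stored bytes and does not.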
