我遇到过使用spring security的奇怪情况。使用过:
I've encountered a bizarre situation using spring security. Having used:
<parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.0.3.RELEASE</version> </parent>以下简单的安全配置:
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.core.userdetails.User; import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { UserDetails user = User.builder().username("1").password("1").roles("USER").build(); auth.inMemoryAuthentication().withUser(user).passwordEncoder(new BCryptPasswordEncoder()); } @Override protected void configure(HttpSecurity http) throws Exception { http.csrf().disable().authorizeRequests().antMatchers("/inquiry").authenticated().anyRequest().permitAll().and() .httpBasic(); } }我经常得到 401 Http状态代码。但是我深入研究了代码,并且我意识到在Spring安全核心中存在一个小问题。 类 DaoAuthenticationProvider 尝试检查提供的密码是否与密码编码器的实际凭证相匹配(在我的情况下 BCrypt )在手。所以
I constantly get the 401 Http Status code. But I dig deeper into the code and I've realized that in the spring security core there is a minor issue. The class DaoAuthenticationProvider tries to check if the provided password matches the actual credential with password encoder(in my case BCrypt) in hand. So
if (!passwordEncoder.matches(presentedPassword, userDetails.getPassword()))但在编码器中,匹配的方法签名是:
But in the encoder, the method signature of matches is:
public boolean matches(CharSequence rawPassword, String encodedPassword)因此身份验证失败。
推荐答案在安全性中使用BCrypt进行内存中身份验证时配置,首先需要加密密码字符串。
When you use in-memory authentication with BCrypt in your security configuration, you need to encrypt the password string first.
所以你可以尝试
@Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { // First encrypt the password string String encodedPassword = passwordEncoder().encode("1"); // Set the password UserDetails user = User.builder() .username("1") .password(encodedPassword) .roles("USER") .build(); // Use in-memory authentication with BCryptEncoder auth.inMemoryAuthentication() .withUser(user) .passwordEncoder(passwordEncoder()); } @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); }更多推荐
Spring Security身份验证问题:HTTP 401
发布评论