Spring Boot 启动器安全性未通过身份验证

本文介绍了Spring Boot 启动器安全性未通过身份验证的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我是 Spring Boot Security 的新手，正在学习本教程:

I'm new to spring boot security and following this tutorial:

www.baeldung/spring-security-jdbc-authentication

我正在使用 POSTMAN 进行测试.

I'm using POSTMAN to test.

我在授权中使用了 Type = Basic Auth -> Type

I used Type = Basic Auth in Authorization -> Type

用户名/密码 = admin/12345

Username/Password = admin/12345

我尝试了所有方法，但总是得到以下回复:

I tried everything but always get following response:

{ "timestamp": "2019-10-11T16:03:23.463+0000", "status": 401, "error": "Unauthorized", "message": "Unauthorized", "path": "/api/user" }

网址之一:

localhost:8080/api/user

这是我的安全配置:

package com.spr.security; import javax.sql.DataSource; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import com.spr.util.Constants; @Configuration @EnableWebSecurity public class SecurityConfig extends WebSecurityConfigurerAdapter { @Autowired private DataSource dataSource; @Autowired private PasswordEncoder passwordEncoder; protected void configure(HttpSecurity http) throws Exception { http.httpBasic() .and() .authorizeRequests() .antMatchers("/api/**").hasRole("USER") .antMatchers("/admin/**").hasRole("ADMIN") .and() .csrf().disable() .headers().frameOptions().disable(); } @Autowired protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { auth.jdbcAuthentication().dataSource(dataSource).passwordEncoder(passwordEncoder); /* * By default spring security assumes `users` table for storing users * and `authorities` table for storing roles */ } @Bean public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(); } }

也试过了:

auth.jdbcAuthentication().dataSource(dataSource).passwordEncoder(new BCryptPasswordEncoder());

我使用实体创建了以下表格.

I created following tables using entities.

users id int AUTO_INCREMENT (PK) username UNIQUE varchar(256) email varchar(256) authorities username varchar(256) authority varchar(256)

每张表只有一条记录

在用户中:

username = admin password = $2y$10$llcw8Cbuww90KW1dYB6Rn.98iM0JyTiC1VBT1WveVKz99VqbhFLpG email = abc@test

密码在 bcrypt-generator 上是 12345 哈希值，强度为 10

Password is 12345 hashed on bcrypt-generator with 10 strength

在当局:

username = admin authority = ROLE_USER

我也试过authority = USER

I also tried authority = USER

我的 pom.xml 中有以下依赖

I have following dependency in my pom.xml

<!-- Spring data JPA --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-data-jpa</artifactId> </dependency> <!-- spring security --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-security</artifactId> </dependency> <!-- for jdbc authentication --> <dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-jdbc</artifactId> </dependency>

我的 application.properties 文件

My application.properties file

## Spring DATASOURCE (DataSourceAutoConfiguration & DataSourceProperties) spring.datasource.url=jdbc:mysql://localhost:3306/sprboot?useSSL=false&serverTimezone=UTC spring.datasource.username=spr spring.datasource.password=boot ## Hibernate Properties # The SQL dialect makes Hibernate generate better SQL for the chosen database spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.MySQL5InnoDBDialect # Hibernate ddl auto (create, create-drop, validate, update) spring.jpa.hibernate.ddl-auto=validate spring.jackson.serialization.fail-on-empty-beans=false spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.security.SecurityAutoConfiguration logging.level.springframework.security=DEBUG

如果没有 Spring Security，我的所有路径、控制器、jpa 等都可以正常工作.

Without Spring Security, all my paths, controllers, jpa etc. works fine.

我在这里做错了什么?

需要更多信息吗?

编辑

有没有办法在日志窗口(控制台)中查看spring security authentication sql我在 application.properties 中添加了以下内容，但没有显示生成的 sql

Is there a way to see spring security authentication sql in log window(console) I added following in application.properties but nothing shows the generated sql

spring.jpa.show-sql=true logging.level.hibernate.SQL=DEBUG logging.level.hibernate.type=TRACE logging.level.hibernate.type.descriptor.sql.BasicBinder=TRACE logging.level.springframework.security=DEBUG

我正在使用 mysql 数据库

I'm using mysql database

推荐答案

有两个问题，我是这样解决的:

There were two problems and this is how I fixed:

将 hasRole() 更改为 hasAuthority()

protected void configure(HttpSecurity httpSecurity) throws Exception { httpSecurity.httpBasic() .and() .authorizeRequests() .antMatchers("/api/**").hasAuthority("USER") .antMatchers("/admin/**").hasAuthority("ADMIN") .and() .csrf().disable() .headers().frameOptions().disable(); }

我在堆栈溢出的另一个链接中发现 Spring Security 中存在一个错误，bcrypted 密码应该以 $2a... 开头，而不是以 $2b... 或 $2y...

I found in another link on stack overflow that there is a bug in Spring Security and the bcrypted password should start with $2a... and not with $2b... or $2y...