当使用下面提到的代码片段登录我们的Spring Security Web应用程序时,我们发现在服务器重启或安全上下文重载时,所有用户的密码文本字段为空。
请找到以下有关我们面临的问题的注释。
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
@Qualifier("customUserDetailsService")
UserDetailsService userDetailsService;
@Autowired
public void configureGlobalSecurity(AuthenticationManagerBuilder auth)
throws Exception {
auth.userDetailsService(userDetailsService);
//auth.authenticationEventPublisher(eventPublisher)
auth.authenticationProvider(authenticationProvider());
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
public DaoAuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider authenticationProvider = new
DaoAuthenticationProvider();
authenticationProvider.setUserDetailsService(userDetailsService);
authenticationProvider.setPasswordEncoder(passwordEncoder());
return authenticationProvider;
}
@Override
protected void configure(HttpSecurity http) throws Exception {
final List<RoleMasterBean> roleList =
roleMasterService.getroleMasterByUserTypeId(1L);
String roleAnnotation="";
long i=0;
if(null != roleList){
for(final RoleMasterBean role : roleList){
if(i==0)
roleAnnotation="hasRole('"+role.getName()+"')";
else
roleAnnotation=roleAnnotation+" or
hasRole('"+role.getName()+"')";
i++;
}
}
http.authorizeRequests()
.antMatchers("/admin/**").access(roleAnnotation)
.and().formLogin().loginPage("/login")
.successHandler(authenticationSuccessHandler)
.usernameParameter("userName").passwordParameter("passWord")
.failureHandler(authenticationFailureHandler)
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.NEVER)
.maximumSessions(1)
.expiredUrl("/login?expired");
}
}
@Service("userService")
public class UserServiceImpl implements UserService {
@Autowired
private UserDao userDao;
@Autowired
private PasswordEncoder passwordEncoder;
public void saveUser(User user){
password = user.getFirstName().substring(0, 3) + "!" + (new
Random()).nextInt(1000);
String encrptPassword = passwordEncoder.encode(password);
user.setPassword(encrptPassword);
return userDao.saveAndFlush(user);
}
}
public void saveUser(User user){
password = user.getFirstName().substring(0, 3) + "!" + (new
Random()).nextInt(1000);
String encrptPassword =
passwordEncoder.encode(AESE256Utils.encryptBySecretSalt(password));
user.setPassword(encrptPassword);
return userDao.saveAndFlush(user);
}
}
在旧代码中,密码正在通过浏览器中的纯文本和DB中的passwordEncoder编码文本进行验证。
例如:browserPasswordText ="123456" and DBPasswordEncodedTest = "$2a$10$sag1GEP0/9Zzo0shR3sNU.qFT7pIZzTR7s4EdRfFwGgKSRhQm1SAi"
现在按照新逻辑,在表单获取提交密码并以AES256编码文本发送到服务器的过程中,在插入用户时,我们已经将纯文本转换为AES256EncodedText,然后转换为passwordEncoderEncodedText。
例如:来自browserPasswordText ="Test@123" To "AhgvfTWbm35PnPDB9ax2Zw=="
和DBPasswordEncodedTest = "$2a$10$ZdPecNIuXnNzHc2QN7gVUe3TR9ePUuGG61r3EMMookYvYHW9KEIH2"
在用户创建和登录时未发现任何问题,该问题按实施情况完美运行。
我们曾经两次遇到一个问题,即所有用户的密码都被带有以下警告日志的空字符串更新。
2019-01-09 17:23:30 [http-nio-8080-exec-72] WARN o.s.s.c.bcrypt.BCryptPasswordEncoder -
Empty encoded password
2019-01-09 17:23:46 [http-nio-8080-exec-74] WARN o.s.s.c.bcrypt.BCryptPasswordEncoder -
Empty encoded password