我正在尝试使用JWT实现spring AuthorizationServer。我能够生成JWT令牌并登录,直到我将BCrypt添加到混音中。现在,当我尝试登录时,我从API获得“Bad credentials”。
OAuth2Configuration.java
@Configuration
@EnableAuthorizationServer
public class OAuth2Configuration extends AuthorizationServerConfigurerAdapter {
private DataSource dataSource;
private AuthenticationManager authenticationManager;
private BCryptPasswordEncoder passwordEncoder;
public OAuth2Configuration(AuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
this.dataSource = new Jdbc3PoolingDataSource();
this.passwordEncoder = new BCryptPasswordEncoder();
}
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.passwordEncoder(passwordEncoder);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.inMemory()
.withClient("api-client")
.secret("verysecretivesecret")
.scopes("READ", "WRITE", "DELETE")
.authorizedGrantTypes("implicit", "refresh_tokens", "password", "authorization_code");
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
endpoints.authorizationCodeServices(authorizationCodeServices())
.tokenStore(tokenStore())
.tokenEnhancer(jwtTokenEnhancer())
.authenticationManager(authenticationManager);
}
@Bean
public TokenStore tokenStore() {
return new JwtTokenStore(jwtTokenEnhancer());
}
@Bean
protected JwtAccessTokenConverter jwtTokenEnhancer() {
return new JwtAccessTokenConverter();
}
@Bean
protected AuthorizationCodeServices authorizationCodeServices() {
return new JdbcAuthorizationCodeServices(dataSource);
}
}
WebSecurityConfig.java
@Configuration
class WebSecurityConfig extends WebSecurityConfigurerAdapter {
private AccountDetailsService accountDetailsService;
private BCryptPasswordEncoder passwordEncoder;
private DataSource dataSource;
WebSecurityConfig(AccountDetailsService accountDetailsService) {
this.accountDetailsService = accountDetailsService;
this.dataSource = new Jdbc3PoolingDataSource();
this.passwordEncoder = new BCryptPasswordEncoder();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(accountDetailsService).passwordEncoder(passwordEncoder).and().jdbcAuthentication().dataSource(dataSource);
}
}
SeedData.java
@Override
public void run(String... args) throws Exception {
Stream.of("alan,test").map(x -> x.split(","))
.forEach(tuple -> {
Account user = new Account();
user.setUsername(tuple[0]);
user.setPassword(new BCryptPasswordEncoder().encode(tuple[1]));
user.setEmail(tuple[0]);
user.setRoles(Collections.singletonList(role));
user.setActive(true);
this.accountRepository.save(user);
});
}
感谢您的帮助。
答案 0 :(得分:8)
我需要做出以下更改才能让它发挥作用。如果有其他人需要它。
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(accountDetailsService)
.passwordEncoder(passwordEncoder)
.and()
.authenticationProvider(authenticationProvider())
.jdbcAuthentication()
.dataSource(dataSource);
}
@Bean
public DaoAuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
authenticationProvider.setUserDetailsService(accountDetailsService);
authenticationProvider.setPasswordEncoder(passwordEncoder);
return authenticationProvider;
}
答案 1 :(得分:4)
这是因为您将BCrypt应用于WebSecurity和AuthorizationServer。因此,您不仅需要在商店中保留BCrypt加密的用户密码,还需要为OAuth2保留BCrypt加密的客户端密码。我想这不是你试图接近的。
为了使您的代码正常工作,请删除
@Override
public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
security.passwordEncoder(passwordEncoder);
}
或手动加密你的“verysecretivesecret”