Spring Security does not recognize its own encryption

Time: 2017-09-20 15:11:35

Tags: hibernate spring-security spring-data-jpa bcrypt

I ran into a problem with Spring Security and encrypted passwords in MsSQL. In my REST application I use Spring 4, Hibernate and Spring Data JPA. I tried to implement password encryption with Bcrypt, but all I get is

WARN 4780 --- [io-8080-exec-61] o.s.s.c.bcrypt.BCryptPasswordEncoder : Encoded password does not look like BCrypt

when trying to log in with correct credentials. Access is then, of course, denied.

What I have tried, or what I know:

  1. The password is stored correctly in MS SQL as a Bcrypt-encrypted string
  2. The password column in the DB is long enough (64 characters)
  3. Adding auth.jdbcAuthentication().dataSource(dataSource) to the AuthenticationManagerBuilder did not change anything.
  4. When the DB is asked for the password, it returns what is stored - the Bcrypt-encoded password.
  5. The whole thing is a bit strange, because I use the same PasswordEncoder instance to encode everything. And then it does not recognize its own encryption. What I have:

    Configuration:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        // The RESTAuthentication* handlers are the application's own classes
        @Autowired
        private RESTAuthenticationEntryPoint authenticationEntryPoint;

        @Autowired
        private RESTAuthenticationFailureHandler authenticationFailureHandler;

        @Autowired
        private RESTAuthenticationSuccessHandler authenticationSuccessHandler;

        @Autowired
        private UserDetailsService userAuthService;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // CSRF protection disabled: acceptable only for a token-based REST API,
                // not for browser clients authenticated by a session cookie
                .csrf().disable()
                .authorizeRequests()
                    .antMatchers("/home", "/").permitAll()
                    .antMatchers("/login").permitAll()
                    .antMatchers("/addGame").hasRole("USER")   // requires authority ROLE_USER
                .and()
                .exceptionHandling()
                    .authenticationEntryPoint(authenticationEntryPoint)
                .and()
                .formLogin()
                    .successHandler(authenticationSuccessHandler)
                    .failureHandler(authenticationFailureHandler);
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.authenticationProvider(authenticationProvider());
        }

        @Bean
        public DaoAuthenticationProvider authenticationProvider() {
            DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
            authProvider.setUserDetailsService(userAuthService);
            // The same encoder bean is used here for matches() and in
            // UserDatabaseService.saveUser() for encode()
            authProvider.setPasswordEncoder(encoder());
            return authProvider;
        }

        @Bean
        public PasswordEncoder encoder() {
            return new BCryptPasswordEncoder();
        }

    }
    

    The UserDetailsService:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;
    import org.springframework.stereotype.Service;

    @Service
    public class UserAuthService implements UserDetailsService {

        @Autowired
        UserDatabaseService userDatabaseService;

        @Override
        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            // The DTO carries the stored (bcrypt-encoded) password; DaoAuthenticationProvider
            // compares it against the submitted password with the configured encoder
            UserDto user = userDatabaseService.getUserByUsername(username);
            if (user == null) {
                throw new UsernameNotFoundException(username);
            }
            return new MyUserPrincipal(user);
        }

    }
    

    UserDatabaseService (implemented with Spring Data):

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.crypto.password.PasswordEncoder;
    import org.springframework.stereotype.Service;

    @Service
    public class UserDatabaseService {

        @Autowired
        UserDatabaseRepository userDatabaseRepository;

        @Autowired
        UserToUserDtoConverter userToUserDtoConverter;

        @Autowired
        UserDtoToUserEntityConverter userDtoToUserEntityConverter;

        // Same PasswordEncoder bean as the one given to DaoAuthenticationProvider
        @Autowired
        PasswordEncoder passwordEncoder;

        public UserDto getUserByUsername(String username) {
            return userToUserDtoConverter.convert(userDatabaseRepository.findByUsername(username));
        }

        public boolean saveUser(UserDto user) {
            // Replace the raw password with its bcrypt encoding before it reaches the entity
            user.setPassword(passwordEncoder.encode(user.getPassword()));
            // Spring Data's save() returns the persisted entity (never null on success);
            // a failure surfaces as an exception rather than a null return
            return userDatabaseRepository.save(userDtoToUserEntityConverter.convert(user)) != null;
        }

    }
    

    To be honest, I really do not know what is wrong. I have been following these two tutorials: http://www.baeldung.com/spring-security-authentication-with-a-database http://www.baeldung.com/spring-security-registration-password-encoding-bcrypt

    Thanks a lot for any help.

    EDIT: the converters used to convert the DTO classes to entities (and vice versa)

    import java.util.Collection;
    import java.util.stream.Collectors;
    import org.springframework.stereotype.Service;

    @Service
    public class UserDtoToUserEntityConverter {

        public UserEntity convert(UserDto user) {
            // The password is copied as-is; by this point it is already bcrypt-encoded
            return new UserEntity(user.getFirstName(), user.getLastName(), user.getUsername(),
                                  user.getPassword(), user.getEmail());
        }

        public Collection<UserEntity> convertAll(Collection<UserDto> fElements) {
            return fElements.stream()
                            .map(this::convert)
                            .collect(Collectors.toList());
        }

    }

    @Service
    public class UserToUserDtoConverter implements UserDtoConverter {

        @Override
        public UserDto convert(UserEntity from) {
            // Whatever the DB column returns for the password ends up here unchanged
            return new BaseUserDto(from.getFirstName(), from.getLastName(),
                                   from.getUsername(), from.getPassword(),
                                   from.getEmail());
        }

    }
    

    MyUserPrincipal:

    import java.util.Collection;
    import java.util.Collections;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.core.userdetails.UserDetails;

    public class MyUserPrincipal implements UserDetails {

        private final UserDto user;

        public MyUserPrincipal(UserDto user) {
            this.user = user;
        }

        @Override
        public Collection<? extends GrantedAuthority> getAuthorities() {
            // Originally threw UnsupportedOperationException, which DaoAuthenticationProvider
            // would hit right after a successful password check when building the
            // authenticated token. ROLE_USER is assumed here because the HttpSecurity
            // configuration guards /addGame with hasRole("USER").
            return Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER"));
        }

        @Override
        public String getPassword() {
            // Must return the stored bcrypt hash exactly as encoded, with no padding
            return user.getPassword();
        }

        @Override
        public String getUsername() {
            return user.getUsername();
        }

        @Override
        public boolean isAccountNonExpired() {
            return true;
        }

        @Override
        public boolean isAccountNonLocked() {
            return true;
        }

        @Override
        public boolean isCredentialsNonExpired() {
            return true;
        }

        @Override
        public boolean isEnabled() {
            return true;
        }

    }
    

1 Answer:

Answer 0 (score: 0)

In case anyone wants to know what the problem was - the database was returning the password with spaces at the end... That is why it could never authenticate: the supplied password was always "different" from the one stored in the db... damn.
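The finding in the answer, as an added example that is not part of the original post and not Spring Security's own code: a Python script that replicates the format check behind the "Encoded password does not look like BCrypt" warning (a pattern in the spirit of the one BCryptPasswordEncoder uses; Spring's exact regex varies by version) and classifies a value read back from the users table. SAMPLE_HASH is a constructed string of the right shape, not a real hash of any password, and char_column_padded only simulates what SQL Server does with a fixed-width CHAR(64) column: a 60-character bcrypt hash comes back right-padded with four spaces, the padded value no longer matches the pattern, and matches() logs the warning and returns false before it ever compares the hash.

```python
import re

# Format check in the spirit of Spring's BCryptPasswordEncoder (the exact regex
# differs slightly between Spring Security versions): "$2", optional revision
# letter, "$", two-digit cost 04..31, "$", exactly 53 characters of the bcrypt
# alphabet, and nothing after them.
BCRYPT_PATTERN = re.compile(
    r"\A\$2(a|y|b)?\$(0[4-9]|[12][0-9]|3[01])\$[./0-9a-zA-Z]{53}\Z"
)
BCRYPT_HASH_LENGTH = 60  # 7-character "$2a$10$" prefix + 53-character salt+hash

# Constructed sample: syntactically valid bcrypt shape, NOT a real hash of any
# password. Only the format matters for this diagnosis.
SAMPLE_HASH = "$2a$10$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"


def looks_like_bcrypt(stored: str) -> bool:
    """Mirror of the check that logs 'Encoded password does not look like BCrypt'."""
    return BCRYPT_PATTERN.match(stored) is not None


def char_column_padded(value: str, width: int = 64) -> str:
    """Simulate reading the value back from a fixed-width CHAR(width) column:
    SQL Server right-pads CHAR values with spaces to the declared width."""
    return value.ljust(width)


def diagnose_stored_hash(stored: str) -> dict:
    """Classify a password value read from the users table.

    cause is one of:
      'ok'                  - passes the bcrypt format check as stored
      'trailing_whitespace' - passes only after rstrip(); the column is padding it
      'wrong_length'        - not 60 characters even after stripping (truncated, plaintext, ...)
      'bad_format'          - right length but not bcrypt (other encoder, corrupted)
    """
    stripped = stored.rstrip()
    if looks_like_bcrypt(stored):
        cause = "ok"
    elif stripped != stored and looks_like_bcrypt(stripped):
        cause = "trailing_whitespace"
    elif len(stripped) != BCRYPT_HASH_LENGTH:
        cause = "wrong_length"
    else:
        cause = "bad_format"
    return {
        "cause": cause,
        "stored_length": len(stored),
        "trailing_whitespace_chars": len(stored) - len(stripped),
    }


if __name__ == "__main__":
    # The value as the application encoded it, and the same value after a
    # round trip through a CHAR(64) column.
    for label, value in (("as encoded", SAMPLE_HASH),
                         ("from CHAR(64)", char_column_padded(SAMPLE_HASH))):
        print(f"{label:14s} len={len(value):3d} {diagnose_stored_hash(value)}")
```

Run it and the CHAR(64) case reports trailing_whitespace with four padding characters while the value as encoded reports ok. The fix belongs in the schema (a VARCHAR column at least 60 characters wide) rather than in an rstrip() inside the UserDetailsService: trimming hides the root cause, and a stored hash should round-trip through the database byte for byte.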