Spring Boot BCryptPasswordEncoder编码密码看起来不像BCrypt

时间:2018-04-28 12:11:03

标签: mysql rest spring-boot jpa oauth-2.0

我正在使用OAuth2和JPA编写Spring boot REST安全API。在访问访问令牌时,我收到WARN,因为编码密码看起来不像BCrypt。 我从邮递员那里点击了URL http://localhost:8080/oauth/token?grant_type=password&username=user&password=user 我得到了

-lboost_serialization -lboost_thread -lboost_system

在使用Basic Auth结果的邮递员中返回401 

WARN 26648 --- [nio-8080-exec-2] o.s.s.c.bcrypt.BCryptPasswordEncoder     : Encoded password does not look like BCrypt

我定义的Bean和存储库。 我使用了秘密(“{bcrypt}和秘密(”{noop}),但两者都没有帮助。对此的任何帮助都会非常感激。 以下是申请详情

授权服务器

{
    "timestamp": "2018-04-28T12:05:53.462+0000",
    "status": 401,
    "error": "Unauthorized",
    "message": "Unauthorized",
    "path": "/oauth/token"
}

资源服务器

@Configuration
@EnableAuthorizationServer

public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    @Autowired
    private AuthenticationManager authenticationManager;

@Autowired
private PasswordEncoder passwordEncoder;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // TODO Auto-generated method stub
        endpoints.authenticationManager(authenticationManager);
         //.allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST);;
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        // TODO Auto-generated method stub
        security.checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // TODO Auto-generated method stub


        clients.inMemory().withClient("my-trusted-client")
        .authorizedGrantTypes("client_credentials", "password")
        .authorities("ROLE_CLIENT","ROLE_TRUSTED_CLIENT").scopes("read","write","trust")
        .resourceIds("oauth2-resource").accessTokenValiditySeconds(5000).secret("{bcrypt}secret");
    }

}

服务

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    @Override
    public void configure(HttpSecurity http) throws Exception {

        http.headers().frameOptions().disable().and()
        .authorizeRequests()
        .antMatchers("/","/home","/register","/login").permitAll()
        .antMatchers("/asd/**").authenticated();
    }

}

我的CustomUserDetails 

@Service
public class UserService extends WebSecurityConfigurerAdapter {
     @Autowired
        private UserRepository repo;

     @Autowired
     private BCryptPasswordEncoder  passwordEncoder;


     public void save(User user){
          // user.setPassword(getPasswordEncoder().encode(user.getPassword()));
         user.setPassword(passwordEncoder.encode(user.getPassword()));
         // user.setPassword(user.getPassword());
         repo.save(user);
        }


     @Bean
        @Override
        public AuthenticationManager authenticationManager() throws Exception {

            return super.authenticationManager();
        }
}

主要课程

public class CustomUserDetails implements UserDetails {

    private String username;
    private String password;
    Collection <? extends GrantedAuthority> authorities;

    public CustomUserDetails(User username) {
        this.username= username.getUsername();
        this.password=username.getPassword();
         this.authorities = translate(username.getRoles());

    }

    private Collection<? extends GrantedAuthority> translate(List<Role> roles) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (Role role : roles) {
            String name = role.getName().toUpperCase();
            //Make sure that all roles start with "ROLE_"
            if (!name.startsWith("ROLE_"))
                name = "ROLE_" + name;
            authorities.add(new SimpleGrantedAuthority(name));
        }
        return authorities;
    }


    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        // TODO Auto-generated method stub
        return authorities;
    }

    @Override
    public String getPassword() {
        // TODO Auto-generated method stub
        return password;
    }

    @Override
    public String getUsername() {
        // TODO Auto-generated method stub
        return username;
    }

    @Override
    public boolean isAccountNonExpired() {
        // TODO Auto-generated method stub
        return true;
    }

application.properties 

@ComponentScan
@SpringBootApplication
@Configuration
@EnableWebSecurity
public class SpringBootOauth2Application {

    /*@Autowired
    private PasswordEncoder passwordEncoder;
    */
    public static void main(String[] args) {
        SpringApplication.run(SpringBootOauth2Application.class, args);
    }


    @Bean
    public BCryptPasswordEncoder  getPasswordEncoder() {
       return new BCryptPasswordEncoder();

 }

    @Autowired
    public void authenticationManager(AuthenticationManagerBuilder builder, UserRepository user, UserService service) throws Exception
    {
        if(user.count()==0)
            service.save(new User("user","user", Arrays.asList(new Role("USER"), new Role("ACTUATOR"))));

        builder.userDetailsService(userDetailsService(user)).passwordEncoder(getPasswordEncoder());
    }
    private UserDetailsService userDetailsService(final UserRepository repository) {
        return username -> new CustomUserDetails(repository.findByUsername(username));
    }

}

1 个答案:

答案 0 :(得分:0)

在以下代码中,您实际上并没有使用Bcrypt编码客户端机密。

clients.inMemory().withClient("my-trusted-client")
        .authorizedGrantTypes("client_credentials", "password")
        .authorities("ROLE_CLIENT","ROLE_TRUSTED_CLIENT").scopes("read","write","trust")
        .resourceIds("oauth2-resource").accessTokenValiditySeconds(5000).secret("{bcrypt}secret");

使用类似... 

accessTokenValiditySeconds(5000).secret("{bcrypt}$2a$10$ePPx/3nSFjJA2ZQTr2T1rOnpO3hWiWt.GmUj0wL.Xh9sEzUSWrrYm");
相关问题
最新问题