我无法在春季使用MongoDB使用Spring Security进行身份验证。
实体:
@Document(collection = "users")
public class Users {
@Id
private String id;
private String username;
private String email;
private String password;
private List<Notification> preferences;
public Users(String username, String email, String password, List<Notification> preferences) {
this.username = username;
this.email = email;
this.password = password;
this.preferences = preferences;
}
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getEmail() {
return email;
}
public void setEmail(String email) {
this.email = email;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public List<Notification> getPreferences() {
return preferences;
}
public void setPreferences(List<Notification> preferences) {
this.preferences = preferences;
}
}
服务:
@Component
public class MongoUserDetailsService implements UserDetailsService {
@Autowired
private UserRepository repository;
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
Users user = repository.findByUsername(username);
if(user == null) {
throw new UsernameNotFoundException("User not found");
}
List<SimpleGrantedAuthority> authorities = Arrays.asList(new SimpleGrantedAuthority("user"));
return new User(user.getUsername(), user.getPassword(), authorities);
}
}
存储库:
import com.example.Start.entities.Users;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.stereotype.Repository;
@Repository
public interface UserRepository extends MongoRepository<Users, String> {
Users findByUsername(String username);
}
配置:
@Configuration
@EnableConfigurationProperties
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Autowired
MongoUserDetailsService userDetailsService;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests().anyRequest().authenticated()
.and().httpBasic()
.and().sessionManagement().disable();
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Override
public void configure(AuthenticationManagerBuilder builder) throws Exception {
builder.userDetailsService(userDetailsService);
}
}
当我尝试进行身份验证时,它会给我以下信息: enter image description here
在我的数据库中,我有这个用户:
{
"_id" : ObjectId("5b855813d03cce0264de3ab6"),
"username" : "username",
"email" : "test@test.com",
"password" : "123"
}
你知道是什么原因造成的吗?
答案 0 :(得分:1)
问题是您已将BCryptPasswordEncoder注册为passwordEncoder bean,但密码已以明文形式存储在数据库中。现在,当进行身份验证时,它将使用BCrypt算法对来自HTTP请求的传入密码进行编码,并将其与明文密码进行比较,这显然会失败。这就是为什么您得到“编码密码看起来不像BCrypt”的原因,因为它不是。
简短的解决方法是将您的mongodb用户记录编辑为具有用户名“ username”的用户的密码字段具有以下值:
{
"_id" : ObjectId("5b855813d03cce0264de3ab6"),
"username" : "username",
"email" : "test@test.com",
"password" : "$2a$10$pIUUIHClmGYBnsJzlOHQkeecSwRGAgYlxzRfBFjEqhk6rkQdilTYC"
}
使用BCrypt算法对字符串“ 123”进行编码时,您将获得“ $ 2a $ 10 $ pIUUIHClmGYBnsJzlOHQkeecSwRGAgYlxzRfBFjEqhk6rkQdilTYC”。
但是正确的修复方法是添加代码以对密码进行编码,然后再将其保存在应用程序的Mongo数据库中,如下所示:
@Autowired
private PasswordEncoder passwordEncoder;
public void saveUser(Users user) {
user.setPassword(passwordEncoder.encoder(user.getPassword()));
// Save in mongodb
}