I've searched all over Stack Overflow trying to find out why this happens, but I can't find an answer.
Here is my setup:
SecurityConfig (class header and imports assumed from the overridden methods; the posted fragment omitted them):

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.config.http.SessionCreationPolicy;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.crypto.password.PasswordEncoder;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        private IUserService userService;

        // Wire the UserDetailsService and the same encoder used when creating users
        @Override
        public void configure(final AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
        }

        @Override
        protected void configure(final HttpSecurity http) throws Exception {
            // @formatter:off
            http.
                authorizeRequests().
                    antMatchers("/api/**"). // if you want a more explicit mapping here
                    //anyRequest().
                    // authenticated().antMatchers("/api/users/**").
                    permitAll().
                and().
                httpBasic().
                and().
                sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).
                and().csrf().disable();
            // @formatter:on
        }

        @Bean
        public PasswordEncoder passwordEncoder() {
            PasswordEncoder encoder = new BCryptPasswordEncoder();
            return encoder;
        }
    }
UserService create method:

    @Override
    public User create(User u) {
        User newUser = new User();
        newUser.setUsername(u.getUsername());
        newUser.setEmail(u.getEmail());
        newUser.setPhoneNum(u.getPhoneNum());
        // Store the BCrypt hash of the submitted password, never the raw value
        newUser.setPassword(passwordEncoder.encode(u.getPassword()));
        // Add default roles
        Role userRole = roleService.findByName("ROLE_USER");
        newUser.setRoles(Sets.<Role>newHashSet(userRole));
        dao.save(newUser);
        return newUser;
    }
Note that User implements UserDetails, and IUserService implements UserDetailsService.
Based on other posts, here is some more information:
I am not trying to do OAuth, so please don't suggest that I also encode the client secret.
I checked my database; the column is VARCHAR(68), so I believe there is enough room to store the encoded password.
The database does store the encoded password (I've looked, and it is not plaintext).
Here are some debug logs from a rejected request:
DEBUG o.s.s.w.a.w.BasicAuthenticationFilter - Basic Authentication Authorization header found for user 'wowz'
23:17:57.187 [http-nio-8082-exec-8] DEBUG o.s.s.authentication.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
23:17:57.471 [http-nio-8082-exec-8] WARN o.s.s.c.bcrypt.BCryptPasswordEncoder - Encoded password does not look like BCrypt
23:17:57.472 [http-nio-8082-exec-8] DEBUG o.s.s.a.d.DaoAuthenticationProvider - Authentication failed: password does not match stored value
23:17:57.472 [http-nio-8082-exec-8] DEBUG o.s.s.w.a.w.BasicAuthenticationFilter - Authentication request for failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
23:17:57.472 [http-nio-8082-exec-8] DEBUG o.s.s.w.a.DelegatingAuthenticationEntryPoint - Trying to match using RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]
23:17:57.473 [http-nio-8082-exec-8] DEBUG o.s.s.w.a.DelegatingAuthenticationEntryPoint - No match found. Using default entry point org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint@42da9490
23:17:57.473 [http-nio-8082-exec-8] DEBUG o.s.s.w.h.writers.HstsHeaderWriter - Not injecting HSTS header since it did not match the requestMatcher org.springframework.security.web.header.writers.HstsHeaderWriter$SecureRequestMatcher@115f4872
23:17:57.473 [http-nio-8082-exec-8] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
Please also note that this is security for a REST API, not an MVC application.
Answer 0 (score: 0)
The best way to identify this issue, "Encoded password does not look like BCrypt", is to set a breakpoint in the org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder class and then check the root cause of the warning.
    if (!BCRYPT_PATTERN.matcher(encodedPassword).matches()) {
        logger.warn("Encoded password does not look like BCrypt");
        return false;
    }
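The format check the answer points at, re-implemented offline as an added example (not code from the question or the answer above) so it can be run over a dump of the password column instead of attaching a debugger. The regular expression is the one in Spring Security 5's BCryptPasswordEncoder (4.x used a slightly looser pattern with the same 60-character shape); the sample rows and the sample hash are constructed for this example (the hash has the right shape but is not the hash of any password), and the function names are this example's own.

```python
import re

# Pattern copied from Spring Security 5's BCryptPasswordEncoder:
# "$2" + optional a/y/b variant + "$" + two-digit cost 04..31 + "$" + 53
# characters of salt and hash (22 + 31) from bcrypt's base64 alphabet.
# A stored value that fails this check never reaches the hash comparison:
# Spring logs "Encoded password does not look like BCrypt" and rejects the login.
BCRYPT_PATTERN = re.compile(r"\A\$2(a|y|b)?\$(0[4-9]|[12][0-9]|3[01])\$[./0-9A-Za-z]{53}")
COST_PATTERN = re.compile(r"0[4-9]|[12][0-9]|3[01]")
BCRYPT_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def looks_like_bcrypt(stored):
    """Same decision as Java's BCRYPT_PATTERN.matcher(stored).matches():
    a full-string match, so trailing padding fails as well."""
    return stored is not None and BCRYPT_PATTERN.fullmatch(stored) is not None


def diagnose(stored):
    """Explain why a stored password would trip the warning; "ok" if it would not."""
    if stored is None:
        return "password column is NULL"
    if looks_like_bcrypt(stored):
        return "ok"
    if stored != stored.strip():
        return "leading/trailing whitespace (CHAR padding or an untrimmed value)"
    if not stored.startswith("$2"):
        return "no $2 prefix: stored value is not a BCrypt hash (plaintext or another encoder)"
    parts = stored.split("$")  # "$2a$10$<53 chars>" -> ["", "2a", "10", "<53 chars>"]
    if len(parts) != 4:
        return "malformed: expected $2x$<cost>$<salt+hash>"
    if not COST_PATTERN.fullmatch(parts[2]):
        return "cost factor %r outside 04..31" % parts[2]
    body = parts[3]
    if len(body) != 53:
        return "salt+hash is %d chars, expected 53 (60 total); truncated on write?" % len(body)
    bad = sorted(set(body) - BCRYPT_ALPHABET)
    return "characters outside the bcrypt alphabet: %r" % bad


def scan_rows(rows):
    """rows: iterable of (username, stored_password). Returns [(username, reason)]
    for every row Spring's format check would reject, in input order."""
    return [(u, diagnose(p)) for u, p in rows if diagnose(p) != "ok"]


# Constructed sample values. SAMPLE_HASH has the right shape but is not the
# bcrypt hash of any particular password; only the format check is exercised.
SAMPLE_BODY = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"  # 53 chars
SAMPLE_HASH = "$2a$10$" + SAMPLE_BODY

# Constructed rows standing in for a SELECT username, password FROM users
SAMPLE_ROWS = [
    ("alice", SAMPLE_HASH),                   # stored correctly
    ("wowz", "hunter2"),                      # create() ran without the encoder
    ("bob", SAMPLE_HASH[:50]),                # column narrower than 60 chars
    ("carol", SAMPLE_HASH + "        "),      # CHAR column pads with spaces
    ("dave", "$2a$03$" + SAMPLE_BODY),        # cost below bcrypt's minimum of 4
    ("erin", "$2y$12$" + SAMPLE_BODY),        # PHP-style 2y prefix is accepted
]

if __name__ == "__main__":
    for user, reason in scan_rows(SAMPLE_ROWS):
        print("%-6s %s" % (user, reason))
```

A row reported as "ok" can still fail to log in: this check only gates the format, and matches() then compares the real hash. A value that passes here but is still rejected means the stored hash was computed over different input than the one being verified (for example the password was encoded twice, or once with and once without trimming), which is the case the breakpoint in the answer is meant to catch.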