在SpringBoot 2.1.4中,编码后的密码看起来不像BCrypt。

时间:2019-04-15 08:58:18

标签: spring spring-boot spring-security spring-security-oauth2 bcrypt

我有一个SpringBoot 2.1.4.RELEASE RESTful Web Service应用程序,该应用程序使用Spring Initializer,嵌入式Tomcat,Thymeleaf模板引擎并将其打包为可执行JAR文件。

我有此配置文件:

@Profile("dev")
@Configuration
@EnableWebSecurity
public class DevWebSecurityConfig extends WebSecurityConfigurerAdapter {

    private static final Logger LOG = LoggerFactory.getLogger(DevWebSecurityConfig.class);

    @Autowired
    private UserSecurityService userSecurityService;

    @Autowired
    private Environment env;

    @Value("${server.servlet.context-path}")
    private String serverContextPath;

    /** The encryption SALT. */
    private static final String SALT = "12323*&^%of";

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12, new SecureRandom(SALT.getBytes()));
    }



    @Override
    protected void configure(HttpSecurity http) throws Exception {

        final List<String> activeProfiles = Arrays.asList(env.getActiveProfiles());
        if (activeProfiles.contains("dev")) {
            http.csrf().disable();
            http.headers().frameOptions().disable();
        }

        http
                .authorizeRequests()
                .antMatchers(publicMatchers()).permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin().loginPage("/login").defaultSuccessUrl("/guerrilla/teatre")
                .failureUrl("/login?error").permitAll()
                .and()
                .logout().permitAll();
    }




    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
         auth
                        .inMemoryAuthentication()
                        .withUser("carles.xuriguera@gmail.com").password("password")
                        .roles("ADMIN");        
    }


    private String[] publicMatchers() {

         /** Public URLs. */
        final String[] PUBLIC_MATCHERS = {
                "/webjars/**",
                serverContextPath + "/css/**",
                serverContextPath + "/js/**",
                serverContextPath + "/fonts/**",
                serverContextPath + "/images/**",                
                serverContextPath ,
                "/",
                "/error/**/*",
                "/console/**",
                SignupController.SIGNUP_URL_MAPPING,
                SignupController.USER_VALIDATION_URL_MAPPING
        };

        return PUBLIC_MATCHERS;

    }

}

但是当我使用以下凭据登录系统时:carles.xuriguera@gmail.com / password我在登录页面上收到了此消息:Error ! "Bad credentials",并且在控制台上看到了此消息:

2019-04-15 10:50  [http-nio-2233-exec-4] WARN  o.s.s.c.b.BCryptPasswordEncoder.matches(90) - Encoded password does not look like BCrypt

我也尝试使用

$2y$12$EE25qVSZ2Td1D5k9mFHoYubKRqrRqCUGuwnLc9aNjosKMLeY/7/72 that is the Bcrypt of password, but neverheless I got the same error:

Encoded password does not look like BCrypt

2 个答案:

答案 0 :(得分:3)

您必须指定加密密码,而不是原始密码。

还要确保加密的密码以“ $ 2a $”开头,因为2a是BCryptPasswordEncoder唯一接受的版本。

Spring Security版本5.2.0.M1支持2a,2b和2y。

Issue from spring security

答案 1 :(得分:0)

尝试一下。

 @Override
 public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {
    User user = userRepository.findByuserName(userName);
    if (user == null) {
        throw new UsernameNotFoundException("userName" + userName + "Not found in the database");
    }

    return new org.springframework.security.core.userdetails.User(user.getName(), new BCryptPasswordEncoder().encode(user.getPassword()), getGrantedAuth(user));
}