I am writing a secured Spring Boot REST API with OAuth2 and JPA. When requesting an access token I get a warning that the encoded password does not look like BCrypt. When I hit the URL http://localhost:8080/oauth/token?grant_type=password&username=user&password=user from Postman I get
WARN 26648 --- [nio-8080-exec-2] o.s.s.c.bcrypt.BCryptPasswordEncoder : Encoded password does not look like BCrypt
and the basic-auth request in Postman comes back as 401:
{
"timestamp": "2018-04-28T12:05:53.462+0000",
"status": 401,
"error": "Unauthorized",
"message": "Unauthorized",
"path": "/oauth/token"
}
I have defined the beans and repositories. I have tried both secret("{bcrypt}") and secret("{noop}"), but neither helped. Any help would be much appreciated. The application details follow.
Authorization server
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private AuthenticationManager authenticationManager;
    @Autowired
    private PasswordEncoder passwordEncoder;

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager);
        // .allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST);
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.checkTokenAccess("isAuthenticated()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory().withClient("my-trusted-client")
            .authorizedGrantTypes("client_credentials", "password")
            .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT").scopes("read", "write", "trust")
            .resourceIds("oauth2-resource").accessTokenValiditySeconds(5000).secret("{bcrypt}secret");
    }
}
Resource server
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.headers().frameOptions().disable().and()
            .authorizeRequests()
            .antMatchers("/", "/home", "/register", "/login").permitAll()
            .antMatchers("/asd/**").authenticated();
    }
}
Service
@Service
public class UserService extends WebSecurityConfigurerAdapter {
    @Autowired
    private UserRepository repo;
    @Autowired
    private BCryptPasswordEncoder passwordEncoder;

    public void save(User user) {
        // user.setPassword(getPasswordEncoder().encode(user.getPassword()));
        user.setPassword(passwordEncoder.encode(user.getPassword()));
        // user.setPassword(user.getPassword());
        repo.save(user);
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManager() throws Exception {
        return super.authenticationManager();
    }
}
My custom UserDetails
public class CustomUserDetails implements UserDetails {
    private String username;
    private String password;
    private Collection<? extends GrantedAuthority> authorities;

    public CustomUserDetails(User user) {
        this.username = user.getUsername();
        this.password = user.getPassword();
        this.authorities = translate(user.getRoles());
    }

    private Collection<? extends GrantedAuthority> translate(List<Role> roles) {
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (Role role : roles) {
            String name = role.getName().toUpperCase();
            // Make sure that all roles start with "ROLE_"
            if (!name.startsWith("ROLE_"))
                name = "ROLE_" + name;
            authorities.add(new SimpleGrantedAuthority(name));
        }
        return authorities;
    }

    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        return authorities;
    }

    @Override
    public String getPassword() {
        return password;
    }

    @Override
    public String getUsername() {
        return username;
    }

    @Override
    public boolean isAccountNonExpired() {
        return true;
    }

    // The remaining UserDetails methods are cut off in the post; they must exist
    // for the class to compile, and returning true matches isAccountNonExpired().
    @Override
    public boolean isAccountNonLocked() {
        return true;
    }

    @Override
    public boolean isCredentialsNonExpired() {
        return true;
    }

    @Override
    public boolean isEnabled() {
        return true;
    }
}
Main class
@ComponentScan
@SpringBootApplication
@Configuration
@EnableWebSecurity
public class SpringBootOauth2Application {
    /*
    @Autowired
    private PasswordEncoder passwordEncoder;
    */

    public static void main(String[] args) {
        SpringApplication.run(SpringBootOauth2Application.class, args);
    }

    @Bean
    public BCryptPasswordEncoder getPasswordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Autowired
    public void authenticationManager(AuthenticationManagerBuilder builder, UserRepository user, UserService service) throws Exception {
        if (user.count() == 0)
            service.save(new User("user", "user", Arrays.asList(new Role("USER"), new Role("ACTUATOR"))));
        builder.userDetailsService(userDetailsService(user)).passwordEncoder(getPasswordEncoder());
    }

    private UserDetailsService userDetailsService(final UserRepository repository) {
        return username -> new CustomUserDetails(repository.findByUsername(username));
    }
}
application.properties
spring.datasource.url=jdbc:mysql://localhost:3306/db1
spring.datasource.username=root
spring.datasource.password=root
spring.datasource.driver-class-name=com.mysql.jdbc.Driver
spring.security.oauth2.resource.filter-order=3
spring.jpa.hibernate.naming.physical-strategy=org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl
spring.jpa.hibernate.ddl-auto=create-drop
spring.jpa.properties.hibernate.dialect = org.hibernate.dialect.MySQL5InnoDBDialect
spring.jpa.properties.hibernate.hbm2ddl.auto = update
spring.jpa.properties.hibernate.show_sql=true
Best answer
In the code below you are not actually encoding the client secret with BCrypt.
clients.inMemory().withClient("my-trusted-client")
    .authorizedGrantTypes("client_credentials", "password")
    .authorities("ROLE_CLIENT", "ROLE_TRUSTED_CLIENT").scopes("read", "write", "trust")
    .resourceIds("oauth2-resource").accessTokenValiditySeconds(5000).secret("{bcrypt}secret");
Use something like...
accessTokenValiditySeconds(5000).secret("{bcrypt}$2a$10$ePPx/3nSFjJA2ZQTr2T1rOnpO3hWiWt.GmUj0wL.Xh9sEzUSWrrYm");
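Added example (not from the question or the answer) that reproduces the check behind the warning, using Spring Security 5's DelegatingPasswordEncoder: the `{id}` prefix selects an encoder, and whatever follows must already be in that encoder's storage format. It assumes spring-security-core on the classpath and generates the bcrypt hash at runtime instead of reusing the literal from the answer.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added example, not part of the original post: compares the three ways the
// client secret can be written and shows which form the token endpoint accepts.
public class ClientSecretCheck {

    // The default encoder in Spring Security 5: it reads the "{id}" prefix and
    // delegates to the matching encoder (bcrypt, noop, pbkdf2, ...).
    private static final PasswordEncoder DELEGATING =
            PasswordEncoderFactories.createDelegatingPasswordEncoder();

    // Builds the secret the way the answer recommends: a real bcrypt hash
    // after the {bcrypt} prefix (the hash differs on every run; that is fine).
    static String bcryptSecret(String rawSecret) {
        return "{bcrypt}" + new BCryptPasswordEncoder().encode(rawSecret);
    }

    // Mirrors the check the authorization server runs on the presented secret.
    static boolean secretMatches(String presented, String stored) {
        return DELEGATING.matches(presented, stored);
    }

    public static void main(String[] args) {
        String raw = "secret";

        // Form used in the question: the text after {bcrypt} is the raw word, not
        // a hash, so BCryptPasswordEncoder logs "Encoded password does not look
        // like BCrypt", matches() returns false and the token endpoint replies 401.
        System.out.println("{bcrypt}secret      matches: " + secretMatches(raw, "{bcrypt}secret"));

        // Form from the answer: prefix plus a genuine bcrypt hash of the secret.
        System.out.println("{bcrypt}<hash>      matches: " + secretMatches(raw, bcryptSecret(raw)));

        // {noop} is the only id whose payload is the raw value itself; it avoids
        // the warning but stores the secret in clear, so keep it to local testing.
        System.out.println("{noop}secret        matches: " + secretMatches(raw, "{noop}secret"));
    }
}
```

The same rule applies to user passwords: the value persisted by UserService is already a bcrypt hash, so it must not be given a {bcrypt} prefix a second time by hand.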
Regarding mysql - Spring Boot BCryptPasswordEncoder Encoded password does not look like BCrypt, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/50076418/