java - Spring 安全5 : There is no PasswordEncoder mapped for the id "null"

Question

我正在从 Spring Boot 1.4.9 迁移到 Spring Boot 2.0 以及 Spring Security 5，并且我尝试通过 OAuth 2 进行身份验证。但我收到此错误:

java.lang.IllegalArgumentException: There is no PasswordEncoder mapped for the id "null

来自 Spring Security 5 的文档，我了解到 密码存储格式已更改。

在我当前的代码中，我创建了密码编码器 bean:

@Bean
public BCryptPasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

但是它给了我以下错误:

Encoded password does not look like BCrypt

所以我按照 Spring Security 5 更新编码器文件发送至:

@Bean
public PasswordEncoder passwordEncoder() {
    return PasswordEncoderFactories.createDelegatingPasswordEncoder();
}

现在，如果我可以在数据库中看到密码，它存储为

{bcrypt}$2a$10$LoV/3z36G86x6Gn101aekuz3q9d7yfBp3jFn7dzNN/AL5630FyUQ

随着第一个错误消失，现在当我尝试进行身份验证时，我收到以下错误:

java.lang.IllegalArgumentException: There is no PasswordEncoder mapped for the id "null

为了解决这个问题，我尝试了 Stackoverflow 中的以下所有问题:

• Spring Boot PasswordEncoder Error

• Spring Oauth2. Password encoder is not set in DaoAuthenticationProvider

这是一个与我类似但未得到解答的问题:

• Spring Security 5 - Password Migration

注意:我已经将加密密码存储在数据库中，因此无需在 UserDetailsS​​ervice 中再次编码。

在 Spring security 5他们建议您可以使用以下方法处理此异常:

DelegatingPasswordEncoder.setDefaultPasswordEncoderForMatches(PasswordEncoder)

如果这是解决办法，那么我应该把它放在哪里？我尝试将其放入 PasswordEncoder bean 中，如下所示，但它不起作用:

DelegatingPasswordEncoder def = new DelegatingPasswordEncoder(idForEncode, encoders);
def.setDefaultPasswordEncoderForMatches(passwordEncoder);

MyWebSecurity 类

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Override
    public void configure(WebSecurity web) throws Exception {

        web
                .ignoring()
                .antMatchers(HttpMethod.OPTIONS)
                .antMatchers("/api/user/add");
    }

    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }
}

MyOauth2 配置

@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    @Bean
    public TokenStore tokenStore() {
        return new InMemoryTokenStore();
    }

    @Autowired
    @Qualifier("authenticationManagerBean")
    private AuthenticationManager authenticationManager;


    @Bean
    public TokenEnhancer tokenEnhancer() {
        return new CustomTokenEnhancer();
    }

    @Bean
    public DefaultAccessTokenConverter accessTokenConverter() {
        return new DefaultAccessTokenConverter();
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints)
            throws Exception {
        endpoints
                .tokenStore(tokenStore())
                .tokenEnhancer(tokenEnhancer())
                .accessTokenConverter(accessTokenConverter())
                .authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients
                .inMemory()
                .withClient("test")
                .scopes("read", "write")
                .authorities(Roles.ADMIN.name(), Roles.USER.name())
                .authorizedGrantTypes("password", "refresh_token")
                .secret("secret")
                .accessTokenValiditySeconds(1800);
    }
}

请指导我解决这个问题。我花了几个小时来解决这个问题，但无法解决。

Answer 1

当您配置 ClientDetailsS​​erviceConfigurer 时，您还必须应用新的 password storage format客户端 secret 。

.secret("{noop}secret")