I ran into a strange situation while using Spring Security. I am using:

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.0.3.RELEASE</version>
    </parent>

with the following simple security configuration:

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.core.userdetails.User;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            UserDetails user = User.builder().username("1").password("1").roles("USER").build();
            auth.inMemoryAuthentication().withUser(user).passwordEncoder(new BCryptPasswordEncoder());
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable().authorizeRequests().antMatchers("/inquiry").authenticated().anyRequest().permitAll().and()
                    .httpBasic();
        }
    }

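I keep getting a 401 HTTP status code. But I dug deeper into the code and realized there is a small problem in the Spring Security core.

The class DaoAuthenticationProvider tries to check whether the presented password matches the actual credentials using the password encoder at hand (BCrypt in my case). So:

    if (!passwordEncoder.matches(presentedPassword, userDetails.getPassword()))

But in the encoder, the method signature of matches is:

    public boolean matches(CharSequence rawPassword, String encodedPassword)

So the authentication fails.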
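
Best answer

When you use BCrypt with in-memory authentication in your security configuration, you need to encrypt the password string first.

So you can try: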

    // Additional imports needed for this snippet:
    //   org.springframework.context.annotation.Bean
    //   org.springframework.security.crypto.password.PasswordEncoder

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // First encrypt the password string
        String encodedPassword = passwordEncoder().encode("1");

        // Set the password
        UserDetails user = User.builder()
                .username("1")
                .password(encodedPassword)
                .roles("USER")
                .build();

        // Use in-memory authentication with BCryptEncoder
        auth.inMemoryAuthentication()
                .withUser(user)
                .passwordEncoder(passwordEncoder());
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

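The following is an added example, not code from the question or the answer. It runs the same `matches(presented, stored)` call against the value each configuration stores: the raw string "1" from the question, and the `encode("1")` result from the answer. The class name `BcryptMatchDemo` and the helper `login()` are hypothetical, and Spring Security's crypto classes are assumed to be on the classpath.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// Added illustration, not code from the question or the answer.
// BcryptMatchDemo and login() are hypothetical names.
public class BcryptMatchDemo {

    // Same argument order as the check quoted from DaoAuthenticationProvider:
    // the presented (raw) password first, the stored value second.
    static boolean login(PasswordEncoder encoder, String presented, String stored) {
        return encoder.matches(presented, stored);
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();

        // Question's configuration: the stored value is the raw string "1".
        // It is not a BCrypt hash, so the encoder rejects it without comparing.
        String storedRaw = "1";

        // Answer's configuration: the stored value is encode("1").
        String storedHash = encoder.encode("1");
        // A second encode of the same input uses a fresh random salt.
        String otherHash = encoder.encode("1");

        System.out.println("raw stored, correct password:  " + login(encoder, "1", storedRaw));
        System.out.println("hash stored, correct password: " + login(encoder, "1", storedHash));
        System.out.println("hash stored, wrong password:   " + login(encoder, "2", storedHash));
        System.out.println("two hashes of \"1\" are equal:   " + storedHash.equals(otherHash));
        System.out.println("second hash also verifies:     " + login(encoder, "1", otherHash));
    }
}
```

Because every `encode()` call salts the hash differently, stored hashes can only be checked with `matches()`, never by comparing strings.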

Regarding java - Spring Security authentication issue: HTTP 401, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/52566716/