Java Spring Security bcrypt不';不匹配
我使用Java Spring Security bcrypt不';不匹配,java,spring-security,bcrypt,Java,Spring Security,Bcrypt,我使用BCryptPasswordEncoder 哈希后我的密码如下所示: $2a$04$oPljpAgVziMVABHS.z.znOhhu7oi8N5pxt0MS6IbOTWn.onfulze 当我测试时,它在控制台上写下密码看起来不像BCrypt 我在BCryptPasswordEncoder类(\A\$2a?\$\d\d\$[/0-9A-Za-z]{53})中用正则表达式测试了它,但它不匹配 我在开头尝试了一个a,它是匹配的。 我已使用我的应用程序重试,但出现了相同的错误。 你知道是什么吗
BCryptPasswordEncoder
哈希后我的密码如下所示:
$2a$04$oPljpAgVziMVABHS.z.znOhhu7oi8N5pxt0MS6IbOTWn.onfulze
当我测试时,它在控制台上写下密码看起来不像BCrypt
我在BCryptPasswordEncoder
类(\A\$2a?\$\d\d\$[/0-9A-Za-z]{53}
)中用正则表达式测试了它,但它不匹配
我在开头尝试了一个a
,它是匹配的。我已使用我的应用程序重试,但出现了相同的错误。
你知道是什么吗 编辑 Encoders.java
public class Encoders {
@Bean
public PasswordEncoder oauthClientPasswordEncoder() {
return new BCryptPasswordEncoder(4);
}
@Bean
public PasswordEncoder userPasswordEncoder() {
return new BCryptPasswordEncoder(8);
}
}
SecurityConfig.java
@Configuration
@EnableAuthorizationServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Import(SecurityConfig.class)
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
@Qualifier("dataSource")
private DataSource dataSource;
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private PasswordEncoder oauthClientPasswordEncoder;
@Bean
public TokenStore tokenStore() {
return new JdbcTokenStore(dataSource);
}
@Bean
public OAuth2AccessDeniedHandler oauthAccessDeniedHandler() {
return new OAuth2AccessDeniedHandler();
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()").passwordEncoder(oauthClientPasswordEncoder);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.jdbc(dataSource);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
endpoints.tokenStore(tokenStore()).authenticationManager(authenticationManager).userDetailsService(userDetailsService);
}
}
@配置
@启用Web安全性
@顺序(SecurityProperty.ACCESS\u OVERRIDE\u顺序)
@导入(Encoders.class)
公共类SecurityConfig扩展了WebSecurity配置适配器{
@自动连线
私有用户详细信息服务用户详细信息服务;
@自动连线
私有密码编码器用户密码编码器;
@凌驾
@豆子
公共AuthenticationManager authenticationManagerBean()引发异常{
返回super.authenticationManagerBean();
}
@凌驾
受保护的无效配置(AuthenticationManagerBuilder auth)引发异常{
auth.userDetailsService(userDetailsService).passwordEncoder(userPasswordEncoder);
}
}
ResourceServerConfig.java
@Configuration
@EnableAuthorizationServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Import(SecurityConfig.class)
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
@Qualifier("dataSource")
private DataSource dataSource;
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private PasswordEncoder oauthClientPasswordEncoder;
@Bean
public TokenStore tokenStore() {
return new JdbcTokenStore(dataSource);
}
@Bean
public OAuth2AccessDeniedHandler oauthAccessDeniedHandler() {
return new OAuth2AccessDeniedHandler();
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()").passwordEncoder(oauthClientPasswordEncoder);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.jdbc(dataSource);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
endpoints.tokenStore(tokenStore()).authenticationManager(authenticationManager).userDetailsService(userDetailsService);
}
}
@配置
@EnableResourceServer
公共类ResourceServerConfig扩展了ResourceServerConfigurerAdapter{
私有静态最终字符串RESOURCE\u ID=“资源服务器rest api”;
私有静态最终字符串安全_READ_SCOPE=“#oauth2.hasScope('READ')”;
私有静态最终字符串安全_WRITE_SCOPE=“#oauth2.hasScope('WRITE')”;
私有静态最终字符串安全_PATTERN=“/api/**”;
@凌驾
public void配置(ResourceServerSecurityConfigure资源){
resources.resourceId(RESOURCE\u ID);
}
@凌驾
public void configure(HttpSecurity http)引发异常{
http.requestMatchers()
.antMatchers(安全模式)。和()
.antMatchers(HttpMethod.POST,安全模式)。访问(安全写入范围)
.anyRequest().access(安全读取范围);
}
}
AuthorizationServerConfig.java
@Configuration
@EnableAuthorizationServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Import(SecurityConfig.class)
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {
@Autowired
@Qualifier("dataSource")
private DataSource dataSource;
@Autowired
private AuthenticationManager authenticationManager;
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private PasswordEncoder oauthClientPasswordEncoder;
@Bean
public TokenStore tokenStore() {
return new JdbcTokenStore(dataSource);
}
@Bean
public OAuth2AccessDeniedHandler oauthAccessDeniedHandler() {
return new OAuth2AccessDeniedHandler();
}
@Override
public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
oauthServer.tokenKeyAccess("permitAll()").checkTokenAccess("isAuthenticated()").passwordEncoder(oauthClientPasswordEncoder);
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.jdbc(dataSource);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
endpoints.tokenStore(tokenStore()).authenticationManager(authenticationManager).userDetailsService(userDetailsService);
}
}
data.sql
插入OAUTH\u客户端详细信息(客户端ID、资源ID、客户端机密、范围、授权授予类型、权限、访问令牌有效性、刷新令牌有效性)
值('moha_security'、'resource server rest api'、'A$2a$04$oPljpAgVziMVABHS.z.znohu7oi8n5pxt0ms6ibotwn.onfulze',
“读取”、“密码、授权码、刷新令牌、隐式”、“用户”、10800、2592000);
我在邮递员处的请求
curl -X POST \
http://localhost:8080/oauth/token \
-H 'Postman-Token: 75a237ed-2e27-4af6-bca5-de558627f460' \
-H 'cache-control: no-cache' \
-H 'content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW' \
-F grant_type=password \
-F username=201806ALE199501 \
-F 'password=$2a$08$c.LqCdhrpAiF2Qn7yPGEw.6uL/phlSDW.QNXfMMWtnzSVX/paf2nK' \
-F client_id=moha_security
我在IntelliJ控制台中的结果
2018-10-22 14:48:05.180 WARN 3483 --- [nio-8080-exec-5] o.s.s.c.bcrypt.BCryptPasswordEncoder : Encoded password does not look like BCrypt
你的代码完全正确 来自维基百科: 影子密码文件中哈希字符串中的前缀“$2a$”或“$2b$”(或“$2y$”)表示哈希字符串是模块化加密格式的bcrypt哈希。散列字符串的其余部分包括cost参数、128位salt(基数64编码为22个字符)和结果散列值的184位 关于A,它只是让人困惑, 这里有一个小的解释:
我认为您缺少用户角色定义。首先在数据库中填充您的角色。感谢您的精确性。你知道为什么BCryptPasswordEncoder与我的密码不匹配吗?你的SQL脚本是错误的,请从
A$2a$04$oPljpAgVziMVABHS.z.znOhhu7oi8N5pxt0MS6IbOTWn.onfulrZe中删除A
。此外,cURL命令错误,请用纯文本密码替换$2a$08$c.LqCdhrpAiF2Qn7yPGEw.6uL/phlSDW.QNXfMMWtnzSVX/paf2nK
。