Java Spring Security bcrypt 不匹配


我使用
BCryptPasswordEncoder

哈希后我的密码如下所示:

$2a$04$oPljpAgVziMVABHS.z.znOhhu7oi8N5pxt0MS6IbOTWn.onfulze

当我测试时,它在控制台上写下密码看起来不像BCrypt

我用
BCryptPasswordEncoder
类中的正则表达式(
\A\$2a?\$\d\d\$[./0-9A-Za-z]{53}
)测试了它,但它不匹配

我在哈希的开头加上一个
A
再试,它就匹配了。
我已使用我的应用程序重试,但出现了相同的错误。
你知道是什么吗

编辑

Encoders.java

/**
 * Declares the two BCrypt-backed {@link PasswordEncoder} beans of the application:
 * one for OAuth2 client secrets and one for end-user passwords.
 */
public class Encoders {

    // BCrypt work factor (log2 of the round count) for OAuth2 client secrets.
    // 4 is the lowest strength BCryptPasswordEncoder accepts; hashes it produces start with "$2a$04$".
    private static final int OAUTH_CLIENT_STRENGTH = 4;

    // BCrypt work factor for user passwords; hashes it produces start with "$2a$08$".
    // NOTE(review): both strengths are below the encoder's default of 10 — confirm this is
    // intended for anything other than a local demo.
    private static final int USER_STRENGTH = 8;

    /**
     * Builds the encoder used for OAuth2 client secrets.
     *
     * @return a BCrypt encoder with strength {@value #OAUTH_CLIENT_STRENGTH}
     */
    @Bean
    public PasswordEncoder oauthClientPasswordEncoder() {
        final PasswordEncoder clientSecretEncoder = new BCryptPasswordEncoder(OAUTH_CLIENT_STRENGTH);
        return clientSecretEncoder;
    }

    /**
     * Builds the encoder used for end-user passwords.
     *
     * @return a BCrypt encoder with strength {@value #USER_STRENGTH}
     */
    @Bean
    public PasswordEncoder userPasswordEncoder() {
        final PasswordEncoder userEncoder = new BCryptPasswordEncoder(USER_STRENGTH);
        return userEncoder;
    }
}
SecurityConfig.java

/**
 * OAuth2 authorization-server wiring: client registrations and issued tokens live in the JDBC
 * {@code dataSource}, and client secrets are verified with the {@code oauthClientPasswordEncoder}
 * bean.
 */
@Configuration
@EnableAuthorizationServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Import(SecurityConfig.class)
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    /** JDBC source backing both the client registry and the token store. */
    @Autowired
    @Qualifier("dataSource")
    private DataSource dataSource;

    /** Authentication manager handed to the token endpoints. */
    @Autowired
    private AuthenticationManager authenticationManager;

    /** User lookup service handed to the token endpoints. */
    @Autowired
    private UserDetailsService userDetailsService;

    // Keep this field name: the Encoders class on this page declares two PasswordEncoder beans,
    // and with no @Qualifier Spring falls back to the field name to pick the matching one.
    @Autowired
    private PasswordEncoder oauthClientPasswordEncoder;

    /**
     * Creates the token store.
     *
     * @return a {@link JdbcTokenStore} on the shared data source
     */
    @Bean
    public TokenStore tokenStore() {
        final TokenStore jdbcStore = new JdbcTokenStore(dataSource);
        return jdbcStore;
    }

    /**
     * Creates the handler used for access-denied responses.
     *
     * @return a new {@link OAuth2AccessDeniedHandler}
     */
    @Bean
    public OAuth2AccessDeniedHandler oauthAccessDeniedHandler() {
        final OAuth2AccessDeniedHandler deniedHandler = new OAuth2AccessDeniedHandler();
        return deniedHandler;
    }

    /**
     * Sets the access rules of the token-key and check-token endpoints and the encoder for
     * client secrets.
     *
     * @param oauthServer security configurer of the authorization server
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
        // The token-key endpoint is open to every caller; check-token requires authentication.
        // Client secrets are compared through the BCrypt encoder, so the stored client secret
        // must be a well-formed bcrypt string or the client is rejected.
        oauthServer
                .tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()")
                .passwordEncoder(oauthClientPasswordEncoder);
    }

    /**
     * Loads client registrations from the database.
     *
     * @param clients client-details configurer
     * @throws Exception if the configurer cannot be set up
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.jdbc(dataSource);
    }

    /**
     * Connects the token endpoints to the token store, authentication manager and user service.
     *
     * @param endpoints endpoints configurer of the authorization server
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints
                .tokenStore(tokenStore())
                .authenticationManager(authenticationManager)
                .userDetailsService(userDetailsService);
    }
}
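/**
 * Web security configuration: authenticates users through {@code userDetailsService} and checks
 * their passwords with the {@code userPasswordEncoder} bean.
 *
 * <p>NOTE(review): this listing was restored from a machine-translated copy in which keywords
 * and annotation names had been translated; confirm it against the original file.
 */
@Configuration
@EnableWebSecurity
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
@Import(Encoders.class)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** User lookup service used for authentication. */
    @Autowired
    private UserDetailsService userDetailsService;

    // Keep this field name: Encoders declares two PasswordEncoder beans, and with no @Qualifier
    // Spring falls back to the field name to pick the matching one.
    @Autowired
    private PasswordEncoder userPasswordEncoder;

    /**
     * Exposes the authentication manager as a bean so that other configuration classes can
     * inject it.
     *
     * @return the authentication manager built by the parent adapter
     * @throws Exception if the manager cannot be built
     */
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Registers the user service together with the encoder used to verify user passwords.
     *
     * @param auth authentication manager builder
     * @throws Exception if the builder cannot be configured
     */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(userPasswordEncoder);
    }
}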
ResourceServerConfig.java

/**
 * OAuth2 authorization-server wiring: client registrations and issued tokens live in the JDBC
 * {@code dataSource}, and client secrets are verified with the {@code oauthClientPasswordEncoder}
 * bean.
 */
@Configuration
@EnableAuthorizationServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Import(SecurityConfig.class)
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    /** JDBC source backing both the client registry and the token store. */
    @Autowired
    @Qualifier("dataSource")
    private DataSource dataSource;

    /** Authentication manager handed to the token endpoints. */
    @Autowired
    private AuthenticationManager authenticationManager;

    /** User lookup service handed to the token endpoints. */
    @Autowired
    private UserDetailsService userDetailsService;

    // Keep this field name: the Encoders class on this page declares two PasswordEncoder beans,
    // and with no @Qualifier Spring falls back to the field name to pick the matching one.
    @Autowired
    private PasswordEncoder oauthClientPasswordEncoder;

    /**
     * Creates the token store.
     *
     * @return a {@link JdbcTokenStore} on the shared data source
     */
    @Bean
    public TokenStore tokenStore() {
        final TokenStore jdbcStore = new JdbcTokenStore(dataSource);
        return jdbcStore;
    }

    /**
     * Creates the handler used for access-denied responses.
     *
     * @return a new {@link OAuth2AccessDeniedHandler}
     */
    @Bean
    public OAuth2AccessDeniedHandler oauthAccessDeniedHandler() {
        final OAuth2AccessDeniedHandler deniedHandler = new OAuth2AccessDeniedHandler();
        return deniedHandler;
    }

    /**
     * Sets the access rules of the token-key and check-token endpoints and the encoder for
     * client secrets.
     *
     * @param oauthServer security configurer of the authorization server
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
        // The token-key endpoint is open to every caller; check-token requires authentication.
        // Client secrets are compared through the BCrypt encoder, so the stored client secret
        // must be a well-formed bcrypt string or the client is rejected.
        oauthServer
                .tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()")
                .passwordEncoder(oauthClientPasswordEncoder);
    }

    /**
     * Loads client registrations from the database.
     *
     * @param clients client-details configurer
     * @throws Exception if the configurer cannot be set up
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.jdbc(dataSource);
    }

    /**
     * Connects the token endpoints to the token store, authentication manager and user service.
     *
     * @param endpoints endpoints configurer of the authorization server
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints
                .tokenStore(tokenStore())
                .authenticationManager(authenticationManager)
                .userDetailsService(userDetailsService);
    }
}
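/**
 * Resource-server configuration: protects {@code /api/**} and decides access from the OAuth2
 * scopes carried by the token.
 *
 * <p>NOTE(review): this listing was restored from a machine-translated copy in which keywords,
 * constant names and parts of the string literals had been translated. The literal values below
 * follow what the page shows; confirm them against the original file.
 */
@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    // NOTE(review): separators in this id may have been altered by the translation; it has to
    // equal the resource id registered for the client in oauth_client_details.
    private static final String RESOURCE_ID = "resource server rest api";

    // NOTE(review): scope names are compared case-sensitively; the casing shown on the page
    // ('READ'/'WRITE') must match the client's registered scope — confirm.
    private static final String SECURED_READ_SCOPE = "#oauth2.hasScope('READ')";
    private static final String SECURED_WRITE_SCOPE = "#oauth2.hasScope('WRITE')";

    private static final String SECURED_PATTERN = "/api/**";

    /**
     * Sets the resource id this server answers to.
     *
     * @param resources resource-server security configurer
     */
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.resourceId(RESOURCE_ID);
    }

    /**
     * Limits this configuration to the secured pattern, then requires the write scope for POST
     * and the read scope for every other request.
     *
     * @param http HTTP security builder
     * @throws Exception if the rules cannot be applied
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        // NOTE(review): authorizeRequests() is absent from the translated listing; it is restored
        // here because the per-request access rules that follow are defined on its registry.
        http.requestMatchers()
                .antMatchers(SECURED_PATTERN).and().authorizeRequests()
                .antMatchers(HttpMethod.POST, SECURED_PATTERN).access(SECURED_WRITE_SCOPE)
                .anyRequest().access(SECURED_READ_SCOPE);
    }
}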
AuthorizationServerConfig.java

/**
 * OAuth2 authorization-server wiring: client registrations and issued tokens live in the JDBC
 * {@code dataSource}, and client secrets are verified with the {@code oauthClientPasswordEncoder}
 * bean.
 */
@Configuration
@EnableAuthorizationServer
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Import(SecurityConfig.class)
public class AuthorizationServerConfig extends AuthorizationServerConfigurerAdapter {

    /** JDBC source backing both the client registry and the token store. */
    @Autowired
    @Qualifier("dataSource")
    private DataSource dataSource;

    /** Authentication manager handed to the token endpoints. */
    @Autowired
    private AuthenticationManager authenticationManager;

    /** User lookup service handed to the token endpoints. */
    @Autowired
    private UserDetailsService userDetailsService;

    // Keep this field name: the Encoders class on this page declares two PasswordEncoder beans,
    // and with no @Qualifier Spring falls back to the field name to pick the matching one.
    @Autowired
    private PasswordEncoder oauthClientPasswordEncoder;

    /**
     * Creates the token store.
     *
     * @return a {@link JdbcTokenStore} on the shared data source
     */
    @Bean
    public TokenStore tokenStore() {
        final TokenStore jdbcStore = new JdbcTokenStore(dataSource);
        return jdbcStore;
    }

    /**
     * Creates the handler used for access-denied responses.
     *
     * @return a new {@link OAuth2AccessDeniedHandler}
     */
    @Bean
    public OAuth2AccessDeniedHandler oauthAccessDeniedHandler() {
        final OAuth2AccessDeniedHandler deniedHandler = new OAuth2AccessDeniedHandler();
        return deniedHandler;
    }

    /**
     * Sets the access rules of the token-key and check-token endpoints and the encoder for
     * client secrets.
     *
     * @param oauthServer security configurer of the authorization server
     */
    @Override
    public void configure(AuthorizationServerSecurityConfigurer oauthServer) {
        // The token-key endpoint is open to every caller; check-token requires authentication.
        // Client secrets are compared through the BCrypt encoder, so the stored client secret
        // must be a well-formed bcrypt string or the client is rejected.
        oauthServer
                .tokenKeyAccess("permitAll()")
                .checkTokenAccess("isAuthenticated()")
                .passwordEncoder(oauthClientPasswordEncoder);
    }

    /**
     * Loads client registrations from the database.
     *
     * @param clients client-details configurer
     * @throws Exception if the configurer cannot be set up
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.jdbc(dataSource);
    }

    /**
     * Connects the token endpoints to the token store, authentication manager and user service.
     *
     * @param endpoints endpoints configurer of the authorization server
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) {
        endpoints
                .tokenStore(tokenStore())
                .authenticationManager(authenticationManager)
                .userDetailsService(userDetailsService);
    }
}
data.sql

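-- Seed row for the JDBC client registry read by clients.jdbc(dataSource).
-- CLIENT_SECRET must hold the bare bcrypt string starting with "$2a$". The script originally
-- stored it with a literal "A" in front (a misreading of the \A start-of-input anchor in
-- BCryptPasswordEncoder's format check), which makes the encoder log
-- "Encoded password does not look like BCrypt" and reject the client.
-- NOTE(review): statement keywords, column names and the non-hash literals were restored from a
-- machine-translated listing; confirm RESOURCE_IDS, SCOPE and AUTHORITIES against the
-- application's configuration.
-- NOTE(review): the grant list enables password, authorization_code, refresh_token and implicit;
-- confirm the client needs all of them.
INSERT INTO OAUTH_CLIENT_DETAILS(CLIENT_ID, RESOURCE_IDS, CLIENT_SECRET, SCOPE, AUTHORIZED_GRANT_TYPES, AUTHORITIES, ACCESS_TOKEN_VALIDITY, REFRESH_TOKEN_VALIDITY)
VALUES ('moha_security', 'resource server rest api', '$2a$04$oPljpAgVziMVABHS.z.znOhhu7oi8N5pxt0MS6IbOTWn.onfulrZe',
        'read', 'password,authorization_code,refresh_token,implicit', 'USER', 10800, 2592000);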
我在邮递员处的请求

# Password-grant token request as exported from Postman.
# NOTE(review): the `password` field carries a bcrypt string ($2a$08$...), not the user's
# plaintext password; the server runs the submitted value through its own encoder, so a hash
# sent here is never accepted.
# NOTE(review): no client secret is sent, and the endpoint is plain HTTP on localhost, which is
# suitable for local testing only.
curl --request POST \
  --url http://localhost:8080/oauth/token \
  --header 'Postman-Token: 75a237ed-2e27-4af6-bca5-de558627f460' \
  --header 'cache-control: no-cache' \
  --header 'content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW' \
  --form grant_type=password \
  --form username=201806ALE199501 \
  --form 'password=$2a$08$c.LqCdhrpAiF2Qn7yPGEw.6uL/phlSDW.QNXfMMWtnzSVX/paf2nK' \
  --form client_id=moha_security
我在IntelliJ控制台中的结果

2018-10-22 14:48:05.180  WARN 3483 --- [nio-8080-exec-5] o.s.s.c.bcrypt.BCryptPasswordEncoder     : Encoded password does not look like BCrypt

你的代码完全正确

来自维基百科: 影子密码文件中哈希字符串中的前缀“$2a$”或“$2b$”(或“$2y$”)表示哈希字符串是模块化加密格式的bcrypt哈希。散列字符串的其余部分包括cost参数、128位salt(基数64编码为22个字符)和结果散列值的184位

关于 \A,它确实容易让人困惑:在这个正则表达式中,\A 是表示“输入开头”的锚点,而不是字面字符 A,因此哈希前面不应该加 A。

我认为您缺少用户角色定义。首先在数据库中填充您的角色。

感谢您的精确说明。您知道为什么 BCryptPasswordEncoder 与我的密码不匹配吗?

您的 SQL 脚本有误,请删除
A$2a$04$oPljpAgVziMVABHS.z.znOhhu7oi8N5pxt0MS6IbOTWn.onfulrZe
开头的
A
。此外,cURL 命令也有误:请求中应提交纯文本密码,由服务器用 BCrypt 与已存储的哈希进行比对,因此请用纯文本密码替换
$2a$08$c.LqCdhrpAiF2Qn7yPGEw.6uL/phlSDW.QNXfMMWtnzSVX/paf2nK