AuthenticationManagerBuilder in SpringBoot 2.0.1.RELEASE
I have a SpringBoot 2.0.1.RELEASE MVC application, so in the security configuration I defined this method:

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser(User
                .withDefaultPasswordEncoder()
                .username(DEV_USER)
                .password(DEV_PWD)
                .roles("ADMIN").build());
    }

But it seems that the method withDefaultPasswordEncoder() of type User is deprecated, and I don't know which one I have to use instead:
    @Deprecated
    public static User.UserBuilder withDefaultPasswordEncoder()

Deprecated. Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details.

WARNING: This method is considered unsafe for production and is only intended for sample applications.

    UserDetails user = User.withDefaultPasswordEncoder()
        .username("user")
        .password("password")
        .roles("USER")
        .build();
    // outputs {bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG
    System.out.println(user.getPassword());

This is not safe for production (it is intended for getting started experience) because the password "password" is compiled into the source code and then is included in memory at the time of creation. This means there are still ways to recover the plain text password making it unsafe. It does provide a slight improvement to using plain text passwords since the UserDetails password is securely hashed. This means if the UserDetails password is accidentally exposed, the password is securely stored. In a production setting, it is recommended to hash the password ahead of time. For example:

    PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
    // outputs {bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG
    // remember the password that is printed out and use in the next step
    System.out.println(encoder.encode("password"));
    UserDetails user = User.withUsername("user")
        .password("{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG")
        .roles("USER")
        .build();

Returns: a UserBuilder that automatically encodes the password with the default PasswordEncoder
To answer your question, you can do this:

    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // DelegatingPasswordEncoder: encode() produces "{bcrypt}..." and matches() reads the {id} prefix
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        UserDetails userDetails = User.withUsername(DEV_USER)
            .password(encoder.encode(DEV_PWD))
            .roles("ADMIN")
            .build();
        auth.inMemoryAuthentication().withUser(userDetails);
    }
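The answer above still calls encoder.encode(DEV_PWD) at startup, so the plaintext password remains in the source and in memory, which is exactly what the Javadoc warns about. The following is an added example (not code from the question, the answer, or the Spring Security project) of the "hash ahead of time" variant the Javadoc recommends: the hash is generated once offline and the application only ever receives the "{id}hash" string from configuration. It assumes a Spring Boot 2.0.x application with spring-boot-starter-security on the classpath (which provides the AuthenticationManagerBuilder bean); the property names app.dev-user.name and app.dev-user.password-hash and the class name are assumptions chosen for the example.

```java
// Added example, not from the original post. Assumes Spring Boot 2.0.x / Spring Security 5.0.x
// and the (assumed) properties app.dev-user.name and app.dev-user.password-hash, e.g. in
// application.properties, an environment variable (APP_DEVUSER_PASSWORDHASH) or a secrets store.
import java.io.BufferedReader;
import java.io.Console;
import java.io.IOException;
import java.io.InputStreamReader;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

@Configuration
public class PreHashedUserSecurityConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        // encode() emits "{bcrypt}$2a$10$...", matches() dispatches on the "{id}" prefix,
        // so old hashes with a different id keep verifying while new ones use bcrypt.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth,
                                @Value("${app.dev-user.name}") String devUser,
                                @Value("${app.dev-user.password-hash}") String devPasswordHash)
            throws Exception {
        // DelegatingPasswordEncoder rejects a hash without an "{id}" prefix, but only on the
        // first login attempt; refuse to start instead so a misconfiguration is caught early.
        if (!devPasswordHash.startsWith("{")) {
            throw new IllegalStateException(
                    "app.dev-user.password-hash must be in {id}hash form, e.g. {bcrypt}$2a$10$...");
        }
        UserDetails dev = User.withUsername(devUser)
                .password(devPasswordHash)      // already hashed; no encode() at startup
                .roles("ADMIN")
                .build();
        auth.inMemoryAuthentication()
                .passwordEncoder(passwordEncoder())
                .withUser(dev);
    }

    /**
     * One-off offline helper: run this main, paste the printed hash into the property.
     * The password is read from the console rather than argv so it does not land in
     * shell history or the process list.
     */
    public static void main(String[] args) throws IOException {
        String raw;
        Console console = System.console();
        if (console != null) {
            raw = new String(console.readPassword("Password to hash: "));
        } else {
            // No tty (IDE, pipe): fall back to reading one line from stdin.
            raw = new BufferedReader(new InputStreamReader(System.in)).readLine();
        }
        if (raw == null || raw.isEmpty()) {
            System.err.println("no password given");
            System.exit(2);
        }
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        String hash = encoder.encode(raw);
        // Self-check: the encoder must accept its own output and reject a near-miss.
        if (!encoder.matches(raw, hash) || encoder.matches(raw + "x", hash)) {
            throw new IllegalStateException("encoder self-check failed");
        }
        // bcrypt salts every hash, so the output differs on each run; any of them is valid.
        System.out.println(hash);
    }
}
```

Run the main once, set app.dev-user.password-hash to the printed "{bcrypt}$2a$10$..." value, and the plaintext never appears in the code base or the running JVM. The startsWith("{") check is deliberately strict: a bare bcrypt string without the "{bcrypt}" id is a common mistake when migrating from Spring Security 4 and would otherwise surface only as "There is no PasswordEncoder mapped for the id \"null\"" at login time.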