编码后的密码在 SpringBoot 2.1 中看起来不像 BCrypt。4.RELEASE

Encoded password does not look like BCrypt in SpringBoot 2.1.4.RELEASE

我有一个 SpringBoot 2.1.4.RELEASE RESTful Web 服务应用程序,使用 Spring 初始化程序,嵌入 Tomcat,Thymeleaf 模板引擎,并打包为可执行 JAR 文件。

我有这个配置文件:

@Profile("dev")
@Configuration
@EnableWebSecurity
public class DevWebSecurityConfig extends WebSecurityConfigurerAdapter {

    private static final Logger LOG = LoggerFactory.getLogger(DevWebSecurityConfig.class);

    @Autowired
    private UserSecurityService userSecurityService;

    @Autowired
    private Environment env;

    @Value("${server.servlet.context-path}")
    private String serverContextPath;

    /** The encryption SALT. */
    private static final String SALT = "12323*&^%of";

    @Bean
    public BCryptPasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder(12, new SecureRandom(SALT.getBytes()));
    }



    @Override
    protected void configure(HttpSecurity http) throws Exception {

        final List<String> activeProfiles = Arrays.asList(env.getActiveProfiles());
        if (activeProfiles.contains("dev")) {
            http.csrf().disable();
            http.headers().frameOptions().disable();
        }

        http
                .authorizeRequests()
                .antMatchers(publicMatchers()).permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin().loginPage("/login").defaultSuccessUrl("/guerrilla/teatre")
                .failureUrl("/login?error").permitAll()
                .and()
                .logout().permitAll();
    }




    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
         auth
                        .inMemoryAuthentication()
                        .withUser("carles.xuriguera@gmail.com").password("password")
                        .roles("ADMIN");        
    }


    private String[] publicMatchers() {

         /** Public URLs. */
        final String[] PUBLIC_MATCHERS = {
                "/webjars/**",
                serverContextPath + "/css/**",
                serverContextPath + "/js/**",
                serverContextPath + "/fonts/**",
                serverContextPath + "/images/**",                
                serverContextPath ,
                "/",
                "/error/**/*",
                "/console/**",
                SignupController.SIGNUP_URL_MAPPING,
                SignupController.USER_VALIDATION_URL_MAPPING
        };

        return PUBLIC_MATCHERS;

    }

}

但是当我使用凭据登录系统时:carles.xuriguera@gmail.com / 密码我在登录页面上收到了这条消息:Error ! "Bad credentials" 我在控制台:

2019-04-15 10:50  [http-nio-2233-exec-4] WARN  o.s.s.c.b.BCryptPasswordEncoder.matches(90) - Encoded password does not look like BCrypt

我也试过使用

y$EE25qVSZ2Td1D5k9mFHoYubKRqrRqCUGuwnLc9aNjosKMLeY/7/72 that is the Bcrypt of password, but neverheless I got the same error:

Encoded password does not look like BCrypt

您必须指定加密密码而不是原始密码。

还要确保加密密码以“$2a$”开头,因为 2a 是 BCryptPasswordEncoder 接受的唯一版本。

spring 安全版本 5.2.0.M1 支持 2a、2b 和 2y。

Issue from spring security

试试这个。

 @Override
 public UserDetails loadUserByUsername(String userName) throws UsernameNotFoundException {
    User user = userRepository.findByuserName(userName);
    if (user == null) {
        throw new UsernameNotFoundException("userName" + userName + "Not found in the database");
    }

    return new org.springframework.security.core.userdetails.User(user.getName(), new BCryptPasswordEncoder().encode(user.getPassword()), getGrantedAuth(user));
}