Spring Security (3.2) BCrypt 未对登录密码进行哈希处理
Spring Security (3.2) BCrypt isn't hashing the password from login
我正在尝试在一个使用 MySQL 数据库的 Spring Web 应用程序的登录中使用密码哈希,但是当我输入正确的密码时,登录总是把我重定向回 login?error=true。
我确定,如果我原样输入 table 'users' 中存储的密码(即哈希后的密码),我可以正常访问主页。由于项目规范,所有配置都在 XML 文件中进行。我是 Spring 的新手,无法确定上下文文件中的错误在哪里。我使用两个身份验证提供程序,但只需要一个 BCrypt encoder。
我使用 BCryptPasswordEncoder class 对测试密码进行编码,并把结果保存在数据库中。table 中有一个类型为 varchar(60) 的 password 列。控制台上没有任何错误,但我无法访问主页。如果我不对密码进行编码,登录就能正常工作。UserDetails 对象 user 能正确获取用户信息。
项目使用:
- Spring Framework 3.2.0.RELEASE
- Spring Security 3.2.0.RELEASE
securityContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:c="http://www.springframework.org/schema/c"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- Paths that are ignored: security="none" means no security filter chain runs for these URLs, so no SecurityContext is available there. -->
<security:http pattern="/css/**" security="none"/>
<security:http pattern="/assets/**" security="none"/>
<security:http pattern="/img/**" security="none"/>
<security:http pattern="/js/**" security="none"/>
<security:http pattern="/login*" security="none"/>
<security:http pattern="/recovery/*" security="none"/>
<security:http pattern="/recovery/initRecovery/*" security="none"/>
<!-- /lock* gets its own filter chain. It has no authentication-manager-ref, so it presumably resolves to the manager registered by the <security:authentication-manager> element at the bottom of this file - confirm before removing that element. -->
<security:http pattern="/lock*" use-expressions="true" auto-config="true">
<security:intercept-url pattern="/lock*" access="permitAll" />
</security:http>
<!-- Main chain: every other URL requires an authenticated user, and form logins are authenticated by the explicit "authenticationManager" bean below, NOT by the namespace <security:authentication-manager> element. -->
<security:http
auto-config="true" use-expressions="true"
authentication-manager-ref="authenticationManager"
access-denied-page="/denegado" >
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:form-login login-page="/login" default-target-url="/init" authentication-failure-url="/loginfailed" />
<security:logout invalidate-session="true" logout-success-url="/" />
</security:http>
<!-- BCrypt encoder with cost factor 10. Declaring it is not enough: it only takes effect on a DaoAuthenticationProvider that references it through its passwordEncoder property. -->
<bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<constructor-arg name="strength" value="10" />
</bean>
<!-- Neither provider below sets passwordEncoder, so DaoAuthenticationProvider falls back to its default plaintext comparison: the submitted password is compared as-is with the stored BCrypt hash, and only typing the hash string itself "matches". This is the defect the accepted fix addresses. -->
<bean id="authenticationProviderCrece"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsServicecrece"/>
</bean>
<bean id="authenticationProviderSac"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsServicesac"/>
</bean>
<!-- The manager actually used for form login (see authentication-manager-ref above). Providers are tried in list order: Crece first, then Sac. -->
<bean id="authenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<property name="providers">
<list>
<ref local="authenticationProviderCrece"/>
<ref local="authenticationProviderSac"/>
</list>
</property>
</bean>
<!-- This element builds a second, separate AuthenticationManager with its own providers. The password-encoder attached here is wired to that internal provider, not to authenticationProviderSac above, so form logins for /** never go through BCrypt. -->
<security:authentication-manager>
<security:authentication-provider user-service-ref="userDetailsServicecrece"/>
<security:authentication-provider user-service-ref="userDetailsServicesac">
<security:password-encoder ref="encoder"/>
</security:authentication-provider>
</security:authentication-manager>
UsuariosDetailsServiceImpl.java
package com.segurosargos.sac.service.impl;
import java.util.ArrayList;
import java.util.Collection;
import javax.annotation.Resource;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import com.segurosargos.sac.modelo.entidad.Usuario;
import com.segurosargos.sac.service.UsuarioService;
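/**
 * Loads SAC users for Spring Security from the {@code UsuarioService}.
 *
 * <p>Registered as {@code userDetailsServicesac}; the {@code authenticationProviderSac}
 * bean in securityContext.xml delegates to it. The password returned here is handed to
 * the provider's {@code PasswordEncoder} verbatim, so it must already be the stored
 * BCrypt hash. This class never hashes or compares passwords itself.
 */
@Service("userDetailsServicesac")
public class UsuariosDetailsServiceImpl implements UserDetailsService {

    @Resource
    private UsuarioService usuarioService;

    /**
     * Builds the {@link UserDetails} for {@code username}.
     *
     * @param username the login name submitted by the form
     * @return the user with its stored (hashed) password and account flags
     * @throws UsernameNotFoundException if no such user exists. The
     *         {@code UserDetailsService} contract forbids returning {@code null};
     *         DaoAuthenticationProvider treats null as an internal error, whereas it
     *         reports this exception (by default) as a plain bad-credentials failure,
     *         so the login form does not reveal which usernames exist.
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        System.out.println("Buscando usuario en BD SAC...");
        Usuario usuario = usuarioService.findByUsername(username);
        if (usuario == null) {
            // Contract fix: the original returned null here, which the provider rejects
            // with an internal-error exception instead of a normal failed login.
            throw new UsernameNotFoundException("Usuario no encontrado: " + username);
        }
        // Every SAC user gets the same single role; finer-grained authorities are not modelled here.
        Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
        // Account flags come straight from the entity so that disabled, locked or
        // expired users are rejected by the provider before any password check.
        return new User(usuario.getUsername(), usuario.getPassword(),
                usuario.isEnabled(), usuario.isAccountNonExpired(),
                usuario.isCredentialsNonExpired(), usuario.isAccountNonLocked(),
                authorities);
    }
}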
谢谢大家的回复。我只需要修改 securityContext.xml,直接在 DaoAuthenticationProvider 中注入 PasswordEncoder。passwordEncoder 是 class 为 BCryptPasswordEncoder 的那个 bean 的 ID。
<!-- The BCrypt bean is injected into the provider that the "authenticationManager" ProviderManager really uses. The ref must match the id of the BCryptPasswordEncoder bean: in the original securityContext.xml that bean is called "encoder", so rename one side until they agree. -->
<bean id="authenticationProviderSac"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsServicesac"/>
<property name="passwordEncoder" ref="passwordEncoder" />
</bean>
<!-- authenticationProviderCrece still has no passwordEncoder, so that provider keeps DaoAuthenticationProvider's default plaintext comparison. It is tried first because it is first in the list. -->
<bean id="authenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<property name="providers">
<list>
<ref local="authenticationProviderCrece"/>
<ref local="authenticationProviderSac"/>
</list>
</property>
</bean>
<!-- Kept on purpose: <security:http> elements without authentication-manager-ref (the /lock* chain) presumably resolve to this namespace-registered manager. It is independent of the ProviderManager above, so an encoder declared here would not affect form login for /**. -->
<security:authentication-manager>
<security:authentication-provider user-service-ref="userDetailsServicecrece"/>
<security:authentication-provider user-service-ref="userDetailsServicesac" />
</security:authentication-manager>
我正在尝试在一个使用 MySQL 数据库的 Spring Web 应用程序的登录中使用密码哈希,但是当我输入正确的密码时,登录总是把我重定向回 login?error=true。
我确定,如果我原样输入 table 'users' 中存储的密码(即哈希后的密码),我可以正常访问主页。由于项目规范,所有配置都在 XML 文件中进行。我是 Spring 的新手,无法确定上下文文件中的错误在哪里。我使用两个身份验证提供程序,但只需要一个 BCrypt encoder。
我使用 BCryptPasswordEncoder class 对测试密码进行编码,并把结果保存在数据库中。table 中有一个类型为 varchar(60) 的 password 列。控制台上没有任何错误,但我无法访问主页。如果我不对密码进行编码,登录就能正常工作。UserDetails 对象 user 能正确获取用户信息。
项目使用:
- Spring Framework 3.2.0.RELEASE
- Spring Security 3.2.0.RELEASE
securityContext.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:c="http://www.springframework.org/schema/c"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- Paths that are ignored: security="none" means no security filter chain runs for these URLs, so no SecurityContext is available there. -->
<security:http pattern="/css/**" security="none"/>
<security:http pattern="/assets/**" security="none"/>
<security:http pattern="/img/**" security="none"/>
<security:http pattern="/js/**" security="none"/>
<security:http pattern="/login*" security="none"/>
<security:http pattern="/recovery/*" security="none"/>
<security:http pattern="/recovery/initRecovery/*" security="none"/>
<!-- /lock* gets its own filter chain. It has no authentication-manager-ref, so it presumably resolves to the manager registered by the <security:authentication-manager> element at the bottom of this file - confirm before removing that element. -->
<security:http pattern="/lock*" use-expressions="true" auto-config="true">
<security:intercept-url pattern="/lock*" access="permitAll" />
</security:http>
<!-- Main chain: every other URL requires an authenticated user, and form logins are authenticated by the explicit "authenticationManager" bean below, NOT by the namespace <security:authentication-manager> element. -->
<security:http
auto-config="true" use-expressions="true"
authentication-manager-ref="authenticationManager"
access-denied-page="/denegado" >
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:form-login login-page="/login" default-target-url="/init" authentication-failure-url="/loginfailed" />
<security:logout invalidate-session="true" logout-success-url="/" />
</security:http>
<!-- BCrypt encoder with cost factor 10. Declaring it is not enough: it only takes effect on a DaoAuthenticationProvider that references it through its passwordEncoder property. -->
<bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<constructor-arg name="strength" value="10" />
</bean>
<!-- Neither provider below sets passwordEncoder, so DaoAuthenticationProvider falls back to its default plaintext comparison: the submitted password is compared as-is with the stored BCrypt hash, and only typing the hash string itself "matches". This is the defect the accepted fix addresses. -->
<bean id="authenticationProviderCrece"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsServicecrece"/>
</bean>
<bean id="authenticationProviderSac"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsServicesac"/>
</bean>
<!-- The manager actually used for form login (see authentication-manager-ref above). Providers are tried in list order: Crece first, then Sac. -->
<bean id="authenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<property name="providers">
<list>
<ref local="authenticationProviderCrece"/>
<ref local="authenticationProviderSac"/>
</list>
</property>
</bean>
<!-- This element builds a second, separate AuthenticationManager with its own providers. The password-encoder attached here is wired to that internal provider, not to authenticationProviderSac above, so form logins for /** never go through BCrypt. -->
<security:authentication-manager>
<security:authentication-provider user-service-ref="userDetailsServicecrece"/>
<security:authentication-provider user-service-ref="userDetailsServicesac">
<security:password-encoder ref="encoder"/>
</security:authentication-provider>
</security:authentication-manager>
UsuariosDetailsServiceImpl.java
package com.segurosargos.sac.service.impl;
import java.util.ArrayList;
import java.util.Collection;
import javax.annotation.Resource;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import com.segurosargos.sac.modelo.entidad.Usuario;
import com.segurosargos.sac.service.UsuarioService;
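/**
 * Loads SAC users for Spring Security from the {@code UsuarioService}.
 *
 * <p>Registered as {@code userDetailsServicesac}; the {@code authenticationProviderSac}
 * bean in securityContext.xml delegates to it. The password returned here is handed to
 * the provider's {@code PasswordEncoder} verbatim, so it must already be the stored
 * BCrypt hash. This class never hashes or compares passwords itself.
 */
@Service("userDetailsServicesac")
public class UsuariosDetailsServiceImpl implements UserDetailsService {

    @Resource
    private UsuarioService usuarioService;

    /**
     * Builds the {@link UserDetails} for {@code username}.
     *
     * @param username the login name submitted by the form
     * @return the user with its stored (hashed) password and account flags
     * @throws UsernameNotFoundException if no such user exists. The
     *         {@code UserDetailsService} contract forbids returning {@code null};
     *         DaoAuthenticationProvider treats null as an internal error, whereas it
     *         reports this exception (by default) as a plain bad-credentials failure,
     *         so the login form does not reveal which usernames exist.
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        System.out.println("Buscando usuario en BD SAC...");
        Usuario usuario = usuarioService.findByUsername(username);
        if (usuario == null) {
            // Contract fix: the original returned null here, which the provider rejects
            // with an internal-error exception instead of a normal failed login.
            throw new UsernameNotFoundException("Usuario no encontrado: " + username);
        }
        // Every SAC user gets the same single role; finer-grained authorities are not modelled here.
        Collection<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
        // Account flags come straight from the entity so that disabled, locked or
        // expired users are rejected by the provider before any password check.
        return new User(usuario.getUsername(), usuario.getPassword(),
                usuario.isEnabled(), usuario.isAccountNonExpired(),
                usuario.isCredentialsNonExpired(), usuario.isAccountNonLocked(),
                authorities);
    }
}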
谢谢大家的回复。我只需要修改 securityContext.xml,直接在 DaoAuthenticationProvider 中注入 PasswordEncoder。passwordEncoder 是 class 为 BCryptPasswordEncoder 的那个 bean 的 ID。
<!-- The BCrypt bean is injected into the provider that the "authenticationManager" ProviderManager really uses. The ref must match the id of the BCryptPasswordEncoder bean: in the original securityContext.xml that bean is called "encoder", so rename one side until they agree. -->
<bean id="authenticationProviderSac"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<property name="userDetailsService" ref="userDetailsServicesac"/>
<property name="passwordEncoder" ref="passwordEncoder" />
</bean>
<!-- authenticationProviderCrece still has no passwordEncoder, so that provider keeps DaoAuthenticationProvider's default plaintext comparison. It is tried first because it is first in the list. -->
<bean id="authenticationManager"
class="org.springframework.security.authentication.ProviderManager">
<property name="providers">
<list>
<ref local="authenticationProviderCrece"/>
<ref local="authenticationProviderSac"/>
</list>
</property>
</bean>
<!-- Kept on purpose: <security:http> elements without authentication-manager-ref (the /lock* chain) presumably resolve to this namespace-registered manager. It is independent of the ProviderManager above, so an encoder declared here would not affect form login for /**. -->
<security:authentication-manager>
<security:authentication-provider user-service-ref="userDetailsServicecrece"/>
<security:authentication-provider user-service-ref="userDetailsServicesac" />
</security:authentication-manager>