Spring-boot Digest authentication failure using Digest filter
【Title】:Spring-boot Digest authentication failure using Digest filter 【Posted】:2018-10-04 15:16:03
【Question】:I am new to this technology. I tried to implement Digest Authentication for my Springboot application. I get the following error when trying to call my application:
There is no PasswordEncoder mapped for the id \"null\"","path":"/countryId/"
* Closing connection 0
The curl command I am using to call it:
curl -iv --digest -u test:5f4dcc3b5aa765d61d8327deb882cf99 -d '{"CountryCode": "INDIA"}' http://localhost:9090/countryId/
Class details:
package com.sg.config;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserCache;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.authentication.www.DigestAuthenticationFilter;
import org.springframework.stereotype.Component;

@Component
@Configuration
@EnableWebSecurity
public class SpringSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    CustomDigestAuthenticationEntryPoint customDigestAuthenticationEntryPoint;

    /*@Bean
    public BCryptPasswordEncoder encoder() {
        return new BCryptPasswordEncoder();
    }*/

    // In-memory user store with a single test user.
    @Bean
    public UserDetailsService userDetailsServiceBean() {
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        manager.createUser(User.withUsername("test").password("nooppassword").roles("USER").build());
        return manager;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests().antMatchers("/hello/**").permitAll().anyRequest().authenticated()
            .and().exceptionHandling().authenticationEntryPoint(customDigestAuthenticationEntryPoint).and()
            .addFilter(digestAuthenticationFilter());
    }

    //@Bean
    DigestAuthenticationFilter digestAuthenticationFilter() throws Exception {
        DigestAuthenticationFilter digestAuthenticationFilter = new DigestAuthenticationFilter();
        digestAuthenticationFilter.setUserDetailsService(userDetailsServiceBean());
        digestAuthenticationFilter.setAuthenticationEntryPoint(customDigestAuthenticationEntryPoint);
        return digestAuthenticationFilter;
    }
}

package com.sg.config;

import org.springframework.security.web.authentication.www.DigestAuthenticationEntryPoint;
import org.springframework.stereotype.Component;

@Component
public class CustomDigestAuthenticationEntryPoint extends DigestAuthenticationEntryPoint {

    // Set realm, nonce key and nonce lifetime before the parent validates them.
    @Override
    public void afterPropertiesSet() throws Exception {
        setRealmName("Digest-Realm");
        setKey("MySecureKey");
        setNonceValiditySeconds(300);
        super.afterPropertiesSet();
    }
}

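【Question discussion】:
【Answer 1】:I have solved this issue. Let me first explain what went wrong: in current Spring Security you cannot use plain-text passwords, so some encryption logic has to be kept. Unfortunately, Digest does not work with encrypted passwords. I found a workaround: instead of using the Bean (BCrypt), I implemented the PasswordEncoder interface directly, in such a way that it is able to hold plain-text passwords.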
// Requires: import org.springframework.security.crypto.password.PasswordEncoder;
@Bean
public PasswordEncoder passwordEncoder() {
    return new PasswordEncoder() {
        @Override
        public String encode(CharSequence rawPassword) {
            return rawPassword.toString();
        }

        @Override
        public boolean matches(CharSequence rawPassword, String encodedPassword) {
            return rawPassword.toString().equals(encodedPassword);
        }
    };
}
【Discussion】:
This solution works, but it is definitely bad practice. Passwords have to be stored encrypted in the database. BCrypt is one of the best solutions. Better to use Basic Auth than DigestAuth.
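Why Digest and one-way password hashes conflict, as an added example that is not code from the question, the answer or Spring Security: a JDK-only RFC 2617 (qop=auth) check in which the server verifies a response from a stored HA1 value but not from a one-way hash of the password. The nonce, nc and cnonce values are constructed, the class name `DigestCheck` is hypothetical, and SHA-256 is used only as a stand-in for BCrypt.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added example, not from the original post. Uses only the JDK.
public class DigestCheck {
    static String hex(String alg, String s) throws Exception {
        byte[] d = MessageDigest.getInstance(alg).digest(s.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // HA1 = MD5(username:realm:password): the only password-derived input to the check.
    static String ha1(String user, String realm, String password) throws Exception {
        return hex("MD5", user + ":" + realm + ":" + password);
    }

    // response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri), qop fixed to "auth".
    static String response(String ha1, String method, String uri,
                           String nonce, String nc, String cnonce) throws Exception {
        String ha2 = hex("MD5", method + ":" + uri);
        return hex("MD5", ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    // Server side: recompute from the stored value, compare in constant time.
    static boolean verify(String stored, String method, String uri, String nonce,
                          String nc, String cnonce, String clientResponse) throws Exception {
        byte[] expected = response(stored, method, uri, nonce, nc, cnonce)
                .getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, clientResponse.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; user, password, realm and path come from the question.
        String realm = "Digest-Realm", uri = "/countryId/";
        String nonce = "sample-nonce", nc = "00000001", cnonce = "sample-cnonce";

        // Client knows the password and answers the challenge (curl -d sends a POST).
        String sent = response(ha1("test", realm, "nooppassword"), "POST", uri, nonce, nc, cnonce);

        // Store A: HA1. The server can recompute the response without the plaintext.
        String storedHa1 = ha1("test", realm, "nooppassword");
        System.out.println("HA1 store:     " + verify(storedHa1, "POST", uri, nonce, nc, cnonce, sent));

        // Store B: a one-way hash of the password alone (SHA-256 here as a stand-in for BCrypt).
        // HA1 cannot be derived from it, so the same response fails to verify.
        String oneWay = hex("SHA-256", "nooppassword");
        System.out.println("one-way store: " + verify(oneWay, "POST", uri, nonce, nc, cnonce, sent));
    }
}
```

A stored HA1 is still password-equivalent for its realm, so it needs the same protection as a plaintext password. Spring Security's `DigestAuthenticationFilter` accepts stored HA1 values when `setPasswordAlreadyEncoded(true)` is set.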