Spring Security bcrypt encoding login is not working

Posted: 2015-05-09 03:33:23

Question:

My application uses Hibernate and Spring MVC. Login used to work, but now I have implemented bcrypt encoding for the password, and since then nothing works. I have changed almost everything. Here I am giving you my code and configuration files. Please help me find out where the problem is.

app-security.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:p="http://www.springframework.org/schema/p" 
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/context
                           http://www.springframework.org/schema/context/spring-context-3.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <security:global-method-security secured-annotations="enabled" />

    <!-- These beans handle successful login and failure cases of login -->
    <bean id="myAuthenticationSuccessHandler" class="com.app.security.handler.MySimpleUrlAuthenticationSuccessHandler" />
    <bean id="myAuthenticationFailureHandler" class="com.app.security.handler.MySimpleUrlAuthenticationFailureHandler" />

    <!-- Encrypter to encrypt password -->
    <bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

    <security:http auto-config="true"><!-- 
        <security:intercept-url pattern="/home*"    access="ROLE_USER" /> -->
        <security:intercept-url pattern="/admin"    access="ROLE_ADMIN" />
        <security:intercept-url pattern="/user"     access="ROLE_USER" />
        <security:intercept-url pattern="/group-admin"  access="ROLE_GROUP_ADMIN" />
        <security:intercept-url pattern="/sponsor"  access="ROLE_SPONSOR" />

        <security:form-login    login-page="/login" 
                                default-target-url="/home"
                                authentication-failure-handler-ref="myAuthenticationFailureHandler" 
                                authentication-success-handler-ref="myAuthenticationSuccessHandler"
        />
        <security:logout logout-success-url="/logout" />
    </security:http>

    <security:authentication-manager>
      <security:authentication-provider>
        <security:password-encoder ref="encoder" />
        <security:jdbc-user-service data-source-ref="dataSource"  
            users-by-username-query="select user_id as userId, username, password, email_address as emailAddress, active from users where username=?" 
            authorities-by-username-query="select us.user_id as userId, us.username as username, us.email_address as emailAddress, us.active as active, ur.roles from users us, user_roles ur 
              where us.role_id = ur.role_id and us.username =?  " 
        />
      </security:authentication-provider>
    </security:authentication-manager>

</beans>

UserService.java

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.stereotype.Service;

@Service
public class UserService {

    @Autowired
    private UserDaoImpl userDaoImpl;

    @Autowired
    BCryptPasswordEncoder passwordEncoder;

    /**
     * Save data in USER table
     * @param user
     */
    public void insert(User user) {
        // Hash (not encrypt) the password with bcrypt before saving
        user.setPassword(passwordEncoder.encode(user.getPassword()));

        userDaoImpl.save(user);
    }
}

User.java

import java.io.Serializable;

import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Size;

import org.hibernate.validator.constraints.NotEmpty;

@Entity
@Table(name="USERS")
public class User implements Serializable {

    private static final long serialVersionUID = 2158419746939747203L;

    @Id
    @Column(name="USER_ID")
    @GeneratedValue(strategy=GenerationType.IDENTITY)
    private long userId;

    // @UniqueCheck is the application's own validation annotation
    @Column(name="USERNAME", unique = true, length=45, nullable=false)
    @NotEmpty @NotNull @Size(min=6, max=20)
    @UniqueCheck(classname="User", fieldname="username")
    private String username;

    // 100 characters leaves room for a 60-character bcrypt hash
    @Column(name="PASSWORD", length=100, nullable=false)
    @NotEmpty @NotNull @Size(min=6, max=100)
    private String password;

    @Column(name="EMAIL_ADDRESS", unique = true, length=100, nullable=false)
    @UniqueCheck(classname="User", fieldname="emailAddress")
    @NotEmpty
    private String emailAddress;

    @Column(name="ACTIVE", nullable=false )
    private Integer active;

    @Column(name="ROLE_ID", nullable=false)
    private String roleid;

    // getters and setters
}

If any other information is needed, please let me know.

Comments:

bcrypt is not encryption.

The BCryptPasswordEncoder class says it encrypts.

I will repeat what I said. bcrypt is not encryption.

Sorry.... encoding... am I right?

Not really. bcrypt is a key derivation function, in this instance used as a cryptographic hash function.

Answer 1:

Giving the encoder a strength in both places (the Java file and the XML configuration file)... it started working.

So, config.xml

<bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
    <constructor-arg value="12"></constructor-arg>
</bean>

Service layer code:

/**
 * Encoding data
 * bcrypt is a key derivation function which is used in this instance as a cryptographic hash function
 * @param data
 * @return
 */
public static String bCrypt(String data) {
    BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder(12);
    return passwordEncoder.encode(data);
}
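To make the answer's two pieces checkable, here is an added stand-alone example (not code from the question or the answer) that encodes a constructed sample password at strength 12 the way the answer's `bCrypt` helper does, reads the cost factor back out of the hash, and verifies it with a `BCryptPasswordEncoder` built with the default strength. It assumes `spring-security-crypto` is on the classpath; the class name `BcryptCheck`, the `costOf` helper and the sample password are mine, not the project's.

```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public class BcryptCheck {

    // Encode at the strength the answer uses (2^12 bcrypt rounds).
    public static String encodeAtStrength12(String raw) {
        return new BCryptPasswordEncoder(12).encode(raw);
    }

    // A bcrypt hash has the form "$2a$<cost>$<22-char salt><31-char hash>" (60 characters).
    // This helper parses the cost field so the stored value can be inspected.
    public static int costOf(String hash) {
        String[] parts = hash.split("\\$"); // ["", "2a", "12", "<salt+hash>"]
        if (parts.length != 4 || !parts[1].startsWith("2")) {
            throw new IllegalArgumentException("not a bcrypt hash: " + hash);
        }
        return Integer.parseInt(parts[2]);
    }

    public static void main(String[] args) {
        String raw = "correct horse battery staple"; // constructed sample password

        String stored = encodeAtStrength12(raw);
        System.out.println("stored hash:  " + stored);
        System.out.println("cost factor:  " + costOf(stored));

        // bcrypt generates a fresh salt per call, so encoding the same password
        // twice yields different hashes; equality of hashes is never the check.
        System.out.println("same hash twice: " + stored.equals(encodeAtStrength12(raw)));

        // matches() takes the cost and salt from the stored hash itself, so an
        // encoder constructed with the default strength verifies a strength-12 hash.
        BCryptPasswordEncoder defaultEncoder = new BCryptPasswordEncoder();
        System.out.println("default encoder accepts strength-12 hash: "
                + defaultEncoder.matches(raw, stored));
        System.out.println("wrong password accepted: "
                + defaultEncoder.matches("wrong", stored));

        // Illustration of a failure mode: if a value that is already a hash is
        // encoded again (for example in two layers of the application), the raw
        // password no longer matches what is stored.
        String doubleEncoded = encodeAtStrength12(stored);
        System.out.println("raw password accepted against double-encoded value: "
                + defaultEncoder.matches(raw, doubleEncoded));
    }
}
```

Because the cost factor lives inside the hash, the strength passed to the constructor only affects newly encoded passwords; verification of existing rows works with any strength, which is what allows log rounds to be raised later without re-encoding every password. Separately from the encoder, `jdbc-user-service` reads the columns returned by `users-by-username-query` by position as username, password, enabled, and those of `authorities-by-username-query` as username, authority, so when debugging a configuration like the one in the question the column order of both queries is worth checking alongside the encoder setup.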

Comments:
