Spring Security bcrypt 编码登录不起作用
Posted
技术标签:
【中文标题】Spring Security bcrypt 编码登录不起作用【英文标题】:Spring Security bcrypt encoding login is not working 【发布时间】:2015-05-09 03:33:23 【问题描述】:我的应用程序处于休眠和 Spring MVC 中。以前登录可以工作,但现在我为密码实现了 bcrypt 编码。之后没有任何工作。我几乎改变了一切。在这里,我给你我的代码和配置文件。请帮我找出问题所在。
app-security.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:p="http://www.springframework.org/schema/p"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/context
http://www.springframework.org/schema/context/spring-context-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<security:global-method-security secured-annotations="enabled" />
<!-- These beans handle successful login and failure cases of login -->
<bean id="myAuthenticationSuccessHandler" class="com.app.security.handler.MySimpleUrlAuthenticationSuccessHandler" />
<bean id="myAuthenticationFailureHandler" class="com.app.security.handler.MySimpleUrlAuthenticationFailureHandler" />
<!-- Encrypter to encrypt password -->
<bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>
<security:http auto-config="true"><!--
<security:intercept-url pattern="/home*" access="ROLE_USER" /> -->
<security:intercept-url pattern="/admin" access="ROLE_ADMIN" />
<security:intercept-url pattern="/user" access="ROLE_USER" />
<security:intercept-url pattern="/group-admin" access="ROLE_GROUP_ADMIN" />
<security:intercept-url pattern="/sponsor" access="ROLE_SPONSOR" />
<security:form-login login-page="/login"
default-target-url="/home"
authentication-failure-handler-ref="myAuthenticationFailureHandler"
authentication-success-handler-ref="myAuthenticationSuccessHandler"
/>
<security:logout logout-success-url="/logout" />
</security:http>
<security:authentication-manager>
<security:authentication-provider>
<security:password-encoder ref="encoder" />
<security:jdbc-user-service data-source-ref="dataSource"
users-by-username-query="select user_id as userId, username, password, email_address as emailAddress, active from users where username=?"
authorities-by-username-query="select us.user_id as userId, us.username as username, us.email_address as emailAddress, us.active as active, ur.roles from users us, user_roles ur
where us.role_id = ur.role_id and us.username =? "
/>
</security:authentication-provider>
</security:authentication-manager>
</beans>
用户服务.java
@Service
public class UserService
@Autowired
private UserDaoImpl userDaoImpl;
@Autowired
BCryptPasswordEncoder passwordEncoder;
/**
* Save data in USER table
* @param user
*/
public void insert(User user)
//Encrypting password
user.setPassword(passwordEncoder.encode(user.getPassword()));
userDaoImpl.save(user);
用户.java
@Entity
@Table(name="USERS")
public class User implements Serializable
private static final long serialVersionUID = 2158419746939747203L;
@Id
@Column(name="USER_ID")
@GeneratedValue(strategy=GenerationType.IDENTITY)
private long userId;
@Column(name="USERNAME", unique = true, length=45, nullable=false)
@NotEmpty @NotNull @Size(min=6, max=20)
@UniqueCheck(classname="User", fieldname="username")
private String username;
@Column(name="PASSWORD", length=100, nullable=false)
@NotEmpty @NotNull @Size(min=6, max=100)
private String password;
@Column(name="EMAIL_ADDRESS", unique = true, length=100, nullable=false)
@UniqueCheck(classname="User", fieldname="emailAddress")
@NotEmpty
private String emailAddress;
@Column(name="ACTIVE", nullable=false )
private Integer active;
@Column(name="ROLE_ID", nullable=false)
private String roleid;
//getter setters
如果需要任何其他信息,请告诉我
【问题讨论】:
bcrypt 不是加密。 表示要加密的 BCryptPasswordEncoder 类 我会重复我所说的。 bcrypt 是不是加密。 抱歉....编码...我说的对吗? 并非如此。 bcrypt 是一个key derivation function,在本例中用作cryptographic hash function。 【参考方案1】:在这两个地方(java 文件和 xml 配置文件)给编码器提供力量......它开始工作了。
所以, config.xml
<bean
id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
<constructor-arg value="12"></constructor-arg>
</bean>
服务层代码:
/**
* Encoding data
* bcrypt is a key derivation function which is used in this instance as a cryptographic hash function
* @param data
* @return
*/
public static String bCrypt(String data)
BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder(12);
return passwordEncoder.encode(data);
【讨论】:
以上是关于Spring Security bcrypt 编码登录不起作用的主要内容,如果未能解决你的问题,请参考以下文章
spring security 使用 bcrypt 算法对密码进行编码
在 Grails 3.0 中配置 Spring Boot Security 以使用 BCrypt 密码编码
Spring Boot Security:编码密码看起来不像 BCrypt
使用 OAuth2 和 JWT 的 Spring Security:编码密码看起来不像 BCrypt
使用Spring Security为实时Grails应用程序增加BCrypt logrounds而不重新编码所有密码是否安全?
Spring Security 报:Encoded password does not look like BCrypt