Spring Security with OAuth2 and JWT: "Encoded password does not look like BCrypt"

I am trying to implement a Spring AuthorizationServer using JWT. I was able to generate JWT tokens and log in until I added BCrypt into the mix. Now, when I try to log in, I get "Bad credentials" from the API.

OAuth2Configuration.java

    import javax.sql.DataSource;

    import org.postgresql.jdbc3.Jdbc3PoolingDataSource;
    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
    import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
    import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;
    import org.springframework.security.oauth2.provider.code.AuthorizationCodeServices;
    import org.springframework.security.oauth2.provider.code.JdbcAuthorizationCodeServices;
    import org.springframework.security.oauth2.provider.token.TokenStore;
    import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
    import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;

    @Configuration
    @EnableAuthorizationServer
    public class OAuth2Configuration extends AuthorizationServerConfigurerAdapter {

        private DataSource dataSource;
        private AuthenticationManager authenticationManager;
        private BCryptPasswordEncoder passwordEncoder;

        public OAuth2Configuration(AuthenticationManager authenticationManager) {
            this.authenticationManager = authenticationManager;
            // Constructed unconfigured, as posted; it is not the injected Boot DataSource.
            this.dataSource = new Jdbc3PoolingDataSource();
            this.passwordEncoder = new BCryptPasswordEncoder();
        }

        @Override
        public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
            // Makes the server compare client secrets with BCrypt, so stored secrets
            // must already be BCrypt hashes.
            security.passwordEncoder(passwordEncoder);
        }

        @Override
        public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
            clients.inMemory()
                    .withClient("api-client")
                    // Plain-text secret: this is the value the BCrypt encoder cannot match.
                    .secret("verysecretivesecret")
                    .scopes("READ", "WRITE", "DELETE")
                    // Grant type was misspelled "refresh_tokens" in the post; the OAuth2 name is "refresh_token".
                    .authorizedGrantTypes("implicit", "refresh_token", "password", "authorization_code");
        }

        @Override
        public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
            endpoints.authorizationCodeServices(authorizationCodeServices())
                    .tokenStore(tokenStore())
                    .tokenEnhancer(jwtTokenEnhancer())
                    .authenticationManager(authenticationManager);
        }

        @Bean
        public TokenStore tokenStore() {
            return new JwtTokenStore(jwtTokenEnhancer());
        }

        @Bean
        protected JwtAccessTokenConverter jwtTokenEnhancer() {
            // No signing key is set, so the converter signs with a randomly generated MAC key.
            return new JwtAccessTokenConverter();
        }

        @Bean
        protected AuthorizationCodeServices authorizationCodeServices() {
            return new JdbcAuthorizationCodeServices(dataSource);
        }
    }

WebSecurityConfig.java

    import javax.sql.DataSource;

    import org.postgresql.jdbc3.Jdbc3PoolingDataSource;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

    @Configuration
    class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        private AccountDetailsService accountDetailsService;
        private BCryptPasswordEncoder passwordEncoder;
        private DataSource dataSource;

        WebSecurityConfig(AccountDetailsService accountDetailsService) {
            this.accountDetailsService = accountDetailsService;
            this.dataSource = new Jdbc3PoolingDataSource();
            this.passwordEncoder = new BCryptPasswordEncoder();
        }

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            // Registers two providers: the UserDetailsService-backed one with BCrypt,
            // and a second JDBC-backed one that is given no password encoder.
            auth.userDetailsService(accountDetailsService)
                    .passwordEncoder(passwordEncoder)
                    .and()
                    .jdbcAuthentication()
                    .dataSource(dataSource);
        }
    }

SeedData.java

    import java.util.Collections;
    import java.util.stream.Stream;

    import org.springframework.boot.CommandLineRunner;
    import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
    import org.springframework.stereotype.Component;

    @Component
    public class SeedData implements CommandLineRunner {

        // The post shows only run(); the repository and role it references are
        // assumed to be fields of the enclosing class, as declared here.
        private final AccountRepository accountRepository;
        private final Role role;

        public SeedData(AccountRepository accountRepository, Role role) {
            this.accountRepository = accountRepository;
            this.role = role;
        }

        @Override
        public void run(String... args) throws Exception {
            Stream.of("alan,test").map(x -> x.split(","))
                    .forEach(tuple -> {
                        Account user = new Account();
                        user.setUsername(tuple[0]);
                        // User passwords are stored as BCrypt hashes, which the
                        // WebSecurityConfig encoder can verify.
                        user.setPassword(new BCryptPasswordEncoder().encode(tuple[1]));
                        user.setEmail(tuple[0]);
                        user.setRoles(Collections.singletonList(role));
                        user.setActive(true);
                        this.accountRepository.save(user);
                    });
        }
    }

Thanks for your help.

I needed to make the following changes to get it working, in case anyone needs it.

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(accountDetailsService)
                .passwordEncoder(passwordEncoder)
                .and()
                .authenticationProvider(authenticationProvider())
                .jdbcAuthentication()
                .dataSource(dataSource);
    }

    @Bean
    public DaoAuthenticationProvider authenticationProvider() {
        // Explicit DAO provider bound to the same UserDetailsService and BCrypt encoder.
        DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
        authenticationProvider.setUserDetailsService(accountDetailsService);
        authenticationProvider.setPasswordEncoder(passwordEncoder);
        return authenticationProvider;
    }

This is because you are applying BCrypt to both WebSecurity and the AuthorizationServer. So not only do you need to keep BCrypt-encoded user passwords in the store, you also need to keep a BCrypt-encoded client secret for OAuth2. I guess that is not what you were trying to achieve.

To make your code work, remove

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        security.passwordEncoder(passwordEncoder);
    }

or manually encrypt your "verysecretivesecret".
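The second answer's point, as an added example that is not part of the question or either answer: once the AuthorizationServer is told to use BCrypt, `BCryptPasswordEncoder.matches()` is run against the stored client secret, and a plain-text secret fails the BCrypt format check (that is where the "Encoded password does not look like BCrypt" warning comes from). The file below is a self-contained demonstration of that check plus the corrected client registration that keeps `security.passwordEncoder(passwordEncoder)` and stores the hashed secret instead. The class names `ClientSecretBcryptDemo` and `EncodedSecretOAuth2Configuration` and the regular expression are assumptions for illustration; the Spring calls are the ones used in the question.

```java
import java.util.regex.Pattern;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerSecurityConfigurer;

// Added example, not the original poster's code. Shows why a plain-text client
// secret cannot be verified by a BCrypt encoder and what a stored secret must look like.
public class ClientSecretBcryptDemo {

    // Same shape Spring's BCryptPasswordEncoder accepts: $2a$/$2b$/$2y$, cost, 22-char salt, 31-char hash.
    // Assumed here as a pre-flight check for values read from a client store.
    private static final Pattern BCRYPT = Pattern.compile("\\A\\$2[aby]?\\$\\d{2}\\$[./0-9A-Za-z]{53}");

    static boolean looksLikeBCrypt(String stored) {
        return stored != null && BCRYPT.matcher(stored).matches();
    }

    public static void main(String[] args) {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
        String raw = "verysecretivesecret";

        // What the question stored: the raw secret. matches() logs
        // "Encoded password does not look like BCrypt" and returns false,
        // which the token endpoint reports as bad client credentials.
        System.out.println("plaintext stored: matches=" + encoder.matches(raw, raw)
                + " looksLikeBCrypt=" + looksLikeBCrypt(raw));

        // What must be stored when security.passwordEncoder(passwordEncoder) is kept.
        String hashed = encoder.encode(raw);
        System.out.println("hash stored: " + hashed);
        System.out.println("hash stored: matches=" + encoder.matches(raw, hashed)
                + " looksLikeBCrypt=" + looksLikeBCrypt(hashed));

        // Each encode() call uses a fresh random salt, so two hashes of the same
        // secret differ yet both verify; never compare hashes to each other.
        System.out.println("second hash verifies=" + encoder.matches(raw, encoder.encode(raw)));
    }
}

// The question's client registration with the secret stored as a BCrypt hash.
// Configuration class name is an assumption; only the client-secret line changes.
@Configuration
@EnableAuthorizationServer
class EncodedSecretOAuth2Configuration extends AuthorizationServerConfigurerAdapter {

    private final PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
    private final AuthenticationManager authenticationManager;

    EncodedSecretOAuth2Configuration(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        // Kept: every client secret in the store must now be a BCrypt hash.
        security.passwordEncoder(passwordEncoder);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("api-client")
                // Store the hash; the client still sends the raw value, which matches() verifies.
                .secret(passwordEncoder.encode("verysecretivesecret"))
                .scopes("READ", "WRITE", "DELETE")
                .authorizedGrantTypes("password", "authorization_code", "refresh_token");
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager);
    }
}
```

Encoding the secret at startup, as above, is fine for an in-memory client; for a JDBC client store the hash is what goes into the `client_secret` column, and `looksLikeBCrypt` is a cheap way to assert that before the first token request rather than discovering it from the warning in the log.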