BCryptPasswordEncoder - 编码后的密码看起来不像 BCrypt
BCryptPasswordEncoder - Encoded password does not look like BCrypt
我有一个 SpringBoot 2.0.1.RELEASE mvc 应用程序,这是我的配置文件
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private Environment env;
@Override
protected void configure(HttpSecurity http) throws Exception {
final List<String> activeProfiles = Arrays.asList(env.getActiveProfiles());
if (activeProfiles.contains("dev")) {
http.csrf().disable();
http.headers().frameOptions().disable();
}
http
.authorizeRequests()
.antMatchers(publicMatchers()).permitAll()
.and()
.formLogin().loginPage("/login").defaultSuccessUrl("/elcordelaciutat/config")
.failureUrl("/login?error").permitAll()
.and()
.logout().permitAll();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
UserDetails userDetails = User.withUsername("elcor")
.password(encoder.encode("elcor"))
.roles("ADMIN")
.build();
auth.inMemoryAuthentication().withUser(userDetails);
}
private String[] publicMatchers() {
/** Public URLs. */
final String[] PUBLIC_MATCHERS = {
"/webjars/**",
"/css/**",
"/js/**",
"/images/**",
"/",
"/about/**",
"/contact/**",
"/error/**/*",
"/console/**"
};
return PUBLIC_MATCHERS;
}
}
但是当我登录到应用程序时,我在日志文件中收到了这条消息:
2018-04-11 11:27 [http-nio-5678-exec-7] WARN o.s.s.c.b.BCryptPasswordEncoder - Encoded password does not look like BCrypt
我无法登录...但密码正确。将我的应用程序从 SpringBoot 1 更新到 SpringBoot 2 后出现此错误
Spring 安全性在版本 5 中引入了一些重大更改。其中之一是在哈希中包含用于对密码进行哈希处理的算法。这样可以更轻松地迁移。
密码的一般格式为:
{id}encodedPassword
附带说明:如果您将密码存储在数据库中并设置了固定长度,这也可能导致您不小心截断哈希的末尾,因为它前面的 id哈希的长度增加。
我还将一个项目从 Spring Boot 1 / Spring 4 迁移到 Spring Boot 2 / Spring 5,然后从 BCrypt 迁移到 PBKDF2。
我的密码编码器现在看起来像这样:
public PasswordEncoder passwordEncoder() {
// This is the ID we use for encoding.
String currentId = "pbkdf2.2018";
// List of all encoders we support. Old ones still need to be here for rolling updates
Map<String, PasswordEncoder> encoders = new HashMap<>();
encoders.put("bcrypt", new BCryptPasswordEncoder());
encoders.put(currentId, new Pbkdf2PasswordEncoder(PBKDF2_2018_SECRET, PBKDF2_2018_ITERATIONS, PBKDF2_2018_HASH_WIDTH));
return new DelegatingPasswordEncoder(currentId, encoders);
}
它还需要更新数据库并为所有当前哈希添加前缀 {bcrypt}(我之前只使用 BCrypt)
来源:Spring Blog
我有一个 SpringBoot 2.0.1.RELEASE mvc 应用程序,这是我的配置文件
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private Environment env;
@Override
protected void configure(HttpSecurity http) throws Exception {
final List<String> activeProfiles = Arrays.asList(env.getActiveProfiles());
if (activeProfiles.contains("dev")) {
http.csrf().disable();
http.headers().frameOptions().disable();
}
http
.authorizeRequests()
.antMatchers(publicMatchers()).permitAll()
.and()
.formLogin().loginPage("/login").defaultSuccessUrl("/elcordelaciutat/config")
.failureUrl("/login?error").permitAll()
.and()
.logout().permitAll();
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
UserDetails userDetails = User.withUsername("elcor")
.password(encoder.encode("elcor"))
.roles("ADMIN")
.build();
auth.inMemoryAuthentication().withUser(userDetails);
}
private String[] publicMatchers() {
/** Public URLs. */
final String[] PUBLIC_MATCHERS = {
"/webjars/**",
"/css/**",
"/js/**",
"/images/**",
"/",
"/about/**",
"/contact/**",
"/error/**/*",
"/console/**"
};
return PUBLIC_MATCHERS;
}
}
但是当我登录到应用程序时,我在日志文件中收到了这条消息:
2018-04-11 11:27 [http-nio-5678-exec-7] WARN o.s.s.c.b.BCryptPasswordEncoder - Encoded password does not look like BCrypt
我无法登录...但密码正确。将我的应用程序从 SpringBoot 1 更新到 SpringBoot 2 后出现此错误
Spring 安全性在版本 5 中引入了一些重大更改。其中之一是在哈希中包含用于对密码进行哈希处理的算法。这样可以更轻松地迁移。
密码的一般格式为:
{id}encodedPassword
附带说明:如果您将密码存储在数据库中并设置了固定长度,这也可能导致您不小心截断哈希的末尾,因为它前面的 id哈希的长度增加。
我还将一个项目从 Spring Boot 1 / Spring 4 迁移到 Spring Boot 2 / Spring 5,然后从 BCrypt 迁移到 PBKDF2。
我的密码编码器现在看起来像这样:
public PasswordEncoder passwordEncoder() {
// This is the ID we use for encoding.
String currentId = "pbkdf2.2018";
// List of all encoders we support. Old ones still need to be here for rolling updates
Map<String, PasswordEncoder> encoders = new HashMap<>();
encoders.put("bcrypt", new BCryptPasswordEncoder());
encoders.put(currentId, new Pbkdf2PasswordEncoder(PBKDF2_2018_SECRET, PBKDF2_2018_ITERATIONS, PBKDF2_2018_HASH_WIDTH));
return new DelegatingPasswordEncoder(currentId, encoders);
}
它还需要更新数据库并为所有当前哈希添加前缀 {bcrypt}(我之前只使用 BCrypt)
来源:Spring Blog