Python中文网

一个关于 编程问题的解答网站.

有 Java 编程相关的问题?

你可以在下面搜索框中键入要查询的问题!

在用户创建和登录时使用JavaSpring安全性

6 月,1 周 Questions & Answers

我再次面临Spring Security的同样问题:“密码与存储值不匹配”

我用我的自定义GraphPopulator类在我的图中导入了4个帐户(我使用的是SpringData/Neo4J),并尝试用一个(“fbiville”/“s3cret”)登录

身份验证配置如下所示:

<beans:bean id="encoder" class="org.springframework.security.crypto.password.StandardPasswordEncoder">
    <beans:constructor-arg value="******" />
</beans:bean>

<beans:bean id="userService" class="com.lateralthoughts.devinlove.service.LoginService" />

<authentication-manager>
    <authentication-provider user-service-ref="userService">
        <password-encoder ref="encoder" />
    </authentication-provider>
</authentication-manager>

负责持久化帐户的类部分基于自定义SpringData存储库实现:

class PersonRepositoryImpl implements PersonRepositoryCustom {

    private final PasswordEncoder passwordEncoder;
    private final Neo4jOperations template;

    @Autowired
    public PersonRepositoryImpl(PasswordEncoder passwordEncoder,
                            Neo4jOperations template) {

        this.passwordEncoder = passwordEncoder;
        this.template = template;
    }

    @Override
    @Transactional
    public void persist(Person person) {
        person.setPassword(passwordEncoder.encode(person.getPassword()));
        template.save(person);
    }
}

最后,登录过程配置如下:

<http auto-config='true' use-expressions='true' realm="devinlove: love is just another algorithm">
    <form-login   login-page="/login"
                  default-target-url="/"
                  authentication-failure-url="/login" />
    <intercept-url pattern="/login" access="isAnonymous()" />
    <intercept-url pattern="/**" access="hasRole('USER')" />
</http>

我在帐户创建和用户登录尝试时调试了StandardPasswordEncoder,我注意到SALT不匹配,这显然导致了身份验证错误

如果要重现问题,可以克隆repository

提前谢谢

罗尔夫


共 (1) 个答案

  1. # 1 楼答案

    您需要使用org.springframework.security.authentication.encoding.PasswordEncoder实现,而不是org.springframework.security.crypto.password.PasswordEncoder

    因此,您可以简单地按如下方式使用:

    <authentication-manager>
    <authentication-provider user-service-ref="userService">
        <password-encoder hash="sha" base64="true">
            <! Single salt - the very same as you are using in `encoder` instance >
            <salt-source system-wide="********"/>
        </password-encoder>
    </authentication-provider>
</authentication-manager>

    注意,这将在@Autowired属性中正常工作,尽管不应该有@Qualifier,bean只需要表示一次

    它公开了这样的接口的实现:org.springframework.security.authentication.encoding.PasswordEncoderorg.springframework.security.authentication.dao.SaltSource

    因此,在您的特定情况下,它将如下所示:

    class PersonRepositoryImpl implements PersonRepositoryCustom {

    private final PasswordEncoder passwordEncoder;
    private final Neo4jOperations template;

    @Autowired
    public PersonRepositoryImpl(PasswordEncoder passwordEncoder,
                                SaltSource saltSource
                                Neo4jOperations template) {

        this.passwordEncoder = passwordEncoder;
        this.saltSource = saltSource;
        this.template = template;
    }

    @Override
    @Transactional
    public void persist(Person person) {
        person.setPassword(passwordEncoder.encode(person.getPassword(), saltSource));
        template.save(person);
    }
}