en *_*ris 2 spring spring-mvc spring-security password-encryption spring-boot
I have a SpringBoot 2.0.1.RELEASE mvc application, so in the security config I've defined this method:
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth
        .inMemoryAuthentication()
        .withUser(User
            .withDefaultPasswordEncoder()
            .username(DEV_USER)
            .password(DEV_PWD)
            .roles("ADMIN").build());
}
but it seems that the method withDefaultPasswordEncoder() from the type User is deprecated, but I don't know which I have to use instead.
@Deprecated
public static User.UserBuilder withDefaultPasswordEncoder()
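Deprecated. Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details.
WARNING: This method is considered unsafe for production and is only intended for sample applications.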
UserDetails user = User.withDefaultPasswordEncoder()
    .username("user")
    .password("password")
    .roles("USER")
    .build();
// outputs {bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG
System.out.println(user.getPassword());
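This is not safe for production (it is intended for the getting-started experience) because the password "password" is compiled into the source code and is then included in memory at the time of creation. This means there are still ways to recover the plain text password, making it unsafe. It does provide a slight improvement over using plain text passwords, since the UserDetails password is securely hashed. This means that if the UserDetails password is accidentally exposed, the password is securely stored. In a production setting, it is recommended to hash the password ahead of time. For example: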
PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
// outputs {bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG
// remember the password that is printed out and use in the next step
System.out.println(encoder.encode("password"));

UserDetails user = User.withUsername("user")
    .password("{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG")
    .roles("USER")
    .build();
Returns: a UserBuilder that automatically encodes the password with the default PasswordEncoder
To answer your question, you can do the following:
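@Autowired // as in the question, so that Spring invokes this method
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    // Delegating encoder: encode() returns the hash prefixed with its id, e.g. {bcrypt}...
    PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
    // DEV_USER and DEV_PWD are the constants from the question's config class
    UserDetails userDetails = User.withUsername(DEV_USER)
        .password(encoder.encode(DEV_PWD))
        .roles("ADMIN")
        .build();
    auth.inMemoryAuthentication().withUser(userDetails);
}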
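The Javadoc quoted above recommends hashing the password ahead of time, whereas calling encoder.encode(DEV_PWD) at startup still keeps the plain text constant in the source. The following is an added example, not part of the original answer, that reads a pre-encoded hash from external configuration and refuses to start on a plain text value; the property names app.dev.username and app.dev.password-hash, the class name DevUserConfig and the helper requireEncoded are assumptions made here.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

@Configuration
@EnableWebSecurity
public class DevUserConfig {

    // Assumed property names (not from the original post). Supply them from the
    // environment or an external config file, never from source control.
    @Value("${app.dev.username}")
    private String devUser;

    // Expected form: {bcrypt}$2a$10$... as printed once, offline, by
    // PasswordEncoderFactories.createDelegatingPasswordEncoder().encode(...)
    @Value("${app.dev.password-hash}")
    private String devPasswordHash;

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        requireEncoded(devPasswordHash);
        UserDetails userDetails = User.withUsername(devUser)
                .password(devPasswordHash) // stored as-is; no encode() call at startup
                .roles("ADMIN")
                .build();
        auth.inMemoryAuthentication().withUser(userDetails);
    }

    // Fail fast on a plain text value: the delegating encoder needs an "{id}"
    // prefix to know which algorithm produced the hash.
    static void requireEncoded(String value) {
        if (value == null || !value.matches("^\\{[A-Za-z0-9-]+\\}.+")) {
            throw new IllegalStateException(
                    "app.dev.password-hash must be a pre-encoded value such as {bcrypt}...");
        }
        if (value.startsWith("{noop}")) {
            throw new IllegalStateException("{noop} stores the password in plain text");
        }
    }
}
```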