car*_*era 2 spring spring-security bcrypt spring-boot spring-security-oauth2
I have a SpringBoot 2.1.4.RELEASE RESTful Web service app, built with Spring Initializer, embedded Tomcat and the Thymeleaf template engine, and packaged as an executable JAR file.
I have this config file:
    @Profile("dev")
    @Configuration
    @EnableWebSecurity
    public class DevWebSecurityConfig extends WebSecurityConfigurerAdapter {

        private static final Logger LOG = LoggerFactory.getLogger(DevWebSecurityConfig.class);

        @Autowired
        private UserSecurityService userSecurityService;

        @Autowired
        private Environment env;

        @Value("${server.servlet.context-path}")
        private String serverContextPath;

        /** The encryption SALT. */
        private static final String SALT = "12323*&^%of";

        @Bean
        public BCryptPasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder(12, new SecureRandom(SALT.getBytes()));
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            final List<String> activeProfiles = Arrays.asList(env.getActiveProfiles());
            if (activeProfiles.contains("dev")) {
                http.csrf().disable();
                http.headers().frameOptions().disable();
            }
            http
                .authorizeRequests()
                .antMatchers(publicMatchers()).permitAll()
                .anyRequest().authenticated()
                .and()
                .formLogin().loginPage("/login").defaultSuccessUrl("/guerrilla/teatre")
                .failureUrl("/login?error").permitAll()
                .and()
                .logout().permitAll();
        }

        @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth
                .inMemoryAuthentication()
                .withUser("carles.xuriguera@gmail.com").password("password")
                .roles("ADMIN");
        }

        private String[] publicMatchers() {
            /** Public URLs. */
            final String[] PUBLIC_MATCHERS = {
                "/webjars/**",
                serverContextPath + "/css/**",
                serverContextPath + "/js/**",
                serverContextPath + "/fonts/**",
                serverContextPath + "/images/**",
                serverContextPath,
                "/",
                "/error/**/*",
                "/console/**",
                SignupController.SIGNUP_URL_MAPPING,
                SignupController.USER_VALIDATION_URL_MAPPING
            };
            return PUBLIC_MATCHERS;
        }
    }
But when I log in to the system with the credentials carles.xuriguera@gmail.com / password, I get this message on the login page: Error ! "Bad credentials", and I see this message in the console:
2019-04-15 10:50 [http-nio-2233-exec-4] WARN o.s.s.c.b.BCryptPasswordEncoder.matches(90) - Encoded password does not look like BCrypt
I have also tried using
$2y$12$EE25qVSZ2Td1D5k9mFHoYubKRqrRqCUGuwnLc9aNjosKMLeY/7/72, which is the Bcrypt of password, but nevertheless I got the same error:
Encoded password does not look like BCrypt
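You have to specify the encrypted password rather than the raw password.
Also make sure the encrypted password starts with "$2a$", because 2a is the only version accepted by BCryptPasswordEncoder.
Spring Security version 5.2.0.M1 supports 2a, 2b and 2y.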
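The check described in the answers, as an added example that is not code from the question or from Spring Security: it classifies a stored value by its BCrypt version prefix before it reaches the encoder. The class name and the two regular expressions are assumptions written from the answer's description (2a only, versus 2a/2b/2y from 5.2.0.M1); it needs spring-security-crypto on the classpath.

```java
import java.util.regex.Pattern;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// Added example: hypothetical helper, not part of the question's project.
public class BcryptFormatCheck {

    // Assumed shapes, taken from the answer's description:
    // "$2a$" only, versus "$2a$", "$2b$" or "$2y$" (5.2.0.M1 and later).
    // Both expect a two-digit cost followed by 53 characters of salt + hash.
    static final Pattern ONLY_2A =
            Pattern.compile("\\A\\$2a\\$\\d\\d\\$[./0-9A-Za-z]{53}\\z");
    static final Pattern V2A_2B_2Y =
            Pattern.compile("\\A\\$2[aby]\\$\\d\\d\\$[./0-9A-Za-z]{53}\\z");

    static String classify(String stored) {
        if (ONLY_2A.matcher(stored).matches()) {
            return "accepted by 2a-only encoders and by 5.2.0.M1+";
        }
        if (V2A_2B_2Y.matcher(stored).matches()) {
            return "accepted by 5.2.0.M1+ only";
        }
        return "not a BCrypt hash";
    }

    public static void main(String[] args) {
        BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(12);

        // Raw value the question passed to .password("password")
        String raw = "password";
        // $2y$ hash quoted in the question
        String fromQuestion =
                "$2y$12$EE25qVSZ2Td1D5k9mFHoYubKRqrRqCUGuwnLc9aNjosKMLeY/7/72";
        // Hash produced by the encoder itself
        String fresh = encoder.encode("password");

        for (String stored : new String[] {raw, fromQuestion, fresh}) {
            System.out.println(classify(stored) + " <- " + stored);
        }
        // A hash the encoder produced always verifies against the same encoder.
        System.out.println("fresh hash matches: " + encoder.matches("password", fresh));
    }
}
```

In the question's `configureGlobal`, the equivalent fix is to pass a value of the accepted form to `.password(...)`, for example `passwordEncoder().encode("password")`.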