在上一篇文章中,我们使用jdbc和md5密码编码将密码编码添加到了我们的spring安全配置中。
但是,在定制UserDetailsServices的情况下,我们需要对安全配置进行一些调整。
我们需要创建一个DaoAuthenticationProvider bean,并将其设置为AuthenticationManagerBuilder。
由于我们需要一个Custom UserDetailsService,因此我将使用Spring Security / MongoDB示例代码库。
我们要做的是更改我们的Spring Security配置。
package com.gkatzioura.spring.security.config;
import com.gkatzioura.spring.security.service.CustomerUserDetailsService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Profile;
import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
import org.springframework.security.authentication.encoding.Md5PasswordEncoder;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import javax.sql.DataSource;
/**
* Created by gkatzioura on 10/5/16.
*/
@EnableWebSecurity
@Profile("encodedcustompassword")
public class PasswordCustomEncodedSecurityConfig extends WebSecurityConfigurerAdapter {
@Bean
public UserDetailsService mongoUserDetails() {
return new CustomerUserDetailsService();
}
@Bean
public DaoAuthenticationProvider authProvider() {
DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
authProvider.setUserDetailsService(mongoUserDetails());
authProvider.setPasswordEncoder(new BCryptPasswordEncoder());
return authProvider;
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authProvider());
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/public").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.permitAll()
.and()
.logout()
.permitAll();
}
}
在大多数情况下,这可以。 但是,我们也可能希望推出自己的PasswordEncoder,这非常简单。
package com.gkatzioura.spring.security.encoder;
import org.springframework.security.crypto.bcrypt.BCrypt;
import org.springframework.security.crypto.password.PasswordEncoder;
/**
* Created by gkatzioura on 10/5/16.
*/
public class CustomPasswordEncoder implements PasswordEncoder {
@Override
public String encode(CharSequence rawPassword) {
String hashed = BCrypt.hashpw(rawPassword.toString(), BCrypt.gensalt(12));
return hashed;
}
@Override
public boolean matches(CharSequence rawPassword, String encodedPassword) {
return BCrypt.checkpw(rawPassword.toString(), encodedPassword);
}
}
因此,我们将更改配置以使用新的PasswordEncoder
@Bean
public DaoAuthenticationProvider authProvider() {
DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
authProvider.setUserDetailsService(mongoUserDetails());
authProvider.setPasswordEncoder(new CustomPasswordEncoder());
return authProvider;
}
下一步将是创建编码后的密码。
@Test
public void customEncoder() {
CustomPasswordEncoder customPasswordEncoder = new CustomPasswordEncoder();
String encoded = customPasswordEncoder.encode("custom_pass");
LOGGER.info("Custom encoded "+encoded);
}
然后将具有哈希密码的用户添加到我们的mongodb数据库中。
db.users.insert({"name":"John","surname":"doe","email":"john2@doe.com","password":"$2a$12$qB.L7buUPi2RJHZ9fYceQ.XdyEFxjAmiekH9AEkJvh1gLFPGEf9mW","authorities":["user","admin"]})
我们所需要做的就是更改gradle脚本上的默认配置文件,我们一切顺利。
bootRun {
systemProperty "spring.profiles.active", "encodedcustompassword"
}
您可以在github上找到源代码。
翻译自: https://www.javacodegeeks.com/2016/10/spring-security-custom-password-encoding.html