I can't authenticate with Spring Security in Spring using MongoDB.
Entity:
@Document(collection = "users")
public class Users {
    @Id
    private String id;
    private String username;
    private String email;
    private String password;
    private List<Notification> preferences;

    public Users(String username, String email, String password, List<Notification> preferences) {
        this.username = username;
        this.email = email;
        this.password = password;
        this.preferences = preferences;
    }

    public String getUsername() {
        return username;
    }

    public void setUsername(String username) {
        this.username = username;
    }

    public String getEmail() {
        return email;
    }

    public void setEmail(String email) {
        this.email = email;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }

    public List<Notification> getPreferences() {
        return preferences;
    }

    public void setPreferences(List<Notification> preferences) {
        this.preferences = preferences;
    }
}
Service:
@Component
public class MongoUserDetailsService implements UserDetailsService {
    @Autowired
    private UserRepository repository;

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        Users user = repository.findByUsername(username);
        if (user == null) {
            throw new UsernameNotFoundException("User not found");
        }
        List<SimpleGrantedAuthority> authorities = Arrays.asList(new SimpleGrantedAuthority("user"));
        return new User(user.getUsername(), user.getPassword(), authorities);
    }
}
Repository:
import com.example.Start.entities.Users;
import org.springframework.data.mongodb.repository.MongoRepository;
import org.springframework.stereotype.Repository;

@Repository
public interface UserRepository extends MongoRepository<Users, String> {
    Users findByUsername(String username);
}
Configuration:
@Configuration
@EnableConfigurationProperties
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    @Autowired
    MongoUserDetailsService userDetailsService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            .authorizeRequests().anyRequest().authenticated()
            .and().httpBasic()
            .and().sessionManagement().disable();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    public void configure(AuthenticationManagerBuilder builder) throws Exception {
        builder.userDetailsService(userDetailsService);
    }
}
When I try to authenticate, it gives me this: [image]
In my database, I have this user:
{
    "_id" : ObjectId("5b855813d03cce0264de3ab6"),
    "username" : "username",
    "email" : "[email protected]",
    "password" : "123"
}
Any idea what is causing this?
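The problem is that you have registered BCryptPasswordEncoder as the passwordEncoder bean, but you have stored the password in plaintext in the database. Now, during authentication, it encodes the incoming password from the HTTP request using the BCrypt algorithm and compares it with the plaintext password, which will obviously fail. That is why you get "Encoded password does not look like BCrypt", because it is not.
The quick fix is to edit your MongoDB user record so that the password field of the user with username "username" has the following value, as shown below: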
{
    "_id" : ObjectId("5b855813d03cce0264de3ab6"),
    "username" : "username",
    "email" : "[email protected]",
    "password" : "$2a$10$pIUUIHClmGYBnsJzlOHQkeecSwRGAgYlxzRfBFjEqhk6rkQdilTYC"
}
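When you encode the string "123" using the BCrypt algorithm, you get "$2a$10$pIUUIHClmGYBnsJzlOHQkeecSwRGAgYlxzRfBFjEqhk6rkQdilTYC".
But the proper fix is to add code in your application that encodes the password before saving it to the Mongo database, as shown below: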
@Autowired
private PasswordEncoder passwordEncoder;

public void saveUser(Users user) {
    // Store only the BCrypt hash, never the raw password
    user.setPassword(passwordEncoder.encode(user.getPassword()));
    // Save in mongodb
}
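An added example (not part of the original answer), assuming spring-security-crypto is on the classpath: it finds stored values that are not BCrypt hashes and encodes them once, instead of hand-editing each record. The class and method names are hypothetical, and an in-memory map of constructed sample data stands in for the users collection.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PlaintextPasswordMigration {  // hypothetical name

    // Shape of a BCrypt hash: "$2a$"-style version, two-digit cost, 53 chars of salt + digest.
    private static final Pattern BCRYPT =
            Pattern.compile("\\A\\$2[aby]?\\$\\d\\d\\$[./0-9A-Za-z]{53}");

    static boolean looksLikeBcrypt(String stored) {
        return stored != null && BCRYPT.matcher(stored).matches();
    }

    // Encodes every non-empty stored value that is not already a BCrypt hash.
    // Returns how many records were changed; safe to run more than once.
    static int migrate(Map<String, String> passwordsByUsername, PasswordEncoder encoder) {
        int changed = 0;
        for (Map.Entry<String, String> e : passwordsByUsername.entrySet()) {
            String stored = e.getValue();
            if (stored == null || stored.isEmpty() || looksLikeBcrypt(stored)) {
                continue;  // nothing to encode, or already hashed
            }
            e.setValue(encoder.encode(stored));
            changed++;
        }
        return changed;
    }

    public static void main(String[] args) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();

        // Constructed sample data: one plaintext record as in the question, one already hashed.
        Map<String, String> users = new LinkedHashMap<>();
        users.put("username", "123");
        users.put("alice", encoder.encode("s3cret"));

        // The plaintext record cannot authenticate: matches() rejects a non-BCrypt stored value.
        if (encoder.matches("123", users.get("username"))) throw new IllegalStateException();

        int first = migrate(users, encoder);
        // After migration both users authenticate, and a second run changes nothing.
        if (!encoder.matches("123", users.get("username"))) throw new IllegalStateException();
        if (!encoder.matches("s3cret", users.get("alice"))) throw new IllegalStateException();
        int second = migrate(users, encoder);
        System.out.println("changed on first run: " + first + ", on second run: " + second);
    }
}
```

In the application from the question, the same loop would read and write through UserRepository and the PasswordEncoder bean rather than a map.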