0
問題は、BCryptPasswordEncoderはログインプロセスでパスワードを暗号化しないためログインが失敗したとします。パスワード123はinvalid_grantsを返しますが、ハッシュされたパスワードがクライアントから送信されると、アクセストークンを返します。また、パスワードエンコーダにコメントが付いているときにパスワードを入力してもOKです。春の起動休憩セキュリティ基本的な認証パスワードエンコーダはログイン時にパスワードを暗号化しません
App.java
@SpringBootApplication
public class App {
@Bean
BCryptPasswordEncoder getPasswordEncoder() {
return new BCryptPasswordEncoder();
}
public static void main(String[] args) throws Exception {
SpringApplication.run(App.class, args);
}
@Autowired
public void authenticationManager(AuthenticationManagerBuilder authenticationManagerBuilder, final UserRepository userRepository, UserService userService) throws Exception {
if(userRepository.count() == 0) {
User user = new User();
Role role = new Role();
role.setName("SA");
user.setEmail("test");
user.setPassword("123");
user.setRoles(Arrays.asList(role));
user.setBlocked(false);
user.setEnable(true);
userService.save(user);
}
authenticationManagerBuilder.userDetailsService(email -> {
return userService.loadUserByUsername(email);
});
}
}
WebSecurityConfiguration.java
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled=true)
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
static final String SIGNING_KEY = "kKSMJ92Mknk38njs9HJ8KNALiuc938FH";
static final int ENCODING_STRENGTH = 256;
static final String SECURITY_REALM = "Task Manager";
@Autowired
private BCryptPasswordEncoder passwordEncoder;
@Autowired
private UserDetailsService userDetailsService;
@Autowired
private DataSource dataSource;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(userDetailsService)
.passwordEncoder(passwordEncoder)
.and()
.authenticationProvider(authenticationProvider())
.jdbcAuthentication()
.dataSource(dataSource);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/sign-up", "/sign-in", "/").permitAll()
.antMatchers("/api/**").authenticated()
.and()
.httpBasic()
.realmName(SECURITY_REALM)
.and()
.csrf()
.disable();
}
@Bean
public UserDetailsService userDetailsService() {
return super.userDetailsService();
}
@Bean
public DaoAuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider authenticationProvider = new DaoAuthenticationProvider();
authenticationProvider.setUserDetailsService(userDetailsService);
authenticationProvider.setPasswordEncoder(passwordEncoder);
return authenticationProvider;
}
UserService.java
@Service
public class UserService implements UserDetailsService {
@Autowired
private UserRepository userRepository;
@Autowired
private BCryptPasswordEncoder passwordEncoder;
public void save(User user) {
user.setPassword(passwordEncoder.encode(user.getPassword()));;
userRepository.save(user);
}
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = this.userRepository.findUserByEmail(username);
if (user == null) {
throw new UsernameNotFoundException(username);
}
return new CustomUserDetails(user);
}
}
thx alot。助かりました。 –