有没有办法为默认的spring security密码配置密码编码器

Question

我对 spring security 用户名和密码使用覆盖值。以下属性在我的

application.properties

spring.security.user.name=myUser
spring.security.user.password=myPassword
spring.security.user.roles=admin

我想按如下方式加密密码值：

spring.security.user.name=myUser
spring.security.user.password={bcrypt}hashedpassword valuevalue
spring.security.user.roles=admin

我在我的 SpringConfig 中添加了 PasswordEncoder：

@Bean
public PasswordEncoder encoder() {
    return new BCryptPasswordEncoder();
}

在某些示例中，我注意到有 AuthenitcationManagerBuilder 但我不知道应该使用什么数据源。我还需要为默认用户使用加密密码吗？

@Autowired
public void configAuthentication(AuthenticationManagerBuilder auth) 
        throws Exception {

添加我的 spring 安全配置作为参考：

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
            .disable()
            .authorizeRequests().antMatchers("/api/v1/custom").hasRole("admin")
            .anyRequest()
            .authenticated()
            .and()
            .httpBasic();

        http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }

    @Bean
    public PasswordEncoder encoder() {
        return new BCryptPasswordEncoder();
    }

Answer 1

抓取：

$2a$12$7Bg57uTtN7GWIdiqRW4h5e/aOUFagHwkEGv9byUr0bb/QbUU8S4rS

输入：

hello

... 来自（例如 thx）：https://bcrypt-generator.com/

和：

• spring-starter (web, security),
• application.properties:

  spring.security.user.password={bcrypt}$2a$12$7Bg57uTtN7GWIdiqRW4h5e/aOUFagHwkEGv9byUr0bb/QbUU8S4rS
  

• 和任何（休息）控制器：

  @GetMapping("secured")
  public String secured() {
     return "secured";
  }
  

• 我们可以用user=user和password=hello登录。

添加：

@Bean
public PasswordEncoder encoder() {
  return new BCryptPasswordEncoder();
}

休息这种行为！！要“修复它”，我们可以 (application.properties)：

spring.security.user.password=$2a$12$7Bg57uTtN7GWIdiqRW4h5e/aOUFagHwkEGv9byUr0bb/QbUU8S4rS

..省略“标签”{bcrypt}！ ...

负责“标签”/能够使用多种算法的是 DelegatingPasswordEncoder，它是自动配置的（通过 [AuthenticationConfiguration|HttpSecurityConfiguration].LazyPasswordEncoder ..if没有别的找到 PasswordEncoder bean）并使用 PasswordEncoderFactories 在幕后，喜欢 (currently) 这个：

@SuppressWarnings("deprecation")
public static PasswordEncoder createDelegatingPasswordEncoder() {
  String encodingId = "bcrypt";
  Map<String, PasswordEncoder> encoders = new HashMap<>();
  encoders.put(encodingId, new BCryptPasswordEncoder());
  encoders.put("ldap", new org.springframework.security.crypto.password.LdapShaPasswordEncoder());
  encoders.put("MD4", new org.springframework.security.crypto.password.Md4PasswordEncoder());
  encoders.put("MD5", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("MD5"));
  encoders.put("noop", org.springframework.security.crypto.password.NoOpPasswordEncoder.getInstance());
  encoders.put("pbkdf2", Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_5());
  encoders.put("pbkdf2@SpringSecurity_v5_8", Pbkdf2PasswordEncoder.defaultsForSpringSecurity_v5_8());
  encoders.put("scrypt", SCryptPasswordEncoder.defaultsForSpringSecurity_v4_1());
  encoders.put("scrypt@SpringSecurity_v5_8", SCryptPasswordEncoder.defaultsForSpringSecurity_v5_8());
  encoders.put("SHA-1", new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-1"));
  encoders.put("SHA-256",
          new org.springframework.security.crypto.password.MessageDigestPasswordEncoder("SHA-256"));
  encoders.put("sha256", new org.springframework.security.crypto.password.StandardPasswordEncoder());
  encoders.put("argon2", Argon2PasswordEncoder.defaultsForSpringSecurity_v5_2());
  encoders.put("argon2@SpringSecurity_v5_8", Argon2PasswordEncoder.defaultsForSpringSecurity_v5_8());
  return new DelegatingPasswordEncoder(encodingId, encoders);
}