主页 / 问题 / 1097931
Accepted
invzbl3
Asked:2020-03-22 09:44:29 +0000 UTC2020-03-22 09:44:29 +0000 UTC

Spring Security:为 id “null”映射的 PasswordEncoder

  • 772

我正在使用 Spring 2.2.5.RELEASE

使用用户名和密码发送 GET 请求时,我收到如下错误:

java.lang.IllegalArgumentException: There is no PasswordEncoder mapped for the id "null"
    at org.springframework.security.crypto.password.DelegatingPasswordEncoder$UnmappedIdPasswordEncoder.matches(DelegatingPasswordEncoder.java:250) ~[spring-security-core-5.2.2.RELEASE.jar:5.2.2.RELEASE]
    at org.springframework.security.crypto.password.DelegatingPasswordEncoder.matches(DelegatingPasswordEncoder.java:198) ~[spring-security-core-5.2.2.RELEASE.jar:5.2.2.RELEASE]
    at org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration$LazyPasswordEncoder.matches(AuthenticationConfiguration.java:312) ~[spring-security-config-5.2.2.RELEASE.jar:5.2.2.RELEASE]
    at org.springframework.security.authentication.dao.DaoAuthenticationProvider.additionalAuthenticationChecks(DaoAuthenticationProvider.java:90) ~[spring-security-core-5.2.2.RELEASE.jar:5.2.2.RELEASE]
    at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:166) ~[spring-security-core-5.2.2.RELEASE.jar:5.2.2.RELEASE]
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:175) ~[spring-security-core-5.2.2.RELEASE.jar:5.2.2.RELEASE]
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:195) ~[spring-security-core-5.2.2.RELEASE.jar:5.2.2.RELEASE]

配置是这样写的:

@Configuration
public class SpringSecurityConfiguration_InMemory extends WebSecurityConfigurerAdapter {
    @Autowired
    protected void configureGlobal(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.inMemoryAuthentication().
                withUser("user").password("password")
                .roles("USER");
        auth.
                inMemoryAuthentication().withUser("admin").
                password("password")
                .roles("USER", "ADMIN");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .httpBasic().and()
                .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/api/user/")
                .hasRole("USER")
                .antMatchers(HttpMethod.POST, "/api/user/")
                .hasRole("USER")
                .antMatchers(HttpMethod.PUT, "/api/user/**")
                .hasRole("USER")
                .antMatchers(HttpMethod.DELETE, "/api/user/**")
                .hasRole("ADMIN")
                .and()
                .csrf()
                .disable();
    }
}

如何纠正错误?

java

1 个回答

  1. Best Answer

    问题原因

    密码无法解码,因为没有为我们的内存身份验证设置密码编码器。
    资源

    从 Spring Security 5.0 开始,它被用来DelegatingPasswordEncoder代替NoOpPasswordEncoder. 它也可能是一种替代方案BCryptPasswordEncoder,但更好DelegatingPasswordEncoder

    为了解决这个错误,在方法中使用NoOpPasswordEncoderinMemoryAuthentication ,按照原理添加{noop}(简写为No Operation):

       @Autowired
   protected void configureGlobal(AuthenticationManagerBuilder auth)
            throws Exception {
        auth.inMemoryAuthentication().
                withUser("user").password("{noop}password")
                .roles("USER");
        auth.
                inMemoryAuthentication().withUser("admin").
                password("{noop}password")
                .roles("USER", "ADMIN");
    }

    但这并不安全,因为。NoOpPasswordEncoder已弃用:

    已弃用。 此 PasswordEncoder 不安全。而是使用自适应单向函数,如 BCryptPasswordEncoder、Pbkdf2PasswordEncoder 或 SCryptPasswordEncoder。更好地使用支持密码升级的 DelegatingPasswordEncoder。

    同样,您可以使用BCryptPasswordEncoder

    @Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

@Autowired
protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {

    auth.inMemoryAuthentication()
            .withUser("user").password(passwordEncoder().encode("password"))
            .roles("USER");
    auth.inMemoryAuthentication()
            .withUser("admin").password(passwordEncoder().encode("password"))
            .roles("USER", "ADMIN");
}

    否则DelegatingPasswordEncoder

       protected void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder =
                PasswordEncoderFactories.createDelegatingPasswordEncoder();
        auth.inMemoryAuthentication()
                .withUser("user").password(encoder.encode("password"))
                .roles("USER");
        auth.inMemoryAuthentication()
                .withUser("admin").password(encoder.encode("password"))
                .roles("USER", "ADMIN");
    }

    另见英文示例。.

    • 1

相关问题