
spring - AuthenticationManagerBuilder in SpringBoot 2.0.1.RELEASE

Reposted. Author: 行者123. Updated: 2023-12-02 20:26:27

I have a SpringBoot 2.0.1.RELEASE MVC application, so in the security configuration I defined this method:

@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    auth
        .inMemoryAuthentication()
        .withUser(User
            .withDefaultPasswordEncoder()
            .username(DEV_USER)
            .password(DEV_PWD)
            .roles("ADMIN").build());
}

However, it seems that the method withDefaultPasswordEncoder() of the type User is deprecated, and I don't know which one I have to use instead.

Best answer

From the Spring Framework Doc

@Deprecated
public static User.UserBuilder withDefaultPasswordEncoder()

Deprecated. Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details.

WARNING: This method is considered unsafe for production and is only intended for sample applications.

UserDetails user = User.withDefaultPasswordEncoder()
    .username("user")
    .password("password")
    .roles("USER")
    .build();
// outputs {bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG
System.out.println(user.getPassword());

This is not safe for production (it is intended for getting started experience) because the password "password" is compiled into the source code and then is included in memory at the time of creation. This means there are still ways to recover the plain text password making it unsafe. It does provide a slight improvement to using plain text passwords since the UserDetails password is securely hashed. This means if the UserDetails password is accidentally exposed, the password is securely stored. In a production setting, it is recommended to hash the password ahead of time. For example:

PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
// outputs {bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG
// remember the password that is printed out and use in the next step
System.out.println(encoder.encode("password"));

UserDetails user = User.withUsername("user")
    .password("{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG")
    .roles("USER")
    .build();

Returns: a UserBuilder that automatically encodes the password with the default PasswordEncoder

To answer your question, you can do this:

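@Autowired // required so that Spring calls this method, as in the question's version
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    // Delegating encoder: its output carries the algorithm id as a prefix, e.g. {bcrypt}
    PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
    UserDetails userDetails = User.withUsername(DEV_USER)
        .password(encoder.encode(DEV_PWD))
        .roles("ADMIN")
        .build();
    auth.inMemoryAuthentication().withUser(userDetails);
}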
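
The Javadoc quoted above recommends hashing the password ahead of time. As an added example (not part of the original answer or of Spring's documentation), the configuration below takes an already-computed hash from external configuration, so no plain-text password is compiled into the application, and refuses to start if the value is not a `{bcrypt}` hash. The class name and the `app.dev-user.*` property names are assumptions.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical class; the app.dev-user.* property names are assumptions, not from the page.
@EnableWebSecurity
public class DevUserSecurityConfig {

    @Autowired
    public void configureGlobal(
            AuthenticationManagerBuilder auth,
            @Value("${app.dev-user.name}") String devUser,
            @Value("${app.dev-user.password-hash}") String devPasswordHash) throws Exception {

        // Fail fast if the configured value is plain text or {noop} rather than a
        // hash produced ahead of time by the delegating encoder.
        if (!devPasswordHash.startsWith("{bcrypt}")) {
            throw new IllegalStateException(
                    "app.dev-user.password-hash must be a {bcrypt}-prefixed hash");
        }

        // The delegating encoder reads the {id} prefix to choose how to verify a login.
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        UserDetails userDetails = User.withUsername(devUser)
                .password(devPasswordHash) // stored as supplied; never encode() a hash again
                .roles("ADMIN")
                .build();

        auth.inMemoryAuthentication()
                .passwordEncoder(encoder)
                .withUser(userDetails);
    }
}
```

Generate the hash once, outside the application, with `encoder.encode(...)` as in the Javadoc snippet, and supply it through the environment or an external properties file.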

Regarding spring - AuthenticationManagerBuilder in SpringBoot 2.0.1.RELEASE, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/49755413/
