spring - SpringBoot 2.0.1.RELEASE 中的 AuthenticationManagerBuilder

Question

我有一个 SpringBoot 2.0.1.RELEASE mvc 应用程序，因此在安全配置中我定义了此方法:

@Autowired
 public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth
                    .inMemoryAuthentication()
                    .withUser(User
                            .withDefaultPasswordEncoder()
                            .username(DEV_USER)
                            .password(DEV_PWD)
                            .roles("ADMIN").build());
        }

但是似乎 User 类型的方法 withDefaultPasswordEncoder() 已被弃用，但我不知道我必须使用哪个，

Answer 1

来自Spring Framework Doc

@Deprecated
public static User.UserBuilder withDefaultPasswordEncoder()

Deprecated. Using this method is not considered safe for production, but is acceptable for demos and getting started. For production purposes, ensure the password is encoded externally. See the method Javadoc for additional details.

WARNING: This method is considered unsafe for production and is only intended for sample applications.

UserDetails user = User.withDefaultPasswordEncoder()
     .username("user")
     .password("password")
     .roles("USER")
     .build();
 // outputs {bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG
 System.out.println(user.getPassword());

This is not safe for production (it is intended for getting started experience) because the password "password" is compiled into the source code and then is included in memory at the time of creation. This means there are still ways to recover the plain text password making it unsafe. It does provide a slight improvement to using plain text passwords since the UserDetails password is securely hashed. This means if the UserDetails password is accidentally exposed, the password is securely stored. In a production setting, it is recommended to hash the password ahead of time. For example:

PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
 // outputs {bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG
 // remember the password that is printed out and use in the next step
 System.out.println(encoder.encode("password"));



UserDetails user = User.withUsername("user")
     .password("{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG")
     .roles("USER")
     .build();

返回: 一个 UserBuilder，它使用默认的 PasswordEncoder 自动对密码进行编码

要回答您的问题，您可以这样做:

public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        UserDetails userDetails = User.withUsername(DEV_USER)
                 .password(encoder.encode(DEV_PWD))
                 .roles("ADMIN")
                 .build();
        auth.inMemoryAuthentication().withUser(userDetails);
    }