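Digest authentication with Spring Security, BCrypt and Spring Data REST

I have implemented digest authentication in Spring Security, and it worked fine until I set it up to use BCrypt for encryption.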
```java
@Bean
public DigestAuthenticationEntryPoint digestEntryPoint() {
    DigestAuthenticationEntryPoint digestAuthenticationEntryPoint = new DigestAuthenticationEntryPoint();
    digestAuthenticationEntryPoint.setKey("myKey");
    digestAuthenticationEntryPoint.setRealmName("Digest Realm");
    return digestAuthenticationEntryPoint;
}

@Bean
public DigestAuthenticationFilter digestAuthenticationFilter(
        DigestAuthenticationEntryPoint digestAuthenticationEntryPoint) {
    DigestAuthenticationFilter digestAuthenticationFilter = new DigestAuthenticationFilter();
    digestAuthenticationFilter.setAuthenticationEntryPoint(digestEntryPoint());
    // digestAuthenticationFilter.setPasswordAlreadyEncoded(true);
    digestAuthenticationFilter.setUserDetailsService(userDetailsServiceBean());
    return digestAuthenticationFilter;
}
```
This is how I set up the beans to enable digest and use them:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .exceptionHandling()
            .authenticationEntryPoint(digestEntryPoint())
            .and()
        .addFilter(digestAuthenticationFilter(digestEntryPoint()))
        //.httpBasic()
        //.and()
        .antMatcher("/**")
        .csrf()
            .disable()
        .authorizeRequests()
            .anyRequest()
            .authenticated()
            .and()
        .formLogin()
            .permitAll()
            .and()
        .logout()
            .deleteCookies("remove")
            .invalidateHttpSession(true)
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .logoutSuccessUrl("/login")
            .permitAll();
}
```
The problem is that the MD5 response generated on the server side and my own response do not match. In DigestAuthenticationFilter.java:
```java
if (!serverDigestMd5.equals(digestAuth.getResponse())) {
    if (logger.isDebugEnabled()) {
        logger.debug("Expected response: '" + serverDigestMd5
                + "' but received: '" + digestAuth.getResponse()
                + "'; is AuthenticationDao returning clear text passwords?");
    }
    fail(request,
            response,
            new BadCredentialsException(messages.getMessage(
                    "DigestAuthenticationFilter.incorrectResponse",
                    "Incorrect response")));
    return;
}
```
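On the server, `serverDigestMd5` is created from the password hash, but on the client side (using Postman) I use the unsalted password, and that is how the response is generated. If I use the salted password on the client side it works, but that is not really an option. Is there a way to make it work without using the salted password on the client side?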
If I remember correctly, HTTP digest authentication is always based on MD5. So I'm not sure how you would switch.
[Using Spring-Security PasswordEncoder with default authentication provider?](http://stackoverflow.com/questions/27317368/using-spring-security-passwordencoder-with-default-authentication-provider) – holmis83
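
Added example, not code from the post or from Spring Security: the RFC 2617 `qop=auth` response computed from the clear-text password, from a stored BCrypt-style string, and from a stored HA1 (the format `setPasswordAlreadyEncoded(true)` expects), showing which of these agree with the client. The class name, user name, password, nonce values and the BCrypt-style string are constructed for the demo; only the realm name comes from the question.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class DigestMismatchDemo {

    // Lower-case hex MD5, as used throughout RFC 2617.
    static String md5Hex(String s) throws Exception {
        byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.ISO_8859_1));
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // HA1 = MD5(username:realm:secret); "secret" is whatever the computing side holds.
    static String ha1(String user, String realm, String secret) throws Exception {
        return md5Hex(user + ":" + realm + ":" + secret);
    }

    // response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri), for qop=auth.
    static String response(String ha1, String method, String uri,
                           String nonce, String nc, String cnonce) throws Exception {
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + nc + ":" + cnonce + ":auth:" + ha2);
    }

    public static void main(String[] args) throws Exception {
        // All values below are constructed, except the realm name taken from the question.
        String user = "alice", realm = "Digest Realm", clear = "s3cret";
        String stored = "$2a$10$CONSTRUCTEDPLACEHOLDERHASHVALUE"; // stands in for a BCrypt hash
        String nonce = "bm9uY2U=", nc = "00000001", cnonce = "0a4f113b";

        // Client (e.g. Postman) only knows the clear-text password.
        String client = response(ha1(user, realm, clear), "GET", "/", nonce, nc, cnonce);
        // Server whose UserDetailsService returns the BCrypt string as the "password".
        String serverBcrypt = response(ha1(user, realm, stored), "GET", "/", nonce, nc, cnonce);
        // Server that stored HA1 at enrolment and uses it directly.
        String storedHa1 = ha1(user, realm, clear);
        String serverHa1 = response(storedHa1, "GET", "/", nonce, nc, cnonce);

        System.out.println("client == server(BCrypt stored): " + client.equals(serverBcrypt));
        System.out.println("client == server(HA1 stored):    " + client.equals(serverHa1));
    }
}
```

A stored HA1 is enough on its own to compute valid responses for that realm, so it needs the same protection as a clear-text password.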