Spring Security 5 - Password Migration

This is a continuation of an earlier question.

I'm trying to port an OAuth2 application to Spring Boot 2 / Security 5. According to one of the comments in my previous question (and this), it looks like the password storage format is changing.

In my original (Spring 1.5.9) application, I explicitly specified BCrypt:

// AppConfig

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}

// SecurityConfig

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userService)
        .passwordEncoder(passwordEncoder);
}

This led to the error that the password "did not look like BCrypt" (the reason for my previous question).

Thanks to the comment in response to my previous question, it seemed that I would need to prefix the saved password with {bcrypt}. I also replaced my PasswordEncoder @Bean with:

PasswordEncoder passwordEncoder =
    PasswordEncoderFactories.createDelegatingPasswordEncoder();

However, this led to the following error:

java.lang.IllegalArgumentException: There is no PasswordEncoder mapped for the id "null"

Next, I tried to change the @Bean to the following:

@Bean
public PasswordEncoder passwordEncoder() {
    String idForEncode = "bcrypt";
    Map<String, PasswordEncoder> encoders = new HashMap<>();
    encoders.put(idForEncode, new BCryptPasswordEncoder());
    encoders.put("pbkdf2", new Pbkdf2PasswordEncoder());
    encoders.put("scrypt", new SCryptPasswordEncoder());

    // idForEncode is used for encode(); matches() picks the encoder from the {id} prefix
    return new DelegatingPasswordEncoder(idForEncode, encoders);
}

The user is created and saved with:

@Bean
public CommandLineRunner demo(UserRepository repository) {
    return (args) -> {
        OAuthUser user = new OAuthUser();
        user.setFirstName("K");
        user.setLastName("M");
        user.setPassword(passwordEncoder.encode("L")); // the PasswordEncoder bean above
        user.setUserName("KLM");

        repository.save(user);
    };
}

which stores the password as:

{bcrypt}$2a$10$p/W7UV.fkghBRMzuDhh7z.G0uPLze9yFMLarbHdmwinzlqAHrMUQi.

The login request:

# web:secret are the OAuth2 client id and secret, sent as HTTP Basic auth.
# curl sets the multipart Content-Type and boundary itself for --form.
curl --request POST \
  --url http://web:secret@localhost:8090/oauth/token \
  --form grant_type=password \
  --form username=KLM \
  --form password=L

Result: the same error, "There is no PasswordEncoder mapped for the id "null"".

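The behaviour behind the error in this question, as an added example that is not code from the post: what DelegatingPasswordEncoder does with the {id} prefix, why a value without a prefix produces 'There is no PasswordEncoder mapped for the id "null"', and the two ways out (a fallback encoder for unprefixed values, or prefixing the stored value once). It assumes only spring-security-crypto 5.0+ on the classpath; the legacy hash is constructed inside the example.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.DelegatingPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Added example (not from the original post). Demonstrates the {id}hash
 * storage format introduced by DelegatingPasswordEncoder in Spring Security 5.
 */
public class PrefixDemo {

    // A hash exactly as the pre-5.0 application stored it: raw bcrypt, no {id} prefix.
    // Constructed here for the example.
    static final String LEGACY_HASH = new BCryptPasswordEncoder().encode("L");

    /** True if the encoder accepts the hash; false if it rejects it with the "null id" error. */
    static boolean canMatch(PasswordEncoder encoder, String rawPassword, String stored) {
        try {
            return encoder.matches(rawPassword, stored);
        } catch (IllegalArgumentException e) {
            // Message: There is no PasswordEncoder mapped for the id "null"
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // 1. The factory encoder encodes with bcrypt and prefixes the id; matches() reads
        //    the prefix back, so it knows which algorithm produced the hash.
        PasswordEncoder delegating = PasswordEncoderFactories.createDelegatingPasswordEncoder();
        String stored = delegating.encode("L");
        System.out.println("new format:  " + stored);                 // {bcrypt}$2a$10$...
        System.out.println("prefixed ok: " + canMatch(delegating, "L", stored));

        // 2. The same encoder refuses a legacy hash: with no prefix the id is null and,
        //    by default, nothing is mapped for null. Spring does not guess from the $2a$ shape.
        System.out.println("legacy:      " + canMatch(delegating, "L", LEGACY_HASH));

        // 3a. Fix in code: declare what unprefixed values are. This is what "I already
        //     specified BCrypt" has to look like for the delegating encoder.
        Map<String, PasswordEncoder> encoders = new HashMap<>();
        encoders.put("bcrypt", new BCryptPasswordEncoder());
        DelegatingPasswordEncoder withFallback = new DelegatingPasswordEncoder("bcrypt", encoders);
        withFallback.setDefaultPasswordEncoderForMatches(new BCryptPasswordEncoder());
        System.out.println("fallback:    " + canMatch(withFallback, "L", LEGACY_HASH));

        // 3b. Fix in data: prefix the stored value once. Nothing is re-hashed, so this is
        //     safe to do in bulk with an UPDATE; everything encode() writes afterwards is prefixed.
        System.out.println("relabelled:  " + canMatch(delegating, "L", "{bcrypt}" + LEGACY_HASH));

        // The same rule applies to any other credential the encoder checks, e.g. an OAuth2
        // client secret stored in the clear must at least carry {noop} to be matched at all.
        System.out.println("noop secret: " + canMatch(delegating, "secret", "{noop}secret"));
    }
}
```

Option 3a keeps working for hashes that are never relabelled, but it only covers one legacy algorithm; option 3b is the cleaner end state because every row then says which encoder it needs. {noop} is useful to get a dev client past the error, not as a storage format.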

Answer:


The PasswordEncoder bean:

@Bean
public PasswordEncoder passwordEncoder() {
    return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    //return new BCryptPasswordEncoder();
}

AuthorizationServerSecurityConfigurer and ClientDetailsServiceConfigurer, where the same encoder is set:

@EnableAuthorizationServer
@Configuration
public class AuthConfig extends AuthorizationServerConfigurerAdapter {

    // Some code omitted for brevity (the injected passwordEncoder, appConfig, tokenStore,
    // converter, userService and authenticationManager fields used below)

    @Override
    public void configure(AuthorizationServerSecurityConfigurer security) throws Exception {
        // The same delegating encoder verifies client secrets, so stored secrets
        // also need the {id} prefix or the "id null" error appears at /oauth/token.
        security.passwordEncoder(passwordEncoder);
        // permitAll() leaves /oauth/check_token and /oauth/token_key unauthenticated:
        // anyone can introspect tokens and fetch the verifier key. Tighten this
        // (e.g. isAuthenticated()) outside development.
        security.checkTokenAccess("permitAll()");
        security.tokenKeyAccess("permitAll()");
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer configurer) throws Exception {
        JdbcClientDetailsService details = new JdbcClientDetailsService(appConfig.dataSource());
        details.setPasswordEncoder(passwordEncoder);

        configurer.withClientDetails(details);
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore)
            .accessTokenConverter(converter)
            .userDetailsService(userService)
            .authenticationManager(authenticationManager);
    }
}

SecurityConfig, AuthenticationManagerBuilder:

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.userDetailsService(userService).passwordEncoder(passwordEncoder);
}

ResourceServer, HttpSecurity:

@EnableResourceServer
@Configuration
public class ResourceConfig extends ResourceServerConfigurerAdapter {

    private final AppConfig appConfig;
    private final AuthenticationManager authenticationManager;

    @Autowired
    private ResourceServerTokenServices tokenService;

    // Constructor injection; the authenticationManager field no longer needs its own @Autowired.
    @Autowired
    public ResourceConfig(AuthenticationManager authenticationManager, AppConfig appConfig) {
        this.authenticationManager = authenticationManager;
        this.appConfig = appConfig;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        resources.resourceId("321");
        resources.tokenServices(tokenService);
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // frameOptions().disable() and the open /h2/** route exist only for the H2 web console;
        // keep both out of non-development profiles.
        http.headers().frameOptions().disable()
            .and().authorizeRequests()
                .antMatchers("/user/**").hasAuthority("ROLE_ADMIN")
                .antMatchers("/h2/**").permitAll();
    }
}


+4
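The data side of the answer above, as an added example that is not part of the answer: once the delegating encoder is wired into both the user store and JdbcClientDetailsService, every stored credential it is asked to match has to carry an {id} prefix, including the OAuth2 client secret. The migration below relabels legacy bcrypt hashes as {bcrypt}... and hashes anything that is still plain text. The table and column names (users.password, oauth_client_details.client_secret) are assumptions for the example; oauth_client_details is the default schema JdbcClientDetailsService reads, users is a guess at the application's own table.

```java
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

import javax.sql.DataSource;

import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

/**
 * Added example, not code from the answer. One-off migration of stored credentials
 * into the {id}hash form expected by DelegatingPasswordEncoder. Run once, before the
 * application is switched to the delegating encoder.
 */
public class PrefixMigration {

    // Unprefixed bcrypt output: $2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char hash.
    private static final Pattern BCRYPT =
            Pattern.compile("^\\$2[aby]\\$\\d{2}\\$[./A-Za-z0-9]{53}$");

    private final JdbcTemplate jdbc;
    // encode() produces {bcrypt}...; that is the id written for re-hashed values.
    private final PasswordEncoder encoder = PasswordEncoderFactories.createDelegatingPasswordEncoder();

    public PrefixMigration(DataSource dataSource) {
        this.jdbc = new JdbcTemplate(dataSource);
    }

    /** Returns the {id}-prefixed value to store, or null when the row needs no change. */
    String migrated(String stored) {
        if (stored == null || stored.startsWith("{")) {
            return null;                        // already {id}... (or no credential at all)
        }
        if (BCRYPT.matcher(stored).matches()) {
            return "{bcrypt}" + stored;         // legacy hash: label it, nothing is re-hashed
        }
        // Anything else is treated as a plain-text secret (an old client secret such as
        // "secret") and hashed on the way in. {noop} would also satisfy the encoder
        // but would leave the secret readable in the table.
        return encoder.encode(stored);
    }

    /**
     * Rewrites one credential column and returns the number of rows changed.
     * Identifiers are compile-time constants here; never build SQL from user input.
     */
    int migrateColumn(String table, String keyColumn, String secretColumn) {
        // JdbcTemplate returns case-insensitive maps, so H2's upper-cased names still resolve.
        List<Map<String, Object>> rows =
                jdbc.queryForList("SELECT " + keyColumn + ", " + secretColumn + " FROM " + table);
        int changed = 0;
        for (Map<String, Object> row : rows) {
            String updated = migrated((String) row.get(secretColumn));
            if (updated != null) {
                jdbc.update("UPDATE " + table + " SET " + secretColumn + " = ? WHERE " + keyColumn + " = ?",
                        updated, row.get(keyColumn));
                changed++;
            }
        }
        return changed;
    }

    /** Both stores the delegating encoder is consulted for: application users and OAuth2 clients. */
    public void run() {
        int users = migrateColumn("users", "id", "password");
        int clients = migrateColumn("oauth_client_details", "client_id", "client_secret");
        System.out.println("users relabelled/rehashed: " + users + ", clients: " + clients);
    }
}
```

After the run, a quick check that nothing was missed is a count of rows whose credential column does not start with "{"; if it is non-zero, the "id null" error will still occur for exactly those users or clients.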

Source: https://habr.com/ru/post/1694775/

