How to use Spring security without password encoding?

前端 未结 4 2555
误落风尘
误落风尘 2021-02-20 10:49

I\'m trying to learn Spring security currently. I used BCryptPasswordEncoder to encode user password before persisting into a database

Code:



        
相关标签:
4条回答
  • 2021-02-20 11:07

    Did you try

    @Bean
    public static NoOpPasswordEncoder passwordEncoder() {
      return (NoOpPasswordEncoder) NoOpPasswordEncoder.getInstance();
    }
    

    And then in configure global security

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
            auth.jdbcAuthentication().usersByUsernameQuery(usersQuery).dataSource(dataSource)
                    .authoritiesByUsernameQuery(rolesQuery).passwordEncoder(passwordEncoder());
        }
    
    0 讨论(0)
  • 2021-02-20 11:15

    Unsure if it is what you're after but a little cheap workaround I used so I didn't have to worry about encoding my database yet was

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
    
    @Autowired
      DataSource dataSource;
    
      @Autowired
      public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
        auth.jdbcAuthentication().dataSource(dataSource)
            .usersByUsernameQuery("select username,CONCAT('{noop}',password),true from 
    public.\"Users\" where username=?")
            .authoritiesByUsernameQuery("select username,role from public.\"Users\" where 
    username=?");
    }
    ...
    

    Note instead of grabbing the password I am concatenating it with {noop} first to tell the system to not use encoding.

    Probably a sin but it works for now.

    0 讨论(0)
  • 2021-02-20 11:23

    With Spring Security 5 encryption on passwords is always enabled. The encryption used by default is bcrypt. What is neat about Spring Security 5 is that it actually allows you to specify, in your password, which encryption was used to create the has.

    For this see the Password Storage Format in the Spring Security Reference Guide. In short it allows you to prefix your password for a well known key to an algorithm. The storage format is {<encryption>}<your-password-hash>.

    When using nothing it would become {noop}your-password (which would use the NoOpPasswordEncoder and {bcrypt}$a2...... would use the BcryptPasswordEncoder. There are several algorithms supported out-of-the-box, but you can also define your own.

    To define your own create your own PasswordEncoder and register it under a key with the DelegatingPasswordEncoder.

    0 讨论(0)
  • 2021-02-20 11:23

    Maybe you can implement this simple code to evade Spring Encoder

    public class PasswordEnconderTest implements PasswordEncoder {
        @Override
        public String encode(CharSequence charSequence) {
            return charSequence.toString();
        }
    
        @Override
        public boolean matches(CharSequence charSequence, String s) {
            return charSequence.toString().equals(s);
        }
    }
    

    and add in your WebSecurityConfig:

    @Bean
    public PasswordEncoder passwordEncoder(){
        return new PasswordEnconderTest();
    }
    

    it's not recommended but you can implement

    0 讨论(0)
提交回复
热议问题