Article Directory
- SpringSecurity user authentication: three ways to set the user name and password
- First understand the meaning of a few words
- Spring Security default user authentication
- 1. User authentication through configuration file
- 2. User authentication through configuration class
- 3. User authentication through a custom UserDetailsService implementation class (needs to query the database)
SpringSecurity user authentication: three ways to set the user name and password
First understand the meaning of a few words:
Authentication: authentication, i.e. verifying who the user is
AuthenticationManagerBuilder: the builder used to configure the AuthenticationManager
encoder: encoder
PasswordEncoder: password encoder, the interface that hashes a password and checks a submitted password against the stored hash
Spring Security default user authentication
Let's first look at what the user name and password are when Spring Security's default user authentication is used.
1. User authentication through configuration file
Let's first look at the SecurityAutoConfiguration auto-configuration class, shown below.
Then look at the SecurityProperties class, shown below. It defines the default user: the name user and a randomly generated password that Spring Boot prints in the startup log. Both can be overridden in the configuration file with spring.security.user.name and spring.security.user.password.
2. User authentication through configuration class
First, the configuration class needs to extend the WebSecurityConfigurerAdapter class. WebSecurityConfigurerAdapter is an adapter: when configuring, we write our own configuration class that extends it and then add the configuration our application needs.
You can also keep several users, each with their own roles, in memory at the same time; chain the user definitions with the and() method.
```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Custom authentication rules (class name assumed); no PasswordEncoder is set, which causes the exception discussed next
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .withUser("zhangsan").password("12345").roles("SuperAdmin")
            .and()
            .withUser("lisi").password("12345").roles("Admin")
            .and()
            .withUser("wangwu").password("12345").roles("Employee");
    }
}
```
The exception: There is no PasswordEncoder mapped for the id "null"
Cause of the exception
The following focuses on the There is no PasswordEncoder mapped for the id "null" exception shown in the figure above and explains how to solve it:
Spring Security 5.0 added a variety of password encoders (hashing algorithms) and also changed the default password storage format.
Let's take a look at the official documentation:
The general format for a password is:
{id}encodedPassword
Such that id is an identifier used to look up which PasswordEncoder should be used and encodedPassword is the original encoded password for the selected PasswordEncoder. The id must be at the beginning of the password, start with { and end with }. If the id cannot be found, the id will be null. For example, the following might be a list of passwords encoded using different id. All of the original passwords are "password".
{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG
{noop}password
{pbkdf2}5d923b44a6d129f3ddf3e3c8d29412723dcbde72445e8ef6bf3b508fbf17fa4ed4d6b99ca763d8dc
{scrypt}$e0801$8bWJaSu2IKSn9Z9kM+TPXfOc/9bdYSrN1oD9qfVThWEwdRTnO7re7Ei+fUZRJ68k9lTyuTeUp4of4g24hHnazw==$OAOec05+bXxvuu/1qZ6NUR+xQYvYv7BeL1QxwRpY5Pc=
{sha256}97cde38028ad898ebc02e690819fa220e88c62e0699403e94fff291cfffaf8410849f27605abcbc0
This passage means that Spring Security stores passwords in the form "{id}encodedPassword". The id at the front names the encoding (hashing) method, for example bcrypt or sha256, and the rest is the encoded password. When the program reads a stored password it first looks for the id enclosed by "{" and "}" to determine how the password was encoded; if it finds none, the id is treated as null. **That is why our program reports: There is no PasswordEncoder mapped for the id "null".** The example in the official document shows the same original password, "password", stored with each of the different encoding methods.
Solution
You need to modify the code in configure(). The password must be encoded in some way before it is compared; Spring Security officially recommends bcrypt.
Storing the password in memory
The code becomes:
```java
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    // inMemoryAuthentication: users are read from memory; the encoder is set before the users are added
    auth.inMemoryAuthentication().passwordEncoder(new BCryptPasswordEncoder())
        .withUser("user1").password(new BCryptPasswordEncoder().encode("123")).roles("USER");
}
```
Adding ".passwordEncoder(new BCryptPasswordEncoder())" after inMemoryAuthentication() tells Spring Security to use BCrypt when checking the password submitted at login. The earlier ".password("123")" becomes ".password(new BCryptPasswordEncoder().encode("123"))", which stores the BCrypt hash of the password in memory. If the submitted password matches the stored hash, the password is correct and login is allowed.
Summary: when the user logs in, the password from the front end is processed by the BCrypt encoder, and the stored password has the format {id}password, so the program first obtains the encoding method from {id}. If passwordEncoder(new BCryptPasswordEncoder()) is not written, the value from the front end is not processed with BCrypt, the program cannot find an {id} in the password, and it reports the exception There is no PasswordEncoder mapped for the id "null". passwordEncoder(new BCryptPasswordEncoder()) can be understood as telling the system which encoder to apply to the data from the front end. When it is present, the BCrypt-processed submitted password is compared with the BCrypt hash stored in memory; if they match, login is allowed.
PasswordEncoder interface
BCryptPasswordEncoder is an implementation class of the PasswordEncoder interface.
When storing a password, call the encode method of the chosen implementation class, such as BCryptPasswordEncoder. When the user logs in, the matches method is called automatically to compare the submitted password with the stored hash.
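The following is an added example, not code from the original post, that demonstrates the "{id}encodedPassword" format explained above and the encode/matches pair of the PasswordEncoder interface. It uses only the public Spring Security 5 classes PasswordEncoderFactories, BCryptPasswordEncoder and PasswordEncoder; the class name PasswordFormatDemo and the sample passwords are made up for the example.

```java
// Added example (not from the original post): how Spring Security 5 parses the
// "{id}encodedPassword" storage format and why a stored password without an {id}
// prefix fails with 'There is no PasswordEncoder mapped for the id "null"'.
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;

public class PasswordFormatDemo {

    public static void main(String[] args) {
        // The encoder Spring Security 5 uses by default: a DelegatingPasswordEncoder that
        // prefixes every hash with {id} and selects the matching encoder in matches().
        PasswordEncoder delegating = PasswordEncoderFactories.createDelegatingPasswordEncoder();

        // encode() is one-way and salted; the stored value starts with "{bcrypt}".
        String stored = delegating.encode("password");
        System.out.println("stored value: " + stored);
        System.out.println("has {bcrypt} prefix: " + stored.startsWith("{bcrypt}"));

        // matches() reads the id, picks the encoder, and re-hashes the submitted password.
        System.out.println("correct password matches: " + delegating.matches("password", stored));
        System.out.println("wrong password matches: " + delegating.matches("wrong", stored));

        // A {noop} entry is stored in plain text and compared directly (only for demos).
        System.out.println("{noop} matches: " + delegating.matches("password", "{noop}password"));

        // A stored value without any {id} prefix is what .password("12345") in the in-memory
        // example above produces: the id resolves to null and matching throws.
        try {
            delegating.matches("12345", "12345");
        } catch (IllegalArgumentException e) {
            System.out.println("exception: " + e.getMessage());
        }

        // Using BCryptPasswordEncoder directly (as in the fix above) stores no {id} prefix,
        // so both the stored hash and the login check must use the same encoder.
        BCryptPasswordEncoder bcrypt = new BCryptPasswordEncoder();
        String hash = bcrypt.encode("123");
        System.out.println("bcrypt hash: " + hash);
        System.out.println("bcrypt matches: " + bcrypt.matches("123", hash));
        // Every encode() call uses a fresh salt, so two hashes of "123" differ; stored
        // hashes must therefore be checked with matches(), never compared with equals().
        System.out.println("same hash twice: " + hash.equals(bcrypt.encode("123")));
    }
}
```

Run it with spring-security-crypto on the classpath. The delegating encoder produces a value beginning with {bcrypt}, matches the correct password and rejects the wrong one, accepts the {noop} entry, and throws IllegalArgumentException with exactly the message from the section title when the stored value has no {id} prefix. The last line shows why hashes are never compared as strings: each encode() call salts anew.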
3. User authentication through a custom UserDetailsService implementation class (needs to query the database)
Table in the database
First look at the users table in the database, shown below:
Java bean entity class corresponding to the table in the database
Custom UserDetailsService implementation class backed by the database
The custom UserDetailsService implementation class is as follows:
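Since the post's own implementation is not reproduced here, the following added example (not the original author's code) shows how such a class is typically written: a UserDetailsService that loads one row from the users table with JdbcTemplate, and the configuration class that wires it to a BCryptPasswordEncoder. The column names username, password and role, the class names, and the use of JdbcTemplate are assumptions; adapt them to the real entity class and schema.

```java
// Added example (not the original post's code): a database-backed UserDetailsService
// plus the configuration that registers it. Table/column names are assumed.
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;

@Service
class DatabaseUserDetailsService implements UserDetailsService {

    private final JdbcTemplate jdbc;

    DatabaseUserDetailsService(JdbcTemplate jdbc) {
        this.jdbc = jdbc;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        // Parameterised query: the username comes straight from the login form and
        // must never be concatenated into the SQL string.
        List<UserDetails> found = jdbc.query(
            "SELECT username, password, role FROM users WHERE username = ?",
            (rs, rowNum) -> User.withUsername(rs.getString("username"))
                // The stored value is already a BCrypt hash; it is not encoded again here.
                .password(rs.getString("password"))
                .roles(rs.getString("role"))
                .build(),
            username);
        if (found.isEmpty()) {
            // Spring Security converts this into a generic bad-credentials failure by
            // default, so the login response does not reveal whether the user exists.
            throw new UsernameNotFoundException("no such user");
        }
        return found.get(0);
    }
}

@Configuration
@EnableWebSecurity
class DatabaseSecurityConfig extends WebSecurityConfigurerAdapter {

    private final DatabaseUserDetailsService userDetailsService;

    DatabaseSecurityConfig(DatabaseUserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    // Exposed as a bean so that user registration code hashes passwords with the
    // same encoder (and therefore the same format) that the login check uses.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Same pattern as the in-memory fix above: tell the builder which encoder to
        // apply when comparing the submitted password with the hash from the database.
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }
}
```

The password column must hold BCrypt hashes produced by the same passwordEncoder() bean (for example when the user is created); if it holds plain text, the login check fails in the same way as the in-memory example before the fix. On login, Spring Security calls loadUserByUsername, then matches() on the returned hash, and the code above never compares the password itself.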