Java Spring Security - User.withDefaultPasswordEncoder() is deprecated?
Original URL: http://stackoverflow.com/questions/49847791/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
Asked by sammyjjohnson71
I am very new to Java Spring Security, and was following the Spring.io tutorial guide. As part of this, I edited the WebSecurityConfig class as required:
@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/home").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }

    @Bean
    @Override
    public UserDetailsService userDetailsService() {
        UserDetails user =
            User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build();
        return new InMemoryUserDetailsManager(user);
    }
}
Within the userDetailsService() method, it uses withDefaultPasswordEncoder(), which is now deprecated as seen in the docs: withDefaultPasswordEncoder()
Unfortunately, I have not been able to find an alternative to this, to complete this tutorial without using the deprecated method. Would somebody be able to provide an alternative for this if possible?
Thanks!
Note: I have attached a couple of screenshots of my error, as well as my Gradle file.
Answer by TwiN
EDIT: deleted old answer, misunderstood the question. Here's the new one:
User.withDefaultPasswordEncoder() can still be used for demos, you don't have to worry if that's what you're doing - even if it's deprecated - but in production, you shouldn't have a plain text password in your source code.
What you should be doing instead of using your current userDetailsService() method is the following:
private static final String ENCODED_PASSWORD = "$2a$10$AIUufK8g6EFhBcumRRV2L.AQNz3Bjp7oDQVFiO5JJMBFZQ6x2/R/2";

@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    auth.inMemoryAuthentication()
        .passwordEncoder(passwordEncoder())
        .withUser("user").password(ENCODED_PASSWORD).roles("USER");
}

@Bean
public PasswordEncoder passwordEncoder() {
    return new BCryptPasswordEncoder();
}
Where ENCODED_PASSWORD is secret123 encoded with BCrypt. You can also encode it programmatically like so: passwordEncoder().encode("secret123").
That way, even if you push your code to a public repository, people won't know the password because ENCODED_PASSWORD only shows the encoded version of the password and not the plain text version, but because you know that $2a$10$AIUufK8g6EFhBcumRRV2L.AQNz3Bjp7oDQVFiO5JJMBFZQ6x2/R/2 is actually the encoded password of the string secret123 whereas others don't, your in-memory user with the credentials user:secret123 won't be compromised.
Note that I'm leaving it in a static variable for the sake of the example.
Answer by martosfre
Using passwordEncoder.encode() would be like this:
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
            .passwordEncoder(passwordEncoder())
            .withUser("user")
            .password(passwordEncoder().encode("miClave"))
            .roles("USER");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}
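
An added example (not part of either answer or of the Spring guide), written against the Spring Security 5 API used on this page: it stands in for the question's userDetailsService() method without the deprecated call, and reads a bcrypt hash from an externalized property so that neither the password nor its hash sits in source. The class name InMemoryUserConfig and the property name demo.user.password-hash are assumptions.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;

@Configuration
public class InMemoryUserConfig {

    // Assumed property name: set it outside the repository, to a bcrypt hash.
    @Value("${demo.user.password-hash}")
    private String passwordHash;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        // Fail at startup on a plaintext or truncated value; otherwise
        // BCryptPasswordEncoder.matches() just rejects every login attempt.
        if (!passwordHash.matches("\\$2[aby]\\$\\d{2}\\$[./A-Za-z0-9]{53}")) {
            throw new IllegalStateException("demo.user.password-hash is not a bcrypt hash");
        }
        return new InMemoryUserDetailsManager(
                User.withUsername("user")
                        .password(passwordHash) // already encoded, stored as-is
                        .roles("USER")
                        .build());
    }

    // One-off helper, run locally: prints the hash to put in the property.
    public static void main(String[] args) {
        if (System.console() == null) {
            throw new IllegalStateException("run from an interactive terminal");
        }
        char[] pw = System.console().readPassword("Password to hash: ");
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        String hash = encoder.encode(java.nio.CharBuffer.wrap(pw));
        java.util.Arrays.fill(pw, '\0'); // do not keep the plaintext around
        // Each call uses a fresh salt, so two hashes of one password differ.
        System.out.println(hash);
    }
}
```

Use this in place of the userDetailsService() override in WebSecurityConfig rather than alongside it, so that only one UserDetailsService bean is defined.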