认证流程

(六)Spring Security 认证流程 - 图1
图片来自于:黑马程序员 SpringSecurity 认证课程

认证过程:

  1. 用户提交用户名、密码被 SecurityFilterChain 中的 UsernamePasswordAuthenticationFilter 过滤器获取到,封装为请求 Authentication,通常情况下是 UsernamePasswordAuthenticationToken 这个实现类。
  2. 然后过滤器将 Authentication 提交至认证管理器(AuthenticationManager)进行认证
  3. 认证成功后, AuthenticationManager 身份管理器返回一个被填充满了信息的(包括上面提到的权限信息,身份信息,细节信息,但密码通常会被移除) Authentication 实例。
  4. SecurityContextHolder 安全上下文容器将第 3 步填充了信息的 Authentication ,通过 SecurityContextHolder.getContext().setAuthentication(…) 方法,设置到其中。可以看出 AuthenticationManager 接口(认证管理器)是认证相关的核心接口,也是发起认证的出发点,它
    的实现类为 ProviderManager。而 Spring Security 支持多种认证方式,因此 ProviderManager 维护着一个
    List 列表,存放多种认证方式,最终实际的认证工作是由
    AuthenticationProvider 完成的。咱们知道 web 表单的对应的 AuthenticationProvider 实现类为
    DaoAuthenticationProvider,它的内部又维护着一个 UserDetailsService 负责 UserDetails 的获取。最终
    AuthenticationProvider 将 UserDetails 填充至 Authentication。
    认证核心组件的大体关系如下:
    (六)Spring Security 认证流程 - 图2
    图片来自于:黑马程序员 SpringSecurity 认证课程

知识点认识

Authentication

我们所面对的系统中的用户,在 Spring Security 中被称为主体(principal)。主体包含了所有能够经过验证而获得系统访问权限的用户、设备或其他系统。主体的概念实际上来自 Java Security,Spring Security 通过一层包装将其定义为一个 Authentication。

  1. public interface Authentication extends Principal, Serializable {
  2.     // 获取主体授权列表
  3.     Collection<? extends GrantedAuthority> getAuthorities();
  5.     // 获取主体凭证,一般为密码
  6.     Object getCredentials();
  8.     // 获取主体携带的详细信息
  9.     Object getDetails();
  11.     // 获取主体,通常为username
  12.     Object getPrincipal();
  14.     // 获取当前主体是否认证成功
  15.     boolean isAuthenticated();
  17.     // 设置当前主体是否认证成功状态
  18.     void setAuthenticated(boolean var1) throws IllegalArgumentException;
  19. }

AuthenticateProvider

Spring Security 认证的过程其实就是一个构建 Authentication 的过程。Authentication 在 Spring Security 的各个 AuthenticationProvider 中流动,AuthenticationProvider 被 Spring Security 定义为一个验证过程:

  1. public interface AuthenticationProvider {
  2.     // 验证完成,成功,返回一个验证完成的Authentication
  3.     Authentication authenticate(Authentication var1) throws AuthenticationException;
  5.     // 是否支持验证当前的Authentication类型
  6.     boolean supports(Class<?> var1);
  7. }

大部分场景下身份验证都是基于用户名和密码进行的,所以 Spring Security 提供了一个 UsernamePasswordAuthenticationToken 用于代指这一类证。,每一个登录用户即主体都被包装为一个 UsernamePasswordAuthenticationToken,从而在 Spring Security 的各个 AuthenticationProvider 中流动。

ProviderManager

一次完整的认证可以包含多个 AuthenticationProvider,一般由 ProviderManager 管理。

  1. public class ProviderManager implements AuthenticationManager, MessageSourceAware, InitializingBean {
  2.     private static final Log logger = LogFactory.getLog(ProviderManager.class);
  3.     private AuthenticationEventPublisher eventPublisher;
  5.     // AuthenticationProvider 列表
  6.     private List<AuthenticationProvider> providers;
  7.     protected MessageSourceAccessor messages;
  8.     private AuthenticationManager parent;
  9.     private boolean eraseCredentialsAfterAuthentication;
  11.     public ProviderManager(List<AuthenticationProvider> providers) {
  12.         this(providers, (AuthenticationManager)null);
  13.     }
  15.     public ProviderManager(List<AuthenticationProvider> providers, AuthenticationManager parent) {
  16.         this.eventPublisher = new ProviderManager.NullEventPublisher();
  17.         this.providers = Collections.emptyList();
  18.         this.messages = SpringSecurityMessageSource.getAccessor();
  19.         this.eraseCredentialsAfterAuthentication = true;
  20.         Assert.notNull(providers, "providers list cannot be null");
  21.         this.providers = providers;
  22.         this.parent = parent;
  23.         this.checkState();
  24.     }
  26.     public void afterPropertiesSet() {
  27.         this.checkState();
  28.     }
  30.     private void checkState() {
  31.         if (this.parent == null && this.providers.isEmpty()) {
  32.             throw new IllegalArgumentException("A parent AuthenticationManager or a list of AuthenticationProviders is required");
  33.         }
  34.     }
  36.     // 迭代AuthenticationProvider 列表,进行认证,返回最终结果
  37.     public Authentication authenticate(Authentication authentication) throws AuthenticationException {
  38.         Class<? extends Authentication> toTest = authentication.getClass();
  39.         AuthenticationException lastException = null;
  40.         AuthenticationException parentException = null;
  41.         Authentication result = null;
  42.         Authentication parentResult = null;
  43.         boolean debug = logger.isDebugEnabled();
  44.         Iterator var8 = this.getProviders().iterator();
  46.         // 迭代
  47.         while(var8.hasNext()) {
  48.             AuthenticationProvider provider = (AuthenticationProvider)var8.next();
  49.             // 判断AuthenticationProvider 是否支持当前验证
  50.             if (provider.supports(toTest)) {
  51.                 if (debug) {
  52.                     logger.debug("Authentication attempt using " + provider.getClass().getName());
  53.                 }
  55.                 try {
  56.                     // 执行AuthenticationProvider的认证。
  57.                     result = provider.authenticate(authentication);
  58.                     if (result != null) {
  59.                         this.copyDetails(authentication, result);
  60.                         // 有一个验证通过,就返回
  61.                         break;
  62.                     }
  63.                 } catch (InternalAuthenticationServiceException | AccountStatusException var13) {
  64.                     this.prepareException(var13, authentication);
  65.                     throw var13;
  66.                 } catch (AuthenticationException var14) {
  67.                     lastException = var14;
  68.                 }
  69.             }
  70.         }
  72.         if (result == null && this.parent != null) {
  73.             try {
  74.                 result = parentResult = this.parent.authenticate(authentication);
  75.             } catch (ProviderNotFoundException var11) {
  76.             } catch (AuthenticationException var12) {
  77.                 parentException = var12;
  78.                 lastException = var12;
  79.             }
  80.         }
  82.         if (result != null) {
  83.             if (this.eraseCredentialsAfterAuthentication && result instanceof CredentialsContainer) {
  84.                 ((CredentialsContainer)result).eraseCredentials();
  85.             }
  87.             if (parentResult == null) {
  88.                 this.eventPublisher.publishAuthenticationSuccess(result);
  89.             }
  91.             return result;
  92.         } else {
  93.             if (lastException == null) {
  94.                 lastException = new ProviderNotFoundException(this.messages.getMessage("ProviderManager.providerNotFound", new Object[]{toTest.getName()}, "No AuthenticationProvider found for {0}"));
  95.             }
  97.             if (parentException == null) {
  98.                 this.prepareException((AuthenticationException)lastException, authentication);
  99.             }
  101.             throw lastException;
  102.         }
  103.     }
  105.     private void prepareException(AuthenticationException ex, Authentication auth) {
  106.         this.eventPublisher.publishAuthenticationFailure(ex, auth);
  107.     }
  109.     private void copyDetails(Authentication source, Authentication dest) {
  110.         if (dest instanceof AbstractAuthenticationToken && dest.getDetails() == null) {
  111.             AbstractAuthenticationToken token = (AbstractAuthenticationToken)dest;
  112.             token.setDetails(source.getDetails());
  113.         }
  115.     }
  117.     public List<AuthenticationProvider> getProviders() {
  118.         return this.providers;
  119.     }
  121.     public void setMessageSource(MessageSource messageSource) {
  122.         this.messages = new MessageSourceAccessor(messageSource);
  123.     }
  125.     public void setAuthenticationEventPublisher(AuthenticationEventPublisher eventPublisher) {
  126.         Assert.notNull(eventPublisher, "AuthenticationEventPublisher cannot be null");
  127.         this.eventPublisher = eventPublisher;
  128.     }
  130.     public void setEraseCredentialsAfterAuthentication(boolean eraseSecretData) {
  131.         this.eraseCredentialsAfterAuthentication = eraseSecretData;
  132.     }
  134.     public boolean isEraseCredentialsAfterAuthentication() {
  135.         return this.eraseCredentialsAfterAuthentication;
  136.     }
  138.     private static final class NullEventPublisher implements AuthenticationEventPublisher {
  139.         private NullEventPublisher() {
  140.         }
  142.         public void publishAuthenticationFailure(AuthenticationException exception, Authentication authentication) {
  143.         }
  145.         public void publishAuthenticationSuccess(Authentication authentication) {
  146.         }
  147.     }
  148. }

自定义 AuthenticationProvider

Spring Security 提供了多种常见的认证技术,包括但不限于以下几种:

  • HTTP 层面的认证技术,包括 HTTP 基本认证和 HTTP 摘要认证两种。
  • 基于 LDAP 的认证技术(Lightweight Directory Access Protocol,轻量目录访问协议)。
  • 聚焦于证明用户身份的 OpenID 认证技术。
  • 聚焦于授权的 OAuth 认证技术。
  • 系统内维护的用户名和密码认证技术。
    其中,使用最为广泛的是由系统维护的用户名和密码认证技术,通常会涉及数据库访问。为了更好地按需定制,Spring Security 并没有直接糅合整个认证过程,而是提供了一个抽象的 AuthenticationProvider,AbstractUserDetailsAuthenticationProvider:
  1. public abstract class AbstractUserDetailsAuthenticationProvider implements AuthenticationProvider, InitializingBean, MessageSourceAware {
  2.     protected final Log logger = LogFactory.getLog(this.getClass());
  3.     protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
  4.     private UserCache userCache = new NullUserCache();
  5.     private boolean forcePrincipalAsString = false;
  6.     protected boolean hideUserNotFoundExceptions = true;
  7.     private UserDetailsChecker preAuthenticationChecks = new AbstractUserDetailsAuthenticationProvider.DefaultPreAuthenticationChecks();
  8.     private UserDetailsChecker postAuthenticationChecks = new AbstractUserDetailsAuthenticationProvider.DefaultPostAuthenticationChecks();
  9.     private GrantedAuthoritiesMapper authoritiesMapper = new NullAuthoritiesMapper();
  11.     public AbstractUserDetailsAuthenticationProvider() {
  12.     }
  14.     // 附件认证过程
  15.     protected abstract void additionalAuthenticationChecks(UserDetails var1, UsernamePasswordAuthenticationToken var2) throws AuthenticationException;
  17.     public final void afterPropertiesSet() throws Exception {
  18.         Assert.notNull(this.userCache, "A user cache must be set");
  19.         Assert.notNull(this.messages, "A message source must be set");
  20.         this.doAfterPropertiesSet();
  21.     }
  23.     // 主体认证过程
  24.     public Authentication authenticate(Authentication authentication) throws AuthenticationException {
  25.         Assert.isInstanceOf(UsernamePasswordAuthenticationToken.class, authentication, () -> {
  26.             return this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.onlySupports", "Only UsernamePasswordAuthenticationToken is supported");
  27.         });
  28.         String username = authentication.getPrincipal() == null ? "NONE_PROVIDED" : authentication.getName();
  29.         boolean cacheWasUsed = true;
  30.         UserDetails user = this.userCache.getUserFromCache(username);
  31.         if (user == null) {
  32.             cacheWasUsed = false;
  34.             try {
  35.                 // 先检索用户
  36.                 user = this.retrieveUser(username, (UsernamePasswordAuthenticationToken)authentication);
  37.             } catch (UsernameNotFoundException var6) {
  38.                 this.logger.debug("User '" + username + "' not found");
  39.                 if (this.hideUserNotFoundExceptions) {
  40.                     throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
  41.                 }
  43.                 throw var6;
  44.             }
  46.             Assert.notNull(user, "retrieveUser returned null - a violation of the interface contract");
  47.         }
  49.         try {
  50.             // 认证前检查,检查账号是否可用
  51.             this.preAuthenticationChecks.check(user);
  52.             // 执行附加认证
  53.             this.additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken)authentication);
  54.         } catch (AuthenticationException var7) {
  55.             if (!cacheWasUsed) {
  56.                 throw var7;
  57.             }
  58.             cacheWasUsed = false;
  59.             user = this.retrieveUser(username, (UsernamePasswordAuthenticationToken)authentication);
  60.             this.preAuthenticationChecks.check(user);
  61.             this.additionalAuthenticationChecks(user, (UsernamePasswordAuthenticationToken)authentication);
  62.         }
  63.         // 认证后检查,一般是检查账号密码是否过期
  64.         this.postAuthenticationChecks.check(user);
  65.         if (!cacheWasUsed) {
  66.             this.userCache.putUserInCache(user);
  67.         }
  69.         Object principalToReturn = user;
  70.         if (this.forcePrincipalAsString) {
  71.             principalToReturn = user.getUsername();
  72.         }
  74.         // 返回一个认证通过的Authentication
  75.         return this.createSuccessAuthentication(principalToReturn, authentication, user);
  76.     }
  78.     protected Authentication createSuccessAuthentication(Object principal, Authentication authentication, UserDetails user) {
  79.         UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(principal, authentication.getCredentials(), this.authoritiesMapper.mapAuthorities(user.getAuthorities()));
  80.         result.setDetails(authentication.getDetails());
  81.         return result;
  82.     }
  84.     protected void doAfterPropertiesSet() throws Exception {
  85.     }
  87.     public UserCache getUserCache() {
  88.         return this.userCache;
  89.     }
  91.     public boolean isForcePrincipalAsString() {
  92.         return this.forcePrincipalAsString;
  93.     }
  95.     public boolean isHideUserNotFoundExceptions() {
  96.         return this.hideUserNotFoundExceptions;
  97.     }
  99.     // 检索用户
  100.     protected abstract UserDetails retrieveUser(String var1, UsernamePasswordAuthenticationToken var2) throws AuthenticationException;
  102.     public void setForcePrincipalAsString(boolean forcePrincipalAsString) {
  103.         this.forcePrincipalAsString = forcePrincipalAsString;
  104.     }
  106.     public void setHideUserNotFoundExceptions(boolean hideUserNotFoundExceptions) {
  107.         this.hideUserNotFoundExceptions = hideUserNotFoundExceptions;
  108.     }
  110.     public void setMessageSource(MessageSource messageSource) {
  111.         this.messages = new MessageSourceAccessor(messageSource);
  112.     }
  114.     public void setUserCache(UserCache userCache) {
  115.         this.userCache = userCache;
  116.     }
  118.     // 此认证支持UsernamePasswordAuthenticationToken及其衍生类认证
  119.     public boolean supports(Class<?> authentication) {
  120.         return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
  121.     }
  123.     protected UserDetailsChecker getPreAuthenticationChecks() {
  124.         return this.preAuthenticationChecks;
  125.     }
  127.     public void setPreAuthenticationChecks(UserDetailsChecker preAuthenticationChecks) {
  128.         this.preAuthenticationChecks = preAuthenticationChecks;
  129.     }
  131.     protected UserDetailsChecker getPostAuthenticationChecks() {
  132.         return this.postAuthenticationChecks;
  133.     }
  135.     public void setPostAuthenticationChecks(UserDetailsChecker postAuthenticationChecks) {
  136.         this.postAuthenticationChecks = postAuthenticationChecks;
  137.     }
  139.     public void setAuthoritiesMapper(GrantedAuthoritiesMapper authoritiesMapper) {
  140.         this.authoritiesMapper = authoritiesMapper;
  141.     }
  143.     private class DefaultPostAuthenticationChecks implements UserDetailsChecker {
  144.         private DefaultPostAuthenticationChecks() {
  145.         }
  147.         public void check(UserDetails user) {
  148.             if (!user.isCredentialsNonExpired()) {
  149.                 AbstractUserDetailsAuthenticationProvider.this.logger.debug("User account credentials have expired");
  150.                 throw new CredentialsExpiredException(AbstractUserDetailsAuthenticationProvider.this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.credentialsExpired", "User credentials have expired"));
  151.             }
  152.         }
  153.     }
  155.     private class DefaultPreAuthenticationChecks implements UserDetailsChecker {
  156.         private DefaultPreAuthenticationChecks() {
  157.         }
  159.         public void check(UserDetails user) {
  160.             if (!user.isAccountNonLocked()) {
  161.                 AbstractUserDetailsAuthenticationProvider.this.logger.debug("User account is locked");
  162.                 throw new LockedException(AbstractUserDetailsAuthenticationProvider.this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.locked", "User account is locked"));
  163.             } else if (!user.isEnabled()) {
  164.                 AbstractUserDetailsAuthenticationProvider.this.logger.debug("User account is disabled");
  165.                 throw new DisabledException(AbstractUserDetailsAuthenticationProvider.this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.disabled", "User is disabled"));
  166.             } else if (!user.isAccountNonExpired()) {
  167.                 AbstractUserDetailsAuthenticationProvider.this.logger.debug("User account is expired");
  168.                 throw new AccountExpiredException(AbstractUserDetailsAuthenticationProvider.this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.expired", "User account has expired"));
  169.             }
  170.         }
  171.     }
  172. }

在 AbstractUserDetailsAuthenticationProvider 中实现了基本的认证流程,通过继承 AbstractUserDetailsAuthenticationProvider,并实现 retrieveUser 和 additionalAuthenticationChecks 两个抽象方法即可自定义核心认证过程,灵活性非常高。示例,Spring Security 用于处理 UsernamePasswordAuthenticationToken 的 DaoAuthenticationProvider:

  1. public class DaoAuthenticationProvider extends AbstractUserDetailsAuthenticationProvider {
  2.     private static final String USER_NOT_FOUND_PASSWORD = "userNotFoundPassword";
  3.     // 密码加密
  4.     private PasswordEncoder passwordEncoder;
  5.     private volatile String userNotFoundEncodedPassword;
  7.     // UserDetailsService 用来获取用户信息
  8.     private UserDetailsService userDetailsService;
  9.     private UserDetailsPasswordService userDetailsPasswordService;
  11.     public DaoAuthenticationProvider() {
  12.         this.setPasswordEncoder(PasswordEncoderFactories.createDelegatingPasswordEncoder());
  13.     }
  15.     // 添加附加认证
  16.     @Override
  17.     protected void additionalAuthenticationChecks(UserDetails userDetails, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
  18.         if (authentication.getCredentials() == null) {
  19.             this.logger.debug("Authentication failed: no credentials provided");
  20.             throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
  21.         } else {
  22.             String presentedPassword = authentication.getCredentials().toString();
  23.             // 密码对比判断
  24.             if (!this.passwordEncoder.matches(presentedPassword, userDetails.getPassword())) {
  25.                 this.logger.debug("Authentication failed: password does not match stored value");
  26.                 throw new BadCredentialsException(this.messages.getMessage("AbstractUserDetailsAuthenticationProvider.badCredentials", "Bad credentials"));
  27.             }
  28.         }
  29.     }
  31.     protected void doAfterPropertiesSet() {
  32.         Assert.notNull(this.userDetailsService, "A UserDetailsService must be set");
  33.     }
  35.     // 获取用户
  36.     @Override
  37.     protected final UserDetails retrieveUser(String username, UsernamePasswordAuthenticationToken authentication) throws AuthenticationException {
  38.         this.prepareTimingAttackProtection();
  40.         try {
  41.             UserDetails loadedUser = this.getUserDetailsService().loadUserByUsername(username);
  42.             if (loadedUser == null) {
  43.                 throw new InternalAuthenticationServiceException("UserDetailsService returned null, which is an interface contract violation");
  44.             } else {
  45.                 return loadedUser;
  46.             }
  47.         } catch (UsernameNotFoundException var4) {
  48.             this.mitigateAgainstTimingAttack(authentication);
  49.             throw var4;
  50.         } catch (InternalAuthenticationServiceException var5) {
  51.             throw var5;
  52.         } catch (Exception var6) {
  53.             throw new InternalAuthenticationServiceException(var6.getMessage(), var6);
  54.         }
  55.     }
  57.     protected Authentication createSuccessAuthentication(Object principal, Authentication authentication, UserDetails user) {
  58.         boolean upgradeEncoding = this.userDetailsPasswordService != null && this.passwordEncoder.upgradeEncoding(user.getPassword());
  59.         if (upgradeEncoding) {
  60.             String presentedPassword = authentication.getCredentials().toString();
  61.             String newPassword = this.passwordEncoder.encode(presentedPassword);
  62.             user = this.userDetailsPasswordService.updatePassword(user, newPassword);
  63.         }
  65.         return super.createSuccessAuthentication(principal, authentication, user);
  66.     }
  68.     private void prepareTimingAttackProtection() {
  69.         if (this.userNotFoundEncodedPassword == null) {
  70.             this.userNotFoundEncodedPassword = this.passwordEncoder.encode("userNotFoundPassword");
  71.         }
  73.     }
  75.     private void mitigateAgainstTimingAttack(UsernamePasswordAuthenticationToken authentication) {
  76.         if (authentication.getCredentials() != null) {
  77.             String presentedPassword = authentication.getCredentials().toString();
  78.             this.passwordEncoder.matches(presentedPassword, this.userNotFoundEncodedPassword);
  79.         }
  81.     }
  83.     public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
  84.         Assert.notNull(passwordEncoder, "passwordEncoder cannot be null");
  85.         this.passwordEncoder = passwordEncoder;
  86.         this.userNotFoundEncodedPassword = null;
  87.     }
  89.     protected PasswordEncoder getPasswordEncoder() {
  90.         return this.passwordEncoder;
  91.     }
  93.     public void setUserDetailsService(UserDetailsService userDetailsService) {
  94.         this.userDetailsService = userDetailsService;
  95.     }
  97.     protected UserDetailsService getUserDetailsService() {
  98.         return this.userDetailsService;
  99.     }
  101.     public void setUserDetailsPasswordService(UserDetailsPasswordService userDetailsPasswordService) {
  102.         this.userDetailsPasswordService = userDetailsPasswordService;
  103.     }
  104. }

UserDetailsService

道 DaoAuthenticationProvider 处理了 web 表单的认证逻辑,认证成功后既得到一个 Authentication(UsernamePasswordAuthenticationToken 实现),里面包含了身份信息(Principal)。
这个身份信息就是一个 Object,大多数情况下它可以被强转为 UserDetails 对象。DaoAuthenticationProvider 中包含了一个 UserDetailsService 实例,它负责根据用户名提取用户信息 UserDetails(包含密码)。

而后 DaoAuthenticationProvider 会去对比 UserDetailsService 提取的用户密码与用户提交的密码是否匹配作为认证成功的关键依据。

因此可以通过将自定义的 UserDetailsService 公开为 spring bean 来定义自定义身份验证。

  1. public interface UserDetailsService {
  2.     UserDetails loadUserByUsername(String username) throws UsernameNotFoundException; 
  3. }

PasswordEncoder

DaoAuthenticationProvider 认证处理器通过 UserDetailsService 获取到 UserDetails 后,它是如何与请求 Authentication 中的密码做对比呢?

在这里 Spring Security 为了适应多种多样的加密类型,又做了抽象,DaoAuthenticationProvider 通过 PasswordEncoder 接口的 matches 方法进行密码的对比,而具体的密码对比细节取决于实现:

  1. public interface PasswordEncoder {
  2.     String encode(CharSequence var1);
  4.     boolean matches(CharSequence var1, String var2);
  6.     default boolean upgradeEncoding(String encodedPassword) {
  7.         return false;
  8.     }
  9. }

而 Spring Security 提供很多内置的 PasswordEncoder,能够开箱即用,使用某种 PasswordEncoder 只需要进行如下声明即可,如下:

  1. @Bean 
  2. public PasswordEncoder passwordEncoder() {
  3.     return  NoOpPasswordEncoder.getInstance();
  4. }