doudang1890 2018-10-23 12:16
浏览 69

使用安全编码器和使用lexik jwt Authenticator的Symfony 4项目感到困惑

It's my first time doing security stuff.

I followed the Lexik Auntication Bundle Installation chapter and the Lexik Authentication Sandbox Readme file.

And it's confusing me. I think one page is telling me to encode in SHA-2, while the other one is using bcrypt and I've set it at bcrypt encoding at the moment.

I have the following security settings:

security:
  encoders:
    App\Security\User\WebserviceUser: bcrypt

  role_hierarchy:
    ROLE_ADMIN:       ROLE_USER
    ROLE_SUPER_ADMIN: ROLE_ADMIN

  providers:
    webservice:
      id: App\Security\User\WebserviceUserProvider
    jwt:
      lexik_jwt:
        class: App\Security\User\WebserviceUser

  firewalls:
    dev:
      pattern: ^/(_(profiler|wdt)|css|images|js)/
      security: false

    login:
      pattern:  ^/login
      stateless: true
      anonymous: true
      provider: webservice
      json_login:
        check_path: /login_check
        success_handler: lexik_jwt_authentication.handler.authentication_success
        failure_handler: lexik_jwt_authentication.handler.authentication_failure

    client_list:
      pattern:  ^/api/client/active
      stateless: true
      anonymous: true

    secured_area:
      pattern: ^/api/
      provider: webservice
      stateless: true
      guard:
        authenticators:
        - lexik_jwt_authentication.jwt_token_authenticator

  access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api,       roles: IS_AUTHENTICATED_FULLY }
    - { path: ^/api/client/active, roles: IS_AUTHENTICATED_ANONYMOUSLY }

And I created the following keys:

$ openssl genrsa -out config/jwt/private.pem -aes256 4096
Enter pass phrase for config/jwt/private.pem:
Verifying - Enter pass phrase for config/jwt/private.pem:
$ openssl rsa -pubout -in config/jwt/private.pem -out config/jwt/public.pem
Enter pass phrase for config/jwt/private.pem:
writing RSA key

When I want to do a login check it however fails:

$ curl -X POST -H "Content-Type: application/json" http://localhost:8000/login_check -d '{"username":"Pete","password":"password"}'
{"code":401,"message":"Bad credentials"}

I've checked the username and password. They are both correct and have tried others.

I've tried plaintext encoders and created keys as such:

openssl genpkey -algorithm RSA -out config/jwt/private.pem -pkeyopt rsa_keygen_bits:4096
openssl rsa -pubout -in config/jwt/private.pem -out /config/jwt/public.pem

This does work.

But plaintext does not sound safe.

What am I doing wrong?

  • 写回答

0条回答 默认 最新

    报告相同问题?

    悬赏问题

    • ¥15 执行 virtuoso 命令后,界面没有,cadence 启动不起来
    • ¥50 comfyui下连接animatediff节点生成视频质量非常差的原因
    • ¥20 有关区间dp的问题求解
    • ¥15 多电路系统共用电源的串扰问题
    • ¥15 slam rangenet++配置
    • ¥15 有没有研究水声通信方面的帮我改俩matlab代码
    • ¥15 ubuntu子系统密码忘记
    • ¥15 保护模式-系统加载-段寄存器
    • ¥15 电脑桌面设定一个区域禁止鼠标操作
    • ¥15 求NPF226060磁芯的详细资料