
Spring Security: password encoding in the database and in applicationContext

I have this configuration (applicationContext-security.xml):


<authentication-manager alias="authenticationManager">
    <authentication-provider>
        <password-encoder hash="sha"/>
        <jdbc-user-service data-source-ref="dataSource"/>
    </authentication-provider>
</authentication-manager>

On the other side, the dataSource (my JdbcDaoImpl) has this SQL:


...
    public static final String DEF_USERS_BY_USERNAME_QUERY =
            "select username,password,enabled " +
            "from users " +
            "where username = ?";
...

There is now the word sha in this config, so the password selected from the standard Spring Security users table is not encoded.


Maybe I should give the password column some sha-related attribute in the Hibernate mapping configuration:


<class name="model.UserDetails" table="users">
    <id name="id">
        <generator class="increment"/>
    </id>
    <property name="username" column="username"/>
    <property name="password" column="password"/>
    <property name="enabled" column="enabled"/>
    <property name="mail" column="mail"/>
    <property name="city" column="city"/>
    <property name="confirmed" column="confirmed"/>
    <property name="confirmationCode" column="confirmation_code"/>

    <set name="authorities" cascade="all" inverse="true">
        <key column="id" not-null="true"/>
        <one-to-many class="model.Authority"/>
    </set>
</class>

At the moment the password is saved to the DB as-is, but it should be encoded.


How do I make the applicationContext config and the DB query use the same password encoding?


Asked by 慕容3067478 · 734 views · 3 answers

慕桂英4014372

If you are choosing a hashing system yourself, rather than building the application on top of an existing database that already contains hashed passwords, you should make sure the hashing algorithm also uses a salt. Don't just use a simple digest. bcrypt is a good choice, and bcrypt is now supported directly in Spring Security 3.1 via BCryptPasswordEncoder (implemented with jBCrypt). It automatically generates a salt and concatenates it with the hash value in a single String. Some databases have built-in support for hashing (e.g. Postgres). Otherwise you need to hash the password first, before passing it to JDBC:

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

String password = "plaintextPassword";
PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
String hashedPassword = passwordEncoder.encode(password);

That is all you need to do to encode the password when creating the user. For authentication you would use something like:

<bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

<bean id="authProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
  <property name="userDetailsService" ref="yourJdbcUserService" />
  <property name="passwordEncoder" ref="encoder" />
</bean>

繁星coding

You can do it in a simple way in applicationContext-security.xml, something like this:

<authentication-manager alias="authenticationManager">
   <authentication-provider>
    <password-encoder ref="encoder"/>
    <jdbc-user-service data-source-ref="dataSource"
       users-by-username-query="
          select username,password, enabled
            from principal where username=?"
       authorities-by-username-query="
          select p.username, a.authority from principal p, authority a
          where p.id = a.principal_id and p.username=?"
    />
   </authentication-provider>
</authentication-manager>

<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

In Java:

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

public static String encodePasswordWithBCrypt(String plainPassword){
    return new BCryptPasswordEncoder().encode(plainPassword);
}

Then test:

System.out.println(encodePasswordWithBCrypt("fsdfd"));
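The point both answers make is that the writing side (user creation) and the verifying side (DaoAuthenticationProvider) must share one encoder. The following is an added example, not code from the question or the answers: a registration DAO that is handed the same PasswordEncoder bean the authentication provider references, so what lands in the users table is exactly what login checks against. It assumes the standard Spring Security users table (username, password, enabled), Spring JDBC's JdbcTemplate, and that the bean is wired in with a constructor-arg pointing at the "encoder" bean; the class and method names are hypothetical.

```java
import javax.sql.DataSource;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical registration DAO: shares the "encoder" bean with DaoAuthenticationProvider.
public class JdbcUserRegistrationDao {

    private final JdbcTemplate jdbcTemplate;
    private final PasswordEncoder passwordEncoder;

    // Inject the very same bean referenced by <password-encoder ref="encoder"/>;
    // creating a second encoder with different settings here would silently break login.
    public JdbcUserRegistrationDao(DataSource dataSource, PasswordEncoder passwordEncoder) {
        this.jdbcTemplate = new JdbcTemplate(dataSource);
        this.passwordEncoder = passwordEncoder;
    }

    // Store only the encoded form. BCryptPasswordEncoder.encode() draws a fresh random
    // salt and embeds it in the returned string, so the table needs no salt column.
    public void createUser(String username, String plainPassword) {
        String hash = passwordEncoder.encode(plainPassword);
        jdbcTemplate.update(
            "insert into users (username, password, enabled) values (?, ?, ?)",
            username, hash, Boolean.TRUE);
    }

    // Verify the way DaoAuthenticationProvider does: matches() re-hashes the submitted
    // password with the salt taken from the stored hash. Never compare encode(submitted)
    // to the stored string: bcrypt is salted, so two encodings of one password differ.
    public boolean checkPassword(String username, String submittedPassword) {
        try {
            String storedHash = jdbcTemplate.queryForObject(
                "select password from users where username = ?", String.class, username);
            return passwordEncoder.matches(submittedPassword, storedHash);
        } catch (EmptyResultDataAccessException unknownUser) {
            return false; // no such user; treat like a bad password
        }
    }
}
```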