Does LDAP Support BCrypt? Trying to implement BCrypt in Java Spring Security


Question

I'm currently trying to implement BCrypt with LDAP in my Spring Security. The question I have is does LDAP support this, and if so, how do I implement? Looking at the image below, I do not see BCrypt as an option within the Password Editor view in the LDAP perspective. My current Basic authentication works with plain-text passwords; however, I would like to enhance the security.

My current security-context.xml is:

<authentication-manager>
    <ldap-authentication-provider
        user-search-filter="(uid={0})"
        user-search-base="ou=users,${ldap.base}"
        group-search-filter="(uniqueMember={0})"
        group-search-base="ou=roles,${ldap.base}"
        group-role-attribute="cn"
        role-prefix="ROLE_">
    </ldap-authentication-provider>
</authentication-manager>

How do I implement BCrypt in my case? I read somewhere that we may have to use UserDetailsService?

Any help would be greatly appreciated. Thanks.

Answer

It sounds like you may be misunderstanding what enabling bcrypt (or any other hash) would actually achieve, and where it would be implemented. It wouldn't make any difference to how basic authentication works, for example. That would still send the password to your application in plain text. The password hashing would then be done on the server side and checked against the stored hashed value. In a non-LDAP app, Spring Security would do this validation, after loading the password hash from a database.

LDAP adds another layer. In this case, Spring Security is a client of the LDAP server and will use the supplied username and password in an LDAP bind operation to attempt to authenticate as the user. Again the password is sent in plaintext, and this time the hashing and comparison is done by the LDAP server.

So if your aim is to secure passwords in transit, hashing is irrelevant. That is why you need to use a secure connection.

In theory, you could use LDAP more like a database, store the passwords in whatever hash format you wish, and have Spring Security read them and do the validation itself. This is possibly the UserDetailsService option you refer to. However that isn't normal practice, it would likely break the use of bind authentication (since the LDAP server itself wouldn't understand the password encoding), and it would require giving read access to the password field, which is usually frowned on.

So as @EJP says, you should probably stick with an SSHA option and use a secure connection to your application, and possibly to your LDAP server as well.
