如何使用 Spring Security 的新 PasswordEncoder [英] How to use new PasswordEncoder from Spring Security
问题描述
从 Spring Security 3.1.4.RELEASE 开始,旧的 org.springframework.security.authentication.encoding.PasswordEncoder 已弃用,取而代之的是org.springframework.security.crypto.password.PasswordEncoder.由于我的应用程序尚未向公众发布,因此我决定迁移到新的、未弃用的 API.
As of Spring Security 3.1.4.RELEASE, the old org.springframework.security.authentication.encoding.PasswordEncoder has been deprecated in favour of org.springframework.security.crypto.password.PasswordEncoder. As my application has not been released to the public yet, I decided to move to the new, not deprecated API.
直到现在,我有一个 ReflectionSaltSource 自动使用用户的注册日期作为每个用户的密码盐.
Until now, I had a ReflectionSaltSource that automatically used the user's registration date as per-user salt for password.
String encodedPassword = passwordEncoder.encodePassword(rawPassword, saltSource.getSalt(user));
在登录过程中,Spring也使用了我的bean来适当验证用户是否可以登录.我在新密码编码器中无法实现这一点,因为SHA-1的默认实现 - StandardPasswordEncoder 只能在编码器创建过程中添加全局秘密盐.
During login process, Spring also used my beans to appropriate verify if the user can or can not sign in. I can't achieve this in the new password encoder, because the default implementation of SHA-1 - StandardPasswordEncoder has only ability to add a global secret salt during the encoder creation.
是否有任何合理的方法可以使用未弃用的 API 进行设置?
Is there any reasonable method of how to set it up with the non-deprecated API?
推荐答案
如果您实际上还没有使用现有格式注册任何用户,那么您最好切换到使用 BCrypt 密码编码器.
If you haven't actually registered any users with your existing format then you would be best to switch to using the BCrypt password encoder instead.
它少了很多麻烦,因为您根本不必担心盐分 - 细节完全封装在编码器中.使用 BCrypt 比使用普通的哈希算法更强大,它也是一种标准,可以与使用其他语言的应用程序兼容.
It's a lot less hassle, as you don't have to worry about salt at all - the details are completely encapsulated within the encoder. Using BCrypt is stronger than using a plain hash algorithm and it's also a standard which is compatible with applications using other languages.
真的没有理由为新应用程序选择任何其他选项.
There's really no reason to choose any of the other options for a new application.
这篇关于如何使用 Spring Security 的新 PasswordEncoder的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
