Spring security 3.1.4 and ShaPasswordEncoder deprecation


Problem description


Today I upgraded the spring security version of the application I'm working on from 3.1.3 to 3.1.4, and I noticed a deprecation warning on the org.springframework.security.authentication.encoding.ShaPasswordEncoder class.

So I switched to the new org.springframework.security.crypto.password.StandardPasswordEncoder implementation.

I had it working and I'm able to register a new user and log in to my application, but, as I feared, I'm not able to log in using passwords generated with the previous ShaPasswordEncoder and my custom salt.

Since I have a database with many users already registered, what should I do to switch implementation without invalidating the old encoded passwords? Is it even possible?

See also: How to use new PasswordEncoder from Spring Security

Solution

If you want to switch to a more secure password encoding mechanism, then I would recommend you use BCrypt. I would use something like this to migrate your users:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.authentication.encoding.PasswordEncoder;
import org.springframework.security.authentication.encoding.ShaPasswordEncoder;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

// Implement the old PasswordEncoder interface
public class MigrateUsersPasswordEncoder implements PasswordEncoder {
    // The encoder the existing hashes were produced with
    @Autowired
    ShaPasswordEncoder legacyEncoder;
    @Autowired
    JdbcTemplate template;

    BCryptPasswordEncoder bcryptEncoder = new BCryptPasswordEncoder();

    @Override
    public String encodePassword(String rawPass, Object salt) {
        // New passwords are always stored as BCrypt; BCrypt generates its own salt
        return bcryptEncoder.encode(rawPass);
    }

    @Override
    public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
        // A legacy SHA match means the user has not been migrated yet:
        // re-hash the plaintext with BCrypt and overwrite the stored hash
        if (legacyEncoder.isPasswordValid(encPass, rawPass, salt)) {
            template.update("update users set password = ? where password = ?", bcryptEncoder.encode(rawPass), encPass);
            return true;
        }
        // Otherwise the stored value is already a BCrypt hash
        return bcryptEncoder.matches(rawPass, encPass);
    }
}

You can check what proportion of users have been migrated by the format of the password field. BCrypt strings have a distinctive syntax beginning with a $ sign.

One of the other answers points out that this code could accidentally update multiple passwords at the same time. The question stated that a custom salt was being used, so the chance of collisions is negligible if the salt is randomly chosen, but this might not always be the case. If two passwords were updated, what would the problem be? It would then be possible to detect that accounts have the same password from the bcrypt hashes. That's the case anyway since it requires that the SHA hashes were the same for the update to occur. If you think it might be a problem (e.g. because of poor salt choice or even the use of unsalted hashes) it would be trivial to modify the SQL to detect this and perform multiple updates with separate BCrypt hash values.
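To make the migrate-on-login pattern concrete, here is an added, stand-alone example (not code from the question, the answer or Spring): it reproduces the legacy ShaPasswordEncoder `password{salt}` layout with SHA-256, uses PBKDF2-HMAC-SHA256 as a stand-in for BCrypt because bcrypt is not in the Python standard library, updates the row by its primary key to avoid the multi-row update discussed above, and reports the migrated proportion by the leading `$`. It assumes the custom salt is the username and uses a constructed in-memory user table.

```python
import base64, hashlib, hmac, os, sqlite3

def legacy_sha_encode(raw: str, salt: str) -> str:
    # Spring's ShaPasswordEncoder hashes the string "password{salt}" and hex-encodes it
    return hashlib.sha256(f"{raw}{{{salt}}}".encode()).hexdigest()

def strong_encode(raw: str, rounds: int = 100_000) -> str:
    # Stand-in for BCryptPasswordEncoder.encode(): random salt, self-describing "$..." format
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt, rounds)
    return "$pbkdf2-sha256$%d$%s$%s" % (
        rounds, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())

def strong_matches(raw: str, enc: str) -> bool:
    # Stand-in for BCryptPasswordEncoder.matches(): salt and cost come from the stored string
    _, _alg, rounds, salt_b64, dk_b64 = enc.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", raw.encode(), base64.b64decode(salt_b64), int(rounds))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))

def is_migrated(enc: str) -> bool:
    # Same check as the answer suggests: migrated hashes start with "$", legacy hex hashes do not
    return enc.startswith("$")

def init_db(users):
    # Constructed sample data: legacy SHA hashes salted with the username (assumption)
    db = sqlite3.connect(":memory:")
    db.execute("create table users (username text primary key, password text)")
    db.executemany("insert into users values (?, ?)",
                   [(u, legacy_sha_encode(p, u)) for u, p in users])
    return db

def authenticate(db, username: str, raw: str) -> bool:
    row = db.execute("select password from users where username = ?", (username,)).fetchone()
    if row is None:
        return False
    enc = row[0]
    if is_migrated(enc):
        return strong_matches(raw, enc)
    if not hmac.compare_digest(legacy_sha_encode(raw, username), enc):
        return False
    # Legacy match: re-hash now. Updating by primary key (not "where password = ?") means a
    # legacy hash shared by two accounts can never rewrite the other account's row.
    db.execute("update users set password = ? where username = ?", (strong_encode(raw), username))
    db.commit()
    return True

def migrated_fraction(db) -> float:
    rows = [r[0] for r in db.execute("select password from users")]
    return sum(is_migrated(e) for e in rows) / len(rows)
```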
