Spring Security的自定义身份验证和密码编码 [英] Spring Security Custom Authentication and Password Encoding

问题描述

有一个教程在那里或有没有人对如何做弹簧安全以下？指针

Is there a tutorial out there or does anyone have pointers on how to do the following with Spring-Security?

任务：

我需要从我的数据库的用户名认证获得盐，并用它来加密提供的密码（从登录页面），比较它存储的加密密码（又称为认证用户）。

I need to get the salt from my database for the authenticating username and use it to encrypt the provided password (from the login page) to compare it to the stored encrypted password (a.k.a. authenticate the user).

其他信息：

我使用自定义的数据库结构。 A 的UserDetails 对象通过自定义的的UserDetailsS​​ervice 从而使用自定义DAOProvider来从数据库中的信息创建的。

I use a custom database structure. A UserDetails object is created via a custom UserDetailsService which in turn uses a custom DAOProvider to get the information from the database.

我的 security.xml文件到目前为止文件：

<authentication-manager>
    <authentication-provider user-service-ref="userDetailsService">
    </authentication-provider>
</authentication-manager>

现在我想我需要

        <password-encoder hash="sha" />

但还有什么？我如何告诉春季安全使用databaseprovided盐，以EN code中的密码？

but what else? How do I tell spring security to use the databaseprovided salt in order to encode the password?

修改

我发现这SO 职位是informatative但不是充分的：如果我定义我的XML盐源的密码连接codeR使用，就像这样：

I found This SO post to be informatative but not sufficient: If I define a salt source in my xml to be used by the password encoder, like so:

        <password-encoder ref="passwordEncoder">                
            <salt-source ref="saltSource"/>
        </password-encoder>

我将不得不编写自定义SaltSource使用个性化的盐。但是，这不是的UserDetails 对象中被发现。所以......

I'll have to write a custom SaltSource to use my custom salt. But that's not to be found inside the UserDetails object. So...

方案1：

我可以使用的UserDetails的自定义实现，那么它可能具有盐的财产？

Can I use a custom Implementation of UserDetails which might then have the salt property?

<beans:bean id="saltSource" class="path.to.MySaltSource"
    p:userPropertyToUse="salt"/>

和

@Service("userDetailsService") 
public class UserDetailsServiceImpl implements UserDetailsService {
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException, DataAccessException {

        // ...
        return buildUserFromAccount(account);
    }

    @Transactional(readOnly = true)

    UserDetailsImpl buildUserFromAccount(Account account){

        // ... build User object that contains salt property
}

自定义的用户类别：

custom User Class:

public class UserDetailsImpl extends User{

    // ...

    private String salt;

    public String getSalt() { return salt; }

    public void setSalt(String salt) { this.salt = salt; }
}

security.xml文件：

security.xml:

<authentication-manager>
    <authentication-provider user-service-ref="userDetailsService">
        <password-encoder hash="sha">                
        <salt-source ref="saltSource"/>
    </password-encoder>
    </authentication-provider>
</authentication-manager>

<beans:bean id="saltSource" class="org.springframework.security.authentication.dao.ReflectionSaltSource" p:userPropertyToUse="salt"/>

选择2：

否则，我不得不注入我accountDAO到 SaltSource 来提取盐对于给定的的userName 从数据库。

Otherwise I'd have to inject my accountDAO into the SaltSource to extract the salt for a given userName from the database.

但是：如何Spring Security的调用 SaltSource ？始终以 saltSource.getSalt（为userDetails）？

BUT: How does Spring Security call the SaltSource? Always with saltSource.getSalt(userDetails)?

然后我只是要确保我的 SaltSource 使用 userDetails.accountName 我的 accountDAO 来获取盐。

Then I'd just have to make sure my SaltSource uses userDetails.accountName on my accountDAO to retrieve the salt.

EDIT2：

刚刚得知，我的做法是..遗留.. :(所以我想我就用 StandardPasswordEn codeR （我还是要图如何准确使用）。

Just learned that my approach is.. legacy.. :( So I guess I'll just use the StandardPasswordEncoder (which I still have to figure out how to use exactly).

顺便说一句：我实现与自定义的UserDetails类延伸的用户类，只是加入其中，然后被传递给SaltSource作为userPropertyToUse就像它已经在编辑1中提到的SO交提出了一种盐属性的第一个选项...

BTW: I implemented the first option with a custom UserDetails class extending the User class and just adding a salt property which an then be passed to the SaltSource as a userPropertyToUse just like it has been proposed in the SO post mentioned in Edit 1...

修改3：

刚拿到StandardPasswordEn codeR工作，所以我会离开这里一些提示：

Just got the StandardPasswordEncoder working, so I'll leave some pointers here:

使用的StandardPasswordEn codeR身份验证：

Use the StandardPasswordEncoder for Authentication:

<beans:bean id="encoder" 
    class="org.springframework.security.crypto.password.StandardPasswordEncoder">
</beans:bean>


<authentication-manager>
    <authentication-provider user-service-ref="userDetailsService">
        <password-encoder ref="encoder" />         
    </authentication-provider>
</authentication-manager>

这需要版本3.1.0.RC弹簧安全加密模块？据我所知。找不到具有3.0的存储库。版本（即使某处它的版本中列出，其中包括3.0.6等）。另外关于Spring 3.1的安全性，所以我想通了单证的会谈，我就试着用用。

This requires the spring-security-crypto module in version 3.1.0.RC? as far as I know. Couldn't find any repository that has a 3.0. version (even though somewhere it had the versions listed that included 3.0.6 and so on). Also the documentations talks about spring security 3.1 so I figured, I'll just go with that.

在创建用户（对我来说只有一个管理员可以做到这一点），我只是用

When creating a user (for me only an admin can do that), I just use

        StandardPasswordEncoder encoder = new StandardPasswordEncoder();
        String result = encoder.encode(password);

和我完成了。

春季安全将随机产生盐和它在数据库中存储它，之前加入到密码字符串的是不再需要无盐柱

Spring security will randomly create a salt and add it to the password string before storing it in the database so no salt column is needed anymore.

一个可以但是也可以提供一个全球性的盐作为构造函数的参数（新StandardPasswordEn codeR（12345）; ），但我不知道如何设置我的安全配置来从一个bean的值，而不是与提供静态字符串＆LT;构造带参数的名称=秘密值12345/＆GT; 。但我不知道有多少是需要反正

One can however also provide a global salt as a constructor argument (new StandardPasswordEncoder("12345");), but I didn't know how to set up my security configuration to retrieve that value from a bean instead of supplying a static string with <constructor-arg name="secret" value "12345" />. But I don't know how much that is needed anyway.

推荐答案

我要纪念这个作为回答，因为我解决我的问题，并给予没有其他意见或答案：

I'll mark this as answered, as I solved my problem and no other comments or answers were given:

修改1 - 替代1 回答了原来的问题

BUT 我必须知道自定义密码盐是不是在春季安全3.1更多的需要一种传统的做法，正如我在

BUT I had to learn that customized password salting is a legacy approach that is not needed in Spring Security 3.1 any more, as I describe in

修改3 在那里我留下了如何使用 StandardPasswordEn codeR 为存储的密码自动盐一些指点。

Edit 3 where I left some pointers on how to use the StandardPasswordEncoder for automated Salts that are stored with the password.

这篇关于Spring Security的自定义身份验证和密码编码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！