如何使用Spring Security的新PasswordEncoder [英] How to use new PasswordEncoder from Spring Security
问题描述
从Spring Security 3.1.4.RELEASE开始,旧的 org.springframework.security.authentication.encoding.PasswordEncoder
已被弃用,转而使用 org.springframework.security .crypto.password.PasswordEncoder
。由于我的申请还没有向公众发布,我决定转向新的,而不是弃用的API。
As of Spring Security 3.1.4.RELEASE, the old org.springframework.security.authentication.encoding.PasswordEncoder
has been deprecated in favour of org.springframework.security.crypto.password.PasswordEncoder
. As my application has not been released to the public yet, I decided to move to the new, not deprecated API.
到现在为止,我有一个 ReflectionSaltSource
自动使用用户的注册日期作为每用户盐密码。
Until now, I had a ReflectionSaltSource
that automatically used the user's registration date as per-user salt for password.
String encodedPassword = passwordEncoder.encodePassword(rawPassword, saltSource.getSalt(user));
在登录过程中,Spring还使用我的bean来验证用户是否可以登录我无法在新密码编码器中实现这一点,因为SHA-1的默认实现 - StandardPasswordEncoder
只能在编码器创建期间添加全局密码盐。
During login process, Spring also used my beans to appropriate verify if the user can or can not sign in. I can't achieve this in the new password encoder, because the default implementation of SHA-1 - StandardPasswordEncoder
has only ability to add a global secret salt during the encoder creation.
有没有合理的方法如何使用未弃用的API进行设置?
Is there any reasonable method of how to set it up with the non-deprecated API?
推荐答案
如果您实际上没有使用现有格式注册任何用户,那么您最好切换到使用 BCrypt密码编码器而不是。
If you haven't actually registered any users with your existing format then you would be best to switch to using the BCrypt password encoder instead.
它不那么麻烦,因为你根本不必担心盐 - 细节完全封装在编码器。使用BCrypt比使用普通哈希算法更强大,它也是与使用其他语言的应用程序兼容的标准。
It's a lot less hassle, as you don't have to worry about salt at all - the details are completely encapsulated within the encoder. Using BCrypt is stronger than using a plain hash algorithm and it's also a standard which is compatible with applications using other languages.
没有理由选择任何其他选项对于新的申请。
There's really no reason to choose any of the other options for a new application.
这篇关于如何使用Spring Security的新PasswordEncoder的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!