Spring LDAP - How to manage encoded (SHA) password

Question

I want to implement a basic user repository using Spring LDAP and its concept of Object-Directory Mapping (ODM).

My User class is pretty straightforward:

import javax.naming.Name;
import org.springframework.ldap.odm.annotations.Attribute;
import org.springframework.ldap.odm.annotations.DnAttribute;
import org.springframework.ldap.odm.annotations.Entry;
import org.springframework.ldap.odm.annotations.Id;

@Entry(objectClasses = { "inetOrgPerson", "organizationalPerson", "person", "shadowAccount", "top" }, base = "ou=people")
public class User {
    [...]

    @Id
    private Name dn;

    @Attribute(name = "uid")
    @DnAttribute(value = "uid")
    private String username;

    @Attribute(name = "cn")
    private String fullName;

    @Attribute(name = "givenName")
    private String firstName;

    @Attribute(name = "sn")
    private String lastName;

    @Attribute(name = "o")
    private String organization;

    @Attribute(name = "userPassword")
    private String password;

    // Getters & Setters
    [...]
}

And basic methods of my repository:

// query() is the static import org.springframework.ldap.query.LdapQueryBuilder.query
public User findByUid(String uid) {
    return ldapTemplate.findOne(query().where("uid").is(uid), User.class);
}

public void update(User user) {
    ldapTemplate.update(user);
}

Everything works fine except for the password attribute. For example, if I change only the user first name, the password is also changed.

I want to know how to deal with an encoded password (using the SHA - Secure Hashing Algorithm).

I don't see any annotations that allow specifying the encoding method.

Do we have to handle this manually?

Recommended answer

Short version

@Attribute(name = "userPassword", type = Type.BINARY)
private byte[] password;

is the correct definition of your password attribute. This is because LDAP stores the password as binary too.

To provide a convenient way of interaction, you should modify the setter for password

public void setPassword(String password) {
    this.password = password.getBytes(Charset.forName("UTF-8"));
}

Long version

The problem is your definition of userPassword. It is a java.lang.String. And the Spring LDAP ODM Attribute annotation defaults to Type.STRING

Your LDAP gets the string as a byte array and checks if it has a proper prefix (in our case {SSHA}). If there is no prefix present it hashes the given string with its configured hash algorithm and stores it in the attribute as binary. Here lies the root cause. Your attribute definition differs. LDAP has a binary, you have a string.

When you read the entry again, to modify the first name, the password attribute gets read too. But, as it should be a string in the object, Spring converts the binary array to a string. This conversion is wrong, as it creates a string.

For example:

  • you put test in the password field of your entity object.
  • Spring takes the string and sends it unmodified to the LDAP server.
  • the server hashes the string and saves it as {SSHA}H97JD...
  • you read the entry again
  • spring gets a byte[] containing the ascii numbers representing the stored value

[123, 83, 83, 72, 65, 125, 72, 57, 55, 74, 68, ...]

a conversion to a string results in the following:

123,83,83,72,65,125,72,57,55,74,68,...

Spring sets this string in your entity as the password value.
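Putting the answer together, as an added example that is not code from the original question or answer: the entity with userPassword mapped as BINARY, so that reading a user, changing the first name and calling ldapTemplate.update() writes the stored {SSHA} hash back unchanged instead of a mangled "123,83,83,..." string. The holdsServerHash helper and the trimmed objectClass list are this example's own assumptions, not Spring LDAP API.

```java
import java.nio.charset.StandardCharsets;
import javax.naming.Name;
import org.springframework.ldap.odm.annotations.Attribute;
import org.springframework.ldap.odm.annotations.DnAttribute;
import org.springframework.ldap.odm.annotations.Entry;
import org.springframework.ldap.odm.annotations.Id;

@Entry(objectClasses = { "inetOrgPerson", "organizationalPerson", "person", "top" },
       base = "ou=people")
public class User {

    @Id
    private Name dn;

    @Attribute(name = "uid")
    @DnAttribute(value = "uid")
    private String username;

    @Attribute(name = "givenName")
    private String firstName;

    // BINARY keeps the bytes the directory returns (e.g. "{SSHA}..." as bytes);
    // no String conversion happens on read, so ldapTemplate.update() writes
    // the same hash back rather than a "123,83,83,..." string.
    @Attribute(name = "userPassword", type = Attribute.Type.BINARY)
    private byte[] password;

    public String getFirstName() { return firstName; }

    public void setFirstName(String firstName) { this.firstName = firstName; }

    // Accepts a new clear-text password; the directory hashes it on store
    // (the server only does so when the value carries no "{...}" prefix).
    public void setPassword(String clearText) {
        this.password = clearText.getBytes(StandardCharsets.UTF_8);
    }

    // Hypothetical helper (not a Spring LDAP API): true when the held value is a
    // directory-side hash such as "{SSHA}H97JD...", i.e. it came from a read and
    // must go back untouched rather than be treated as a clear-text password.
    public boolean holdsServerHash() {
        if (password == null || password.length < 3 || password[0] != '{') {
            return false;
        }
        String value = new String(password, StandardCharsets.US_ASCII);
        return value.indexOf('}') > 1;
    }
}
```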
