How to change password hashing algorithm when using spring security?


Problem description

I'm working on a legacy Spring MVC based web application which is using a - by current standards - inappropriate hashing algorithm. Now I want to gradually migrate all hashes to bcrypt. My high level strategy is:

  • New hashes are generated with bcrypt by default.
  • When a user logs in successfully and still has a legacy-style hash, the application replaces the old hash with a new bcrypt hash.

What is the most idiomatic way of implementing this strategy with Spring Security? Should I use a custom Filter or my own AccessDecisionManager or …?

Recommended answer

You'll probably have to customize your AuthenticationProvider, since that is where the password is actually compared with the user data and you have all the information you need available.

In the authenticate method, you would first load the user data. Then check the user-supplied password with both a BCryptPasswordEncoder and your legacy one. If neither returns a match, throw a BadCredentialsException.

If the user authenticates successfully (very important :-)) and the password is in the legacy format (the legacy encoder matched), you would then call some additional code to update the user's account data and replace the legacy hash with a bcrypt one. The BCryptPasswordEncoder can also be used to create the new hashes.

If you want, you could detect in advance whether the stored hash was already bcrypt before doing the comparisons. Bcrypt strings have quite a distinct format.

Note also that to make it harder to guess valid account names, you should try to make the method behave the same both when a supplied username exists and when it doesn't (in terms of the time it takes). So call the encoders even when you don't have any user data for the supplied username.
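The steps of the answer put together in one custom AuthenticationProvider, as an added example that is not part of the original answer. The question does not say which legacy algorithm the application uses, so unsalted SHA-1 hex is assumed here as a stand-in; `PasswordHashStore` is a hypothetical persistence hook for writing the new hash back, and `MigratingAuthenticationProvider` is an invented class name. Everything else is the public Spring Security API (`AuthenticationProvider`, `UserDetailsService`, `BCryptPasswordEncoder`, `BadCredentialsException`).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.regex.Pattern;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.authentication.LockedException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

public class MigratingAuthenticationProvider implements AuthenticationProvider {

    /** Assumed persistence hook (not a Spring interface): stores the re-hashed password. */
    public interface PasswordHashStore {
        void updatePasswordHash(String username, String newHash);
    }

    /** Stand-in for the application's legacy scheme; assumed to be unsalted SHA-1 hex. */
    static final class LegacySha1PasswordEncoder implements PasswordEncoder {
        @Override
        public String encode(CharSequence raw) {
            try {
                byte[] d = MessageDigest.getInstance("SHA-1")
                        .digest(raw.toString().getBytes(StandardCharsets.UTF_8));
                StringBuilder sb = new StringBuilder(d.length * 2);
                for (byte b : d) sb.append(String.format("%02x", b));
                return sb.toString();
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalStateException(e);
            }
        }

        @Override
        public boolean matches(CharSequence raw, String stored) {
            if (stored == null) return false;
            // MessageDigest.isEqual compares in constant time for equal-length inputs
            return MessageDigest.isEqual(encode(raw).getBytes(StandardCharsets.UTF_8),
                                         stored.getBytes(StandardCharsets.UTF_8));
        }
    }

    // bcrypt hashes are 60 chars and start with $2a$, $2b$ or $2y$ followed by the cost
    private static final Pattern BCRYPT_FORMAT = Pattern.compile("^\\$2[aby]\\$\\d\\d\\$.{53}$");

    private final UserDetailsService users;
    private final PasswordHashStore store;
    private final PasswordEncoder bcrypt = new BCryptPasswordEncoder();
    private final PasswordEncoder legacy = new LegacySha1PasswordEncoder();
    // Hashes of a random startup secret: used as the "other" operand so that both encoders
    // run on every attempt, whether or not the user exists or which format is stored.
    private final String dummyBcrypt;
    private final String dummyLegacy;

    public MigratingAuthenticationProvider(UserDetailsService users, PasswordHashStore store) {
        this.users = users;
        this.store = store;
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        String nonce = Base64.getEncoder().encodeToString(secret);
        this.dummyBcrypt = bcrypt.encode(nonce);
        this.dummyLegacy = legacy.encode(nonce);
    }

    @Override
    public Authentication authenticate(Authentication auth) throws AuthenticationException {
        String username = auth.getName();
        String presented = auth.getCredentials() == null ? "" : auth.getCredentials().toString();

        UserDetails user;
        try {
            user = users.loadUserByUsername(username);
        } catch (UsernameNotFoundException e) {
            // Unknown user: still pay for both comparisons so timing does not reveal it
            bcrypt.matches(presented, dummyBcrypt);
            legacy.matches(presented, dummyLegacy);
            throw new BadCredentialsException("Bad credentials");
        }

        String stored = user.getPassword();
        boolean storedIsBcrypt = stored != null && BCRYPT_FORMAT.matcher(stored).matches();
        // Always run both encoders; only the one matching the stored format decides the outcome
        boolean bcryptHit = bcrypt.matches(presented, storedIsBcrypt ? stored : dummyBcrypt);
        boolean legacyHit = legacy.matches(presented, storedIsBcrypt ? dummyLegacy : stored);
        if (!(storedIsBcrypt ? bcryptHit : legacyHit)) {
            throw new BadCredentialsException("Bad credentials");
        }
        if (!user.isEnabled()) throw new DisabledException("User is disabled");
        if (!user.isAccountNonLocked()) throw new LockedException("User account is locked");

        if (!storedIsBcrypt) {
            // Authenticated against the legacy hash, so the plaintext is in hand: re-hash it now
            store.updatePasswordHash(user.getUsername(), bcrypt.encode(presented));
        }
        return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Register the provider with the AuthenticationManager in place of the default DaoAuthenticationProvider (for example via `AuthenticationManagerBuilder.authenticationProvider(...)`). The upgrade is deliberately done only after a successful match, so a wrong password can never overwrite a stored hash, and the legacy comparison uses a constant-time byte comparison rather than `String.equals`. Since Spring Security 5.0 the same migration can be had without a custom provider when stored hashes can carry an `{id}` prefix: `DelegatingPasswordEncoder` selects the encoder by prefix and `DaoAuthenticationProvider` calls `UserDetailsPasswordService.updatePassword` whenever `PasswordEncoder.upgradeEncoding` reports that the stored hash should be re-encoded.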
