春季安全盐 [英] Spring Security Salt
问题描述
我正在尝试在添加新用户/密码时添加盐,但是文档似乎缺少该操作的方法.
I'm trying to add a salt when adding a new user/pwd, but the docs seem to be missing how to do this.
这是一个基本示例:
<authentication-manager>
<authentication-provider user-service-ref="userDetailsService">
<password-encoder hash="md5">
<salt-source user-property="username"/>
</password-encoder>
</authentication-provider>
</authentication-manager>
通过示例可以看到,没有使用自定义盐或自定义密码编码器.
You can see by the example that neither a custom salt or custom password encoder is used.
那么,在添加新用户/密码时我该如何连接Salt?我认为这可能与以下内容类似:
So, how would I wire the Salt in when adding a new user/pwd? I'd assume it would be something along the lines of:
@Autowired SaltSource saltSource;
protected void foo(final CustomUser user) {
final PasswordEncoder encoder = new Md5PasswordEncoder();
user.setPassword(encoder.encodePassword(user.getPassword(), saltSource));
}
但是,由于我使用的是默认的盐/密码编码器,而我没有自定义的盐豆,因此自动装配会失败.
However, since I am using the default salt/password encoders and I don't have a custom salt bean the autowire would fail.
有任何线索使这项工作有效吗?
Any clue how to make this work?
推荐答案
添加用户时,不会自动连接SaltSource
. SaltSource
是Spring用来提供盐源的抽象,仅用于密码检查.
You don't autowire the SaltSource
when adding user. The SaltSource
is an abstraction used by Spring to provide the source of the salt for password checking only.
创建正确编码的密码哈希您只需将盐本身放到PasswordEncoder
-username
属性的值,而不是SaltSource
:
To create a properly encoded password hash You just past the salt itself to the PasswordEncoder
- the value of username
property, not the SaltSource
:
private PasswordEncoder encoder = new Md5PasswordEncoder();
public User createUser(String username, String plainTextPassword) {
User u = new User();
u.setUsername(username);
u.setPassword(encoder.encodePassword(plainTextPassword, username));
getEntityManager().persist(u); // optional
return u;
}
此外,在将SaltSource
的自动装配定义为内部bean之前,该装配不会起作用.您可以将ReflectionSaltSource
定义为顶级bean,并将其ID传递给password-encoder
,即:
Moreover the autowire of SaltSource
won't work until it's defined as an inner bean. You could define the ReflectionSaltSource
as top level bean and pass it's ID to the password-encoder
, i.e.:
<bean id="saltSource"
class="org.springframework.security.authentication.dao.ReflectionSaltSource"
p:userPropertyToUse="username" />
<bean id="passwordEncoder"
class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />
<bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"
p:passwordEncoder-ref="passwordEncoder"
p:saltSource-ref="saltSource"
p:userDetailsService-ref="userDetailsService" />
<authentication-manager>
<authentication-provider ref="daoAuthenticationProvider" />
</authentication-manager>
然后:
@Autowired private PasswordEncoder passwordEncoder;
@Autowired private SaltSource saltSource;
public CustomUserDetails createUser(String username, String plainTextPassword) {
CustomUserDetails u = new CustomUserDetails();
u.setUsername(username);
u.setPassword(passwordEncoder.encodePassword(
plainTextPassword, saltSource.getSalt(u)));
getEntityNamager().persist(u); // optional
return u;
}
这篇关于春季安全盐的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!