春季安全盐 [英] Spring Security Salt

问题描述

我正在尝试在添加新用户/密码时添加盐，但是文档似乎缺少该操作的方法.

I'm trying to add a salt when adding a new user/pwd, but the docs seem to be missing how to do this.

这是一个基本示例:

<authentication-manager>
    <authentication-provider user-service-ref="userDetailsService">
        <password-encoder hash="md5">
            <salt-source user-property="username"/>
        </password-encoder>
    </authentication-provider>
</authentication-manager>

通过示例可以看到，没有使用自定义盐或自定义密码编码器.

You can see by the example that neither a custom salt or custom password encoder is used.

那么，在添加新用户/密码时我该如何连接Salt?我认为这可能与以下内容类似:

So, how would I wire the Salt in when adding a new user/pwd? I'd assume it would be something along the lines of:

@Autowired SaltSource saltSource;
protected void foo(final CustomUser user) {
    final PasswordEncoder encoder = new Md5PasswordEncoder();
    user.setPassword(encoder.encodePassword(user.getPassword(), saltSource));
}

但是，由于我使用的是默认的盐/密码编码器，而我没有自定义的盐豆，因此自动装配会失败.

However, since I am using the default salt/password encoders and I don't have a custom salt bean the autowire would fail.

有任何线索使这项工作有效吗?

Any clue how to make this work?

推荐答案

添加用户时，不会自动连接SaltSource. SaltSource是Spring用来提供盐源的抽象，仅用于密码检查.

You don't autowire the SaltSource when adding user. The SaltSource is an abstraction used by Spring to provide the source of the salt for password checking only.

创建正确编码的密码哈希您只需将盐本身放到PasswordEncoder-username属性的值，而不是SaltSource:

To create a properly encoded password hash You just past the salt itself to the PasswordEncoder - the value of username property, not the SaltSource:

private PasswordEncoder encoder = new Md5PasswordEncoder();

public User createUser(String username, String plainTextPassword) {
    User u = new User();
    u.setUsername(username);
    u.setPassword(encoder.encodePassword(plainTextPassword, username));
    getEntityManager().persist(u); // optional
    return u;
}

---

此外，在将SaltSource的自动装配定义为内部bean之前，该装配不会起作用.您可以将ReflectionSaltSource定义为顶级bean，并将其ID传递给password-encoder，即:

---

Moreover the autowire of SaltSource won't work until it's defined as an inner bean. You could define the ReflectionSaltSource as top level bean and pass it's ID to the password-encoder, i.e.:

<bean id="saltSource"
    class="org.springframework.security.authentication.dao.ReflectionSaltSource"
    p:userPropertyToUse="username" />

<bean id="passwordEncoder" 
    class="org.springframework.security.authentication.encoding.Md5PasswordEncoder" />

<bean id="daoAuthenticationProvider"
    class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"
    p:passwordEncoder-ref="passwordEncoder"
    p:saltSource-ref="saltSource"
    p:userDetailsService-ref="userDetailsService" />

<authentication-manager>
    <authentication-provider ref="daoAuthenticationProvider" />
</authentication-manager>

然后:

@Autowired private PasswordEncoder passwordEncoder;
@Autowired private SaltSource saltSource;

public CustomUserDetails createUser(String username, String plainTextPassword) {
    CustomUserDetails u = new CustomUserDetails();
    u.setUsername(username);
    u.setPassword(passwordEncoder.encodePassword(
            plainTextPassword, saltSource.getSalt(u)));
    getEntityNamager().persist(u); // optional
    return u;
} 

这篇关于春季安全盐的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！