Spring Security: password encoding in DB and in applicationContext


Question

I have this config (applicationContext-security.xml):

<authentication-manager alias="authenticationManager">
    <authentication-provider>
    <password-encoder hash="sha"/>
        <jdbc-user-service data-source-ref="dataSource"/>
    </authentication-provider>
</authentication-manager>

On the other side, I have the SQL from my dataSource (it's JdbcDaoImpl):

...
    public static final String DEF_USERS_BY_USERNAME_QUERY =
            "select username,password,enabled " +
            "from users " +
            "where username = ?";
...

There is no word about sha in this code, so the password selected from the standard Spring Security users table is not encoded.

Perhaps I should provide some sha attribute for the password column in my Hibernate mapping config here:

<class name="model.UserDetails" table="users">
    <id name="id">
        <generator class="increment"/>
    </id>
    <property name="username" column="username"/>
    <property name="password" column="password"/>
    <property name="enabled" column="enabled"/>
    <property name="mail" column="mail"/>
    <property name="city" column="city"/>
    <property name="confirmed" column="confirmed"/>
    <property name="confirmationCode" column="confirmation_code"/>

    <set name="authorities" cascade="all" inverse="true">
        <key column="id" not-null="true"/>
        <one-to-many class="model.Authority"/>
    </set>

</class>

For now the password is saved to the DB as is, but it should be encoded.

How do I make the applicationContext config and the DB queries use the same password encoding?

Answer

If you are choosing a hashing system yourself, rather than building an app using an existing database which already contains hashed passwords, then you should make sure your hashing algorithm also uses a salt. Don't just use a plain digest.

A good choice is bcrypt, which we now support directly in Spring Security 3.1 via the BCryptPasswordEncoder (implemented using jBCrypt). This automatically generates a salt and concatenates it with the hash value in a single String.

Some databases have built-in support for hashing (e.g. Postgres). Otherwise, you need to hash the password yourself before passing it to JDBC:

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

// encode() generates a random salt and returns "$2a$..." (salt and hash in one string)
String password = "plaintextPassword";
PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
String hashedPassword = passwordEncoder.encode(password);

That's all you need to do to encode the passwords when you create a user.

For authentication, you would use something like:

<bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

<bean id="authProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
  <property name="userDetailsService" ref="yourJdbcUserService" />
  <property name="passwordEncoder" ref="encoder" />
</bean>
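The two halves of the answer (hash at registration time, verify with the same encoder at login time) put together as an added example. This is not code from the answer, from the asker, or from Spring Security itself; the class name UserRegistrationService and its methods are hypothetical, and it assumes the default users/authorities tables that JdbcDaoImpl queries. The saltedHashesDiffer method goes slightly beyond the answer by showing concretely what the salt buys you.

```java
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;

import javax.sql.DataSource;

/**
 * Hypothetical registration service (not part of Spring Security): stores users
 * in the standard "users" / "authorities" tables, hashing the password with
 * bcrypt before it ever reaches JDBC, and checks a login attempt with the same
 * encoder that DaoAuthenticationProvider is wired with.
 */
public class UserRegistrationService {

    // Must be the same encoder type as the "encoder" bean in the XML config,
    // otherwise stored hashes and login checks will never agree.
    private final PasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
    private final JdbcTemplate jdbcTemplate;

    public UserRegistrationService(DataSource dataSource) {
        this.jdbcTemplate = new JdbcTemplate(dataSource);
    }

    /** Creates a user; only the bcrypt string (salt + hash) is written to the DB. */
    public String register(String username, String plaintextPassword) {
        String hashed = passwordEncoder.encode(plaintextPassword);
        jdbcTemplate.update(
            "insert into users (username, password, enabled) values (?, ?, ?)",
            username, hashed, true);
        jdbcTemplate.update(
            "insert into authorities (username, authority) values (?, ?)",
            username, "ROLE_USER");
        return hashed;
    }

    /**
     * Manual login check; DaoAuthenticationProvider does exactly this internally
     * once its passwordEncoder property points at a BCryptPasswordEncoder.
     */
    public boolean checkPassword(String username, String attempt) {
        String stored = jdbcTemplate.queryForObject(
            "select password from users where username = ?", String.class, username);
        // matches() re-hashes the attempt with the salt embedded in the stored value
        return passwordEncoder.matches(attempt, stored);
    }

    /**
     * Why a salted hash matters: encoding the same password twice yields two
     * different stored strings, yet both verify. With a plain unsalted digest
     * (e.g. hash="sha") every user with the same password would share one row value.
     */
    public static boolean saltedHashesDiffer(String plaintextPassword) {
        PasswordEncoder encoder = new BCryptPasswordEncoder();
        String first = encoder.encode(plaintextPassword);
        String second = encoder.encode(plaintextPassword);
        return !first.equals(second)
            && encoder.matches(plaintextPassword, first)
            && encoder.matches(plaintextPassword, second);
    }
}
```

If the asker keeps saving users through the Hibernate mapping shown in the question rather than through JdbcTemplate, the same rule applies: call passwordEncoder.encode() on the plaintext and set the result on the mapped password property before the session saves the entity. No attribute on the Hibernate mapping does this for you; the mapping only moves whatever value the object holds.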
