创建帐户、忘记密码和更改密码 [英] Create Account, Forgot Password and Change Password

问题描述

Spring Security 非常适合开发人员想要保护其 Web 应用的安全.

Spring Security is great when the developer wants to secure his web app.

但是，如何创建帐户?和忘记密码"?大多数登录页面都有这些链接以及用户名和密码字段.Spring 的默认登录页面没有这些链接...在好的情况下，它可以支持记住我"...

However, what about creating the account? and "forgot password"? most login pages have these links as well as the username and password fields. Spring's default login-page does not have these links... in the good case, it can support "remember me"...

Spring 是否支持创建帐户、忘记密码和更改密码的这些流程?如果答案是肯定的，能否请您指点我一些文档?

Does Spring supports these flows, of Create Account, Forgot Password and Change Password? If the answer is yes, can you please point me to some documentations?

我已经搜索过这个问题，但没有找到任何东西.

I've searched this issue but could not find anything.

谢谢！

推荐答案

你说得对.AFAIK 没有实现这些流程的通用"包.前段时间我搜索了很多此类代码，但一无所获.我认为@luizcarlosfx 是对的，每个应用程序都有自己的需求，因此很难编写适合所有需求的通用内容.

You are completely right. AFAIK there is no "generic" package that implements these flows. I've searched a lot for this kind of code a while ago, and found nothing. I think that @luizcarlosfx is right, that each application has its own needs, therefore it is hard to write something generic that fits all needs.

我看到了诸如实施起来并不难"之类的评论.真的.但是您必须确保处理所有情况.例如，如果用户尝试创建已经存在的帐户会发生什么?如果用户尝试创建已经存在但不活动的帐户会发生什么?密码的策略呢?(太长/太短/多少大写等)如何将带有激活链接的电子邮件发送给用户?你如何创建这个链接?你如何加密它?将收到链接点击并激活帐户的控制器呢?越来越多……

I saw comments like "It's not so difficult to implement". True. But you have to make sure you take care of all cases. For example, what happens if a user tries to create account that is already exists? what happens if a user tries to create account that is already exists but inactive? what about the policy of the password? (too long/too short/how many capital etc) what about sending the email with the activation link to the user? how fo you create this link? how do you encrypt it? what about the controller that will receive the click on the link and activate the account? and more and more...

然而，我向前迈进了一步，并尝试编写一些可以回答大多数流程的东西 - 注册、忘记密码、更改密码等，以及一些足够安全的东西，以便应用程序可以使用它而不必担心它很容易被黑客入侵.

However, I took it a step forward and tried to code something that will answer most flows - registration, forgot-password, change password etc, and something that will be secured enough so applications will be able to use it without the fear that it will be easily hacked.

我已经为此用例实施了一个 JAVA 项目.它是开源的，基于 Spring-Security.发布版本在 Maven-Central 上，因此您不需要编译它，而是可以将其作为 maven 依赖项获取到您的项目中！

I have implemented a JAVA project for this use case. It is open source, based on Spring-Security. A release version is on Maven-Central, so you do not need to compile it, but instead you can fetch it as maven-dependency to your project!

<dependency>
    <groupId>com.ohadr</groupId>
    <artifactId>authentication-flows</artifactId>
    <version>1.5.0-RELEASE</version>
</dependency>

我认为它回答了您的问题...

I think it answers your question...

一切都有解释(如果有什么遗漏 - 让我知道......)

There are explanations for everything (and if something is missing - let me know...)

您可以在此处找到客户端应用程序代码(即用法)的示例.

You can find here an example for a client application's code (i.e. the usage).

这是项目的主页加上一个演示，还有另一个演示在这里(但这是一个应用程序，升级到版本 1.6.1 后需要使用nice"域的电子邮件登录 - nice.com.所以你不能真正使用它用于演示；使用第一个示例).这是一个使用 auth-flows 的客户端网络应用程序，带有所有解释的自述文件.

This is the main page of the project plus a demo, and another demo is here (but this is an app that after upgrading to version 1.6.1 requires login with email with "nice" domain - nice.com. so you cannot really use it for demo; use the first example). This is a client web-app that uses the auth-flows, with the README with all explanations.

希望有帮助！

这篇关于创建帐户、忘记密码和更改密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！