Spring LDAP - How to manage encoded (SHA) password


Question

I want to implement a basic user repository using Spring LDAP and its concept of Object-Directory Mapping (ODM).

我的用户类非常简单:

import javax.naming.Name;

import org.springframework.ldap.odm.annotations.Attribute;
import org.springframework.ldap.odm.annotations.DnAttribute;
import org.springframework.ldap.odm.annotations.Entry;
import org.springframework.ldap.odm.annotations.Id;

@Entry(objectClasses = { "inetOrgPerson", "organizationalPerson", "person", "shadowAccount", "top" }, base = "ou=people")
public class User {
    [...]

    @Id
    private Name dn;

    // uid is both an attribute and the RDN component of the entry's DN
    @Attribute(name = "uid")
    @DnAttribute(value = "uid")
    private String username;

    @Attribute(name = "cn")
    private String fullName;

    @Attribute(name = "givenName")
    private String firstName;

    @Attribute(name = "sn")
    private String lastName;

    @Attribute(name = "o")
    private String organization;

    // mapped as a String (the ODM default, Type.STRING); this is the attribute that misbehaves
    @Attribute(name = "userPassword")
    private String password;

    // Getters & Setters
    [...]
}

And the basic methods of my repository:

import static org.springframework.ldap.query.LdapQueryBuilder.query;

// ldapTemplate is an injected org.springframework.ldap.core.LdapTemplate

public User findByUid(String uid) {
    // maps the matching entry onto User, including userPassword
    return ldapTemplate.findOne(query().where("uid").is(uid), User.class);
}

public void update(User user) {
    // writes every mapped attribute back to the directory, userPassword among them
    ldapTemplate.update(user);
}

Everything works fine except for the password attribute. For example, if I change only the user first name, the password is also changed.

I want to know how to deal with an encoded password (using the SHA - Secure Hashing Algorithm).

I don't see any annotations allowing to specify the encoding method.

Do we have to handle it manually?

Recommended answer

Short version

@Attribute(name = "userPassword", type = Type.BINARY)
private byte[] password;

is the correct definition of your password attribute. This is because LDAP stores the password as binary too.

To provide a convenient way of interaction, you should modify the setter for password:

public void setPassword(String password) {
    this.password = password.getBytes(Charset.forName("UTF-8"));
}

Long version

The problem is your definition of userPassword. It is a java.lang.String, and the Spring LDAP ODM Attribute annotation defaults to Type.STRING.

Your LDAP gets the string as a byte array and checks if it has a proper prefix (in our case {SSHA}). If there is no prefix present, it hashes the given string with its configured hash algorithm and stores it in the attribute as binary. Here lies the root cause: your attribute definition differs. LDAP has a binary, you have a string.

When you read the entry again, to modify the first name, the password attribute gets read too. But, as it should be a string in the object, Spring converts the binary array to a string. This conversion is wrong, as it creates a string.

For example:

  • You put test in the password field of your entity object.
  • Spring takes the string and sends it unmodified to the LDAP server.
  • The server hashes the string and saves it as {SSHA}H97JD...
  • You read the entry again.
  • Spring gets a byte[] containing the ASCII numbers representing the stored value:

[123, 83, 83, 72, 65, 125, 72, 57, 55, 74, 68, ...]

A conversion to a string results in the following:

123,83,83,72,65,125,72,57,55,74,68,...

Spring sets this string in your entity as the password value.
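The answer relies on the server recognising a {SSHA} prefix and keeping such a value verbatim. The following is an added example, not code from the question, the answer or Spring LDAP, that produces and checks userPassword values in that scheme with the JDK only, so the entity can store an already hashed value instead of handing the directory a cleartext string. The class name SshaPassword and the 8-byte salt are assumptions; the format itself is the one written by OpenLDAP's slappasswd: "{SSHA}" followed by base64(SHA-1(password || salt) || salt).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

/**
 * Hypothetical helper (not part of Spring LDAP or of the original answer) that
 * produces and checks userPassword values in the {SSHA} scheme as written by
 * OpenLDAP's slappasswd:  "{SSHA}" + base64( SHA-1(password || salt) || salt ).
 * A value that already carries the prefix is kept verbatim by the server, so a
 * later findOne()/update() round trip writes back exactly the bytes it read.
 */
public final class SshaPassword {
    private static final String PREFIX = "{SSHA}";
    private static final int SHA1_LEN = 20;  // SHA-1 digest length in bytes
    private static final int SALT_LEN = 8;   // assumption; slappasswd uses 4, any length verifies
    private static final SecureRandom RNG = new SecureRandom();

    private SshaPassword() {}

    /** Hash a cleartext password with a fresh random salt; the result is what the byte[] field holds. */
    public static byte[] encode(String password) {
        byte[] salt = new byte[SALT_LEN];
        RNG.nextBytes(salt);
        return encode(password, salt);
    }

    /** Deterministic variant: the same password and salt always give the same stored value. */
    static byte[] encode(String password, byte[] salt) {
        byte[] digest = sha1(password.getBytes(StandardCharsets.UTF_8), salt);
        byte[] digestAndSalt = Arrays.copyOf(digest, digest.length + salt.length);
        System.arraycopy(salt, 0, digestAndSalt, digest.length, salt.length);
        String value = PREFIX + Base64.getEncoder().encodeToString(digestAndSalt);
        return value.getBytes(StandardCharsets.US_ASCII);
    }

    /** True if candidate matches a stored {SSHA} value; other schemes and malformed values give false. */
    public static boolean matches(String candidate, byte[] stored) {
        if (stored == null) {
            return false;
        }
        String value = new String(stored, StandardCharsets.US_ASCII);
        if (!value.startsWith(PREFIX)) {
            return false;  // cleartext, {SHA}, {CRYPT}, ... are not handled here
        }
        byte[] digestAndSalt;
        try {
            digestAndSalt = Base64.getDecoder().decode(value.substring(PREFIX.length()));
        } catch (IllegalArgumentException malformed) {
            return false;
        }
        if (digestAndSalt.length < SHA1_LEN) {
            return false;
        }
        // the salt is whatever follows the 20-byte digest, so any salt length verifies
        byte[] storedDigest = Arrays.copyOfRange(digestAndSalt, 0, SHA1_LEN);
        byte[] salt = Arrays.copyOfRange(digestAndSalt, SHA1_LEN, digestAndSalt.length);
        byte[] candidateDigest = sha1(candidate.getBytes(StandardCharsets.UTF_8), salt);
        return MessageDigest.isEqual(storedDigest, candidateDigest);  // constant-time comparison
    }

    private static byte[] sha1(byte[] password, byte[] salt) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            md.update(password);
            md.update(salt);
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-1 is a mandatory JCA algorithm", e);
        }
    }

    public static void main(String[] args) {
        byte[] stored = encode("test");  // "test" is a constructed sample password
        System.out.println(new String(stored, StandardCharsets.US_ASCII));
        System.out.println("correct password accepted: " + matches("test", stored));
        System.out.println("wrong password accepted:   " + matches("Test", stored));
        // an unprefixed cleartext value in the byte[] field is not an {SSHA} value
        System.out.println("cleartext treated as SSHA: "
                + matches("test", "test".getBytes(StandardCharsets.UTF_8)));
    }
}
```

In the entity, keep the byte[] field with type = Type.BINARY from the short version and let setPassword(String cleartext) assign SshaPassword.encode(cleartext); findOne() then reads the stored bytes back unchanged and update() writes the same bytes, so changing firstName no longer touches the password. Hashing on the client also removes the dependence on the server doing it: OpenLDAP's password-hash directive applies to the Password Modify extended operation (RFC 3062), not to an ordinary modify of userPassword, unless the ppolicy overlay's ppolicy_hash_cleartext is set, so an unprefixed value written through ldapTemplate.update() can end up stored in cleartext. {SSHA} is salted SHA-1, which is fine for compatibility but not a slow hash; if the directory supports a stronger scheme, prefer it, and send the write over TLS. For actual authentication, bind to the directory with the user's credentials rather than comparing locally; matches() is for tests and migrations.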
