Spring remember-me with custom authentication provider


Problem description

I want to implement remember-me services for my application. The main problem I am facing is that I am using a custom authentication provider, which uses a third-party application for authentication. I don't have direct access to their DB.

I checked this link (http://stackoverflow.com/questions/7331784/spring-security-remember-me-with-custom-authentication-provider) and it says that implementing UserDetailService is mandatory for the user authentication service. Unfortunately, in my case I can't do this.

I checked this link (http://stackoverflow.com/questions/8734484/spring-security-config-error-while-server-startup) as well, and it says you may also implement a customRememberMeServices. But I am not sure how this is done. It just passes a request and a response, which doesn't have the credentials.

With the limited understanding I have, Spring stores userName and password in the token:

 base64(username + ":" + expirationTime + ":" +
         md5Hex(username + ":" + expirationTime + ":" + password + ":" + key))

username:          As identifiable to the UserDetailsService
password:          That matches the one in the retrieved UserDetails
expirationTime:    The date and time when the remember-me token expires,
                   expressed in milliseconds
key:               A private key to prevent modification of the remember-me token

Is there a way I can retrieve the password from this token? If not, how else can I achieve the same?

Recommended answer

No. The token is a one-way hash. The whole point is that the password is used to create the token and it can later be verified using the same data when the user connects again. If you can't read the password from the database then you can't use this method directly. You could create a fake random password for each user and store it in a database which you do have access to, and implement a UserDetailsService which loads that instead.

Alternatively, you can use the alternative "persistent token" implementation (http://docs.spring.io/spring-security/site/docs/3.2.3.RELEASE/reference/htmlsingle/#remember-me-persistent-token), which stores the actual token in the database, rather than rebuilding it from unique user data.
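The answer's first suggestion (a random per-user secret standing in for the password) could look like the sketch below. This is an added example, not code from the original question or answer. It assumes Spring Security is on the classpath; the class name, the enroll and revoke methods, the in-memory map (a stand-in for a database you control) and the ROLE_USER authority are all hypothetical.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

/** Hypothetical UserDetailsService used only by the remember-me services. */
public class RememberMeSecretUserDetailsService implements UserDetailsService {

    private static final SecureRandom RANDOM = new SecureRandom();

    // Stand-in for a table in a database you control: username -> random secret.
    private final Map<String, String> secrets = new ConcurrentHashMap<>();

    /** Call once the third-party provider has authenticated the user. */
    public void enroll(String username) {
        secrets.computeIfAbsent(username, u -> newSecret());
    }

    /** After removal, no remember-me token for this user can be verified. */
    public void revoke(String username) {
        secrets.remove(username);
    }

    @Override
    public UserDetails loadUserByUsername(String username) {
        String secret = secrets.get(username);
        if (secret == null) {
            throw new UsernameNotFoundException("no remember-me secret stored");
        }
        // The secret takes the place of "password" in the token hash; the
        // real third-party password is never stored or needed here.
        return new User(username, secret,
                AuthorityUtils.createAuthorityList("ROLE_USER")); // placeholder role
    }

    private static String newSecret() {
        byte[] bytes = new byte[32]; // 256 bits from a CSPRNG
        RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }
}
```

An instance of this class is what you would hand to the remember-me services as their UserDetailsService; in a real deployment the map is replaced by persistent storage so secrets survive restarts.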
